
Network Admission Control (NAC)

Posted on Apr 26, 2024

What Is Network Admission Control (NAC)?

The NAC solution controls who and what may join the network, enforcing security end to end. It admits only authorized users on secure terminals, isolates unauthorized or insecure users and terminals, and limits even authorized users and terminals to the resources they are entitled to. This comprehensive approach improves the overall security posture of the network.

What Is the Purpose of NAC?

In a traditional enterprise network, the intranet is commonly perceived as secure, with security threats predominantly originating from external networks. As a result, various security measures, including firewall deployments, are implemented to thwart external attacks. However, significant security vulnerabilities often arise within the intranet. For instance, employees browsing certain websites on the campus may inadvertently download malicious software like spyware and Trojan horses, leading to the propagation of security risks throughout the intranet.

Within a campus network, the security posture of every terminal directly impacts the overall network security. This security status encompasses factors such as antivirus capabilities, patch levels, and system security configurations. Furthermore, the presence of numerous unauthorized access users on the campus network can jeopardize the integrity of the service system and potentially lead to the compromise of critical information assets.

The Network Access Control (NAC) solution offers an effective means to manage network access privileges, ensuring timely updates of system patches and antivirus databases. This capability empowers administrators to swiftly identify, isolate, and remediate insecure terminals, thereby addressing the intranet security needs of the campus network.

What Are the Capabilities of NAC?

NAC offers a range of functionalities.

Identity Authentication

Access to the campus network necessitates authentication of users, ensuring that only those authorized can gain entry. This fundamental practice is imperative for maintaining the security of the campus network. Terminal identity authentication for devices such as PCs within the campus network must adhere to the following guidelines:

  • Upon inputting the correct username and password, a user employing a secure terminal can seamlessly establish a network connection.

  • Users utilizing insecure terminals will only gain access to a network isolation domain, subsequently requiring terminal security rectification before full network connectivity is granted.

  • Access to the network is strictly prohibited for unauthorized users.

Access Control

To control which resources a user can reach, access rules can be matched on user identity, access time, access location, terminal type, terminal source, and access mode, commonly abbreviated as 5W1H:

  • Who is connected to the network (employees or guests)?

  • Whose devices are being used (enterprise devices or BYOD devices)?

  • What types of devices are being used (PCs or mobile phones)?

  • When is the access initiated (during working hours or non-working hours)?

  • Where is the access initiated (in the R&D area, in a non-R&D area, or at home)?

  • How do devices access the network (through wired or wireless networks)?

Terminal Security Check and Control

The Network Access Control (NAC) solution verifies the security status of terminals and admits only those that are secure and healthy. The security check must meet the following requirements:

  • Scan terminals before they connect to the network to assess their security status, including whether antivirus software is installed, patches are up to date, and passwords are strong.

  • Work with the NAC device to restrict access for terminals that fail the check. This protects the service system from damage and allows the terminals' security issues to be resolved automatically.

  • Deny network access to terminals whose security issues cannot be repaired promptly.

System Repair and Upgrade

The NAC solution offers both automatic and manual system repair and upgrade functionalities. It is capable of automatically downloading and upgrading system patches, initiating updates for antivirus databases, and enforcing security protocols such as terminating illicit or non-compliant processes.

How Does NAC Work?

The NAC solution comprises three primary components: the security terminal, the NAC device, and the server system.

  • Security terminal: Software that runs on the user terminal. It authenticates the user terminal, assesses its security status, and implements the security policies specific to user terminals.

  • NAC device: Enforces security policies within the network. These policies permit, reject, isolate, or restrict user access according to the security policies customized for the enterprise network.

    FS NAC solution authentication modes: The solution supports 802.1X authentication, MAC address authentication, and Portal authentication. In each mode, the NAC device relays the authentication exchange between a user terminal and the NAC server. Acting as a switch, router, access point (AP), or other security device, the NAC device forcibly authenticates access users, rejects unauthorized access attempts, and isolates insecure terminals, so that network services are provided only to authorized users and secure terminals.

  • Server system: Comprises the NAC server, the antivirus/patch/software server, and the service server.

    The NAC server is the cornerstone of the NAC solution. Users interact with the NAC server to undergo identity authentication and security checks. It is responsible for user authentication, security audits, enforcement of security policies, and collaboration with the NAC device to assign user privileges. A user who passes identity authentication but fails the terminal security check is typically directed to the antivirus/patch/software server, which automatically updates the antivirus database on the terminal and installs or updates patches for the operating system and application software until the terminal meets the security requirements. The service server hosts enterprise services and is accessible only to authenticated and authorized users.

As an illustration, within an enterprise network, users are categorized into distinct roles such as employees, partners, and guests. The NAC solution facilitates the customization of network access and permission control rules tailored for different user roles.

  • Employees: Employees are individuals with fixed office locations and long-term work contracts. They predominantly utilize company-provided devices as their primary workstations. These devices typically come equipped with security terminals installed prior to distribution to employees. Upon successful authentication, employees are granted sufficient access rights to the company network, reflecting their status within the organization.

  • Partners: Partners encompass individuals who frequently move and operate with fewer constraints from the enterprise. They are typically connected to the enterprise network for specific durations and primarily access certain servers within the network. Partners often utilize company devices equipped with security terminals. However, it's imperative to strictly control the rights of partners due to their lower terminal security compared to employees.

  • Visitors: Visitors are individuals temporarily connected to the enterprise network. Typically, visitors access the enterprise network wirelessly and are limited to Internet access through this network. To mitigate the risk of enterprise information asset leakage, visitors are strictly isolated from employees and partners. This isolation ensures the security of enterprise assets while accommodating temporary network access for visitors.
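The admission logic described above (identity authentication, the terminal security check, 5W1H matching, and the employee/partner/guest roles) as one small policy engine. This is an added example, not code from the FS solution; the credential store, posture fields, resource names and role rules are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed data and assumed names for this example; not any NAC product's schema.
@dataclass
class Terminal:
    owner: str            # Whose: "corporate" or "byod"
    kind: str             # What:  "pc" or "phone"
    access: str           # How:   "wired" or "wireless"
    location: str         # Where: "rnd", "office" or "home"
    antivirus: bool       # posture items checked before admission
    patched: bool
    strong_password: bool

# Constructed credential store: user -> (password, role). A real deployment
# checks credentials against RADIUS/AD rather than a dict in code.
CREDENTIALS = {"alice": ("S3cret!", "employee"),
               "bob": ("p4rtner", "partner"),
               "guest1": ("wifi", "guest")}
# Isolation domain: only the remediation servers are reachable from it.
REMEDIATION = frozenset({"patch-server", "antivirus-server"})

def posture_issues(t):
    """Terminal security check: returns the failed items (empty = healthy)."""
    checks = (("antivirus", t.antivirus), ("patches", t.patched),
              ("password", t.strong_password))
    return [name for name, ok in checks if not ok]

def role_resources(role, t, hour):
    """5W1H matching: resources allowed for this role in this context."""
    if role == "employee":
        res = {"intranet", "internet"}
        if (t.owner == "corporate" and t.kind == "pc"
                and t.location == "rnd" and 8 <= hour < 18):
            res.add("rnd-servers")   # R&D servers: corporate PC, R&D area, work hours
        return res
    if role == "partner":            # partners reach specific servers only
        return {"partner-servers"} if t.owner == "corporate" else set()
    return {"internet"} if t.access == "wireless" else set()   # guests

def decide(user, password, hour, terminal):
    """Admission decision: (action, reachable resources)."""
    cred = CREDENTIALS.get(user)
    if cred is None or cred[0] != password:
        return "deny", set()                       # unauthorized user
    if posture_issues(terminal):
        return "isolate", set(REMEDIATION)         # authorized but insecure terminal
    res = role_resources(cred[1], terminal, hour)
    return ("permit", res) if res else ("deny", set())
```

An authenticated user whose context matches no rule (a partner on a BYOD phone, a guest on a wired port) is denied rather than permitted with an empty resource set.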

NAC Applications

The Network Admission Control (NAC) solution finds applicability across various network scenarios, including enterprise campus networks, bring-your-own-device (BYOD) environments, Internet of Things (IoT) deployments, and public Wi-Fi networks.

Enterprise Campus Network

The NAC solution meticulously distinguishes between network access rights for employees and non-employees, guided by their respective roles within the enterprise network.

BYOD

In response to employees' increasing demand for innovation and personalization in their work environments, many enterprises are exploring the option of allowing employees to connect to the intranet using their personal smart devices, a practice commonly known as Bring Your Own Device (BYOD). Typically, employees' personal devices, such as mobile phones, tablets, and laptops, do not have security terminals installed. However, accessing the enterprise intranet through these devices may introduce security vulnerabilities. To address this concern, the NAC solution employs terminal-type identification technology to automatically recognize the types of devices employees use to connect to the enterprise intranet. This enables authentication and authorization processes based on user information, device type, and device operating environment, thereby enhancing security measures.

IoT

The majority of IoT (Internet of Things) devices lack support for traditional authentication protocols or security certificates. To address this challenge, the NAC (Network Admission Control) solution employs automated identification methods to recognize IoT devices based on their electronic identity information. This information typically includes details such as the device version, vendor information, version number, product name, and terminal type. Subsequently, the NAC solution executes network access authentication for IoT devices in accordance with the predefined security policies configured for such devices.
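Identity-based admission for devices that cannot run a supplicant, as an added example rather than the FS solution's own logic: each device is matched on the identity fields the text lists (vendor, product name, version, terminal type) against a predefined per-type policy, outdated firmware is quarantined, and anything unrecognized is denied. The records, field names and policies are constructed for illustration.

```python
import re

# Constructed identity records, as a NAC device might learn them from DHCP or
# LLDP; the field names are assumptions for this example, not a product schema.
DEVICES = [
    {"mac": "00:11:22:aa:bb:01", "vendor": "Acme Cameras", "product": "IPCam-200",
     "version": "2.4.1", "type": "camera"},
    {"mac": "00:11:22:aa:bb:02", "vendor": "Acme Cameras", "product": "IPCam-200",
     "version": "1.0.3", "type": "camera"},
    {"mac": "00:11:22:aa:bb:03", "vendor": "Zeta Print", "product": "LaserJet",
     "version": "7.2", "type": "printer"},
    {"mac": "00:11:22:aa:bb:04", "vendor": "", "product": "", "version": "", "type": ""},
]

# Predefined per-device-type policies: identity match, minimum firmware,
# the VLAN to place the device in and the only destinations it may reach.
POLICIES = [
    {"type": "camera", "vendor": re.compile(r"^Acme"), "product": re.compile(r"^IPCam"),
     "min_version": (2, 0, 0), "vlan": 310, "allow": {"nvr"}},
    {"type": "printer", "vendor": re.compile(r"^Zeta"), "product": re.compile(r"."),
     "min_version": (7, 0), "vlan": 320, "allow": {"print-server"}},
]
QUARANTINE = {"vlan": 999, "allow": {"patch-server"}}

def parse_version(s):
    """'2.4.1' -> (2, 4, 1); missing or garbled strings compare as oldest."""
    try:
        return tuple(int(p) for p in s.split("."))
    except ValueError:
        return ()

def classify(dev):
    """MAC-authentication style decision driven by the device's identity fields."""
    for pol in POLICIES:
        if (dev["type"] == pol["type"] and pol["vendor"].search(dev["vendor"])
                and pol["product"].search(dev["product"])):
            if parse_version(dev["version"]) < pol["min_version"]:
                return {"mac": dev["mac"], "action": "isolate", **QUARANTINE}
            return {"mac": dev["mac"], "action": "permit",
                    "vlan": pol["vlan"], "allow": pol["allow"]}
    return {"mac": dev["mac"], "action": "deny", "vlan": None, "allow": set()}

def classify_all(devs=DEVICES):
    """Map each MAC to its admission decision."""
    return {d["mac"]: classify(d) for d in devs}
```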

Public Wi-Fi Network

Public Wi-Fi networks are extensively utilized across cafes, shops, airports, hotels, and various other public venues, offering customers and guests convenient access. However, completely open public Wi-Fi networks inherently pose security risks due to the absence of identity authentication measures. As a result, users should exercise caution when connecting to such networks. To enhance security, the NAC solution offers authentication options such as WeChat authentication and SMS authentication. When accessing a public Wi-Fi network, users can either scan a QR code via WeChat or input their mobile number on the web portal page to authenticate their identity, ensuring a more secure connection through real-name authentication.
