Network Access Control

Network Access Control (NAC) is a security solution that enforces policy on devices that access networks to increase network visibility and reduce risk.

NAC’s posturing capability determines if a system is sufficiently secure and compliant enough to connect to a network.

NAC is an example of risk-based access control (not to be confused with role-based access control, which shares the RBAC acronym): systems that are not compliant are treated as higher risk and are either placed in a quarantine/remediation network or zone, or prohibited from connecting at all until they are brought into compliance. You can read more about risk-based access control and other access control models on this post.

Zero Trust Network Access (ZTNA) is a security framework that grants no implicit trust to any user, device, or application, regardless of whether it is inside or outside the corporate network perimeter. You can read more about it on this post.

A ZTNA solution may be combined with a NAC, but they are different things: NAC decides whether a device may join the network at all (and into which segment), while ZTNA brokers access to individual applications on each request.

NAC Goals

NAC goals:

  • Prevent or reduce known attacks directly, and zero-day attacks indirectly, by keeping non-compliant hosts off the network
  • Enforce security policy throughout the network
  • Use identities to perform control

NAC Options

NAC options:

  • Pre-admission / post-admission philosophy: test systems before / after they are allowed on the network.
  • Agent-based (client-enabled) / agentless (client-disabled): whether the endpoint runs NAC software that can report its posture to the NAC system.
    • An agent may be permanent (installed on the endpoint) or dissolvable (downloaded and run once at connection time, then removed).
  • In-band / out-of-band: an in-band NAC appliance sits in the primary data path and inspects (and can block) traffic continuously, at the cost of becoming a choke point; an out-of-band NAC stays off the data path and enforces through the infrastructure instead, for example by assigning a VLAN over 802.1X/RADIUS or reconfiguring the switch port, typically at connection time.

Post-admission NAC allows or denies access based on what the user or device does after it has connected. Because it does not assess the machine's state before it joins the network, a vulnerable host can be exploited, or can attack its neighbours, in the window between connection and detection.
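To make the posturing and risk-based decision concrete, here is an added example (not code from the CISSP guide or from any NAC product) of a pre-admission, agent-based decision: an endpoint's posture report is checked against a policy, compliant hosts go to the production VLAN, hosts with fixable gaps go to the remediation VLAN, and hosts that provide no usable posture are rejected. The result is expressed as the RFC 3580 VLAN attributes a switch acts on in a RADIUS Access-Accept. The report field names, thresholds, VLAN numbers and sample reports are assumptions constructed for the example.

```python
"""Posture-based NAC admission decision (added illustration, assumptions noted)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TODAY = date(2024, 5, 4)  # fixed "now" so the example is reproducible

# Constructed posture reports, in the shape an endpoint agent might submit.
# Field names are an assumption for the example, not any product's schema.
SAMPLE_REPORTS = {
    "laptop-ok": {"os_patch_date": "2024-05-01", "av_signature_date": "2024-05-03",
                  "firewall_enabled": True, "disk_encrypted": True},
    "laptop-stale-av": {"os_patch_date": "2024-04-28", "av_signature_date": "2024-03-01",
                        "firewall_enabled": True, "disk_encrypted": True},
    "laptop-no-fw": {"os_patch_date": "2024-04-28", "av_signature_date": "2024-05-02",
                     "firewall_enabled": False, "disk_encrypted": False},
    "printer-no-agent": None,                                # agentless device, no report
    "laptop-bad-report": {"os_patch_date": "last tuesday"},  # malformed agent data
}


@dataclass(frozen=True)
class Policy:
    max_patch_age_days: int = 30
    max_av_age_days: int = 7
    require_firewall: bool = True
    require_disk_encryption: bool = True
    production_vlan: int = 100
    quarantine_vlan: int = 999   # remediation zone: reaches patch/AV servers only


@dataclass
class Decision:
    action: str                  # "accept", "quarantine" or "reject"
    vlan: Optional[int]
    failures: list = field(default_factory=list)


def assess_posture(report: dict, policy: Policy, today: date = TODAY) -> list:
    """Return the list of policy checks the report fails (empty = compliant)."""
    try:
        patch_age = (today - date.fromisoformat(report["os_patch_date"])).days
        av_age = (today - date.fromisoformat(report["av_signature_date"])).days
        firewall = bool(report["firewall_enabled"])
        encrypted = bool(report["disk_encrypted"])
    except (KeyError, TypeError, ValueError) as exc:
        # A report we cannot parse must not count as "compliant by default".
        return ["unparseable posture report: %s" % exc]
    failures = []
    if patch_age > policy.max_patch_age_days:
        failures.append("os patches %d days old" % patch_age)
    if av_age > policy.max_av_age_days:
        failures.append("av signatures %d days old" % av_age)
    if policy.require_firewall and not firewall:
        failures.append("host firewall disabled")
    if policy.require_disk_encryption and not encrypted:
        failures.append("disk not encrypted")
    return failures


def decide(report: Optional[dict], policy: Policy, today: date = TODAY) -> Decision:
    """Risk-based admission: compliant -> production VLAN, fixable gaps ->
    quarantine VLAN, no usable posture at all -> reject (fail closed)."""
    if report is None:
        return Decision("reject", None, ["no posture report"])
    failures = assess_posture(report, policy, today)
    if not failures:
        return Decision("accept", policy.production_vlan)
    if failures[0].startswith("unparseable"):
        return Decision("reject", None, failures)
    return Decision("quarantine", policy.quarantine_vlan, failures)


def radius_attributes(decision: Decision) -> tuple:
    """Map a decision to the RADIUS reply the authenticator (switch) enforces:
    Access-Accept carrying RFC 3580 VLAN attributes, or Access-Reject."""
    if decision.action == "reject":
        return ("Access-Reject", {})
    return ("Access-Accept", {
        "Tunnel-Type": 13,               # VLAN
        "Tunnel-Medium-Type": 6,         # IEEE-802
        "Tunnel-Private-Group-Id": str(decision.vlan),
    })


def run_examples(policy: Policy = Policy()) -> dict:
    """Evaluate every constructed report; returns {name: (decision, radius_reply)}."""
    return {name: (d, radius_attributes(d))
            for name, d in ((n, decide(r, policy)) for n, r in SAMPLE_REPORTS.items())}


if __name__ == "__main__":
    for name, (d, (code, attrs)) in run_examples().items():
        print("%-18s %-10s %s %s %s" % (name, d.action, code, attrs, d.failures))
```

Two design points worth noting: the quarantine VLAN is itself the remediation zone (it must reach patch and AV servers or the host can never become compliant), and a malformed or missing report fails closed rather than being treated as compliant, which is the usual way an agentless or tampered endpoint would otherwise slip past a pre-admission check.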

NAC Technologies

IEEE 802.1X is a port-based network access control standard. The supplicant (the endpoint) authenticates to the authenticator (a switch or access point) using the Extensible Authentication Protocol (EAP), carried over the LAN as EAPOL frames; the authenticator keeps the port closed to everything except EAPOL until an authentication server (typically RADIUS) returns a success, and can then apply the server's authorization, such as a VLAN assignment. EAP is an authentication framework, not an authorization protocol: the actual proof of identity comes from the EAP method negotiated inside it (for example EAP-TLS).
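The start of an 802.1X port authentication, as an added example rather than code from the page's source: the supplicant announces itself with EAPOL-Start, the authenticator answers with EAP-Request/Identity, and the supplicant replies with EAP-Response/Identity, which the authenticator then relays to the RADIUS server. The code encodes and parses both the EAPOL header (IEEE 802.1X) and the EAP packet (RFC 3748); the identity string is constructed for the example.

```python
"""EAPOL/EAP framing for the opening of an 802.1X exchange (added example)."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2  # 802.1X-2004 framing; later revisions keep the header layout
# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# EAP codes (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP method types used here
EAP_TYPE_IDENTITY = 1


def eapol_frame(packet_type: int, body: bytes = b"") -> bytes:
    """Encode an EAPOL PDU: version(1) type(1) body-length(2) body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap_packet(code: int, identifier: int, eap_type: int = None,
               type_data: bytes = b"") -> bytes:
    """Encode an EAP packet: code(1) id(1) length(2) [type(1) type-data].
    Success/Failure carry no type field; Request/Response must have one."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        payload = b""
    else:
        if eap_type is None:
            raise ValueError("EAP Request/Response needs a type")
        payload = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL header; trailing bytes (Ethernet padding) are ignored."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": ptype, "body": body}


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet, validating the length field against the buffer."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    pkt = pkt[:length]
    out = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without type byte")
        out["type"] = pkt[4]
        out["data"] = pkt[5:]
    return out


def identity_exchange(identity: str) -> list:
    """The three frames that open 802.1X, labelled with the side that sends them."""
    start = eapol_frame(EAPOL_START)
    request = eapol_frame(EAPOL_EAP_PACKET,
                          eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    response = eapol_frame(EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY,
                                      identity.encode("utf-8")))
    return [("supplicant", start), ("authenticator", request), ("supplicant", response)]


def supplicant_identity(frame: bytes):
    """What an authenticator extracts from an EAP-Response/Identity, or None if
    the frame is something else (EAPOL-Start, a key frame, another EAP code)."""
    eapol = parse_eapol(frame)
    if eapol["type"] != EAPOL_EAP_PACKET:
        return None
    eap = parse_eap(eapol["body"])
    if eap["code"] != EAP_RESPONSE or eap.get("type") != EAP_TYPE_IDENTITY:
        return None
    return eap["data"].decode("utf-8", "replace")


if __name__ == "__main__":
    for sender, frame in identity_exchange("alice@corp.example"):
        print("%-13s %s" % (sender, frame.hex()))
```

The identity exchanged here is cleartext and unauthenticated: the authenticator uses it only to pick a RADIUS server or realm, and the port stays blocked until the EAP method that follows (EAP-TLS, PEAP, and so on) succeeds. EAPOL is link-local and never routed, which is why the switch, not the endpoint, talks to the RADIUS server.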


External References

  • NAC
    • Mike Chapple et al.; "CISSP Official Study Guide", 9th edition, chapter 11 "Secure Network Architecture and Components", pp. 549-550; Wiley, 2021.
