Network Access Control NAC | IT NETWORKS


Network Access Control NAC



Network access control (NAC) is something that controls access to the network, and at its simplest level, that is what NAC does.

But if that were all it did, it wouldn't be fundamentally different from a network authentication and authorization server.

Traditional authentication to the network follows the IEEE 802.1X standard, which provides an authentication method for devices wishing to join a local area network (LAN) or wireless LAN.


802.1X Wireless/Wired Authentication

The mechanism was port-based network access control, which used agents: software running on client devices that provides credentials to the authenticator, which in turn controls access to the network.


Another means to control access to a public network, such as one serving a coffee shop or a hotel, is a captive portal.
If you've ever connected to a network in an airport, hotel, or coffee shop, you might recall interacting with a web page, sometimes agreeing to some legal mumbo-jumbo before access is granted.



This worked well enough as long as there was a user to authenticate or an agent that could be loaded onto the device. But then handheld wireless devices appeared, and people found them very useful when conducting business.

To leverage the advantages of these devices, businesses began to permit Bring-Your-Own-Device (BYOD) devices onto the network.


Parallel to this trend, headless Internet of Things (IoT) devices began to connect to the network. These devices didn't have the CPU cycles or memory to host an agent for authentication or to support security programs.

This is why they're headless. Ultimately, it meant that IT administrators were no longer aware of all the devices that were connecting to the network.

Bad actors immediately saw the potential to use these devices as a means to attack networks. IoT devices are part of larger IoT systems that gather information or provide local points of control.



In smart homes, IoT devices can better regulate heat and humidity, monitor what's in your fridge, help you with your grocery list, and remotely control the locks on your doors.

IoT devices are deployed in business networks as well, to connect security cameras, control lighting and thermostats, and measure room occupancy and usage.

Their convenience has made them very popular and the number of devices has proliferated. But the variety of devices, the lack of standards, and the inability to secure these devices make them a potential conduit of contagions into the network. This means these devices cannot be trusted. It became apparent that BYOD and IoT devices needed to be tracked, controlled, and monitored for any evidence that they have been compromised.


When NAC was introduced to a network, one of its first tasks was to profile all connected devices. Then, according to each device's profile, or purpose, NAC permitted access to network resources based on the device's function, much like how individuals are given access to sensitive information on a need-to-know basis.

For example, an IP camera should be able to send traffic to and receive traffic from the NVR server on the network, but should NOT have access to any of the sales or finance servers.

The limited and controlled access supports the benefits of IoT systems while limiting the damage they can do to a network.



If a compromised device is restricted to only those devices with which it legitimately needs to connect, the restriction virtually segments the network and quarantines the contagion to one portion of it.
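The profile-based, need-to-know access described above can be sketched as a default-deny policy check. This is an added example, not code from the original post or from any NAC product; the profile names, MAC addresses, subnets and ports are constructed assumptions, and it goes slightly beyond the IP camera case by also handling a second profile and a device that has never been profiled.

```python
import ipaddress

# Constructed sample data: profiles, addresses and ports are assumptions.
NVR = "10.20.0.10"
POLICY = {  # profile -> (destination network, destination port) pairs it needs
    "ip-camera": [(f"{NVR}/32", 554)],        # stream video to the NVR only
    "thermostat": [("10.30.0.0/28", 8883)],   # building-management hosts
}
INVENTORY = {  # result of profiling: MAC address -> profile
    "00:11:22:aa:bb:01": "ip-camera",
    "00:11:22:aa:bb:02": "thermostat",
}

def decide(mac, dst_ip, dst_port):
    """Return (action, reason) for one flow; anything not listed is denied."""
    profile = INVENTORY.get(mac.lower())
    if profile is None:
        return ("quarantine", "device has no profile")
    dst = ipaddress.ip_address(dst_ip)
    for cidr, port in POLICY.get(profile, []):
        if dst in ipaddress.ip_network(cidr) and dst_port == port:
            return ("permit", profile)
    return ("deny", f"{profile} has no need to reach {dst_ip}:{dst_port}")

def review(flows):
    """Evaluate flows and collect the devices that should be reported to the SOC."""
    decisions, report = [], {}
    for mac, dst_ip, dst_port in flows:
        action, reason = decide(mac, dst_ip, dst_port)
        decisions.append(action)
        if action != "permit":
            report.setdefault(mac.lower(), []).append(reason)
    return decisions, report

SAMPLE_FLOWS = [  # constructed
    ("00:11:22:AA:BB:01", "10.20.0.10", 554),  # camera -> NVR
    ("00:11:22:AA:BB:01", "10.50.0.7", 445),   # camera -> finance server
    ("00:11:22:aa:bb:02", "10.30.0.5", 8883),  # thermostat -> controller
    ("de:ad:be:ef:00:01", "10.20.0.10", 554),  # device never profiled
]

if __name__ == "__main__":
    decisions, report = review(SAMPLE_FLOWS)
    for flow, action in zip(SAMPLE_FLOWS, decisions):
        print(action, flow)
    for mac, reasons in report.items():
        print("report to SOC:", mac, reasons)
```

A camera that starts reaching for a finance server is both blocked and recorded, which is the kind of evidence of compromise the monitoring requirement is after.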


While NAC can identify and control network devices, it can have shortcomings.

Some NAC solutions were designed to assist with BYOD onboarding on wireless networks. They work well in those environments but underperform in wired environments, creating a security vulnerability.
Other solutions were developed to work within a single vendor's environment. They work well only when all the network equipment is from that vendor, but leave security holes when other vendors' equipment is in the network.

And some solutions require seeing the network traffic, which works well in small, simple networks, but doesn't scale well in large, distributed networks.

Ideally, you want a NAC solution that has complete visibility into the network to identify all the devices and all the users. This means that it must be effective in both wireless and wired LANs.

It must interoperate with a multiplicity of vendor products, to the degree that it can communicate with and profile each device, and, most importantly, it must be able to profile headless devices that are not equipped with an agent. The NAC solution should have a centralized architecture to enable efficient coverage of large and multi-site networks.

It should possess the ability to micro-segment the network to limit devices to only those resources that are required.

Critically, NAC should also be integrated into the security framework, so that when a breach is detected, NAC will automatically notify the Security Operations Center, and coordinate with other security devices to isolate and expunge the contagion.

Fortinet, for example, has a NAC solution called FortiNAC.

