Network Access Control

NAC: Challenge and Opportunity

Network Access Control is discussed often, but network and security specialists have little common ground on how much it should cover. The demand for protection inside the corporate network keeps growing, because corporate networks are progressively being opened to customers, service providers, partners, auditors and roaming users. Such "external" users are to be given access to data without compromising network security.

Network protection is nothing new. Logging into a network with a user name and password has been state of the art for decades, and authentication technologies such as directory services and RADIUS for managing access rights in networks are not recent inventions either.

The first proposals for network access control (or network admission control) surfaced around 2005, in the wake of the extensive worldwide damage done in 2003 and 2004 by computer worms such as SQL Slammer, Blaster and Sasser. This malware needed no login to network resources in order to spread: an infected computer scanned for other vulnerable hosts, typically starting in its local subnet, and thereby found further IP addresses to infect. Any notebook with a valid IP address that happened to be attached to a network could therefore bring that network down. The threat thus originates primarily from the device, not from the user.

Some networks established a security mechanism based on port security, a feature supported by most switch types. One or more MAC addresses are bound to each switch port, and the switch discards every frame whose source address does not belong to an authorized device. The approach is quite effective against the scenario above, but it costs considerable administrative effort: whenever a device moves to another location in the network, the bindings must be updated. With ever more mobile devices being rolled out, this approach becomes increasingly uneconomical. It also checks nothing but the source MAC address, which any host can set itself, so it verifies neither the device's identity nor its security status.
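The binding described above, written out as a Cisco IOS interface configuration (an added example for this page, not from the page or the vendor; the interface names, VLAN number and MAC address are placeholders):

```text
! Bind one MAC address to an access port. Frames from any other source
! address are dropped and counted (violation mode "restrict").
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! Alternative: learn the first address seen on the port and keep it in the
! running configuration ("sticky"). Less typing, but the device is still
! tied to this one port; "shutdown" err-disables the port on a violation.
interface GigabitEthernet1/0/13
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
```

`show port-security interface GigabitEthernet1/0/12` shows the learned or configured addresses and the violation counter. When the device on Gi1/0/12 is moved to another office, this entry has to be removed here and entered on the new port, which is the administrative cost the text refers to; and a host that sets its MAC address to 0011.2233.4455 passes the check unchallenged.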

What is Network Access Control?

Network Access Control ensures that only devices complying with a predefined security standard have access to network resources.

NAC must therefore enforce the security policy for all devices that are to obtain access to a network.
A security policy regulating network access must comprise:

  • Authentication: Any device that requests access to the network must authenticate itself. Authentication should also classify the end device, so that rule-based decisions can be made according to device type.
  • Security Check: Before a device is granted network access, it must be checked for known vulnerabilities and for the presence of the required security software. This check should be repeated regularly for as long as the device is attached to the network, since a device's security status can change at any time, possibly through manipulation by the user.
  • Authorization: NAC can manage a device's access rights to the network according to its classification. IP telephones, for instance, can be placed in dedicated VLANs where they reach the infrastructure they need but are kept out of the segments where corporate data resides. Mobile devices, inherently more exposed than desktop units, can be placed in segments with restricted access.
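The three policy components above, carried through as a small rule-based policy engine: authenticate, run the security check, place the device in a segment according to its classification, and re-run the whole policy while the device remains attached. This is an added illustration for this page and not macmon's code; the VLAN plan, the patch-level threshold and the sample devices are constructed assumptions.

```python
"""Rule-based NAC policy engine: authenticate, check posture, authorize by
classification, and re-check the device while it stays attached.

Added illustration for this page, not macmon's code. The VLAN plan, the
patch-level threshold and the sample devices are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed VLAN plan (assumption, not from the page)
VLAN_CORPORATE = 10    # compliant desktops: full access to corporate data
VLAN_MOBILE = 15       # compliant mobile devices: restricted segment
VLAN_VOICE = 20        # IP telephones: call infrastructure only
VLAN_GUEST = 30        # unauthenticated devices: internet access only
VLAN_QUARANTINE = 99   # failed security check: remediation servers only

MIN_PATCH_LEVEL = 42   # constructed threshold; below it the device counts as vulnerable


@dataclass
class Device:
    mac: str
    identity: Optional[str]   # user name or certificate subject; None if not authenticated
    device_type: str          # "desktop", "laptop", "ip_phone", ...
    av_installed: bool = False
    patch_level: int = 0


@dataclass
class Decision:
    vlan: int
    reason: str


def authenticate(dev: Device) -> bool:
    """Step 1: every device must prove who it is before any rule is applied."""
    return dev.identity is not None


def security_check(dev: Device) -> Tuple[bool, str]:
    """Step 2: required security software present and patch level current?"""
    if not dev.av_installed:
        return False, "required security software not installed"
    if dev.patch_level < MIN_PATCH_LEVEL:
        return False, f"patch level {dev.patch_level} below required {MIN_PATCH_LEVEL}"
    return True, "compliant"


def authorize(dev: Device) -> Decision:
    """Step 3: map classification and security status to a network segment."""
    if not authenticate(dev):
        return Decision(VLAN_GUEST, "unauthenticated: guest segment only")
    if dev.device_type == "ip_phone":
        # Phones run no posture agent; classification alone places them.
        return Decision(VLAN_VOICE, "IP telephone: voice VLAN, no path to corporate data")
    ok, why = security_check(dev)
    if not ok:
        return Decision(VLAN_QUARANTINE, f"quarantine: {why}")
    if dev.device_type == "desktop":
        return Decision(VLAN_CORPORATE, "compliant desktop: corporate segment")
    if dev.device_type == "laptop":
        return Decision(VLAN_MOBILE, "compliant mobile device: restricted segment")
    return Decision(VLAN_QUARANTINE, f"unclassified device type {dev.device_type!r}")


class Sessions:
    """Remembers the segment each attached MAC address was placed in, so a
    periodic re-check can detect that a device's status has changed."""

    def __init__(self) -> None:
        self.current: Dict[str, Decision] = {}

    def admit(self, dev: Device) -> Decision:
        decision = authorize(dev)
        self.current[dev.mac] = decision
        return decision

    def reassess(self, dev: Device) -> Tuple[int, int]:
        """Re-run the complete policy for an attached device; returns (old, new) VLAN."""
        old = self.current[dev.mac].vlan
        new = self.admit(dev).vlan
        return old, new


# Constructed sample devices (assumption)
PHONE = Device("00:11:22:33:44:01", "phone-0017", "ip_phone")
DESKTOP = Device("00:11:22:33:44:02", "alice", "desktop", av_installed=True, patch_level=45)
LAPTOP = Device("00:11:22:33:44:03", "bob", "laptop", av_installed=True, patch_level=45)
VISITOR = Device("00:11:22:33:44:04", None, "laptop", av_installed=True, patch_level=45)


def demo() -> Dict[str, object]:
    """Admit the sample devices, then re-check the laptop after its user has
    removed the security software while still attached to the network."""
    sessions = Sessions()
    result: Dict[str, object] = {
        d.identity or "visitor": sessions.admit(d).vlan
        for d in (PHONE, DESKTOP, LAPTOP, VISITOR)
    }
    tampered = replace(LAPTOP, av_installed=False)   # same MAC, changed status
    result["laptop_reassessed"] = sessions.reassess(tampered)
    return result


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:>18}: {vlan}")
```

The order of the checks matters: authentication comes first so that an unknown device never reaches the posture logic, and the phone is placed by classification alone because it cannot run a posture agent. The re-check in `reassess` reuses the full `authorize` path rather than a cheaper subset, so a laptop that was compliant at login moves from the restricted segment to quarantine as soon as its security software disappears.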
