Network access control (NAC) has always been important. However, with so many people working remotely, its profile has risen sharply in the enterprise. Essentially, NAC helps enterprises implement policies for controlling device and user access to their networks regardless of their location. The goal is to bring order to the chaos of connections, whether they are internal or external. Those connections might be from in-house personnel, a remote workforce, customers, consultants, contractors, and guests.
Each of these groups requires access, although the kind of access varies sharply from one person or group to another. Administrators require a different tier of control than lower-level workers, and groups such as guests or contractors are given limited access rights.
Basic Features of NAC
The features of NAC platforms vary from one vendor to another. But most of the following basic capabilities should be present in any NAC product:
- Dedicated policy management that can define and administer security configuration requirements.
- The ability to specify the access control actions for compliant and noncompliant endpoints.
- The ability to block, quarantine, or grant varying degrees of access.
- Management of guest access.
- A profiling engine that can discover, identify, and monitor endpoints.
- Easy integration with other security applications and components.
- Operation from the edge to the cloud, since the same policies that govern traditional perimeter network access should also govern access to the cloud.
- Support for Zero Trust and SASE security frameworks, in which identity, not the method of connection, dictates what a user or device can access.
- Operation in a multi-vendor environment, across wired, wireless, and WAN connections, with integration into the rest of the security ecosystem.
- Continuous monitoring of devices to assess their security posture, risk and compliance, and network behavior.
- Least-privilege network access enforcement based on user identity, device identity and ownership, and device security posture and risk profile.
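The feature list above describes a decision pipeline: establish identity, look up the policy context (group, ownership), assess posture, then apply an enforcement action such as block, quarantine, or a dynamic VLAN. The following Python sketch is added here as an illustration and is not code from any vendor on this page; the posture requirements, group tiers, VLAN numbers, and registered MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Access(Enum):
    BLOCK = "block"              # drop the session at the port
    QUARANTINE = "quarantine"    # remediation network only
    GUEST = "guest"              # internet-only guest segment
    LIMITED = "limited"          # restricted internal segment
    FULL = "full"                # normal corporate access


@dataclass
class Endpoint:
    mac: str
    auth_method: str                      # "802.1x", "mab" (MAC authentication bypass) or "none"
    group: Optional[str] = None           # directory group learned at authentication
    corporate_owned: bool = False         # device ownership: managed vs. BYOD
    posture: Dict[str, bool] = field(default_factory=dict)  # assessment results


# Security configuration requirements a compliant endpoint must satisfy (constructed policy)
POSTURE_REQUIREMENTS: Dict[str, bool] = {
    "av_running": True,
    "disk_encrypted": True,
    "os_patched": True,
}

# Least-privilege tier per group for a compliant, corporate-owned endpoint (constructed)
GROUP_TIER: Dict[str, Access] = {
    "admins": Access.FULL,
    "staff": Access.FULL,
    "contractors": Access.LIMITED,
    "guests": Access.GUEST,
}

# Enforcement action: dynamic VLAN per tier (constructed VLAN ids; BLOCK gets no VLAN)
VLAN_FOR_TIER: Dict[Access, Optional[int]] = {
    Access.FULL: 10,
    Access.LIMITED: 20,
    Access.GUEST: 30,
    Access.QUARANTINE: 99,
    Access.BLOCK: None,
}

# Headless devices (printers, sensors) that cannot run 802.1X are admitted by MAC (constructed)
REGISTERED_HEADLESS_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


def posture_failures(ep: Endpoint) -> List[str]:
    """Names of requirements the endpoint's assessment does not meet (missing counts as failed)."""
    return [name for name, required in POSTURE_REQUIREMENTS.items()
            if ep.posture.get(name) != required]


def decide(ep: Endpoint) -> Tuple[Access, Optional[int], List[str]]:
    """Apply the policy to one endpoint: returns (tier, VLAN id, reasons)."""
    mac = ep.mac.lower()

    # Step 1: identity. Without an 802.1X identity only pre-registered headless devices
    # are admitted, and only to the restricted segment, because a MAC address is a weak identity.
    if ep.auth_method != "802.1x":
        if ep.auth_method == "mab" and mac in REGISTERED_HEADLESS_MACS:
            return Access.LIMITED, VLAN_FOR_TIER[Access.LIMITED], ["registered headless device (MAB)"]
        return Access.BLOCK, None, ["unauthenticated device with unknown MAC"]

    # Step 2: authorization context. A group with no policy is blocked rather than guessed.
    tier = GROUP_TIER.get(ep.group or "")
    if tier is None:
        return Access.BLOCK, None, [f"no policy for group {ep.group!r}"]

    # Guests never reach internal segments, so their posture is not assessed.
    if tier is Access.GUEST:
        return tier, VLAN_FOR_TIER[tier], ["guest access"]

    # Step 3: posture. Noncompliant endpoints go to remediation, not the production network.
    failures = posture_failures(ep)
    if failures:
        return Access.QUARANTINE, VLAN_FOR_TIER[Access.QUARANTINE], [f"posture: {f}" for f in failures]

    # Step 4: ownership. Compliant personal (BYOD) devices still get limited access.
    if not ep.corporate_owned and tier is Access.FULL:
        return Access.LIMITED, VLAN_FOR_TIER[Access.LIMITED], ["compliant BYOD device"]

    return tier, VLAN_FOR_TIER[tier], ["compliant corporate device"]


if __name__ == "__main__":
    compliant = {"av_running": True, "disk_encrypted": True, "os_patched": True}
    for ep in [
        Endpoint("00:11:22:33:44:55", "802.1x", "staff", True, compliant),
        Endpoint("00:11:22:33:44:56", "802.1x", "staff", True, {**compliant, "os_patched": False}),
        Endpoint("aa:bb:cc:00:00:01", "mab"),
        Endpoint("de:ad:be:ef:00:01", "mab"),
    ]:
        print(ep.mac, *decide(ep))
```

The order of the steps is the point: posture is only assessed once identity and group are known, the quarantine tier is distinct from block so a noncompliant corporate device can still reach remediation services, and every decision carries its reasons so the result can be logged and audited.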
Primary Use Cases for NAC
The primary use cases of NAC are:
- Device visibility
- Asset inventory
- Endpoint compliance
- Network segmentation
- IoT and OT security
- Zero Trust security
- Return to office risk mitigation
Top NAC Vendors
Enterprise Networking Planet reviewed the various NAC platforms and tools on the market. Here are some of the top vendors in this field, in no particular order:
Aruba, a Hewlett Packard Enterprise company, offers ClearPass. It applies policy and granular security controls, such as where and how the associated traffic can navigate the network, to ensure that proper access is granted to those connected to both wired and wireless enterprise networks. The ClearPass family comprises ClearPass Device Insight, which uses AI to discover and profile IoT devices; ClearPass Policy Manager, which enables security teams to define business-level access policies; ClearPass OnGuard for agentless endpoint security assessment; and ClearPass OnBoard, which streamlines BYOD connectivity.
- Agentless policy control and automated application: ClearPass Policy Manager allows IT staff to implement policies for how users and devices connect and what corporate data they can access
- Built-in enforcement of access privileges for segmented traffic: Aruba Policy Enforcement Firewall dynamically segments traffic across wired, wireless and WAN connections with the same policies and access rights.
- Secure access for guests, corporate devices, and BYOD: Simplified access for authorized users using role-based policy and identity to authenticate users.
- ClearPass is designated Cyber Catalyst by Marsh. This program, operated by eight of the largest cyber insurers, evaluates security products.
- Automatically eliminates blind spots by finding and fingerprinting IoT devices with AI-based, cloud-delivered discovery and profiling.
- Integrates with over 170 security and IT management solutions and can act as a clearing house for attack alerts.
- Can propagate access policies for other vendors, including Cisco.
- Supports authentication protocols including RADIUS, LDAP, and AD.
- Common Criteria certified.
The Forescout NAC platform is built around licenses for Forescout eyeSight, eyeControl, eyeSegment, and eyeExtend. It gives security and IT operations teams real-time visibility of all IP-connected devices as they access the network. Users can choose from more than 20 active and passive discovery and profiling methods to match the business environment and ensure continuous network availability. More than 12 million device fingerprints in the Forescout Device Cloud provide device classification capabilities to determine device function, OS, vendor, and model.
- Coverage across all locations, networks and device types, without blind spots, with or without 802.1X authentication.
- Agentless assessment of security posture, risk and compliance; automated policy-based remediation workflows; assessing and mitigating risk from device decay as employees return to office.
- Network Segmentation: Baselining of existing network communications between devices and non-disruptive implementation of segmentation policies.
- Access Enforcement: Block rogue and unauthorized devices, enforce least privilege access across networks.
- Single platform for all managed, unmanaged and unagentable devices – IT, IoT, IoMT, ICS/OT and virtual/cloud instances.
- 20+ passive and active visibility techniques with passive-only options.
- Agentless assessment for Windows, macOS, Linux and IoT devices.
- Unified policy engine for automating posture assessment, remediation, incident response and network access workflows.
Portnox Core is an on-premise network access control solution that provides actionable network and device visibility, as well as automating enforcement actions. This agentless, software-based, and vendor-agnostic product provides device intelligence, full network view, and full customization of remediation and action scripts.
- No network prep work required, no appliance installations or infrastructure changes.
- Web based UI with smart workflows, onboarding, and automated response actions.
- No need to replace appliances when increasing the number of devices, clusters and backups done via software.
- Visibility into VoIP, IoT, and BYOD.
- Portnox Clear is a managed service that provides network visibility, continuous risk monitoring, and remediation of endpoints across all access layers.
- Enhance remote access security for VPN, VDI, and enterprise cloud applications with continuous endpoint risk monitoring and device remediation.
- Secure WiFi access in the cloud regardless of location or device type, through identity-based authentication that leverages personal credentials or digital certificates.
InfoExpress offers a family of appliances to meet different NAC requirements. They support enforcement that secures access for mobile, desktop, and IoT devices without network changes. The enterprise version is the CGX server. It can be deployed as a VM or appliance that provides a full suite of network access control applications to create a flexible and custom NAC solution.
- Optionally install agents to provide granular policy compliance and to deploy Dynamic NAC to control access.
- Detect and enforce unknown devices on the network.
- Limit guests to needed resources.
- Support access for personal employee devices.
- Manage compliance for corporate devices.
- A policy builder can create custom rule sets using information about the user, directory membership, device, location, time and more.
- Policies can invoke operations such as flagging devices, sending alerts, and restricting access.
- Selective network access is provided based on the results of policy rules.
- In-band enforcement is supported as part of the appliance. Out-of-band enforcement is supported by integrating with the existing wired or wireless network or through its Dynamic NAC feature.
- Additional applications can be hosted on the CGX server platform. These address additional needs, such as registering guests, managing employee devices, enhanced compliance and MDM integration.
Auconet BICS detects every endpoint, using MAC-based authentication, 802.1X, or both in combination, for each type of device. Its multilayer approach to network security works with IT and industrial networks, at the device and user levels. It can authorize users, devices, and ports, separately or in any combination, or block any of them, according to predefined policies.
- Auconet delivers a framework for Mobile Device Management (MDM) and BYOD.
- Automatically detects attempts at unauthorized access, protecting sensitive data with an app-based VPN tunnel.
- A central administrator console enables control over devices on mobile platforms, including the ability to block or wipe data from each device.
- VLAN assignment, based on security policies to streamline the provisioning, authorization, and tracking of guests.
- BICS discovers, recognizes, authorizes access for, and controls infrastructure.
- Monitors and protects one or many networks from a single console.
- Multi-tenant BICS implementations secure access to hundreds of separate networks at once.
- Safeguards ATMs and cash-handling systems, including point-of-sale (POS) devices such as cash registers and self-service ticket kiosks.
Pulse Policy Secure
Pulse Policy Secure (PPS) provides visibility and NAC for local or remote endpoints. It enforces foundational security policies and controls network access for managed and unmanaged endpoints, including IoT. It uses Zero Trust principles to manage network access by validating the user and the device’s security posture, then connecting the device under a least-privilege access policy. The platform integrates with a wide range of switching, Wi-Fi, and firewall products to enforce access policies.
- Bidirectional integration with third-party security solutions.
- Automated responses to Indicators of Compromise (IoCs) reduce remediation time.
- Integrates with NGFWs from Palo Alto Networks, Check Point, Juniper, and Fortinet, as well as SIEM solutions such as IBM QRadar and Splunk.
- Integration with McAfee ePolicy Orchestrator (McAfee ePO) fortifies endpoint management and automated threat response.
- For OT/IIoT visibility and control, PPS integrates with Nozomi Guardian.
- PPS includes three components. Pulse Profiler identifies and classifies endpoint devices, including IoT, and provides end-to-end visibility, reporting, and behavior analytics. Pulse Policy Secure provides a policy engine that leverages contextual information from users, endpoints, and applications. Pulse Client offers agent and agentless options for pre- and post-admission control and incorporates the Host Checker functionality, which verifies an endpoint’s security posture.
- Centralized visibility and policy management of all endpoints, including IoT.
- Granular assessment of endpoint security posture before allowing access.
- Dynamic network segmentation based on user role and/or device class.
- Roaming between remote and local, using Pulse Connect Secure Integration.
Extreme Networks ExtremeControl provides centralized visibility and control over endpoints in wired and wireless networks. It securely enables BYOD and IoT to protect against external threats. It is integrated with enterprise platforms for network security, enterprise mobility management, and analytics. In addition, it offers an open northbound API for customized integrations to key enterprise platforms.
- ExtremeControl enables granular controls over who, what, when, where, and how endpoints are allowed on the network.
- Matches endpoints with attributes, such as user, time, location, vulnerability, or access type to create a contextual identity.
- Role-based identities follow a user, no matter from where or how they connect.
- Reporting of all valid user authentications and failures, together with a real-time state table of all connected users and devices, alerts administrators to potential issues.
- Testing of new policies, using passive policies for what-if scenarios prior to enforcement.
- Identify threats by profiling and tracking users and devices, as well as monitoring the health and compliance of devices before and after access.
- Third-party policy support, via user-based ACLs.
- Securely onboard guests and BYOD devices with extensive customization, branding and sponsor-based approvals.
- Built-in device profiling using various internal and external profiling techniques.
OPSWAT acquired some of its NAC technology from Impulse. OPSWAT MetaAccess NAC ensures every network connection and endpoint device is visible and is allowed or blocked in real time. Agentless device identification and profiling provides detailed visibility into each device’s username, IP address, MAC address, role, device type, location, time, and ownership. It uses heuristics and pattern analysis for device profiling.
- MetaAccess NAC discovers new IoT and user devices that attempt network access.
- Devices can either be profiled passively or quarantined until their device type is explicitly known.
- Deep Device Fingerprinting.
- Web Browser User Agent Identification.
- Control IoT or browser-less device access, such as printers, VoIP phones, thermostats and lights, or industrial devices.
- Consolidated view of traditional systems, mobile and IoT devices, and operational technology systems.
- Option for SafeConnect to recognize certain device types and passively allow them access.
- Option to whitelist a group of devices with the MAC address, ensuring only these specific MAC addresses will get on the network.
- Windows, macOS, and mobile devices are checked with deep Endpoint Assessments prior to granting network access.
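The MetaAccess bullets above combine several profiling inputs (MAC-based fingerprinting, browser User-Agent identification, an explicit MAC whitelist) with the rule that an unrecognised device is quarantined until its type is known, and that browser-capable devices go through endpoint assessment before access. The following Python sketch is added here to show how those inputs fit together; it is not OPSWAT's code, and the OUI table, vendor-to-class mapping, User-Agent patterns and whitelist entries are all constructed sample values (a real profiler would use the IEEE OUI registry and far richer signals).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OUI (first three MAC octets) -> manufacturer. Constructed entries, not real registry data.
OUI_VENDOR: Dict[str, str] = {
    "00:aa:11": "ExamplePrinterCo",
    "00:bb:22": "ExamplePhoneCo",
    "00:cc:33": "ExampleSensorCo",
}
# Manufacturer -> device class the OUI implies (constructed; all headless classes here)
VENDOR_CLASS: Dict[str, str] = {
    "ExamplePrinterCo": "printer",
    "ExamplePhoneCo": "voip-phone",
    "ExampleSensorCo": "iot-sensor",
}
# Browser User-Agent patterns -> device class; first match wins (constructed)
UA_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"Windows NT"), "windows-workstation"),
    (re.compile(r"Macintosh"), "mac-workstation"),
    (re.compile(r"iPhone|iPad"), "ios-mobile"),
    (re.compile(r"Android"), "android-mobile"),
]
BROWSER_CAPABLE = {cls for _, cls in UA_PATTERNS}
# Headless classes admitted passively on their profile alone (constructed policy)
PASSIVELY_ALLOWED = {"printer", "voip-phone"}
# Explicitly whitelisted MAC addresses (constructed)
MAC_WHITELIST = {"00:cc:33:00:00:10"}


@dataclass
class Observation:
    mac: str
    user_agent: Optional[str] = None   # seen in HTTP traffic or at a captive portal, if any


def oui_class(mac: str) -> Optional[str]:
    """Device class implied by the MAC's manufacturer prefix, or None if the OUI is unknown."""
    vendor = OUI_VENDOR.get(mac.lower()[:8])
    return VENDOR_CLASS.get(vendor) if vendor else None


def ua_class(user_agent: Optional[str]) -> Optional[str]:
    """Device class implied by a browser User-Agent string, or None if absent/unmatched."""
    if not user_agent:
        return None
    for pattern, cls in UA_PATTERNS:
        if pattern.search(user_agent):
            return cls
    return None


def profile(obs: Observation) -> Tuple[str, bool]:
    """Return (device class, conflict flag).

    A conflict means the two evidence sources disagree, e.g. a MAC registered to a
    printer manufacturer presenting a desktop browser. The profiler reports it rather
    than silently picking one source, because that is exactly the case an operator
    should look at."""
    by_oui = oui_class(obs.mac)
    by_ua = ua_class(obs.user_agent)
    if by_oui and by_ua and by_oui not in BROWSER_CAPABLE:
        return "unknown", True
    return by_ua or by_oui or "unknown", False


def admission(obs: Observation) -> Tuple[str, str]:
    """Return (device class, action). Actions: allow, assess, quarantine."""
    cls, conflict = profile(obs)
    if conflict:
        return cls, "quarantine"      # conflicting evidence overrides every allow rule
    if obs.mac.lower() in MAC_WHITELIST:
        return cls, "allow"           # explicitly approved MAC
    if cls in PASSIVELY_ALLOWED:
        return cls, "allow"           # recognised headless type admitted passively
    if cls in BROWSER_CAPABLE:
        return cls, "assess"          # endpoint assessment before network access
    return cls, "quarantine"          # unknown or not-yet-approved device type


if __name__ == "__main__":
    for obs in [
        Observation("00:AA:11:12:34:56"),
        Observation("00:cc:33:00:00:11"),
        Observation("f0:f0:f0:00:00:01", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
        Observation("00:aa:11:00:00:99", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ]:
        print(obs.mac, admission(obs))
```

Two design points are worth noting. The default for anything unrecognised is quarantine, not allow, which is what "quarantine until device type is explicitly known" means in practice. And the conflict check illustrates why a profiler should weigh several signals: a MAC prefix or whitelist entry on its own only identifies what a device claims to be, so a whitelisted address behaving unlike its registered class is sent to quarantine for review rather than admitted.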