If implemented properly, network access control can significantly lower the overall security risks faced by an enterprise.
The basic premise of network access control (NAC) is that it allows only authorised and compliant devices to access and operate on a network.
Unfortunately, many NAC offerings are too complex to implement, expensive to acquire and easy to bypass. However, there are signs that this is changing.
Despite all the hype about NAC, the market today is moving forward, especially in terms of a more commonly understood definition of what an NAC solution is expected to provide. At the same time, enterprises are more aware of their needs. Based on their initial exposure to NAC projects, enterprises have established a clear demand for a strong technology that delivers a fast time-to-value at a reasonable cost.
Little has changed, however, in closing the weaknesses that allow each of the available approaches to NAC to be bypassed.
Real-time device detection remains a serious problem that has not yet been addressed. Most NAC solutions do not maintain real-time contextual information about the network and the elements attached to it: which devices are present, where they are connected and what they are. Simply put, without real-time knowledge of the network and its elements, NAC is not achievable; a control that learns of a device only after it has been on the network for some time has already failed to control its access.
The list of further weaknesses is long. Some NAC solutions cannot even identify rogue devices, let alone prevent them from accessing the network, while others provide no user authentication at all. Some erroneously rely on vulnerability scans to decide whether a device complies with the defined access policy, even though a scan captures only the state a device exposes at one moment and says nothing about its state a minute later. Most rely on the switching infrastructure to provide a shared quarantine, such as a quarantine VLAN, in which every non-compliant device can reach every other one. These weaknesses open bypass opportunities from both inside and outside the network.
The outcome of these and other weaknesses is that many of the NAC solutions being implemented today can be bypassed easily. Incomplete visibility is not security: knowing less than 100 percent of the devices on the network, and reacting to changes only after they have occurred, is simply not enough. If these weaknesses are not addressed, NAC will merely offer compliance checks on known devices, rather than the intended network access control that allows only authorised and compliant devices and users to access and operate on the network.
Both existing and potential users want less complex solutions, which rules out NAC deployments that require changes to the network architecture or the rollout of agents on every endpoint. The market wants easily implemented solutions that do not depend on the networking infrastructure to provide the NAC functionality; obtaining read/write access to that infrastructure is itself a non-trivial operational and security issue.
NAC will fulfil its promise to lower an organisation's overall security risk when the NAC process isolates every device as it attaches to the network, and grants a device access only if it is authorised, its user is authenticated and it complies with the enterprise network access policy.
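To make that admission rule concrete, the following is an added Python model; it is not code from the original article or from any Insightix product. It keeps a live table of devices, makes a decision the moment a device is first seen or moves port (rather than on a later scan), and isolates anything that is not simultaneously an authorised device, an authenticated user and compliant with policy. The event format, the inventory tables, the posture fields and the sample events are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed event format for this example (not a real switch or DHCP log format):
# "<timestamp> <dhcp|arp> <verb> mac=<mac> ip=<ip> port=<switch/port>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>dhcp|arp) \S+ mac=(?P<mac>[0-9a-f:]{17}) "
    r"ip=(?P<ip>[0-9.]+) port=(?P<port>\S+)$"
)

# Constructed inventory. In a real deployment these would come from the asset
# register, the authentication server and the posture assessment of the device.
AUTHORISED_DEVICES = {
    "00:11:22:33:44:01": "laptop-alice",
    "00:11:22:33:44:02": "laptop-carol",   # authorised, but nobody has logged in yet
    "00:11:22:33:44:03": "laptop-bob",     # authorised, but out of date
}
AUTHENTICATED_USERS = {                    # mac -> user who authenticated on that device
    "00:11:22:33:44:01": "alice",
    "00:11:22:33:44:03": "bob",
}
REQUIRED_POSTURE = {"av_current": True, "min_patch_level": 20240101}
POSTURE = {                                # mac -> posture reported at admission time
    "00:11:22:33:44:01": {"av_current": True, "patch_level": 20240115},
    "00:11:22:33:44:02": {"av_current": True, "patch_level": 20240110},
    "00:11:22:33:44:03": {"av_current": False, "patch_level": 20231201},
}

# Constructed sample events: three known devices, one rogue device, one repeat
# sighting with nothing changed, and one known device moving to a new port.
SAMPLE_EVENTS = [
    "2024-01-01T09:00:00Z dhcp ack mac=00:11:22:33:44:01 ip=10.0.1.20 port=sw1/12",
    "2024-01-01T09:00:05Z arp seen mac=00:11:22:33:44:02 ip=10.0.1.21 port=sw1/13",
    "2024-01-01T09:00:09Z arp seen mac=de:ad:be:ef:00:01 ip=10.0.1.77 port=sw1/14",
    "2024-01-01T09:00:12Z dhcp ack mac=00:11:22:33:44:03 ip=10.0.1.22 port=sw1/15",
    "2024-01-01T09:00:30Z arp seen mac=00:11:22:33:44:01 ip=10.0.1.20 port=sw1/12",
    "2024-01-01T09:05:00Z dhcp ack mac=00:11:22:33:44:01 ip=10.0.1.20 port=sw1/20",
]


@dataclass(frozen=True)
class Decision:
    mac: str
    port: str
    action: str        # "allow" or "isolate"
    reasons: tuple     # empty when the device is allowed


def parse_event(line):
    """Parse one constructed event line into its fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def is_compliant(posture):
    """Evaluate the device's current posture against the access policy."""
    if posture is None:
        return False
    return (posture.get("av_current") == REQUIRED_POSTURE["av_current"]
            and posture.get("patch_level", 0) >= REQUIRED_POSTURE["min_patch_level"])


def admission_decision(mac, port):
    """All three conditions must hold; every failing one is recorded as a reason."""
    reasons = []
    if mac not in AUTHORISED_DEVICES:
        reasons.append("unknown device")
    if AUTHENTICATED_USERS.get(mac) is None:
        reasons.append("no authenticated user")
    if not is_compliant(POSTURE.get(mac)):
        reasons.append("non-compliant posture")
    return Decision(mac, port, "allow" if not reasons else "isolate", tuple(reasons))


class Gatekeeper:
    """Live device table: decide at first sight, and again whenever a device moves."""

    def __init__(self):
        self.seen = {}   # mac -> port where it was last observed

    def process(self, line):
        ev = parse_event(line)
        mac, port = ev["mac"], ev["port"]
        first_sight = mac not in self.seen
        moved = not first_sight and self.seen[mac] != port
        self.seen[mac] = port
        if first_sight or moved:
            return admission_decision(mac, port)
        return None   # nothing changed, so no new decision is needed


def process_events(lines):
    """Run the gatekeeper over event lines; returns the decisions it made."""
    gk = Gatekeeper()
    return [d for d in (gk.process(line) for line in lines) if d is not None]


if __name__ == "__main__":
    for d in process_events(SAMPLE_EVENTS):
        print(f"{d.mac} on {d.port}: {d.action} {', '.join(d.reasons)}")
```

Two design points follow from the article's criticisms. The decision is keyed to the device and the port it appeared on, so an "isolate" action can be applied per device rather than by dropping everything into one shared quarantine VLAN; and posture is evaluated from the device's state at admission time and re-evaluated when the device moves, not taken from an earlier scan.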
Ofir Arkin is the co-founder and chief technology officer of NAC provider Insightix.