Network Access Control (NAC)
by Naveen Sharma - CISSP - Monday, 26 November 2007.
The three cardinal questions for security compliance, which every network administrator and owner endeavours to answer, are:
  • How do I stop unauthorized users and endpoints from accessing resources on my network, whether through wired or wireless means?
  • How do I validate the user’s and endpoint’s health status? For example: assess the level of operating system patches installed and the status of malware detection engines and definitions.
  • How do I remediate the endpoints and users if they fail the above, and present a layered “defense in depth” with security technologies in a co-operative environment?
Often these questions remain unanswered, and the results are visible in the news and reports.

NAC, or the endpoint security solution, can provide the answer to all of the above questions - and more - if designed and configured properly. This article presents the NAC architecture with the details of its major components and their functionality, along with considerations for implementation in real production environments.

Vendors have promoted NAC solutions leveraging their own product offerings. For example, Cisco's NAC uses the Cisco PIX firewall, ASA appliances, routers and switches to perform NAC functions. On the other hand Microsoft, being the dominant provider of operating systems, has offered NAC (by the name of NAP, or Network Access Protection) built on its product line, such as Windows Server, Windows XP and recently Windows Vista. I will use the terms NAC and endpoint security interchangeably for the ease of the reader.

NAC solutions provide the following:
  • Determine the security posture of clients.
  • Grant access to various parts of the network, depending upon the outcome of the first step.
  • Remediate compliance failures, and distribute policy to endpoints.
For example, if a policy says to deny access to endpoints whose patch level is older than 30 days, then NAC will restrict the access of those clients which are non-compliant with this policy, and optionally a remediation process will be invoked to make that client compliant by downloading and installing the required patches. The three keywords in the NAC process are: Identify, Assess and Remediate.
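The Identify, Assess and Remediate cycle above, as an added example that is not part of the original article: a small policy engine that takes a posture report (as an agent or scanner would return it), applies the 30-day patch rule from the text plus an assumed 7-day rule for malware definitions, and maps the failures to a grant, remediate or deny decision for the enforcement point. The posture fields, the 7-day threshold and the failure-to-decision mapping are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List

class Decision(Enum):
    GRANT = "grant"          # full access to the production network
    REMEDIATE = "remediate"  # quarantine VLAN reaching only patch and AV servers
    DENY = "deny"            # no access

@dataclass
class Posture:
    """Constructed posture report (dates as ISO strings), as an agent,
    browser plug-in or scanner would supply it to the policy service."""
    endpoint_id: str
    last_patch: str          # date the last OS patch was installed
    engine_running: bool     # is the malware detection engine active?
    definitions_date: str    # date of the malware definition set

@dataclass
class Policy:
    max_patch_age_days: int = 30        # the 30-day threshold from the text
    max_definitions_age_days: int = 7   # assumed value for this example

def age_days(iso_date: str, today: str) -> int:
    return (date.fromisoformat(today) - date.fromisoformat(iso_date)).days

def assess(p: Posture, policy: Policy, today: str) -> List[str]:
    """Assess: return the names of the policy checks the endpoint fails."""
    failures = []
    if age_days(p.last_patch, today) > policy.max_patch_age_days:
        failures.append("patch-level")
    if not p.engine_running:
        failures.append("malware-engine")
    if age_days(p.definitions_date, today) > policy.max_definitions_age_days:
        failures.append("definitions")
    return failures

def decide(failures: List[str]) -> Decision:
    """Stale patches or definitions can be fixed from the remediation network;
    a stopped engine is denied outright (this mapping is the example's own choice)."""
    if not failures:
        return Decision.GRANT
    if "malware-engine" in failures:
        return Decision.DENY
    return Decision.REMEDIATE

def enforce(p: Posture, policy: Policy, today: str):
    """Identify (endpoint_id), assess, decide; the enforcement point applies the result."""
    failures = assess(p, policy, today)
    return decide(failures), failures
```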

The previous figure shows a high-level NAC architecture in which end users access enterprise resources over wireless, VPN and LAN. We have the option of enforcing the policies at the firewall, or at another access device such as a Layer 2/3 switch or a DHCP server.

The fundamental components of a NAC solution are:

1. Endpoints
2. Enforcement points
3. Policy and remediation services

Vendor offerings may comprise any combination of the above NAC components. Understanding these components will allow the reader to differentiate one vendor offering from another in a pragmatic manner.


First, there must be a mechanism to determine the security posture of the endpoint machine before any identity and access management decision is taken. The endpoint assessment technologies currently available include:
  • Agent-less: nothing is downloaded or installed on the endpoint host.
  • Agent: An application is pre-installed or downloaded at the first connection.
  • ActiveX or browser plug-in: this is downloaded to the endpoint when connection is attempted.
  • Scanner: performs an IP based vulnerability scan to determine the installed patches, services etc on the endpoint.
The agent-less approach uses an endpoint's administrative account to connect (via Windows RPC) from central user management systems to all the endpoints. The administrative overhead is considerable, adding to the cost of this approach.

