Network Access Control (NAC)
by Naveen Sharma - CISSP - Monday, 26 November 2007.
In the agent-based approach an agent application is either pre-installed on the endpoint or installed when the NAC system prompts the user for it at their first logon to the network. Agents not only help determine the posture of the endpoint; working with the built-in host firewall, they can also enforce access control on the end-user machine and report to the NAC server. One disadvantage of the agent-based approach is that it rests on the assumption that the agent is pre-installed or will be installed at the first attempt to access the network; an endpoint that never receives the agent is a potential source of risk.

In the scanning method the NAC system scans the endpoint over the network and, based on the scan result, determines its posture for the next step: identity and access to network resources. Because the scan runs from the network rather than on the host, it may or may not be able to test the endpoint's patch level, anti-virus definition status, or particular file/registry values. Another issue is the time required to scan an endpoint, which is exacerbated at peak endpoint activity when many scans run simultaneously. With the ActiveX or browser plug-in approach, a plug-in is downloaded to the endpoint to determine its posture and report its compliance status; its advantage is comparatively low memory and CPU overhead.

Enforcement Points

Enforcement is the pivotal element of the whole NAC architecture, as this is where all the access decisions are implemented. NAC offerings from vendors tend to favour their own product lines: for example, some traditional network companies implement access control on their layer 2/3 switches, which may be a difficulty for users who have switches from other brands. The enforcement options currently available in the market are:
  • Inline: includes firewalls, layer 2/3 switches and purpose built appliances.
  • 802.1X: IEEE standard for port based access control.
  • DHCP: IP assignment restrictions.
Inline enforcement options include firewalls, layer 2/3 switches and purpose-built dedicated inline appliances. Some vendors' NAC solutions support other vendors' firewalls and switches as enforcement points, which is welcome news for users with a multi-vendor networking infrastructure.

Considerations for inline devices are:
  • Bandwidth requirements: the device must support the current traffic and provide future scalability, or it will become a choke point.
  • High availability: redundancy is expected in case the primary inline device fails, together with an acceptable failover time.
  • The degree of separation provided between the endpoints and the business-critical systems inside the network.
  • Reporting from the enforcement device, for both compliant and non-compliant endpoints.
802.1X, or port-based network access control, is an IEEE standard that carries the Extensible Authentication Protocol (EAP, an IETF standard) between the endpoint and the switch port; the switch relays the authentication to a RADIUS server and opens the port only on success. New-generation layer 2/3 switches can then place specific endpoints onto a separate VLAN (for example a quarantine VLAN for a non-compliant endpoint) and impose access control lists on that VLAN's traffic.
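As an added example (not code from the article, nor from any vendor's NAC product), the decision flow described above in Python: posture facts collected by an agent or a scan are evaluated against a policy, an endpoint with no agent fails closed (the risk noted in the agent-based section), and the resulting decision is expressed as the RADIUS Access-Accept attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, as specified in RFC 3580) that an 802.1X-capable switch uses to place the authenticated port on a production or quarantine VLAN. The policy thresholds, the VLAN names "corp" and "remediation", and the sample endpoints are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# RADIUS tunnel attribute values for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type: VLAN
TUNNEL_MEDIUM_TYPE_802 = 6   # Tunnel-Medium-Type: IEEE 802

# Assumed VLAN names for this example; real values are site-specific.
VLAN_FOR_DECISION = {"compliant": "corp", "quarantine": "remediation"}


@dataclass
class Posture:
    """Facts reported about an endpoint by an agent (or gathered by a scan)."""
    hostname: str
    agent_present: bool
    os_patch_level: str        # "YYYY-MM" of the newest installed patch bundle
    av_definition_date: date   # date of the installed anti-virus signatures
    host_firewall_enabled: bool


@dataclass
class Policy:
    """Minimum posture an endpoint must show to reach the production VLAN."""
    required_patch_level: str
    max_av_definition_age_days: int
    require_host_firewall: bool


def evaluate_posture(p: Posture, policy: Policy, today: date) -> List[str]:
    """Return the list of policy violations; an empty list means compliant.

    An endpoint without an agent cannot prove anything about itself, so it
    fails closed rather than being assumed healthy.
    """
    if not p.agent_present:
        return ["no posture agent: endpoint state unknown"]
    violations: List[str] = []
    # "YYYY-MM" strings compare correctly as plain strings.
    if p.os_patch_level < policy.required_patch_level:
        violations.append(f"patch level {p.os_patch_level} below {policy.required_patch_level}")
    av_age = (today - p.av_definition_date).days
    if av_age > policy.max_av_definition_age_days:
        violations.append(f"anti-virus definitions are {av_age} days old")
    if policy.require_host_firewall and not p.host_firewall_enabled:
        violations.append("host firewall disabled")
    return violations


def access_decision(p: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Map violations to the two outcomes the enforcement point understands."""
    violations = evaluate_posture(p, policy, today)
    return ("compliant" if not violations else "quarantine"), violations


def radius_vlan_attributes(vlan: str) -> Dict[str, object]:
    """Attributes the NAC/RADIUS server puts in Access-Accept so that an
    802.1X switch moves the authenticated port onto `vlan` (RFC 3580 s.3.31)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-ID": vlan,
    }


def enforce(p: Posture, policy: Policy, today: date) -> Dict[str, object]:
    """Full flow: posture -> decision -> RADIUS reply, plus a record for reporting
    that covers compliant and non-compliant endpoints alike."""
    decision, violations = access_decision(p, policy, today)
    return {
        "host": p.hostname,
        "decision": decision,
        "violations": violations,
        "radius_reply": radius_vlan_attributes(VLAN_FOR_DECISION[decision]),
    }


# Constructed sample endpoints (not real hosts) and a policy to exercise them.
POLICY = Policy(required_patch_level="2007-11", max_av_definition_age_days=7,
                require_host_firewall=True)
TODAY = date(2007, 11, 26)
SAMPLE_ENDPOINTS = [
    Posture("laptop-01", True, "2007-11", date(2007, 11, 25), True),    # healthy
    Posture("laptop-02", True, "2007-09", date(2007, 11, 10), False),   # three violations
    Posture("visitor-pc", False, "", date(2007, 1, 1), False),          # no agent
]

if __name__ == "__main__":
    for endpoint in SAMPLE_ENDPOINTS:
        print(enforce(endpoint, POLICY, TODAY))
```

The example stops at building the reply attributes; a real deployment hands them to the RADIUS server that the switch is configured to use, and whether Tunnel-Private-Group-ID is interpreted as a VLAN name or a numeric VLAN ID depends on the switch.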

