Network Access Control

Network Access Control (NAC) is an approach to computer network security that unifies endpoint security technology (such as antivirus, host intrusion prevention and vulnerability assessment), user or system authentication[1] and network security enforcement[2].


Background

Network Access Control is a computer networking concept and set of protocols that describe how to secure network nodes before those nodes are allowed onto the network. NAC also integrates automatic remediation (fixing non-compliant nodes before allowing access) into the network systems, so that infrastructure such as routers, switches and firewalls works together with back-office servers and end-user computing equipment to ensure the information system is operating securely before interoperability is allowed.


Network Access Control (NAC) aims to do exactly what the name implies: control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.


"NAC's roots trace back to the trusted computing movement. In this context an open-architecture was created as an alternative to proprietary NAC initiatives. TNC-WG aims at enabling network operators to provide endpoint integrity at every network connection, thus enabling interoperability among multi-vendor network endpoints.[3]" seems to pertain to nothing in the article.


Goals of Network Access Control

Because NAC represents an emerging category of security products, its definition is both evolving and controversial. The overarching goals of the concept can be distilled to:

Mitigation of zero-day attacks
The key value proposition of NAC solutions is the ability to prevent end-stations that lack antivirus, patches or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination by network worms. Strictly speaking, a posture check can only verify the presence of patches and signatures that already exist; what it mitigates is exposure to known vulnerabilities on unprotected hosts, not an exploit for which no patch or signature has yet been published.
Policy enforcement
NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.
Identity and access management
Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.


Concepts

Pre-admission and post-admission

There are two prevailing design philosophies in NAC, based on whether policies are enforced before or after end-stations gain access to the network. In the former case, called pre-admission NAC, end-stations are inspected prior to being allowed on the network. A typical use case of pre-admission NAC would be to prevent clients with out-of-date antivirus signatures from talking to sensitive servers. Alternatively, post-admission NAC makes enforcement decisions based on user actions, after those users have been provided with access to the network.
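The two philosophies above can be shown side by side in code. The following is an added example written for this page, not code from the article or from any NAC product; the 7-day signature threshold, the single "sensitive servers" subnet, the posture fields, the fixed date used as "now" and the role-based rule are all my assumptions. The pre-admission function inspects an end-station before it is admitted and records every failed check so remediation can be specific; the post-admission monitor watches what an already-admitted station does and revokes its access the first time it violates policy.

```python
"""Pre-admission posture check and post-admission monitoring for NAC.

Added illustration, not code from the article or from any NAC product.
Assumptions (mine, not the article's): a 7-day maximum antivirus signature
age, one "sensitive servers" subnet, a flat posture record per endpoint and
a fixed "today" so the example is reproducible offline.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

SIGNATURE_MAX_AGE = timedelta(days=7)            # assumed policy threshold
SENSITIVE_NETS = [ip_network("10.10.0.0/24")]    # assumed sensitive-server range
TODAY = date(2024, 5, 1)                         # fixed "now" for reproducibility


@dataclass
class Posture:
    """What an agent (or a remote scan) reports about an end-station."""
    mac: str
    av_installed: bool
    av_signature_date: date
    hips_running: bool
    missing_critical_patches: int


@dataclass
class Decision:
    admitted: bool
    reasons: list = field(default_factory=list)


def pre_admission(p: Posture, today: date = TODAY) -> Decision:
    """Inspect the endpoint before it is allowed onto the network.

    Every failed check is recorded so the remediation step can tell the
    user exactly what to fix instead of a bare "access denied"."""
    reasons = []
    if not p.av_installed:
        reasons.append("no antivirus installed")
    elif today - p.av_signature_date > SIGNATURE_MAX_AGE:
        reasons.append("antivirus signatures out of date")
    if not p.hips_running:
        reasons.append("host intrusion prevention not running")
    if p.missing_critical_patches > 0:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")
    return Decision(admitted=not reasons, reasons=reasons)


class PostAdmissionMonitor:
    """Enforce policy on what already-admitted endpoints do.

    Assumed rule: only the 'admin' role may talk to the sensitive subnet;
    any other role that tries loses its network access."""

    def __init__(self, roles_allowed_sensitive=("admin",)):
        self.allowed = set(roles_allowed_sensitive)
        self.revoked = {}  # mac -> reason access was revoked

    def observe(self, mac: str, role: str, dst_ip: str) -> bool:
        """Return True if the flow may proceed, False if the endpoint is cut off."""
        if mac in self.revoked:
            return False
        dst = ip_address(dst_ip)
        if role not in self.allowed and any(dst in net for net in SENSITIVE_NETS):
            self.revoked[mac] = f"role {role!r} contacted sensitive host {dst_ip}"
            return False
        return True


# Constructed sample endpoints (not real data).
SAMPLE_ENDPOINTS = {
    "compliant": Posture("aa:bb:cc:dd:ee:01", True, date(2024, 4, 29), True, 0),
    "stale":     Posture("aa:bb:cc:dd:ee:02", True, date(2024, 3, 1), True, 2),
    "bare":      Posture("aa:bb:cc:dd:ee:03", False, date(2024, 1, 1), False, 0),
}

if __name__ == "__main__":
    for name, posture in SAMPLE_ENDPOINTS.items():
        d = pre_admission(posture)
        print(f"{name:10} admitted={d.admitted} reasons={d.reasons}")
    mon = PostAdmissionMonitor()
    print(mon.observe("aa:bb:cc:dd:ee:01", "staff", "10.20.0.5"))  # allowed
    print(mon.observe("aa:bb:cc:dd:ee:01", "staff", "10.10.0.7"))  # revoked
    print(mon.revoked)
```

Note that the post-admission monitor keeps its own revocation state: once a station is cut off, later flows from it are refused without re-evaluating the rule, which is what a real enforcement point would do until the station re-authenticates.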


Agent versus agentless

The fundamental idea behind NAC is to allow the network to make access control decisions based on intelligence about end-systems, so the manner in which the network is informed about end-systems is a key design decision. A key difference among NAC systems is whether they require agent software to report end-system characteristics, or whether they use scanning and network inventory techniques to discern those characteristics remotely.


Out-of-band versus inline

In some out-of-band systems, agents are distributed on end-stations and report information to a central console, which in turn can control switches to enforce policy. In contrast, inline solutions can be single-box solutions that act as internal firewalls for access-layer networks and enforce the policy themselves. Out-of-band solutions have the advantage of reusing existing infrastructure; inline products can be easier to deploy on new networks, and may provide more advanced network enforcement capabilities, because they are directly in control of individual packets on the wire. However, there are agentless products that combine the easier, less risky out-of-band deployment with techniques that deliver inline-style enforcement against non-compliant devices where enforcement is required.


Remediation, quarantine and captive portals

Network operators deploy NAC products with the expectation that some legitimate clients will be denied access to the network (if users never had out-of-date patch levels, NAC would be unnecessary). Because of this, NAC solutions require a mechanism to remediate the end-user problems that deny them access.


Two common strategies for remediation are quarantine networks and captive portals:

Quarantine
A quarantine network is a restricted IP network that provides users with routed access only to certain hosts and applications. Quarantine is often implemented in terms of VLAN assignment: when a NAC product determines that an end-user is out of date, their switch port is assigned to a VLAN that is routed only to patch and update servers, not to the rest of the network. Other solutions use address-management techniques (such as the Address Resolution Protocol (ARP) or the Neighbor Discovery Protocol (NDP)) for quarantine, avoiding the overhead of managing quarantine VLANs.
Captive portals
A captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computer. Until their computer passes automated inspection, no network usage besides the captive portal is allowed. This is similar to the way paid wireless access works at public access points. Interception only works cleanly for plaintext HTTP; redirecting an HTTPS request produces a certificate warning in the browser, so portals rely on the client making at least one plain HTTP request.
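The two remediation mechanisms above, VLAN-based quarantine and the captive portal, can be expressed in a few lines. The following is an added example written for this page, not code from the article or from any NAC product. The VLAN numbers, the portal host `portal.example.internal`, the patch server name and the proxy's decision function are my assumptions; the RADIUS attribute names and values for dynamic VLAN assignment (Tunnel-Type 13 for VLAN, Tunnel-Medium-Type 6 for IEEE-802, Tunnel-Private-Group-ID carrying the VLAN ID) are those defined in RFC 3580.

```python
"""Quarantine VLAN assignment and captive-portal redirect for NAC remediation.

Added illustration, not code from the article or from any NAC product.
Assumptions (mine, not the article's): VLAN 100 is production, VLAN 999 is
the quarantine VLAN routed only to update servers, and the remediation portal
is a hypothetical host portal.example.internal.
"""
from urllib.parse import quote

PRODUCTION_VLAN = 100                      # assumed
QUARANTINE_VLAN = 999                      # assumed: routed only to update servers
PORTAL_HOST = "portal.example.internal"    # hypothetical remediation portal
# Hosts a quarantined client may still reach (hypothetical names).
REACHABLE_FROM_QUARANTINE = {PORTAL_HOST, "patch.example.internal"}


def vlan_attributes(compliant: bool) -> dict:
    """RADIUS Access-Accept attributes that move the client's switch port
    into a VLAN (RFC 3580): Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 =
    IEEE-802, Tunnel-Private-Group-ID = VLAN ID as a string."""
    vlan = PRODUCTION_VLAN if compliant else QUARANTINE_VLAN
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def portal_response(compliant: bool, request_line: str, host_header: str) -> tuple:
    """Decide how the intercepting proxy handles one plaintext HTTP request.

    Returns ("forward", None) to pass the request upstream, or
    ("redirect", url) to answer with a 302 to the remediation portal. The
    original URL is carried in `next` so the portal can send the user back
    once the endpoint passes inspection. Requests to the portal and the
    patch server are always forwarded, otherwise remediation could never
    complete."""
    _method, target, _version = request_line.split(" ", 2)
    if compliant or host_header in REACHABLE_FROM_QUARANTINE:
        return ("forward", None)
    original = f"http://{host_header}{target}"
    return ("redirect", f"http://{PORTAL_HOST}/remediate?next={quote(original, safe='')}")


if __name__ == "__main__":
    print(vlan_attributes(False))
    print(portal_response(False, "GET /news?x=1 HTTP/1.1", "www.example.com"))
    print(portal_response(False, "GET /updates HTTP/1.1", "patch.example.internal"))
```

The `next` parameter is attacker-controlled once the client is on the network, so the portal application must validate it (for example, accept only http/https URLs with a host it is willing to return to) before redirecting, or it becomes an open redirect.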


Commercial NAC solutions

Vendors of commercial NAC products include McAfee, Sophos and Symantec.

References

  1. ^ IEEE 802.1: 802.1X: Port Based Network Access Control
  2. ^ Tutorial: Network Access Control Mike Fratto, Network Computing, July 17, 2007
  3. ^ Trusted Network Connect Work Group


 

The Wikipedia article included on this page is licensed under the GFDL.