Software-Defined Network Access Control Requirements Part 3

The solution should support Guest network access, both wired and wireless with the flexibility of creation, auto purging and access control via access lists. The NAC solution should provide three ways in which it can provide Guest access: Hotspot (immediate non-credentialed access), Self-Registration and Sponsored Guest access. NAC should also provide a rich set of APIs to integrate with other systems such as vendor management systems to create, edit and delete Guest accounts.

Further, the various portals that the end user sees should be able to be completely customized with the right font, color, themes, etc. to match the look and feel of the enterprise’s brand. NAC should create local accounts for Guests. These accounts can be created by an employee hosting the Guest (the Sponsor) using a built-in portal or created by the Guest themselves by providing some basic info. The Guest can receive credentials via email/SMS and use that to authenticate themselves to the network and thereby get network access. The admin can define what level of access to provide to such users.

The solution should support Integration with third party solutions e.g., VPN concentrators/firewalls as well as the ability to integrate with AD for proxying Radius requests for Authentication, and authorization including the capability to extend posture services across the VPN.

Access Control with NAC should support returning back a VLAN and a Service specific identifier attribute which will automatically map the VLAN to its relevant network segment. The NAC solution should provide support where Endpoints can be tagged and the tags used to enforce effective network access control policies and can also be shared with eco-system partners to enrich their services.

The solution should support devices that do not support 802.1x protocol. Provide authentication support for devices that do not support 802.1x protocol using MAB which is listed among other authentication techniques that include 802.1x, Web Authentications etc.

It should provide AAA device administration and audit configuration of network devices.

Support for rogue/anomalous behavior detection. The NAC solution should provide ability to detect and quarantine rogue devices (devices exhibiting anomalous behavior) in the network. Ability to achieve this through API with third party IPS/FWs to quarantine devices that are identified by the IPS/FW as violators to security rules and as sources of threat should also be provided.

The solution should be able to monitor changes to specific attributes and profiles for connected endpoints. If a change matches one or more of preconfigured anomalous behavior rules, NAC should mark the endpoint as Anomalous. Once detected, NAC can take action (with CoA) and enforce certain policies to restrict access of the suspicious endpoint. One of the use cases for this feature includes detection of MAC address spoofing.

The solution should support Posture Policy that will define the set of requirements for an endpoint to be deemed “Compliant,” based on file, registry, process, application, Windows, and AV/AS checks etc, and rules. The NAC solution should provide Posture which leverages installed and temporal agents looking inside the endpoint to provide assurance that operating system patches, antimalware, firewall, and more are installed, enabled, and up to date before authorizing the device onto the network.

Compliance Enforcement allows taking an overall compliance status, derived through either NACs own Posture engine or through said MDM/EMM integrations, and use it in an access policy. Combined with other attributes, e.g., identity, this enables a powerful capability that lowers the organizational risks and shrinks the overall threat surface created by non-compliant, unhygienic endpoints trying to connect to the network.

Such a policy can allow fully compliant endpoints to have full access to required resources by the user using it, while allowing access to only remediation systems, help-desk systems and/or low-risk services by endpoints found non-compliant. Using either NAC’s Posture engine or an MDM, an organization can evaluate how many endpoints are compliant, and ensure that non-compliant endpoint with outdated and/or unsupported software cannot access critical resources.

This completes our breakdown of what a NAC solution should be. Network Access Control, otherwise known as Network Admission Control in summary, is the process of restricting unauthorized users and devices from gaining access to a corporate or private network. NAC ensures that only users who are authenticated and devices that are authorized and compliant with security policies can enter the network.