Industry Trends

Network Access Control (NAC): Use Cases & Best Practices

By Peter Newton | May 28, 2021

As organizations shift their business models to keep up with the technologically evolving world, their networks continue to grow more complex with the influx of new devices. In turn, security teams struggle to maintain visibility across remote, in-office, and hybrid work environments, increasing the potential for cybercriminals to gain entry into corporate networks without being detected. 

This post explains how network access control (NAC) solutions can address these issues and how security teams can leverage this technology as their networks work to adapt.

What is Network Access Control (NAC)?

Network access control is a centralized approach to secure network access in which policies are enforced across all devices and users. The primary goal of NAC is to keep unauthorized devices or users from accessing a private network. This is often done with zero trustaccess solutions that provide visibility into all devices on a private or corporate network. 

Though NAC technology has existed for nearly two decades, a new generation of solutions is now needed to protect the modern, ever-sprawling attack surface – one that only grew more complex amid the rapid shift to remote work. This makes it vital to have visibility into devices connecting from both inside and outside the network and an ability to automatically respond when/if devices are compromised.

With regulatory certifications and cybersecurity best practices requiring organizations to establish and maintain control of all connected devices, network visibility and dynamic policy control are key. As an important part of a Zero Trust Access (ZTA) model for security, NAC enables IT teams to easily monitor network on-boarding and control access to network resources.

Key Capabilities of Network Access Control Solutions 

A NAC solution's primary function is to deny access to unauthorized devices or users while allowing authorized devices and users appropriate access. Additional functionality of NAC solutions includes the following:

FortiNAC, Fortinet's network access control solution, provides visibility across the network for every device and user, including internet of things (IoT) devices. It also extends control of the network to third-party products enabling microsegmentation policies and changing of configurations on switches and wireless products from more than 170 vendors. FortiNAC also leverages automation to react to events in seconds, containing devices before they can allow viruses or hackers to spread across the network.

Use Cases for NAC Solutions 

In the modern world, physical and virtual devices often repeatedly join and leave a network, and the devices themselves can vary greatly in their risk profile. Understanding the different use cases for this technology informs a more comprehensive NAC solution. Common use cases include: 

  • IoT: The use of IoT devices only continues to grow. This includes their use in Operational Technology (OT) settings and connections to enterprise networks from home networks. Such devices can go unnoticed or unmonitored by older NAC solutions, making them a prime source of exploitation for cybercriminals. The right NAC solution will identify and monitor IoT devices, in addition to traditional devices.
  • BYOD (Bring Your Own Device): With employees working remotely from personal computers or accessing the corporate network from personal phones, a proper NAC solution must also be able to handle permissions and authentication of unfamiliar devices attempting to access the network.
  • Incident Response: In addition to simply controlling network access, a robust network access control solution should be able to respond to threats quickly and effectively. This is where automation comes into play. Automation in a NAC solution enforces security policies, shares contextual information, and isolates insecure devices at the point of connection to the network before they can do any damag
  • Contractors: Often, companies want to allow contractors, partners, or temporary workers access to only certain parts of the network. NAC can be used to maintain access privileges and prevent unauthorized access to certain parts of the network while ensuring guest users have smooth connectivity and a good experience.
  • Medicine: In the world of healthcare, there is a growing reliance on the Internet of Medical Things (IoMT) devices. But healthcare is a highly regulated industry, and network compliance is vital. Properly structured NAC solutions can provide the necessary protection of sensitive personal data and medical records in a network with multiple users and IoMT devices.
  • Compliance: Organizations can be fined if they do not meet regulatory requirements for their respective industries. NAC solutions can be considered a form of risk mitigation that helps enforce compliance controls under regulations such as HIPAA, SOX, or PCI-DSS.

In addition to the use cases described above, many organizations need NAC solutions to work across branch offices that may be located globally. FortiNAC, for example, can be implemented as part of a Secure SD-Branch solution, enabling customers to converge their security, WAN, and LAN. 

Best Practices for Network Access Control

A robust network access control solution is vital for any modern network in order to protect against threats. Becoming familiar with these six best practices will help you start off on the right foot:

1. Do your research

Make sure you purchase a NAC solution that fits your network’s actual needs. For modern businesses, this often means clear visibility into internal and external devices (including IoT), built-in enforcement tools, and dynamic policy controls. You may also need features that are specific to your industry, network size, or local regulatory requirements.

2. Set benchmarks for device access

Your NAC solution should help you keep a close eye on how many devices (and what kinds of devices) access your network on a day-to-day basis. Setting a baseline regarding how many devices access your network will help you immediately detect when there is abnormal activity on your network.

3. Adopt an identity-based permission structure

Make sure everyone on your network has an identity that can be verified. Once you’ve done that, create permissions based on an individual’s identity and only grant access to areas of the network that are instrumental to their day-to-day activities. You can always enable special permissions later – but being discerning about permissions will lower your chances of a catastrophic cyberattack. 

4. Establish special guest controls

It’s important to ensure every user on your network has a role – but for guests, some additional granularity may be needed. Set boundaries for users that aren’t full-fledged members of your organization and provide different tiers of access depending on their needs. For example, an outside sales representative will need limited, timed access. On the other hand, a contractor may need more in-depth access to your network for a longer period of time.

5. Ensure IT staff continuously monitor for alerts

Most NAC solutions will provide alerts if there is any abnormal network activity – and an ignored or poorly addressed alert can quickly lead to a data breach. For that reason, make sure you have at least one IT member assigned to handle NAC alerts – and consider enlisting more help if you have many endpoints.

6. Pull reports regularly

By keeping tabs on your historical and real-time network activity, you’ll be able to better prepare for audits while providing key stakeholders with insight into how your NAC solution protects your network.

Secure Your Network with FortiNAC

FortiNAC works with the Fortinet Security Fabric to provide visibility, control, and automated response for every device connected to a network. Not only can it secure IoT and third-party devices, but it can be part of the security solution for any network, regardless of size or structure.

Discover how a Network Access Control solution (FortiNAC) provides organizations with the ability to see and control all the devices and users connected to the network.