What Is Network Access Control (NAC)?

Network access control (NAC), also known as network admission control, is the process of restricting unauthorized users and devices from gaining access to a corporate or private network. NAC ensures that only users who are authenticated and devices that are authorized and compliant with security policies can enter the network.

As endpoints proliferate across an organization—typically driven by bring-your-own-device (BYOD) policies and an expansion in the use of Internet-of-Things (IoT) devices—more control is needed. Even the largest IT organizations do not have the resources to manually configure all the devices in use. The automated features of a NAC solution are a sizable benefit, reducing the time and costs associated with authenticating and authorizing users and determining that their devices are compliant.

Further, cyber criminals are well aware of this increase in endpoint usage and continue to design and launch sophisticated campaigns that exploit any vulnerabilities in corporate networks. With more endpoints, the attack surface increases, which means more opportunities for fraudsters to gain access. NAC solutions can be configured to detect any unusual or suspicious network activity and respond with immediate action, such as isolating the device from the network to prevent the potential spread of the attack.

Although IoT and BYOD have changed NAC solutions, NAC still serves as a perpetual inventory of users, devices, and their level of access. It also serves as an active discovery tool to uncover previously unknown devices that may have gained access to all or parts of the network, requiring IT administrators to adjust security policies.

Further, organizations can choose how NAC will authenticate users who attempt to gain access to the network. IT admins can choose multi-factor authentication (MFA), which provides an additional layer of security to username and password combinations. 

Restricting network access also means control of the applications and data within the network, which is normally the target of cyber criminals. The stronger the network controls, the more difficult it will be for any cyberattack to infiltrate the network. 

What Are the Advantages of Network Access Control?

Network access control comes with a number of benefits for organizations:

  1. Control the users entering the corporate network
  2. Control access to the applications and resources users aim to access 
  3. Allow contractors, partners, and guests to enter the network as needed but restrict their access 
  4. Segment employees into groups based on their job function and build role-based access policies 
  5. Protect against cyberattacks by putting in place systems and controls that detect unusual or suspicious activity
  6. Automate incident response
  7. Generate reports and insights on attempted access across the organization

What Are the Common Use Cases for Network Access Control?

Bring Your Own Device (BYOD)

With the rise of work-from-home policies, employees are increasingly relying on their personal devices to complete work-related tasks. BYOD, the policy of permitting employees to perform work using the devices they own, increases efficiency and reduces overall cost. Employees are likely more productive on devices of their choosing rather than those provided by the company. 

NAC policies can be extended to BYOD to ensure that both the device and its owner are authenticated and authorized to enter the network.

Internet-of-Things (IoT) Devices

Security cameras, check-in kiosks, and building sensors are just a few examples of IoT devices. Although IoT devices extend an organization's network, they also expand its attack surface. Further, IoT devices may go unmonitored or sit in sleep mode for long periods of time. NAC can reduce risk to these endpoints by applying defined profiling measures and enforcing access policies for different categories of IoT devices.

Network Access for Non-employees

NAC is also helpful for granting temporary access to non-employees, such as contractors, consultants, and partners. NAC can allow access to such users so they can connect to the network seamlessly without having to engage the IT team. Of course, the policies for non-employees have to be different from those of regular employees. 

What Are the Capabilities of Network Access Control?

Policy Life-cycle Management

NAC enforces policies for all users and devices across the organization and adjusts these policies as people, endpoints, and the business change.

Profiling and Visibility

NAC authenticates, authorizes, and profiles users and devices. It also denies access to unauthorized users and devices. 

Guest Networking Access

NAC enables an organization to manage and authenticate temporary users and devices through a self-service portal.

Security Posture Check

NAC evaluates and classifies security-policy compliance by user, device, location, operating system, and other criteria.

Incident Response

NAC reduces the number of cyber threats by creating and enforcing policies that block suspicious activity and isolate devices without the intervention of IT resources. 

Bi-directional Integration

NAC can integrate with other security point products and network solutions through the open/RESTful application programming interface (API).

What Is the Importance of Network Access Control?

Improved Security

Because NAC provides oversight of all devices in use across the organization, it enhances security while authenticating users and devices the moment they enter the network. The ability to monitor network activity and immediately take action against unauthorized or unusual behavior means that malware threats and other cyberattacks are reduced.

Saves Costs

The automated tracking and protection of devices at scale translates into cost savings for organizations because fewer IT resources are needed. Further, blocking unauthorized access or a suspected malware attack prevents companies from suffering financial losses that may result if those activities are not thwarted.

Automation

As the number and variety of devices organizations use continue to increase, organizations cannot manually verify users and their endpoints' security policies as they attempt to enter the network. The automation features of NAC offer tremendous efficiency to the process of authenticating users and devices and authorizing access.

Enhanced IT Experiences

With seamless access, user experience is frictionless when connecting to the network. That there are controls in place working in the background gives users confidence that their IT experience is protected without any effort on their part. 

Ease of Control

The visibility features of NAC effectively serve as a 24/7 inventory of all the endpoints authorized by the organization. This is helpful not only when IT needs to determine which endpoints or users have been granted access to the network but also for life-cycle management, when devices must be phased out or replaced.

What Are the Types of Network Access Control?

Pre-admission

Pre-admission network access control occurs before access is granted. A user attempting to enter the network makes a request to enter. A pre-admission network control considers the request and provides access if the device or user can authenticate their identity.

Post-admission

Post-admission network access control is the process of granting authorization to an authenticated device or user attempting to enter a new or different area of the network to which they have not been granted authorization. To receive authorization, a user or device must verify their identity again.
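
The two admission types described above can be modeled as a small policy decision point. This is an added example, not FortiNAC code or any vendor's API; the roles, segment names, and function names are hypothetical, and the MAC addresses in any test data are constructed.

```python
# Added illustration: a toy NAC policy decision point. Roles, segments and
# function names are hypothetical and not taken from any product.
from dataclasses import dataclass

# Role -> segments that role may ever reach (role-based access policy).
ROLE_SEGMENTS = {
    "employee": {"corp", "finance"},
    "contractor": {"partner"},
    "guest": {"guest"},
    "iot": {"iot"},
}
DEFAULT_SEGMENT = {"employee": "corp", "contractor": "partner",
                   "guest": "guest", "iot": "iot"}
BLOCKED = {"none", "denied", "quarantine"}

@dataclass
class Endpoint:
    mac: str
    role: str              # outcome of device/user profiling
    authenticated: bool    # e.g. credentials plus MFA succeeded
    compliant: bool        # outcome of the security posture check
    segment: str = "none"  # current placement on the network

def pre_admission(ep: Endpoint) -> str:
    """Decide placement before any access is granted."""
    if ep.role not in ROLE_SEGMENTS or not ep.authenticated:
        ep.segment = "denied"
    elif not ep.compliant:
        ep.segment = "quarantine"   # isolated until remediated
    else:
        ep.segment = DEFAULT_SEGMENT[ep.role]
    return ep.segment

def post_admission(ep: Endpoint, target: str, reauthenticated: bool) -> bool:
    """Decide whether an admitted endpoint may enter a different segment."""
    if ep.segment in BLOCKED:
        return False                # never admitted, or isolated
    if target not in ROLE_SEGMENTS[ep.role]:
        return False                # role policy never allows this segment
    if not (reauthenticated and ep.compliant):
        return False                # identity must be verified again
    ep.segment = target
    return True

def isolate(ep: Endpoint) -> str:
    """Automated response to suspicious activity: move to quarantine."""
    ep.segment = "quarantine"
    return ep.segment
```

An unauthenticated or unprofiled endpoint is denied outright, while an authenticated but non-compliant one lands in quarantine rather than on a production segment.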

How Fortinet Can Help

The demand for NAC solutions is increasing. The number of endpoints in use by an organization and its partners continues to grow, driven by BYOD policies, third-party or contractor arrangements, and IoT devices. Further, and as a result of the attack surface expanding, cyberattackers have increased both the scale and sophistication of the cyber threats they launch on these devices. 

FortiNAC is the Fortinet NAC solution. It enhances the Fortinet Security Fabric and provides awareness, control, and automated response capabilities for all hardware that connects to an organization's network, including devices, servers, routers, and IoT devices. An example of FortiNAC in action is the active discovery of endpoints across an organization.

FortiNAC's capabilities meet organizations' need for visibility, control, and automation that ensure all devices are known, authorized, and protected. In a NAC case study, FortiNAC was cited as one of the fastest-growing NAC solutions on the market.