Network Access Control (NAC)

Security for networks with IoT

An introduction to NAC

What is Network Access Control (NAC)?

Network access control, or NAC, is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their corporate networks. 

This technology has been around for nearly two decades, but a new generation of its solutions is helping organizations keep up with today’s ever-expanding attack surface, delivering not only visibility of the network environment, but also enforcement and dynamic policy control.  Whether devices are connecting from inside or outside the network, it can automatically respond to compromised devices or anomalous activity.

Modern solutions also provide a clear view into network assets to support regulatory certifications and security best practices that require organizations to establish and maintain an accurate inventory of all connected devices—even in virtual environments where assets are constantly connecting and disconnecting from the network. The monitoring and response capabilities are especially critical since many devices open users to additional risk via compromised, poorly written and un-patchable software, unadvertised back doors hardwired into firmware, and other factors.

NAC is an important part of a Zero Trust Network Access model for security, in which trust is no longer implicit for users, applications, or devices attempting to access the network, and for which IT teams can easily know who and what are accessing the network, as well as how to protect corporate assets both on and off the network.

 

How NAC Secures Your Network

NAC provides visibility over everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated responses. It plays a role in strengthening overall network security infrastructure.

A properly functioning solution can deny access to noncompliant users or devices, place them in quarantine, or restrict access to a small number of network resources, separated from the rest of the network. NAC generally supports the following:

  1. Authentication and authorization of users and devices
  2. User and device profiling
  3. Denial of unsecured devices
  4. Quarantine of unsecured devices
  5. Restricting access to unsecured devices
  6. Policy lifecycle management
  7. Overall security posture assessment
  8. Incident response through policy enforcement
  9. Guest networking access

 

Network Access Control Benefits and Use Cases

IoT and BYOD

The adoption of IoT devices is growing exponentially, especially in high-risk markets such as healthcare and retail where even a few years ago there were far fewer network-connected devices. Converging with this trend is BYOD (Bring Your Own Device), which over more than a decade has brought an influx of new mobile devices connecting to corporate networks. Both create substantial new security risks and open new threat vectors, and unsecured devices dramatically increase the risk of intrusion, breach, and a catastrophic cyberattack. The right NAC solutions ensure compliance for all devices connecting to networks, checking that proper controls are in place before corporate network resources are accessible.

There are now billions of non-traditional compute, IP-enabled devices that are connecting to networks. (This means basically everything on the network that isn't a laptop or mobile phone, from IP cameras, to VoIP phones, printers, HVAC controls, temperature sensors, badge readers, digital displays, bluetooth sensors, and many more examples.)

Incident Response

The role of NAC in incident response is often significant. Solutions can be configured to automatically enforce security policies, share contextual information, and isolate unsecure devices from accessing other parts of a network.

Contractors

Contractors, partner employees, and other guest workers need specialized access only to those parts of the corporate network that enable a good user experience and allow them to do their jobs. NAC plays a key role in maintaining access privileges while ensuring guest users have smooth connectivity and a good overall experience.

Medicine

Healthcare is an industry rapidly embracing the Internet of Medical Things (IoMT) and now many new networked devices are coming online to support advances in medicine and medical care. But as more medical devices access the corporate network, it is critical to employ NAC solutions that can help protect devices and massive troves of sensitive personal data, including medical records. This can help improve healthcare security overall and keep medical facilities and other healthcare institutions safe from ransomware and other prevalent threats.

Compliance

Regulatory compliance isn’t optional, and organizations can receive serious fines and create myriad other problems if access controls aren’t implemented or aren’t demonstrably effective. NAC solutions have long been thought of as risk mitigation technology—which they certainly are—but the right ones can also help enforce compliance controls under regulations such as HIPAA, SOX, or PCI-DSS, and ensure smooth compliance audits.

 

FortiNAC: Network Access Security Solution

FortiNAC is the Fortinet network access control solution. It enhances the overall Fortinet Security Fabric with visibility, control, and automated response for everything that connects to the network. It provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events.

FortiNAC enables three key capabilities to secure IoT devices:

  • Network visibility to see every device and user as they join the network
  • Network control to limit where devices can go on the network
  • Automated response to speed reaction time to events from days to seconds

The FortiNAC solution protects both wireless and wired networks with a centralized architecture that enables distributed deployments with automated responsiveness.

FortiNAC is an ideal solution for any stage or maturity level of a security strategy. Using FortiNAC, organizations can:

  • Deliver agent and agentless scanning of the network for detection and classification of devices
  • Create an inventory of all devices on the network and assess the risk of every endpoint connected to the network
  • Use a centralized architecture for easy deployment and management
  • Leverage extensive support for third-party network devices to ensure overall effectiveness
  • Enforce dynamic access control
  • Prepare for incident response and reduce containment time to seconds, sometimes from as long as days or weeks
  • Integrate with SIEM solutions to provide detailed contextual data and reduce investigation time
  • Automate the onboarding and permissions process for large numbers of endpoint devices, users, and guests

Explore Models and Specs
Request the Product Demo.

Introduction to FortiNAC

Gain Visibility, Control, and Automated Response across your wired and wireless network using network access control.

立即觀看

Features

monitoring icon

Agentless scanning

Detect and identify headless devices as they connect to the network

analytics icon

17 profiling methods

Utilize up to 17 different ways of determining the identity of a device

icon benefits management

Simplified onboarding

Automate onboarding process for large number of endpoints, users, and guests

Benefits

segmentation icon

Micro-segmentation

With identified devices, FortiNAC can narrowly restrict network access for those devices to only necessary network assets

platform support icon

Extensive multi-vendor support

Interact with and configure network devices (switches, wireless access points, firewalls, clients) from more than 150 vendors

Scalable

Scalability

FortiNAC architecture enables effective scaling to multi-site locations and supporting millions of devices

FortiNAC News

FortiNAC Models and Specifications

The FortiNAC product line includes hardware appliances, virtual machines and licenses.  The licenses can run on either the hardware appliance or the virtual machine.  Each FortiNAC deployment requires both a Control and Application server.  Note that if your deployment is larger than what a single server can support, you can stack servers for more capacity.  The FortiNAC solution has no upper limit on the number of concurrent ports it can support.

函數
Control and Application Server
Capacity
Each server manages up to 2,000 ports in the network
函數
Control and Application Server
Capacity
Each server manages up to 15,000 ports in the network
函數
Control and Application Server
Capacity
Each server manages up to 25,000 ports in the network
函數
Management Server
Capacity
Unlimited
函數
Reporting and Analytics Server
Capacity
n/a
Capacity
See datasheet for details
Capacity
Unlimited
Functionality
Endpoint Visibility and Auto Provisioning
Device Count
100, 1K, 10K, or 50K concurrent endpoint device per license
Functionality
Visibility and Control
Device Count
100, 1K, 10K, or 50K concurrent endpoint device per license
Functionality
Visibility, Control, and Response
Device Count
100, 1K, 10K, or 50K concurrent endpoint device per license

Our Customers Emphasize the Value of FortiNAC in Gartner Peer Insights Reviews

 

★★★★
“Fit Our Needs As A K-12 Organization That Wanted To Do BYOD Minus Issue With Registration”

Director of Media and Technology
IndustryEducation
Role: CTO
Firm Size: <50M USD

“This solution fits our needs because it allows for network segmentation, filtering, and user management within the product. It also interoperates with our directory, our firewall, and our filtering solutions seamlessly."

★★★★★
“Implementation Was Smooth And Product Runs With Very Few Problems”

VP Networking
Industry: Finance
Role: Infrastructure and Operations
Firm Size:1B - 3B USD

“Our company has been using the FortiNAC product for around 6 years and it has been a good experience. We use it to manage around 13K devices across 3 data centers and 260+ locations.”

★★★★
“Solid NAC Solution... Some Room To Improve Interface And Support”

Sr Director, Network Operations
Industry: Miscellaneous
Role: Infrastructure and Operations
Firm Size: <50M USD

“Once we got the hang of managing it, it's really been a god-send having visibility of all devices connected across our entire network.”

★★★★★
“Flexible Product, Vendor Agnostic, A Great Value In Device Registration On The Network”.

LAN Admin
Industry: Education
Role: Infrastructure and Operations
Firm Size: Gov't/PS/ED <5,000 Employees

“Flexible product, can get very detailed as to what you want to check/analyze/scan or can be setup very simplistic for on-boarding purposes. Is vendor agnostic on the hardware side and implementation was very smooth. We have been using this product for 11 years.”

★★★★★
“Seemless With No Customer Impact”

CIO - CISO
Industry: Healthcare
Role: CIO

"The product is easy to use and understand and the support team helped whenever asked. The protection of the network cannot happen without Port security and this product does that and gives you visibility."

★★★★
“Solid Products, But Needs Persistent Agent For Chromebooks”

Network Administrator
Industry: Education
Role: System Integrator
Firm Size: Gov't/PS/ED <5,000 Employees

“The overall experience has been great.”

★★★★★
“Effective Tool That Works Well”

Lead Network Architect Engineer
Industry: Government
Role: Infrastructure and Operations
Firm Size: Gov't/PS/ED <5,000 Employees

“The Network Sentry - Network Access Control aka NAC, has been critical in the control of access to our environment. It has allowed us to keep those who don't belong out, it alerts on attempts, and allowed us to catch audit penetration attempts.”

 
Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences, and do not represent the views of Gartner or its affiliates.

Resources

Fuse Community


Related Links

Product Demo

Demo Videos

Fortinet FortiNAC - Security Fabric Integration with FortiGate
Fortinet FortiNAC - Guest/BYOD/Contractor Onboarding
Fortinet FortiNAC - Automated Incident Response Demo
Fortinet FortiNAC - PLC Device Discovery, Identification, and Management
Catching Domain Machines in the Captive Portal
FortiNAC Demo

FortiNAC Integrations Alliance Partners

FortiNAC has integrations with more than 150 vendors, enabling it to integrate with virtually every switch, wireless access point, and firewall in your network.  The below companies are examples of Fortinet Fabric partners with integrations.  For a complete list of vendors with integrations, please see the data sheet

FortiNAC Use Cases

Branch have grown in complexity with more devices, including headless IoT devices, getting connected to the network-without a corresponding increase in staff. To maintain visibility, control, and responsiveness in Branch Offices, FortiNAC is part of the Fortinet's Secure SD-Branch Solution. Learn more here.

Fortinet sd-branch

FortiNAC Videos

Secure SD-Branch overview

FortiNAC FAQs

Below are answers to common questions regarding FortiNAC and related services:    

How does FortiNAC identify a new device on the network?    

FortiNAC uses the network characteristics of the device to classify the devices. There are up to 13 different attributes and techniques that FortiNAC can utilize such as Vendor OUI and DHCP fingerprinting, to profile a device.      

Does FortiNAC analyze device behavior (EUBA) to identify a device?

No, FortiNAC looks at the profile of the device and is not analyzing behavior. 

Do I need a FortiNAC in every location?

No, FortiNAC’s architecture enables complete visibility even from remote locations. There are many organizations that deploy FortiNAC in a cloud such as Amazon Web Services (AWS) to provide NAC for their network.    

Q. What is the upper limit of how many devices FortiNAC can support?

A.  There is no upper limit for how large a network can be.  The FortiNAC servers can be stacked and managed as a group.

Q: What form factor does FortiNAC come in?  

A:  The FortiNAC solution requires a server to run the Control and Application functions.  For smaller organizations, those can run in one server while larger organizations might need dedicated servers or multiple dedicated servers.  Servers can be either hardware appliances or Virtual Machines (VMs).  Licenses that run on the servers determine the level of functionality of the solution. 

Q: What are the most popular form factor?  

A:  The VM form factor is most commonly deployed.

Q: Do you need a server at each location?  

A:  No, the architecture of FortiNAC means that you can centrally deploy and provide coverage for several sites.  FortiNAC is not sniffing the traffic directly, so it does not need to be on the network.  This greatly enhances FortiNAC’s ability to scale to multi-site locations.  

Q: What are the different license levels for FortiNAC?  

A: FortiNAC offers three levels of capability:

  • Base -- offering visibility and network lockdown (does not permit new devices to join without permission)
  • Plus -- offering the Base capabilities and adds user identification and segmentation.
  • Pro -- offering the Plus capabilities and add automatic response

Q: Can you move from one license level to another?  Or do you have to buy a whole new license?  

A:  Fortinet offers upgrade FortiNAC licenses so that if you want to move from Base to Plus, or Plus to Pro, you can simply buy the upgrade license.

Q: Are the FortiNAC licenses incremental in their features?  Do you need to buy Base if you buy Pro?  

A:  No, the FortiNAC licenses are all-inclusive so you only need to purchase the level that you want. 

Q: Are the FortiNAC licenses subscriptions?  

A:  No, the FortiNAC licenses are perpetual.

Q: Are the license measured by user?

A: No, the licenses are based on the total number of concurrent connections to your network that are managed by FortiNAC. This count includes hosts, servers or devices that are online on your network at any given time. When a host, server or device disconnects from the network, the license is released and can be used for another connection. For example, you may have 1000 hosts in your database but if only 100 are connected, then only 100 licenses are used.

Q: Are the FortiNAC licenses shared across locations?  

A:  Yes, when deployed with a Management Server, the FortiNAC licenses can be shared across the locations, as well as across stacked servers. 

Q: Does FortiNAC do end-user behavior analysis (EUBA)?  

A:  No, FortiNAC does not perform behavior analysis but does collect network data about a device, utilizing up to 13 methods to profile a device.    

Q: How does FortiNAC protect against MAC-spoofing if it does not do EUBA?  

A:  FortiNAC can protect against MAC-spoofing both on initial network access and after a MAC address has been granted permission.  FortiNAC will look at 12 other factors to see if the device matches the appropriate profile for that MAC address and OUI.  FortiNAC can quarantine a device with a suspicious profile for a network administrator to investigate and resolve.