Most of the confusion in talking about network access control comes from trying to understand what someone means when they say NAC. Our industry has done a terrible job defining NAC, mostly because the NAC market is a mish-mash of homegrown solutions from vendors specializing in everything from SSL VPNs for remote access, to switches, wireless and antivirus software.
As a result of our Franken-NAC birth, network access control cannot be consistently described from vendor to vendor or solution to solution. What this means for organizations is that they need to have a good understanding of the flavors of NAC available and an excellent understanding of their own needs and expectations. The simplest way to break down NAC solutions is to understand the enforcement method and the associated relative security of each type of system. At one end of the spectrum, we have simple whitelist/blacklist solutions with behavior monitoring. At the other end, we have more aggressive enforcement with active endpoint checking. Check out the NAC definitions spectrum.
Reactive NAC operates on a negative enforcement model
Starting on the far left of Figure 1 are reactive NAC features. Generally these solutions will include a MAC address-based whitelist, either through manual entry or network discovery. Each whitelisted device is allowed to participate on the network until an intrusion detection system (IDS) or anomaly detection solution deems it unfit and terminates its access. These solutions do not use agents or client software on the endpoint to report status; therefore they do not offer endpoint integrity status from a proactive or preventative view. Reactive solutions usually operate on a negative enforcement model, meaning all communication is allowed until a pattern matches a malicious or negative pattern from the IDS.
- No agent or client on endpoint
- MAC (or similar) whitelist
- Monitors for malicious activity with IDS
- Does not offer endpoint integrity data
- Post-connect monitoring only
Pros: Since the system doesn't require client software on the endpoint, reactive solutions are typically easier to implement across a larger environment and in situations with mixed operating system platforms.
Cons: By virtue of the enforcement, these solutions are reactionary and do not provide preventative measures to validate endpoint status, nor do they offer the same level of authentication and accounting available in more traditional NAC solutions.
Proactive/Preventative NAC offers more visibility
Proactive or preventative NAC solutions live between the worlds of the strict prohibitive systems on the right side of Figure 1 and the loose reactive systems on the left. Proactive solutions provide a bit more visibility into the endpoint by using a full heavy agent or a dissolvable agent (e.g., an ActiveX control) to gather data about the endpoint's status. Proactive solutions may authenticate by MAC address, similar to a reactive solution, or by user login. Most proactive solutions offer pre- and post-connect testing and a set of light remediation options.
- Uses an endpoint integrity agent of some type
- Authenticates and tracks by user or MAC address
- Offers pre- and post-connect testing
- Allows access until endpoint is non-compliant
- May run in a monitor-only mode for audit purposes
Pros: The proactive solutions offer much more visibility into the endpoint and tracking of specific users. These solutions are the most common in enterprise environments where networks need to accommodate a variety of user types and operating systems while maintaining more visibility into and enforcement of the endpoint's integrity requirements.
Cons: Requires configuration of remediation options and of captive portals to authenticate the user or device and install the needed agent.
Prohibitive NAC requires a client agent
Prohibitive NAC systems are the most aggressive in the set and are typically used in a layer 2 enforcement mode with 802.1X for port security. In these solutions, there is a heavy agent (similar to an antivirus client) on the endpoint that constantly gathers, reports and provides basic immediate remediation. Since these solutions involve 802.1X for authentication, the security and user control are much more granular than in a MAC-based implementation of NAC.
- Heavy endpoint integrity agent
- Granular policies for endpoint integrity
- Layer 2 enforcement with 802.1X
- User-based access, not device-based
- Role-based access may be provisioned through VLANs
- Access not allowed until authentication and integrity checks are passed
Pros: Prohibitive solutions offer the most security and are appropriate for high-risk or regulated industries that need to meet strict user access auditing and control policies. The default-deny access policy forces endpoint and user authentication prior to network access. Check out the NAC integration overview chart.
Cons: Configuration and maintenance can be difficult since the prohibitive systems tend to incorporate more pieces of the infrastructure, including RADIUS and directory servers for 802.1X authentication and switches and access points for enforcement. Figure 2 provides an integration snapshot for each NAC type.
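To make the three enforcement models concrete, the following is an added example (my own illustration, not code from the article or from any NAC vendor) that models each flavor as a policy decision over a constructed endpoint record; the whitelisted MACs, user names and VLAN numbers are made-up sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Model(Enum):
    REACTIVE = "reactive"        # MAC whitelist, negative enforcement, IDS revokes
    PROACTIVE = "proactive"      # agent posture, allowed until non-compliant
    PROHIBITIVE = "prohibitive"  # 802.1X default-deny, integrity checked before access

@dataclass
class Endpoint:
    mac: str
    user: Optional[str] = None         # set once the user authenticated (802.1X or portal)
    posture_ok: Optional[bool] = None  # None = no agent report (no agent installed)
    ids_alert: bool = False            # IDS/anomaly detection flagged traffic post-connect

# Constructed sample data: whitelisted MACs and a role-to-VLAN map (hypothetical values).
WHITELIST = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
ROLE_VLAN = {"alice": 10, "bob": 20}
GUEST_VLAN = 99

def decide(model: Model, ep: Endpoint, phase: str, monitor_only: bool = False) -> str:
    """Decision for one model; phase is "connect" (pre) or "post" (re-evaluation)."""
    if model is Model.REACTIVE:
        if ep.mac not in WHITELIST:
            return "deny"
        # Negative enforcement: traffic flows until the IDS matches a bad pattern,
        # which can only happen after the device is already on the network.
        return "deny" if phase == "post" and ep.ids_alert else "allow"

    if model is Model.PROACTIVE:
        if ep.user is None and ep.mac not in WHITELIST:
            return "deny"          # neither a known device nor an authenticated user
        if ep.posture_ok is None:
            return "quarantine"    # captive portal: authenticate and install the agent
        if not ep.posture_ok:
            # Monitor-only (audit) mode records the failure but does not enforce.
            return "allow" if monitor_only else "quarantine"
        return "allow"

    # PROHIBITIVE: default deny; both 802.1X authentication and the integrity
    # check must pass, then the port is placed in the role's VLAN.
    if ep.user is None or not ep.posture_ok:
        return "deny"
    return f"allow vlan {ROLE_VLAN.get(ep.user, GUEST_VLAN)}"

def compare(ep: Endpoint, phase: str = "connect") -> dict:
    """Same endpoint evaluated across the whole spectrum, left to right."""
    return {m.value: decide(m, ep, phase) for m in Model}
```

Running `compare` on a whitelisted device with a clean posture report but no user login shows the spectrum directly: reactive and proactive admit it, prohibitive still denies it until the user authenticates.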
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. Jennifer specializes in areas of network security, NAC/NAP, 802.1X and wireless security and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains the SecurityUncorked blog.