Network Access Control Overview
Today we look at deploying Network Access Control (NAC) and five considerations to explore before implementation. Network Access Control is a solution that applies and enforces network access policies. In its most basic implementation, NAC is the decision maker of what devices are allowed on the network. NAC is implemented in both wired and wireless networks and often integrates with other systems in the security stack to enforce security policy.
Enabling every part of the business while maintaining network security now calls for some type of NAC. Additionally, a well-implemented NAC can reduce network configuration time. Instead of manually configuring every switch port at deployment time, the switch and NAC together automatically configure the port for the type of device that is connected, no matter which port the device plugs into.
NAC can quickly become a complex yet crucial part of your network infrastructure. In our recent post covering some simple steps to strengthen your security posture, we touched on the importance of maintaining controls over network access.
Here are some important considerations for deploying Network Access Control.
Know What is on the Network
The number of devices on corporate networks is continuously increasing. Between the Internet of Things (IoT), physical security, media endpoints, phones, tablets, and computers, growth is constant. Most of this growth comes from devices that should not be trusted (think of some recent, high-profile security breaches) but still need some level of network access. The business requires these devices to have some level of access, whether to the Internet or to another connected device, but they should not be granted unfettered access to the enterprise.
To compound matters, these devices are often designed and manufactured by companies that don’t traditionally make network devices. This means the devices often don’t support common authentication standards, such as 802.1X, but still need network access. Additionally, nearly every NAC deployment finds devices on the network that you didn’t already know about.
Planning for these devices, both in how they authenticate and in what type of access they receive, is crucial to a successful NAC deployment.
Where to Enforce Security Policy
Network devices have more capability today than they ever have, and increased capability can bring increased complexity. For example, most wireless systems can enforce some layer of network policy, from application-based firewalls to stateless ACLs. In many networks, every hop has the ability to enforce some type of network control.
We recommend being intentional about where to enforce your network policy. For some organizations, this means the NAC solution pushes dynamic ACLs down to every switch port. For others, this means the NAC places different classes of hosts into different VLANs and all traffic traverses the firewall for policy enforcement. Being intentional about where you enforce policy makes your access policy easier to implement and troubleshoot.
Security Stack Integration
All modern NAC solutions support integration with other elements of your security stack. When selecting, designing, and implementing NAC, it is important to consider which devices to integrate with and plan accordingly.
A common integration is between the NAC and firewall. If the firewall detects a malware infection, it can inform your NAC. The NAC then will send a change of authorization (CoA) to the switch or wireless controller, which can deauthenticate a user or place them into a remediation zone.
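As an added illustration of that CoA step (example code written for this post, not from any NAC vendor), the block below encodes a RADIUS CoA-Request that moves a session into a remediation VLAN and shows the RFC 5176 Request Authenticator check the switch or wireless controller performs with the shared secret before honoring it. The session ID, MAC address, VLAN name and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet codes
DISCONNECT_REQUEST = 40
ACCT_SESSION_ID = 44      # RFC 2866
CALLING_STATION_ID = 31   # RFC 2865
TUNNEL_TYPE = 64          # RFC 2868 tunnel attributes (tagged)
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

def avp(attr_type, value, tag=None):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if tag is None:
        data = struct.pack(">I", value) if isinstance(value, int) else value
    else:  # RFC 2868: 1-byte tag, then a 3-byte integer or a string
        data = bytes([tag]) + (struct.pack(">I", value)[1:] if isinstance(value, int) else value)
    return struct.pack("BB", attr_type, 2 + len(data)) + data

def build_request(code, identifier, attrs, secret):
    """CoA/Disconnect-Request; RFC 5176 s.2.3 Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_request(packet, secret):
    """What the NAS does on receipt: recompute the authenticator with the shared
    secret; a mismatch means a forged, tampered or mis-keyed request and is dropped."""
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack(">BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)

def quarantine_coa(identifier, session_id, mac, secret, vlan="quarantine"):
    """CoA-Request that re-authorizes an existing session into a remediation VLAN."""
    attrs = [
        avp(ACCT_SESSION_ID, session_id.encode()),
        avp(CALLING_STATION_ID, mac.encode()),
        avp(TUNNEL_TYPE, 13, tag=0),        # 13 = VLAN
        avp(TUNNEL_MEDIUM_TYPE, 6, tag=0),  # 6 = IEEE 802
        avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode(), tag=0),
    ]
    return build_request(COA_REQUEST, identifier, attrs, secret)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample, not a real secret
    pkt = quarantine_coa(7, "0000ABCD", "00-11-22-33-44-55", secret)
    print(pkt.hex(), verify_request(pkt, secret), verify_request(pkt, b"wrong"))
```

A Disconnect-Request (code 40) to deauthenticate the user instead is built the same way with only the session-identifying attributes.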
Guests, Contractors and BYOD
Many companies still use a pre-shared key for one or more wireless networks. We all know these keys inevitably leak and stop being effective. You can rotate the pre-shared key, but that becomes frustrating overhead: the key must be changed on the wireless infrastructure and on every connected device, and then communicated to the right parties.
In addition to employee and corporate-owned device access, NAC can also support guests, contractors, and employee-owned devices without resorting to a single pre-shared key. Consider how you want to treat all these devices, whether the same or differently, and how you want to onboard them to your network.
User Experience
Companies implement NAC to help secure users, not to frustrate them. Take the time to fully test all workflows and policies to ensure that NAC can be rolled out systematically across the organization without interrupting legitimate traffic. Nothing stops a NAC rollout like a VIP’s device getting kicked off the network.
Considering user experience also means designing how the system will fail. If a remote site loses its connection to the NAC servers, how will it fail: open, closed, or to a limited local policy? It is important to consider and balance user experience against security requirements.
Where to Go From Here…
The design, execution, and integration of NAC require careful forethought. Leveraging resources that have experience and the requisite training will greatly reduce your risk and improve the likelihood of a positive technology experience. Our team of experts has built the expertise to deliver a NAC-based outcome. We can also help you understand the proper solution to align with your current network topology.
As NAC becomes more defined in your ecosystem, you’ll want to consider the various phases of deployment. We explored a NAC maturity model in a subsequent post.
If you’re looking for a team to come alongside you when deploying network access control, we’re a phone call away. Stay focused. Get better. Be excellent.