As our technical service models stabilize during this work-from-home transition, we'll take a minute to look at strategies for improving the user experience when employees return to the office. Today, we explore a Network Access Control (NAC) maturity model and how a deployment matures within your ecosystem.
NAC Maturity Model
Network Access Control is how you control which devices are allowed on the network and how much access they get. It is often referred to as the police force of your network, enforcing the rules and policies of the business. In Considerations When Deploying Network Access Control, we discussed 5 strategic layers to explore before implementing or tuning your NAC deployment. What follows is a maturity model you can use as you build out the breadth of outcomes NAC can deliver.
NAC is a key technology for protecting branch and campus networks, and the ever-increasing number of devices connecting to the network makes a well-designed and well-implemented solution essential to keeping the business both secure and connected.
Modern NAC solutions have a multitude of features, some of which will make sense for your business and some of which won't. For a successful NAC implementation, we recommend a phased approach that steps through the NAC maturity model one level at a time. The levels of maturity are:
- No NAC
- Basic AAA
- Role-Based Access Control & Dynamic VLAN Assignment
- Health Check & Posture Assessment
- Integration with Security Stack
No NAC
All businesses start here. The network is crucial to any business, and getting users online usually happens before network security is considered. If this is where your business is currently, here are some things to consider:
- Does my network gear support 802.1X and MAC-based access control?
- What is the risk to the business of an unknown or unhealthy device connecting?
- What types of devices do I have and what types should be allowed on the corporate network?
Basic AAA
Authentication, Authorization, and Accounting (AAA) is the framework for network access. In enterprise networks it is implemented with the RADIUS protocol. Basic AAA is the first stage of NAC. At this stage, your network access servers (NAS), the switches and wireless controllers, authenticate users and devices and get back a basic go/no-go reply (an Access-Accept or Access-Reject) when a device tries to connect.
Most enterprises use a combination of 802.1X and MAC Authentication Bypass (MAB) to achieve this: 802.1X for endpoints that can run a supplicant, MAB for printers, phones and other devices that cannot. Keep in mind that MAB authenticates nothing but a MAC address, which any endpoint can spoof, so devices admitted by MAB deserve a narrower authorization than devices that passed 802.1X. Devices are also dynamically profiled, which provides additional insight into what is trying to connect to the network.
Role-Based Access Control & Dynamic VLAN Assignment
Once basic AAA is working in an environment, role-based access control and dynamic VLAN assignment are the next logical step. At this stage, the NAC infrastructure still authenticates users, but its Access-Accept also carries RADIUS attributes that give the NAS context about the user. This can be a VLAN assignment (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes defined in RFC 2868 and RFC 3580), which automatically puts different departments in different networks; a security group tag (SGT), which groups endpoints dynamically so that security policies can reference the group; or a role or ACL that determines what resources an endpoint can reach.
Health Check & Posture Assessment
Some organizations want to run a health check on endpoints to determine whether they meet compliance requirements. Examples of health checks and posture assessment are:
- Windows patches up to date
- Endpoint protection client running and updated
These checks then feed the connection policy, which decides whether the device is allowed onto the network and what access it is given. For example, a device with an outdated endpoint protection client could be placed in a low-privilege remediation network that lets the client update but blocks access to sensitive resources. Once the device is remediated, it is given its normal access. Keep in mind that a posture result is a point-in-time answer: if it is only checked at connection time, a device that drifts out of compliance keeps its access until it next reconnects, so plan for periodic reassessment.
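As an added example, not code from the original page or from any NAC vendor, the following Python shows what the two stages above mean on the wire: it builds the authorization attributes a NAC server would put in an Access-Accept (dynamic VLAN assignment by role, or a remediation VLAN when posture fails) and then parses them back the way a switch would. The attribute numbers come from RFC 2865, RFC 2868 and RFC 3580; the role table, VLAN ids, ACL names and the posture dictionary fields are hypothetical.

```python
"""Authorization attributes a NAC server returns in a RADIUS Access-Accept
to put an endpoint in a VLAN and apply a role ACL, and the parsing a NAS
does on the other side. Added example: attribute numbers are from RFC 2865,
RFC 2868 and RFC 3580; the policy tables and posture fields are hypothetical."""
import struct

# RADIUS attribute type codes
FILTER_ID = 11                # RFC 2865: name of an ACL configured on the NAS
TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868: carries the VLAN id as a string
TUNNEL_TYPE_VLAN = 13         # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 3580 section 3.31
TAG = 1                       # RFC 2868 tag (0x01..0x1F) grouping the tunnel attributes

# Hypothetical policy tables, not from the original page
ROLE_POLICY = {
    "finance":     {"vlan": 110, "acl": "finance-acl"},
    "engineering": {"vlan": 120, "acl": "eng-acl"},
    "guest":       {"vlan": 900, "acl": "guest-acl"},
}
REMEDIATION = {"vlan": 950, "acl": "remediation-acl"}  # reaches update servers only


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: one tag octet followed by the text."""
    return encode_attr(attr_type, bytes([tag]) + value.encode("ascii"))


def posture_compliant(posture: dict) -> bool:
    """The checks named on the page: patches current, EPP client running and updated.
    A missing field counts as a failed check, never as a pass."""
    return bool(posture.get("patches_current")
                and posture.get("epp_running")
                and posture.get("epp_updated"))


def authorization_attributes(role: str, posture: dict) -> bytes:
    """Attribute bytes for the Access-Accept. A non-compliant endpoint lands in
    the remediation VLAN whatever its role; an unknown role is an error, not guest."""
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role {role!r}")
    policy = ROLE_POLICY[role] if posture_compliant(posture) else REMEDIATION
    return b"".join([
        tagged_integer(TUNNEL_TYPE, TAG, TUNNEL_TYPE_VLAN),
        tagged_integer(TUNNEL_MEDIUM_TYPE, TAG, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, TAG, str(policy["vlan"])),
        encode_attr(FILTER_ID, policy["acl"].encode("ascii")),
    ])


def decode_attrs(data: bytes) -> list:
    """Walk the TLVs back out as the NAS does, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def vlan_from_attrs(data: bytes):
    """What the switch extracts: the VLAN id, but only when Tunnel-Type says VLAN."""
    attrs = dict(decode_attrs(data))
    ttype, group = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or group is None or int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if group[0] <= 0x1F:  # RFC 2868: a leading octet <= 0x1F is a tag, not part of the id
        group = group[1:]
    return int(group.decode("ascii"))


if __name__ == "__main__":
    healthy = {"patches_current": True, "epp_running": True, "epp_updated": True}
    stale_epp = {"patches_current": True, "epp_running": True, "epp_updated": False}
    print(vlan_from_attrs(authorization_attributes("finance", healthy)))    # 110
    print(vlan_from_attrs(authorization_attributes("finance", stale_epp)))  # 950
```

Two design points worth noticing: a missing posture field fails closed rather than passing, and an unrecognized role raises instead of silently falling through to a default VLAN, since a quiet default-allow is exactly how a NAC policy ends up more permissive than anyone intended.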
Integration with Security Stack
All the major NAC products offer integration with the rest of your security stack, which lets you feed threat intelligence from your firewall or NetFlow analyzer into network access control. An indicator of compromise, such as an endpoint talking to a known command-and-control server, can be used to push that endpoint into a quarantine network, notify the user, and open a service ticket. Because the endpoint is already authenticated, the NAC server does this with a RADIUS Change of Authorization (CoA, RFC 5176) sent to the NAS rather than waiting for the next login. This both automates and speeds up the tedious process of discovery and containment. Choose the triggering indicators carefully: a false positive here takes a user offline automatically, so start with high-confidence indicators.
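As an added example, not the page's or any product's code, here is that containment step in Python: an IoC event from a firewall or NetFlow tool becomes an RFC 5176 CoA-Request that moves the live session into a quarantine VLAN, the NAS side verifies the request, and the NAC side verifies the CoA-ACK before trusting it. The event format, shared secret, quarantine VLAN, ACL name and the set of indicators that trigger containment are assumptions; the packet layout and authenticator calculations follow RFC 5176.

```python
"""Containment via RADIUS Change of Authorization (RFC 5176): an indicator of
compromise from the security stack becomes a CoA-Request that moves the
endpoint's live session into a quarantine VLAN. Added example, not the page's
or any vendor's code; the event format, secret and quarantine values are assumed."""
import hashlib
import hmac
import os
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes
# Attribute types: RFC 2865 session identifiers and RFC 2868 tunnel attributes
USER_NAME, NAS_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 11, 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
QUARANTINE_VLAN, QUARANTINE_ACL = "999", "quarantine-acl"  # assumed values
CONTAINMENT_INDICATORS = {"c2-beacon", "malware-download"}  # assumed high-confidence set

# Constructed sample event, the shape a firewall or NetFlow analyzer might emit
SAMPLE_EVENT = {
    "indicator": "c2-beacon",
    "user": "jdoe",
    "nas_ip": "10.0.0.2",
    "src_mac": "00-11-22-33-44-55",
    "acct_session_id": "00000A1B",
}


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV (Type, Length including header, Value)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged(attr_type: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tagged attribute: tag octet first."""
    return attr(attr_type, bytes([tag]) + value)


def quarantine_attributes(event: dict) -> bytes:
    """Session identification attributes (RFC 5176 section 3) followed by the new
    authorization. The NAS must match every identifier sent, so extra identifiers
    narrow the match to one session rather than widening it."""
    return b"".join([
        attr(USER_NAME, event["user"].encode()),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in event["nas_ip"].split("."))),
        attr(CALLING_STATION_ID, event["src_mac"].encode()),
        attr(ACCT_SESSION_ID, event["acct_session_id"].encode()),
        tagged(TUNNEL_TYPE, 1, (13).to_bytes(3, "big")),        # 13 = VLAN
        tagged(TUNNEL_MEDIUM_TYPE, 1, (6).to_bytes(3, "big")),  # 6 = IEEE-802
        tagged(TUNNEL_PRIVATE_GROUP_ID, 1, QUARANTINE_VLAN.encode()),
        attr(FILTER_ID, QUARANTINE_ACL.encode()),
    ])


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 section 3: Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_is_authentic(request: bytes, secret: bytes) -> bool:
    """NAS side: verify the Request Authenticator before acting on the request."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """NAS side: CoA-ACK or CoA-NAK. Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAC side: check the reply's identifier and authenticator before trusting an
    ACK (or NAK); otherwise anyone who can spoof the NAS address can fake one."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def quarantine(event: dict, secret: bytes, identifier: int = None) -> bytes:
    """Turn an IoC event into the CoA-Request bytes to send to the NAS on UDP/3799.
    Only the configured high-confidence indicators trigger automatic containment."""
    if event["indicator"] not in CONTAINMENT_INDICATORS:
        raise ValueError(f"{event['indicator']!r} is not a containment-grade indicator")
    ident = os.urandom(1)[0] if identifier is None else identifier
    return build_request(COA_REQUEST, ident, quarantine_attributes(event), secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = quarantine(SAMPLE_EVENT, secret)
    print(len(req), request_is_authentic(req, secret))
```

The block builds and checks packets but deliberately opens no socket; in a real deployment the bytes from quarantine() go to the NAS on UDP port 3799 and the reply is passed through response_is_authentic() before the ticket is marked contained. RFC 5176 authenticators are MD5 over a shared secret, which is weak by modern standards, so CoA traffic belongs on a management network or inside RadSec (RADIUS over TLS) rather than on a path an attacker can reach.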
As you can see, NAC can range from basic access control to automated security containment, with multiple steps in between. Different business requirements drive different levels of maturity and complexity in the solution.
Not sure where to go from here? Looking to develop a strategy around implementing or fine-tuning NAC within your environment?
Let’s have a conversation. We love to work alongside you to identify opportunities for improvement.