
Exploring a NAC Maturity Model

  • April 10, 2020
  • From the Experts
  • Application & Data Experience, Data Protection, End User Experience, Identity & Access Management, Network Access Control, Network Architecture and Execution, Wireless Network

As our current technical service models stabilize during this work-from-home transition, we’ll take a minute to visit strategies for improving the user experience when employees return to the office. Today, we explore a Network Access Control (NAC) maturity model and how a deployment matures within our ecosystems.

NAC Maturity Model

Network Access Control is the way to control which devices are allowed on the network and how much access they have. It is often referred to as the police force of your network, enforcing the rules and policies of the business. In “Considerations When Deploying Network Access Control,” we discussed five strategic layers to explore before implementing or tuning your NAC deployment. The following highlights a maturity model as you work to develop the breadth of the available outcomes.

NAC is a crucial technology to protect branch and campus networks, but the ever-increasing number of devices connecting to the network makes a well-designed and implemented solution crucial to keeping the business secure and connected.

Modern NAC solutions have a multitude of features. Some may make sense for your business needs; some won’t. For a successful NAC implementation, we recommend taking a phased approach, looking at different steps on the NAC maturity model along the way. The levels of maturity are:

  1. No NAC
  2. Basic AAA
  3. Role-Based Access Control & Dynamic VLAN Assignment
  4. Health Check & Posture Assessment
  5. Integration with Security Stack

No NAC

All businesses start here. The network is crucial to any business, and getting users online usually happens before network security is considered. If this is where your business is currently, here are some things to consider:

  • Does my network gear support 802.1X and MAC-based access control?
  • What is the risk to the business of an unknown or unhealthy device connecting?
  • What types of devices do I have and what types should be allowed on the corporate network?

Basic AAA

Authentication, Authorization, and Accounting (AAA) is the framework for network access. In enterprise networks, this is accomplished with the RADIUS protocol. Basic AAA is the first stage of NAC. At this stage, your network access servers (NAS), such as switches and wireless controllers, authenticate users and give a basic go/no-go reply when a device tries to connect.

Most enterprises use a combination of 802.1X and MAC authentication to achieve this result. Devices are dynamically profiled as well. This provides additional insight into which devices are trying to connect to the network.

Role-Based Access Control & Dynamic VLAN Assignment

Once basic AAA is working in an environment, role-based access control and dynamic VLAN assignment are the next logical step. At this stage, the NAC infrastructure continues to authenticate users, but also returns additional information to the NAS to give it context about the user. This can be a VLAN assignment, which puts different departments in different networks automatically; a security group tag (SGT), which groups endpoints dynamically so that security policies can reference them; or a role that determines what kind of resources an endpoint has access to.

Health Check & Posture Assessment

Some organizations want to do a health check on endpoints to determine if they meet compliance requirements. Examples of health checks and posture assessment are:

  • Windows patches up to date
  • Endpoint protection client running and updated

These checks are then used in the connection policy to specify if these devices are allowed onto the network or what security posture they’re given. For example, a device that has an outdated endpoint protection client could be put in a low-privilege network that allows the client to update but does not allow the endpoint access to sensitive resources. Once the device is remediated, the endpoint is given additional access.

Integration with Security Stack

All the major NAC products offer integration with the rest of your security stack. This allows you to integrate threat intelligence from your firewall or NetFlow analyzer with your network access control. You can use an indicator of compromise, such as an endpoint talking to a known command-and-control server, to kick that endpoint into a quarantine network, notify the user, and create a service ticket. This both automates and speeds up the tedious process of discovery and containment.
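The sketch below is an added example, not code from the original post or from any NAC product: it shows how the four active maturity levels combine into one authorization decision, returned as the RADIUS tunnel attributes (RFC 3580) that switches use for dynamic VLAN assignment. The role names, VLAN IDs, posture check names and sample endpoints are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role names, VLAN IDs and check names are assumptions.
ROLE_VLAN = {"engineering": 110, "finance": 120, "printer": 210}
POSTURE_ROLES = {"engineering", "finance"}      # roles that must pass health checks
REQUIRED_CHECKS = ("os_patches_current", "endpoint_protection_current")
REMEDIATION_VLAN = 900                          # reaches update servers only
QUARANTINE_VLAN = 999                           # isolated pending investigation

@dataclass
class Endpoint:
    mac: str
    authenticated: bool                         # 802.1X or MAC authentication result
    role: str = ""                              # from directory group or device profile
    posture: dict = field(default_factory=dict) # check name -> True/False
    ioc_hit: bool = False                       # reported by firewall or flow analyzer

def vlan_attrs(vlan_id):
    """RADIUS tunnel attributes (RFC 3580) used for dynamic VLAN assignment."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

def decide(ep):
    """Return (reply, attributes, reason) for one connection attempt."""
    if not ep.authenticated:                    # basic AAA: go / no-go
        return "Access-Reject", {}, "authentication failed"
    if ep.ioc_hit:                              # security stack overrides role and posture
        return "Access-Accept", vlan_attrs(QUARANTINE_VLAN), "quarantine: IoC reported"
    if ep.role not in ROLE_VLAN:                # fail closed on unmapped roles
        return "Access-Reject", {}, "no role mapped"
    if ep.role in POSTURE_ROLES:
        # A missing check result counts as a failure, not a pass.
        failed = [c for c in REQUIRED_CHECKS if not ep.posture.get(c, False)]
        if failed:
            return ("Access-Accept", vlan_attrs(REMEDIATION_VLAN),
                    "remediation: " + ", ".join(failed))
    return "Access-Accept", vlan_attrs(ROLE_VLAN[ep.role]), "role: " + ep.role

if __name__ == "__main__":
    healthy = dict.fromkeys(REQUIRED_CHECKS, True)
    samples = [                                 # constructed endpoints
        Endpoint("00:00:5e:00:53:01", True, "finance", healthy),
        Endpoint("00:00:5e:00:53:02", True, "engineering", {"os_patches_current": True}),
        Endpoint("00:00:5e:00:53:03", True, "finance", healthy, ioc_hit=True),
        Endpoint("00:00:5e:00:53:04", False),
    ]
    for ep in samples:
        reply, attrs, reason = decide(ep)
        print(ep.mac, reply, attrs.get("Tunnel-Private-Group-ID", "-"), reason)
```

The order of the checks is the policy: an indicator of compromise wins over a healthy posture, and an endpoint that reports no result for a required check lands in remediation rather than its role VLAN.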

As you can see, NAC can be everything from basic access control to automated security containment and multiple steps in between. Different business requirements drive different levels of maturity and complexity of the solution.

Next Steps

Not sure where to go from here? Looking to develop a strategy around implementing or fine-tuning NAC within your environment?

Let’s have a conversation. We love to work alongside you to identify opportunities for improvement.

© 2021 Elevate Technology Partners LLC. Designed & Developed by Kynda.