NAC Passes the Crown – to NAC

Written by

With the perimeter lost due to the proliferation of mobile devices and controls for them now more prevalent, Tara Seals looks at network access control and looks at what role it has in security now.

Network access control (NAC) seems like such a simple concept on the surface: in its purest form, it’s a set of technologies that automates user and device authentication onto networks, blocking risky devices and rogue log-in attempts. It also lets IT departments know what’s connecting to the network, from where and for what purpose.

However, as they say, the devil is in the details. Thanks to complexity and implementation challenges, NAC has caused IT teams headaches for years, earning itself a lingering bad reputation.

Ironically, NAC’s downfall appears to have become its salvation. More complexity, brought on by shifts in how people work is contributing to a major renaissance for NAC’s role in the security landscape. The adoption of cloud IT, mobile working, the Internet of Things (IoT), and requirements for anytime, anywhere access to corporate resources are necessitating the automation of policy enforcement based on authentication, discovery, endpoint configuration or users' role/identity. In this environment, NAC can increase network visibility in order to reduce the risks associated with noncompliant devices and open access to enterprise network facilities.

The NAC market grew 36% in 2014 to earn revenues of $552.8 million; Gartner expects this to more than double to $1.46 billion by 2018.

“There is a key benefit to controlling access to an enterprise's infrastructure through the network components: such control is endpoint-independent,” Gartner said in a brief. “NAC can be used to isolate IoT devices and other nonstandard endpoints at the network switch or the wireless infrastructure.”

NAC is Dead

In the past, NAC was first and foremost meant to address otherwise cumbersome ways of managing network connections. IT could use existing network tools for monitoring DHCP and DNS servers to look for new devices that are connecting to the company infrastructure. Typically, this was done on an exception basis, with any out-of-the-ordinary behavior triggering alarms. Alternatively, IT could also closely monitor network traffic for new connections and vet each one manually.

Obviously, neither approach is without headaches and overhead, so traditional NAC came on the scene. Unfortunately, it brought its own set of challenges.

In the early days, NAC capabilities were typically built into network vendor products, like switches and routers – Cisco was a first-mover in the space. As such, these tended to be proprietary solutions and led to a certain amount of vendor lock for businesses. “That’s a lingering issue,” explained Brian Honan, a security analyst at BH Consulting. “It can prove challenging to adapt to changing needs. If you want to integrate with other systems that have more function-specific approaches, it’s a major headache.”

A more recent way to implement NAC is to use a software-based solution, where agents are placed on various approved devices, and everything without an agent is blocked from connecting to the network. Honan noted that this is the more flexible and transparent way to do things, but it still can’t easily accommodate changes in the way modern business works, and it brings an immense amount of overhead for administrators.

“If you take the fact that most companies are dealing with shadow IT and bring-your-own-device (BYOD), along with more mobile users and teleworkers, you now have devices that aren’t physically there anymore, but are rather connecting via cloud or internet,” Honan said. “So companies need to look at a combination of NAC for their traditional network, and mobile device management (MDM) for managing mobile platforms. With the growth in new threats you have people in offices with their own laptops and controlling that type of access is becoming much more of a challenge.”

Not only that, but, as Pulse Secure points out in a recent brief, today’s work environment is open and collaborative, and visitors, contractors, and business partners expect on-demand connectivity to the enterprise network and resources, and that makes an agent-oriented approach almost impossible to manage.

“Further to this, the combination of the IoT, cloud applications and BYOD means there are more endpoints accessing the network than ever before,” the firm said. “Each employee can have multiple devices accessing the network – a corporate device, mobile phone and their own iPad or Ultrabook, all with different operating systems and regularly updating software.”

All of that has earned traditional NAC a bad reputation for disastrous implementations.

“In many large organizations, networks have evolved over years, if not decades,” said Honan. “What NAC tries to do is enforce order on that chaos – and that is the biggest challenge. I’ve seen companies roll out NAC effectively, but I’ve also seen plenty of NAC projects fail because of the complexities involved. The IT staff tends to underestimate the time and the effort required to get NAC up and running properly. So NAC hasn’t taken off the way it was expected to a number of years ago. That’s down to the vendors and the customers not understanding how to implement it properly.”

Long Live NAC

To address this snowballing complexity in the enterprise environment, NAC has begun to evolve. From a technology standpoint, by all accounts, NAC has gotten easier to use, with a better ability to centralize the administration efforts and to use network behavioral analysis with rules that are dynamic and flexible about what should and should not be allowed on the network. Most notably, NAC support for mobile devices, roaming users and virtual machines is increasingly part of the solution. As the penetration of these devices increases, and the apps they run become more business-critical, NAC is starting to become not just device-aware, but also app-aware.

“Users expect a simple, consistent and app-like experience both on and off the network,” said Jodie Sikkel, network infrastructure and security specialist at ANSecurity. “In addition, organizations need technology that allows customers, guests and contractors to have a positive experience of connecting to the guest network when they visit too.”

She pointed out that for today's organizations with distributed workforces and BYOD policies, having a user-based policy approach is critical.

“Companies need to decide what a user’s access rights are and apply a consistent policy across devices so that they can connect remotely or on-site, no matter what screen they’re using,” said Sikkel. “This is becoming much more about the user and their role.”

To that end, updated NAC solutions can empower IT administrators with the ability to define, implement and enforce granular access polices for connecting endpoints based on contextual information (e.g., user ID, role, device type, security posture, location). This eliminates much of the burdensome overhead that NAC had become known for.

“A solution that takes all these factors into account and prevents unauthorized network, application or data access before the device connects to the enterprise, for both VPN and Wi-Fi access is a must for security,” said Pulse Secure in its brief. “This protects the corporate network from infected devices and enforces consistent, cross-network access policies. It also ensures only authorized workers have access to enterprise resources based on their role, location and time of day.”

This reduces the need for IT teams to create multiple policies across multiple platforms for access to the same resources.

“I think we’re going to see an evolution where you won’t have pure, traditional NAC solutions anymore, but rather a collection of technologies that includes endpoint management and MDM,” Honan said. “Instead of having different platforms to do all of these things, companies will be looking for one tool to manage them all. So we need to forget the traditional viewpoint of NAC and look at newer technologies.”

New Roles – and a Caveat

Modern NAC is also flexing its wings – because of the data that it collects and uses, its role can be exploited to increase overall visibility.

“We barely use the word NAC today, because the value proposition has evolved to do so much more than what it was meant to do originally,” said ForeScout chief strategy officer, Pedro Abreu. “The original NAC was a good idea, but the devices were already corporately owned, so this was a second layer of technology. Secondary NAC didn’t give you too much more visibility than you already had.”

However, in the last four years, companies have seen a 40%-50% on average growth in the number of devices connecting to their networks, he said. “Companies lost visibility to what they really had in their networks. In a number of these breaches, attackers were in those networks for months and months, just hiding. So the value prop today is therefore visibility, while the original value prop was authenticating known users.”

It’s not just mobile devices that companies have to worry about: it’s also all of the IP devices out there now, be it a smart TV in the board room, a connected HVAC system, VoIP phones, printers, digital cameras and so on.

Abreu outlined one customer, a bank that literally had more than a million endpoints on the network, including indoor teller machines, ATMs and building automation sensors. Out of those, only 30% were actually being managed. “The new emerging threat is coming from that IoT space and all of the connected devices,” he said. “You have to assume those devices can be compromised.”

Abreu pointed out that companies should expect to deploy NAC technology, and then spend six to nine months just understanding what’s in the environment and how it behaves. For instance, in one hospital customer, an Xbox was found – decidedly against IT policy, but after some calls, IT determined that the console was in the kids’ oncology department and therefore should be allowed.

“It’s a process of understanding why things are out of policy before moving on to the enforcement stage of the technology,” Abreu said. “In the past, NAC could only give visibility if there was authentication. Now, it’s important to have sequestered connections so you can figure out what’s going on, and then take action.”

Not everyone is so bullish. Nathan Wenzer, executive director of security at Thycotic, noted that while modern NAC is much more flexible, it’s important to resist the urge to see it as a panacea or universally applicable.

“There’s a big shift to focusing on users and privilege in the last few years because of the cloud and the hybrid network situation – companies are saying, ‘I don’t know what network I own, I don’t know where users are, I don’t control my own access.’ The only consistent thing is the user and the credential coming in to access stuff – this has become the control point. You can’t control people from the network layer anymore.”

NAC therefore is going to be more of a targeted deployment within a controlled environment, Wenzler believes. “If I’m an energy company, where my systems are tightly regulated and airgapped, with a well-known and well-controlled environment, NAC works here,” he said. “But if I’m a giant company with presence everywhere—NAC doesn’t work. There, it has to be a privileged-based approach.”

Ultimately, controlling which devices connect to the trusted corporate network is not a security function that should be left behind any time soon. That’s especially true for organizations that have to meet with a compliance standard like PCI or HIPPA. In those cases, a rogue device could put them into a fine-drawing non-compliance state as well as open them up to a costly breach.

“NAC still has a place in our security infrastructure,” said Oscar Marquez, CTO at iSheriff. “It remains extremely important that we protect our organization’s network from rogue devices and ensure that devices that do connect meet with our security policy for endpoint security. Let’s remember that one of the most publicized breaches of the last few years started with a climate control device [the Target breach].”

What’s hot on Infosecurity Magazine?