NAC - Network Access Control

Network Access Control (NAC) is a set of technical measures and tools that protect all end devices.

Employees must keep track of the credentials tied to user services, information about how a connection was made, and which applications can use it within an established session. NAC systems handle this task and provide centralized control and administration of access policies for the information environment.

A NAC system determines whether a device is attempting to connect to the network and whether its configuration meets the defined access rules. After the identification procedure, the system decides what level of access to system resources should be provided.

As the number of external attacks through viruses, worms, and spyware increases, NAC solutions continue to gain popularity. Antivirus developers pay special attention to this class of products, since users working remotely should first of all be considered potential violators, even if unintentional ones.

When choosing NAC, you should pay attention to the possible features of the products:

  • Whether policies need to be applied before or after the device connects to the protected network.
  • Whether a NAC agent will be installed or the solution will be used without an agent.
  • Whether the solution is implemented externally or as built-in system components.

Often, companies planning to use NAC as a means of protecting against external threats come to the conclusion that in order to meet all internal requirements for such a system and comply with internal information security policies, two solutions must be set up in parallel. It depends primarily on the number and characteristics of existing information technology systems within the corporate network.

Comparison of products in the category NAC - Network Access Control

Compare: Network Admission Control (NAC)

Characteristics

Ease of Implementation

Requires network pre-requisites
Requires network pre-requisites
Complex, requires advanced integrations and deployment skills
Deployment driven, modular software, intuitive, flexible

Software-Based

Virtual or hardware appliance
Virtual or hardware appliance
Virtual or hardware appliance
Software-only

Heterogeneous Network

Can integrate with some infrastructure
Works best with Cisco environment
Integrates with all network infrastructure
Integrates with all network infrastructure

Centrally Managed

Recommends appliances for deployment in all locations
Recommends appliances for remote locations
Recommends appliances for remote locations
Deployed from one location, no need for remote appliances

VLAN Segmentation

Available only with 802.1X
Available only with 802.1X
Limited support for VLAN
Native implementation of VLAN segmentation

Standardized API

Inbound and outbound APIs
Offers scalable context
Integrates with other services
Shares context both inbound and outbound

Role-Based Policies

More effective with 802.1X
More effective with 802.1X
Define policies based on organizational roles
Define policies based on organizational roles

Agentless

Optimal with agent
Requires an agent for posture assessment
Requires a dissolvable agent for full functionality
Support for over 25 different authentication methods that do not require an agent

Full Non-802.1X Deployment

Optional 802.1X authentication
Requires 802.1X to authenticate devices
Does not require 802.1X to authenticate devices
Does not require 802.1X to authenticate devices

No Requirement for Topology Changes

Network firmware upgrades, complex configuration, RADIUS
Network firmware upgrades, complex configuration, RADIUS
Many features rely on the configuration/set up of port mirror/span port
No requirements for mirror or span ports

Scalable Deployments

802.1X limits scalability of deployments
802.1X limits scalability of deployments
Requires additional appliances and upgrades
Lightweight infrastructure enables easily scalable deployments across geolocations

Remote Branch Deployments

Requires on site configuration and challenges branch availability
Requires on site configuration and challenges branch availability
Recommends on-site appliances for full feature set, limitations for sizing
Seamless coverage of remote branches

Wireless Support

Wireless via 802.1X
Wireless via 802.1X
Partial integration with on-premise wireless controllers
Optional 802.1X wireless

Device Visibility

Visibility enhanced with 802.1X compatible devices
Visibility enhanced with 802.1X compatible devices
Visibility into all network devices only with port mirroring enabled
100% streamlined device visibility (NAS and device view)

Application Visibility

Requires agent
Requires agent
Enhanced visibility into business level applications
Seamless application data collection

IOT Device Visibility & Control

Discovery and control capabilities
Basic profiling of IoT devices
Discovery and control capabilities
Two-fold device detection and analysis

Network View

No capability for full network view
No capability for full network view
Limited capability for full network infrastructure view
Simple to operate, understand issues and see them immediately

Incident Response

Lack of context, requires manual intervention
Lack of context, requires manual intervention
Built-in integration with various security vendors
Open-platform, native API integration, intuitive data flows

Guest Access

Full capabilities for guest access
Full capabilities for guest access
Full capabilities for guest access
Limited native capabilities

BYOD

BYOD control and visibility with captive portal
BYOD control and visibility with captive portal
BYOD control and visibility with captive portal
Limited native capabilities for BYOD control

Suppliers NAC - Network Access Control

Cisco

Cisco Systems, Inc. is an American multinational technology company headquartered in San Jose, California, that designs, manufactures and...
Vendor, Supplier

ForeScout

ForeScout has pioneered an agentless approach to network security to address the explosive growth of mobile computing, IoT and cloud computing. We...
Vendor, Supplier

Portnox

Founded in 2007, Portnox is a market leader for network access control and management solutions that scale from small to medium businesses through to...
Vendor, Supplier

F.A.Q about NAC - Network Access Control

 What is NAC?

As defined by Forrester Research, "NAC is a mix of hardware and software technology that dynamically controls client system access to networks based on their compliance with policy." But vendors, eager to get in on the NAC buzz, are often using the NAC label for products that are really only peripheral to the access control process.

What are the major NAC initiatives?

There are three:

Cisco's Network Admission Control architecture; the Trusted Computing Group's (TCG) Trusted Network Connect (TNC) program; and Microsoft's Network Access Protection (NAP) architecture.

Are Cisco and Microsoft playing nicely together?

Microsoft's NAP architecture is a major factor in the NAC universe because of the pervasiveness of the company's server and desktop software. However, at this point, key components aren't available, making interoperability impossible to test beyond limited beta versions of Microsoft's NAP platforms. On the upside, 75 vendors have pledged to make their gear interoperable with Microsoft NAP components when they become available. This includes Cisco, with which Microsoft is developing NAP and Cisco-NAC interoperability. Cisco, which is pushing the IETF for NAC standards but does not participate in TCG, has about 30 partners shipping Cisco NAC-compatible gear and another 27 developing such products.

Are there any NAC standards?

The TCG is writing NAC standards to promote multivendor interoperability. The IETF has created a working group to develop NAC standards and Cisco, which does not participate in the TCG, supports the IETF effort.

Are there any stand-alone NAC products on the market?

Cisco, Microsoft and TCG list scores of partners whose gear fits in their NAC schemes and can claim to be NAC vendors. Plus, Juniper has its unified access-control environment. A NAC buyer must find out what a vendor means by "NAC support," but single devices fitting the NAC bill include products from ConSentry Networks, Nevis Networks, StillSecure and Vernier Networks. Other NAC vendors, such as Lockdown Networks and Mirage Networks, work in conjunction with partners. This is not a comprehensive list.

What types of security functions are part of the NAC environment?

Authentication; endpoint scans; policy compliance checks; policy creation, enforcement and management.

How does NAC work in practice?

NAC products scan computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. Is virus-scanning software up-to-date? Is the operating system patched? Is a personal firewall in use? That process requires an engine capable of matching scan results to policies to see if the device is qualified to gain access. And it entails devices that can enforce the policy engine's decision: to block access, to restrict access to certain resources or to allow access only to an isolated network segment where security functions can be brought up-to-date.
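
The matching step described above, as an added example (not code from this page or from any NAC product): a small Python policy engine that maps the three posture checks to the enforcement outcomes named in the answer. The field names, the 7-day signature threshold and the rule-to-action mapping are assumptions; attributes the scan did not report fail closed.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Callable

class Access(IntEnum):
    """Enforcement outcomes, ordered so the strictest failed rule wins."""
    ALLOW = 0
    RESTRICT = 1     # access to certain resources only
    QUARANTINE = 2   # isolated segment where the device can be brought up to date
    BLOCK = 3

@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[dict], bool]   # raises KeyError/TypeError if the scan lacks the field
    on_fail: Access

def evaluate(posture: dict, rules: list, missing: Access = Access.BLOCK):
    """Match one endpoint's scan result to policy; return (decision, failed rule names)."""
    decision, failed = Access.ALLOW, []
    for rule in rules:
        try:
            ok, action = bool(rule.check(posture)), rule.on_fail
        except (KeyError, TypeError):
            ok, action = False, missing   # attribute not reported: fail closed
        if not ok:
            failed.append(rule.name)
            decision = max(decision, action)
    return decision, failed

TODAY = date(2024, 6, 1)   # fixed date so the constructed samples are deterministic
# Assumed policy: thresholds and the action per rule are illustrative choices.
POLICY = [
    Rule("av_up_to_date", lambda p: (TODAY - p["av_signature_date"]).days <= 7, Access.QUARANTINE),
    Rule("os_patched", lambda p: p["missing_critical_patches"] == 0, Access.QUARANTINE),
    Rule("personal_firewall", lambda p: p["firewall_enabled"] is True, Access.RESTRICT),
]

# Constructed scan results (not real data).
LAPTOP_OK = {"av_signature_date": date(2024, 5, 30), "missing_critical_patches": 0, "firewall_enabled": True}
LAPTOP_STALE = {"av_signature_date": date(2024, 4, 1), "missing_critical_patches": 0, "firewall_enabled": False}
PRINTER = {}   # device that reported no posture at all

if __name__ == "__main__":
    for name, scan in [("ok", LAPTOP_OK), ("stale", LAPTOP_STALE), ("printer", PRINTER)]:
        decision, failed = evaluate(scan, POLICY)
        print(f"{name}: {decision.name} failed={failed}")
```

Returning the failed rule names alongside the decision gives the enforcement point what it needs to tell the user which remediation is required in the isolated segment.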

Can other types of security products play a role in a NAC environment?

Yes. For example, CA's eTrust antivirus and antispyware software play in Cisco's NAC environment by delivering status information to Cisco's Trust Agent. The agent gathers data from the CA software and other software on desktops and laptops to develop a profile of the computers trying to access the network. Similarly, IBM's Tivoli Security Compliance Manager is Cisco NAC-compatible because it scans machines coming onto the network. By itself it can't enforce whether the device gains access; it needs infrastructure from Cisco or some other vendor to enforce policy.