
What is Network Access Control (NAC)?
Businesses across the globe complied with ‘stay-at-home’ orders during the pandemic. As millions of people worked from home, use of cloud applications soared. For most organizations, the pandemic was unexpected, and so was their rapid migration to the cloud.
Traditional network access control covered technologies used to filter desktops attempting to reach resources in a data center. With more applications moving out of the data center and into the cloud, IT professionals needed to rethink network access control.

Securely Connecting Remote Users Is the New Priority
Over the last several years, IT professionals needed to re-engineer network management. They had to adapt their infrastructures and cybersecurity posture to address new challenges.
- Rapid migration of applications from the data center to the cloud
- Unpredictable growth of remote users requiring direct cloud and Internet access
- Network extension to support any number of globally-distributed secure mobile entry points
- Support for BYOD (Bring Your Own Device), which refers to employees using personal, uncontrolled devices that need to connect to corporate networks
- Support for IoT and IIoT sensors and devices
- Rise in volume and complexity of cyber threats


Changing Times Changed Network Access Control
The definition of Network Access Control has changed. It’s expanded to include the new technologies and policies required for securing clouds and remote users. It’s easiest to define network access control by reviewing its three subcategories or ‘functional pillars’:
- User Authentication, Authorization, and Logging
- Mobile Entry Point Security
- Security Policy Enforcement
User Authentication, Authorization, and Logging
Authentication confirms that users are who they say they are. Once authenticated, the user is granted access to the sub-networks, clouds, and applications they are authorized to use. As an example, confidential sub-networks or clouds might be restricted to engineering or human resources personnel. Confidential applications and data storage may include payroll or software code libraries. In addition to granting access, the authentication service can also log security information such as:
- User ID
- User device ID
- Contextual login data
- Log on and off date and time
- Networks and applications accessed
- Security alerts generated
We have all experienced one form or another of user authentication. Popular techniques include:
Password Authentication – Passwords and usernames are a basic form of authentication. The more complex and random the name and password, the better. Although a nuisance, many authentication settings require passwords to have a minimum number of characters. These must include both letters and numbers, upper and lower case letters, and special characters such as ?#&$%. They provide more security than a birthday or pet’s name but are still prone to theft.
Two-factor (2FA) or Multi-factor Authentication (MFA) – With 2FA, a username and a password are usually required, along with additional evidence. That may be a challenge question, such as the name of a favorite sports team or dessert. Another technique is to have a security code sent to the user’s email address, which will need to be retrieved and entered. Another common method is a time-limited code or token sent to another device such as a mobile phone. The code can be part of an instant message or provided using a secure token application. It must be entered before the predefined time limit expires.
Biometric Authentication – Biometric authentication uses fingerprint, retinal, iris, voice, or face recognition sensors to identify unique physical user characteristics. In many cases, they require special sensing equipment on the device. Many companies are incorporating biometric sensing technologies as standard features on their products.
Hardware Token Authentication – This technique requires a particular hardware device specific to the user. That can be a USB dongle, SIM card, or removable read-only solid-state drive. The device must be connected to the user’s system and is generally used as one factor in 2FA. These devices are expensive and require more management than other forms of authentication.
Transaction or Contextual Authentication – AI has added a new dimension to authentication. IT professionals can use behavior to authenticate users. Username and password are enriched with details such as the user’s local time, physical location, system ID, network IP address, operating system, etc. When a new login request is received, the transaction data is correlated with known information to authenticate the user.
Computer Recognition Authentication – This technique is similar to a hardware token. It leaves a unique software token on the system the first time the user logs in. It will look for that software token the next time the user logs in to authenticate that it is the same device and is not spoofed.
CAPTCHA – This technology was created because many authentication cyber-attacks use computers and not humans. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) displays different images to users and asks them to enter what they see. There are versions available for users who are visually impaired.
User authentication can become expensive and difficult to manage. It’s recommended to select a technique that best meets the access privileges of the user. For example, a support line representative may not require the same authentication as someone in accounts payable or payroll.
Mobile Entry Point Security
In an age of remote users and cloud applications, endpoint management and security are becoming the main focus for IT professionals.
Mobile entry point security covers a range of technologies used to protect networks from remotely connected devices. It is a subset of Endpoint Security, which protects both the network and the actual device. This material focuses on providing security at a remote point of entry to the network, which has become the target of cyber threats.
Mobile entry points support the remote workforce with secure local access regardless of where and when they work. These mobile entry points can be integrated with other local security services such as secure web gateways and firewalls. This combination provides remote users with secure direct access to the corporate network, their cloud-based applications, and the Internet.
With local mobile entry points, users get better performance and security than with public connections. For example, a local mobile entry point can be within the same city as the user, ensuring consistently high performance, whereas an entry point located in another city or across the country adds latency and degrades performance.
Depending on the location of the workforce, IT professionals can have hundreds to thousands of mobile entry points worldwide. Mobile entry points with integrated security services such as Firewall-as-a-Service and secure web gateways are generally available through global service providers.
Entry points, and all integrated services, such as access control and cybersecurity, are managed by the corporate SOC team. Entry point security policies are enforced locally by the entry point.
Entry points with integrated firewall and secure web gateway technologies provide a broad spectrum of cybersecurity services.
Authentication – As reviewed earlier, mobile entry points provide authentication, which confirms that users are who they say they are. Once authenticated, the user is granted access to the sub-networks, clouds, and applications they are authorized to use.
Secure Connection – A secure (DTLS) connection is established between the remote user and the mobile entry point to ensure encrypted communication across public networks. Some entry points also support VPNs for additional connection security with remote sites and partners.
QoS and Network Performance Monitoring – Mobile entry points can be integrated with performance monitoring services or have settings for predefined minimum QoS levels. Traffic from an overloaded, low-performing mobile entry point can be moved to another entry point with more available bandwidth.
As previously mentioned, mobile entry points can be integrated with other SOC managed local security services, such as Firewall-as-a-Service and secure web gateway services. This combination provides a more complete cybersecurity posture.
Cyber Threat Detection – All traffic is inspected for threats. Depending on policies, access is halted, and an alert is sent if a threat is detected. This could be malware from the connected device or coming from a cloud application or website.
DNS (Domain Name System) – DNS-based filtering is important when remote users are accessing the Internet. If the requested domain is on the blocklist and known to be malicious, the access request is denied.
DLP (Data Loss Prevention) – Outgoing traffic is inspected. Any communication is halted, and alerts are sent, if it contains sensitive information such as security credentials, credit card details, or controlled documents. The service options can also monitor what is accessed, retrieved, or copied, and report and block unauthorized activity.
Outbound Encryption – Confidential information leaving the network and destined for an authorized user or third party will be secured. The entire data set will be encrypted, or parts can be scrambled using tokenization to ensure confidentiality. The service can also support digital rights management and compliance management applications.
Application Usage – Remote access services can track user movement, actions, and behavior. The information provides visibility for IT professionals into how the network and cloud applications are used. It makes it easier to determine which applications are useful and gaining interest versus those that should be retired or updated. It’s also valuable to understand if users are accessing applications that are not authorized.
Mobile entry points and other integrated local security services provide IT professionals with the cybersecurity capabilities needed to protect their networks and cloud applications. They also provide users with secure and direct access to the corporate network, Internet, and cloud resources.
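The DLP inspection described above, as an added Python example that is not part of the original article or any product: outbound text is scanned for card-number candidates, each candidate is confirmed with the Luhn checksum so that arbitrary digit runs (ticket numbers, timestamps) are not flagged, and a crude credential pattern is checked. The patterns, the sample messages and the block/allow policy are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed detection patterns for the demo; production DLP uses far richer
# classifiers. Card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Credential pattern: key=value where the key names a secret.
CREDENTIAL = re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+")


@dataclass
class Finding:
    kind: str      # "card_number" or "credential"
    excerpt: str   # masked value, safe to put in an alert


@dataclass
class Verdict:
    action: str    # "allow" or "block"
    findings: list = field(default_factory=list)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_outbound(payload: str) -> Verdict:
    """Inspect one outbound message; block and report if sensitive data is present."""
    findings = []
    for m in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("card_number", mask_pan(digits)))
    for m in CREDENTIAL.finditer(payload):
        findings.append(Finding("credential", m.group(1).lower()))
    return Verdict("block" if findings else "allow", findings)


# Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test PAN.
SAMPLES = [
    "Order confirmed, card 4111 1111 1111 1111 charged",
    "Support ticket id 4111111111111112 is still open",   # Luhn-invalid: not a card
    "Deploy note: password=hunter2 for the staging box",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for text in SAMPLES:
        v = inspect_outbound(text)
        print(v.action.upper(), [(f.kind, f.excerpt) for f in v.findings], "<-", text)
```

The Luhn step is what keeps the false-positive rate tolerable: the second sample differs from a real test PAN by one digit and passes through, while the first is blocked with only its last four digits in the alert.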
Security Policy Enforcement
IT professionals must have minimum security requirements for any device attempting to connect to the network or cloud applications. Endpoint security ensures that such devices adhere to predefined security levels for malware detection, vulnerability, and intrusion protection. They may also require that all patches and upgrades for the operating system, applications, and software be installed. The inspection and validation process may be performed by a security application or agent installed on the target device. Until the process is complete, the only access provided is to resources that inspect, upgrade, and automatically remediate the device. Once the process is finished and validated, the device is granted access. Key points to consider when reviewing security policy enforcement include:
- Patches – Ensuring all software, security applications, and OS patches are current may seem tedious but is important for closing known security gaps. Patching is crucial to mitigating known vulnerabilities before attackers exploit them.
- Restricted Access – If a user is authenticated but can’t fully comply with security policies, one option is to provide them with limited access to less vulnerable networks, easy-to-recover assets, or applications such as those with read-only permission.
- Redirection – IT professionals can create special remediation sites that allow the user to safely update their devices with the most recent patches and be scanned for viruses.
- Backup – Data protection and backup can be performed during a remediation process. Applications and services are available that perform periodic scans and backups of remote devices.
- Remote Device Management Applications – Special applications are available to IT professionals that are specifically designed to aid in the management and security of remote devices.
Enforcing security policies for endpoint devices provides another safeguard. It protects both the user and the network.
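One way to implement the inspect-then-grant flow and the ‘restricted access’ and ‘redirection’ options above, as an added Python example that is not the article’s or any product’s code. The posture fields, the 30-day signature-age limit and the minimum OS version are constructed placeholders; the mapping of failed checks to access levels is one reasonable policy, not the only one.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds; real values come from the organization's baseline.
MAX_SIGNATURE_AGE_DAYS = 30
REQUIRED_OS_MIN = (10, 15)   # hypothetical minimum (major, minor) OS version


@dataclass
class DevicePosture:
    """What the inspection agent reports about a connecting device."""
    device_id: str
    user_authenticated: bool
    agent_installed: bool
    av_enabled: bool
    av_signatures_date: date
    os_version: tuple
    disk_encrypted: bool


@dataclass
class AccessDecision:
    level: str      # "deny", "remediation", "restricted" or "full"
    reasons: list   # policy checks that failed, for the audit log


def evaluate(posture: DevicePosture, today: date) -> AccessDecision:
    """Map a device's posture to an access level.

    deny        -> not authenticated, or no agent so the device cannot be inspected
    remediation -> gaps the user can fix online (stale signatures, old OS):
                   redirect to the remediation site only
    restricted  -> patched and clean, but a hard control is missing:
                   read-only / low-value resources only
    full        -> every check passed
    """
    if not posture.user_authenticated:
        return AccessDecision("deny", ["user not authenticated"])
    if not posture.agent_installed:
        return AccessDecision("deny", ["no posture agent; device cannot be inspected"])

    fixable = []
    if not posture.av_enabled:
        fixable.append("anti-malware disabled")
    elif (today - posture.av_signatures_date).days > MAX_SIGNATURE_AGE_DAYS:
        fixable.append("anti-malware signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    if posture.os_version < REQUIRED_OS_MIN:
        fixable.append("operating system below required version")
    if fixable:
        return AccessDecision("remediation", fixable)

    if not posture.disk_encrypted:
        return AccessDecision("restricted", ["disk not encrypted"])
    return AccessDecision("full", [])


# Constructed sample devices.
HEALTHY = DevicePosture("lap-01", True, True, True, date(2024, 5, 1), (11, 0), True)
STALE = DevicePosture("lap-02", True, True, True, date(2024, 1, 1), (11, 0), True)
NO_AGENT = DevicePosture("byod-03", True, False, True, date(2024, 5, 1), (11, 0), True)
UNENCRYPTED = DevicePosture("lap-04", True, True, True, date(2024, 5, 1), (11, 0), False)

if __name__ == "__main__":
    for dev in (HEALTHY, STALE, NO_AGENT, UNENCRYPTED):
        d = evaluate(dev, date(2024, 5, 10))
        print(dev.device_id, "->", d.level, d.reasons)
```

The order of the checks matters: identity and inspectability are hard gates, remediable hygiene gaps route the device to the patch site rather than denying it outright, and only then does a missing hard control narrow access instead of blocking it.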
Consider an EDR/XDR Service
Network access control has been redefined. IT professionals need to adapt their infrastructures and cybersecurity posture to address threats facing endpoint devices. Providing a global network of mobile entry points, remote user authentication, security policy enforcement, and endpoint security can be challenging for some organizations.
Many corporations have opted to use a professional cybersecurity provider instead of implementing a DIY (‘do it yourself’) plan. They rely on leading EDR / XDR (Endpoint Detection and Response / Extended Detection and Response) providers for world-class network security. As a bonus, these organizations have experienced up to a 50% reduction in cybersecurity costs.
A professional EDR / XDR service encompasses nearly all the processes, technologies, and techniques used to deter, detect, contain, and remediate cybersecurity threats and attacks. That includes endpoint devices, mobile entry points, cloud applications, compute clouds, WANs, remote sites, and networks.

Cloud Native Network Access Control
Please contact our customer advocates to learn more about our cloud-based EDR/XDR services. Learn more about a complete cybersecurity posture with MDR (Managed Detection and Response) or SASE (Secure Access Service Edge).

