Why is Network Access Control (NAC) Important?
All devices connected to a corporate or private network are a potential security risk to an organization. If a device is lacking important patches, has not installed the latest security updates, or is potentially infected with malware, then allowing it to connect to the corporate network could give an attacker a foothold on that network.
Network Access Control solutions provide organizations with the ability to enforce their security policies by blocking non-compliant devices from connecting to the network. This enables the company to manage its digital attack surface and reduce its risk of cyber threats.
Capabilities of Network Access Control (NAC)
NAC solutions should include the following core capabilities:
- Device Visibility and Profiling: NAC provides an organization with comprehensive visibility into the devices connected to its network and the ability to profile these devices and their users. This visibility can inform and enhance an organization’s endpoint security policies and incident response.
- Security Posture Checks: NAC solutions are designed to only allow authorized and compliant devices to access the corporate network and resources. This requires the ability to inspect a device and assess its security posture and compliance with corporate policies.
- Restricted Network Access: NAC solutions can totally block unauthorized or non-compliant devices from connecting to the network or provide limited access to corporate resources. This allows an organization to provide limited network access to guests, contractors, and unauthorized or risky devices.
- Security Policy Management: NAC enables an organization to manage and enforce its endpoint security policies from a central location. This makes it easier for an organization to update endpoint security policies to address evolving risks or compliance requirements.
Types of Network Access Control
Network Access Control can be implemented under two different models:
- Pre-Admission: Pre-admission NAC restricts access to the corporate network as a whole. Before a device is granted any network access, it is assessed to determine if it is authorized to access the network and compliant with corporate policies.
- Post-Admission: Post-admission NAC is designed to prevent lateral movement of a threat actor within the enterprise network. When a user or device attempts to access resources in another zone of a segmented network, they will be assessed again for authorization and compliance.
Pre-admission and post-admission NAC are not mutually exclusive, and, ideally, an organization will have solutions that implement both. This defense-in-depth approach blocks as many threats as possible from connecting to the network in the first place and attempts to identify any that slipped through the cracks before they can move laterally and gain access to additional corporate resources.
Common Use Cases for NAC
NAC enables an organization to manage access to its network and IT resources. Some common use cases for NAC include:
- Bring Your Own Device (BYOD): As remote work and BYOD policies become more common, devices not owned by the business will increasingly have access to corporate data, systems, and services. NAC enables an organization to ensure that these devices are compliant with corporate security policies before allowing them to access the corporate network.
- Internet of Things (IoT) Devices: IoT devices can bring significant benefits to the business and its employees, but they also have significant security issues, making them a common target for cybercriminals. With NAC, an organization can restrict IoT devices’ access to corporate assets, decreasing the impact of a compromised device.
- Guest/Contractor Access: Guests and contractors may have a legitimate need for access to an organization’s network but do not need access to everything. NAC solutions can limit guests’ and contractors’ access to only what is needed for their role.
- Infected Device Containment: Malware on infected devices may attempt to spread laterally through the corporate network. NAC solutions can block this spread by quarantining these devices on the network.
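The following is an added example, not Check Point's code or any NAC product's API. It models in Python the decision points described above: the security posture check and the full/restricted/quarantine outcomes listed under capabilities, the pre-admission and post-admission models, and the BYOD, IoT, guest and infected-device use cases. The device attributes, the 30-day patch threshold, the zone names and the sample inventory are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    """Network access level a NAC decision can assign to a device."""
    FULL = "full"              # corporate segment, all resources
    RESTRICTED = "restricted"  # limited segment (guests, contractors, IoT)
    QUARANTINE = "quarantine"  # remediation segment only
    DENY = "deny"              # no network access at all


@dataclass
class Device:
    """Posture attributes a NAC agent or profiler would collect (constructed)."""
    name: str
    owner: str                 # "corporate", "byod", "guest", "contractor" or "iot"
    authenticated: bool        # passed 802.1X / captive portal / MAC authentication
    os_patch_age_days: int     # days since the last security update was applied
    av_running: bool           # endpoint protection present and active
    malware_detected: bool = False


# Policy threshold assumed for this example: patches older than this are non-compliant.
MAX_PATCH_AGE_DAYS = 30


def posture_compliant(d: Device) -> bool:
    """Security posture check: patched recently, protection running, no infection."""
    return (d.av_running
            and not d.malware_detected
            and d.os_patch_age_days <= MAX_PATCH_AGE_DAYS)


def pre_admission(d: Device) -> Access:
    """Pre-admission decision: what access (if any) a device gets when it connects."""
    if not d.authenticated:
        return Access.DENY
    if d.malware_detected:
        return Access.QUARANTINE          # infected device containment
    if d.owner in ("guest", "contractor", "iot"):
        return Access.RESTRICTED          # limited access, never corporate assets
    if posture_compliant(d):
        return Access.FULL                # corporate / BYOD device that passed the check
    return Access.QUARANTINE              # non-compliant: remediation segment only


# Post-admission policy: which access levels may enter which network zone (constructed).
ZONE_POLICY = {
    "internet":     {Access.FULL, Access.RESTRICTED},
    "printers":     {Access.FULL, Access.RESTRICTED},
    "file-servers": {Access.FULL},
    "remediation":  {Access.FULL, Access.QUARANTINE},
}


def post_admission(d: Device, zone: str) -> bool:
    """Post-admission check: re-assess the device when it tries to reach another zone.

    Posture is re-evaluated with the device's *current* attributes, so a device that
    was compliant at connection time but is now infected loses access to zones it
    could previously reach, which is what blocks lateral movement.
    """
    return pre_admission(d) in ZONE_POLICY.get(zone, set())


def evaluate_all(devices):
    """Return {device name: pre-admission access level} for a batch of devices."""
    return {d.name: pre_admission(d) for d in devices}


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("corp-laptop-01", "corporate", True, 5, True),
    Device("byod-phone-07", "byod", True, 60, True),         # patches 60 days old
    Device("iot-camera-03", "iot", True, 400, False),
    Device("guest-tablet", "guest", True, 0, True),
    Device("unknown-mac", "corporate", False, 0, True),      # failed authentication
    Device("corp-laptop-02", "corporate", True, 2, True, malware_detected=True),
]

if __name__ == "__main__":
    for name, level in evaluate_all(SAMPLE_DEVICES).items():
        print(f"{name:16} -> {level.value}")
    # Lateral movement attempt: a formerly compliant laptop gets infected mid-session.
    laptop = Device("corp-laptop-01", "corporate", True, 5, True)
    print("file-servers before infection:", post_admission(laptop, "file-servers"))
    laptop.malware_detected = True
    print("file-servers after infection: ", post_admission(laptop, "file-servers"))
```

Running the script prints one access level per sample device and then shows the same laptop passing the file-server zone check before infection and failing it afterwards. In a real deployment the attributes in `Device` would come from the NAC agent or profiler and the outcome would be enforced as a VLAN or ACL assignment on the switch, wireless controller or gateway; the decision logic itself is what the example isolates.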
Network Access Control with Check Point
Network Access Control solutions provide organizations with control over the devices that are connected to the corporate network. With NAC, companies can block non-compliant devices entirely or restrict their access to corporate assets.
Check Point solutions integrate with NAC and identity solutions to address common NAC use cases. Additionally, Check Point solutions offer key capabilities for NAC, including:
- Built-in remote access device security posture checks in Harmony Endpoint and Harmony Connect Remote Access ZTNA enforce zero trust access to corporate resources and applications.