Network Access Control (NAC)


Network access control (NAC) is a system for authenticating endpoints before they can fully connect to the network.

  • designed to mitigate risks from rogue devices and services
  • basic type of NAC can be implemented by configuring port security mechanisms
  • basic NAC solutions
    • can authenticate clients on the basis of machine certificates and/or user passwords
  • sophisticated NAC solutions
    • can enforce a health policy (aka posture checking)
      • the client must submit an attestation report
        • a trustworthy report proves that the client is running an authorized OS and has up-to-date patches and security scanner configurations
      • ensures that devices meet a minimum set of security standards before being granted network access
  • can restrict access based on user profile, device type, location, and other attributes
  • ensures users and devices can only access the resources necessary to complete their duties
  • helps in identifying and quarantining suspicious or noncompliant devices

NAC and VLANs

  • NAC and virtual local area networks (VLANs) work together to improve and automate network security
    • one way NAC integrates with VLAN protections is through dynamic VLAN assignment
      • is a NAC feature that assigns a VLAN to a device based on the user’s identity attributes, device type, device location, or health check results
      • NAC can use dynamic VLAN assignment to implement quarantine procedures
        • if a device fails a health check, the NAC system can automatically move it to a quarantine VLAN

Agent vs Agentless Configurations

  • NAC can enforce security policies using agent-based and agentless methods
    • agent-based
      • a software agent is installed on the devices that connect to the network
      • agent communicates with the NAC platform
        • providing detailed information about the device’s status and compliance level
      • can enable features such as automatic remediation
        • NAC agent can perform actions like updating software or disabling specific settings to bring a device into compliance with mandatory security configurations
      • agent can be:
        • persistent
          • it is installed as a software application on the client
        • nonpersistent
          • aka dissolvable agent
          • is loaded into memory during posture assessment but is not installed on the device
    • agentless
      • uses port-based network access control or network scans to evaluate devices
      • e.g.,
        • agentless NAC may use DHCP fingerprinting to identify the type and configuration of a device when it connects
        • or it might perform a network scan to detect open ports or active services
      • may not provide information about a device’s status as detailed as an agent can
        • but can be used with any device that connects to the network without prior configuration
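The health-policy check, dynamic VLAN assignment with quarantine, and the agent-based vs agentless distinction described above, as an added example that is not part of these notes: a minimal NAC policy engine that turns an endpoint's identity attributes and posture data into a VLAN decision. The VLAN numbers, the authorized-OS list, the patch-age threshold and the expected-port set are constructed; the RADIUS attribute names are the standard RFC 3580 ones and assume the enforcement point is an 802.1X-capable switch.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed VLAN numbers and policy thresholds; a real deployment sets its own.
VLAN_CORPORATE, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 99
AUTHORIZED_OS = {"Windows 11", "Ubuntu 22.04"}
MAX_PATCH_AGE_DAYS = 14
EXPECTED_OPEN_PORTS = {22, 443}  # anything else found by the scan is suspicious

@dataclass
class Endpoint:
    role: str                               # identity attribute: "employee" or "guest"
    has_agent: bool                         # True if a persistent/dissolvable agent reported in
    os_name: Optional[str] = None           # from the attestation report or DHCP fingerprint
    patch_age_days: Optional[int] = None    # agent-only: days since the last patch
    scanner_current: Optional[bool] = None  # agent-only: security scanner config up to date
    open_ports: set = field(default_factory=set)  # agentless: result of the network scan

def check_posture(ep: Endpoint) -> list[str]:
    """Return the list of health-policy failures (empty means compliant)."""
    failures = []
    if ep.os_name not in AUTHORIZED_OS:
        failures.append("unauthorized OS")
    if ep.has_agent:
        # Agent-based: the attestation report carries patch and scanner state.
        if ep.patch_age_days is None or ep.patch_age_days > MAX_PATCH_AGE_DAYS:
            failures.append("patches out of date")
        if not ep.scanner_current:
            failures.append("security scanner not current")
    else:
        # Agentless: only what DHCP fingerprinting and a port scan can tell us.
        unexpected = ep.open_ports - EXPECTED_OPEN_PORTS
        if unexpected:
            failures.append(f"unexpected open ports {sorted(unexpected)}")
    return failures

def assign_vlan(ep: Endpoint) -> tuple[int, str]:
    """Dynamic VLAN assignment: identity attribute first, then the health check."""
    if ep.role == "guest":
        return VLAN_GUEST, "guest role: restricted VLAN, no posture check"
    failures = check_posture(ep)
    if failures:
        return VLAN_QUARANTINE, "quarantine: " + "; ".join(failures)
    return VLAN_CORPORATE, "compliant"

def radius_vlan_attributes(vlan: int) -> dict[str, str]:
    """RFC 3580 attributes a RADIUS server returns so the switch places the port in the VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}
```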