Skip to content

Network Access Control

links: SPA TOC - Host & Network Security - Index


Network Access

Requirements

  • knowing who is using the network
  • limiting the access to networks to authorized users
  • limiting access to clean systems

MAC based Port Security

  • limiting access on switch ports to specified MAC addresses only
  • manual or automatic through "learning"
  • Disadvantages: not flexible in networks with roaming/ mobile devices, MAC addresses can be spoofed

IEEE 802.1X

  • Port-Based Network Access Control
  • restricts the use of networks/ports to authenticated and authorized devices
  • specifies a common architecture and protocols that support mutual authentication between the clients of ports (supplicant) and the switch (authenticator) using a backend (authentication server, e.g. a RADIUS server) & secures the communication between them
  • based on extensible authentication protocol (EAP) and works with any IEEE802 network technology (ethernet, wireless)

Network Access Control (NAC)

  • control access to a network with policies
  • including pre-admission endpoint security policy checks
  • and post-admission controls: where users and devices can go on a network

Goals

  • identity and access management: identify user, his node, ip address, switch-port, network segment, MAC address
  • policy enforcement: grant or deny access to a network segment
  • mitigation of zero-day attacks: deny access for unmaintained, contaminated and malicious nodes

Concepts

  • client verification: before (pre-admission) or after (post-admission) granting access
    • pre-admission: e.g. check for out-of-date antivirus signatures
    • post-admission: continuous compliance checking after device is given access
  • agent or argent less: verification of the client with or without installed client
    • agent-based: Clients need to have an agent installed to connect to the network, agent can verify security policies (antivirus signature, system updates, etc.)
    • agent-less: No agent installed, not all security policies can be verified, relies on 802.1X to authenticate devices
  • remediation: using quarantine networks/vlans
    • for devices that do not follow security policies
    • allows the user to remediate the device (e.g. install updates, etc.)

links: SPA TOC - Host & Network Security - Index