I. Background of Network Access Control (NAC)
Network Access Control ("NAC") enforces the security of a network by restricting the availability of network resources to endpoint devices according to a defined security policy.
A typical NAC solution first detects an endpoint device as it connects to the network. Once the device is detected, the NAC server initiates authentication and a security (posture) assessment. The assessment is performed either directly, by a software agent installed on the endpoint device, or indirectly, by an external network-based scanning engine that probes the endpoint and evaluates its responses. If the endpoint device satisfies the security policy of the protected network, it is granted access according to its role or identity. A non-compliant endpoint is isolated in a quarantine segment until it has been reassessed and found to meet the security requirements. Depending on the assessed risk that the connection is a malicious attempt to access the network, the NAC solution may also suggest remediation steps to the endpoint device (for example, which failed checks caused the quarantine).
Depending on the requirements of the network environment, NAC is implemented in one of two models: agent-based or agent-less.
An agent-based NAC solution deploys a NAC agent on the endpoint device. The agent performs the security checks and authentication on the endpoint directly and reports the collected information and assessment results to the NAC server, which makes the access decision.
A common example of the agent-based model is IEEE 802.1X, a port-based network access control standard. The supplicant (client) on the endpoint authenticates to the authenticator (the switch or wireless access point), which relays the exchange to an authentication server; until authentication succeeds, the port forwards only authentication (EAPOL) traffic, so the device cannot obtain an IP address or reach any network resource. Endpoint devices and the networking equipment enforcing the policy must support 802.1X; legacy equipment that cannot run a supplicant (printers, IP phones and similar devices) is commonly accommodated with a fallback such as MAC Authentication Bypass, which is weaker because a MAC address is trivially spoofed.
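As an added worked example of the assessment and access decision described above (the detect, assess, grant-or-quarantine, remediate flow and the agent reporting posture to a NAC server), the following toy policy engine is not from the original page or any NAC product. The posture fields, the check thresholds, the role-to-VLAN mapping and the quarantine VLAN number are assumptions chosen for illustration.

```python
"""Toy NAC policy engine: posture report in, access decision out.

Added example, not from the original page. The check thresholds, VLAN
numbers and report fields are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, List, Optional, Set

# Assumed role-to-VLAN mapping for compliant endpoints, plus one quarantine
# VLAN that only reaches the remediation servers.
ROLE_VLANS = {"employee": 10, "contractor": 20, "printer": 30}
QUARANTINE_VLAN = 999


@dataclass
class PostureReport:
    """Posture as reported by an endpoint agent or inferred by a network scan.

    In a real deployment this comes from an as-yet untrusted host and must be
    treated as attacker-influenced input (signed agent, cross-checked scan).
    """
    device_id: str
    role: str                 # identity established during authentication
    os_patch_age_days: int
    antivirus_running: bool
    disk_encrypted: bool
    firewall_enabled: bool


@dataclass
class Decision:
    device_id: str
    vlan: int
    compliant: bool
    failed_checks: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


@dataclass
class Check:
    name: str
    passes: Callable[[PostureReport], bool]
    remediation: str
    roles: Optional[Set[str]] = None   # None = applies to every role


# Policy: each check, its remediation hint and the roles it applies to.
# Printers cannot run an AV agent or encrypt a disk, so those two checks
# are limited to user-facing roles (an assumed policy choice).
POLICY = [
    Check("patched", lambda r: r.os_patch_age_days <= 30,
          "Install pending OS updates"),
    Check("antivirus", lambda r: r.antivirus_running,
          "Start endpoint protection", roles={"employee", "contractor"}),
    Check("disk_encryption", lambda r: r.disk_encrypted,
          "Enable full-disk encryption", roles={"employee", "contractor"}),
    Check("host_firewall", lambda r: r.firewall_enabled,
          "Enable the host firewall"),
]


def assess(report: PostureReport) -> Decision:
    """Evaluate the report against POLICY and decide which VLAN the port gets."""
    if report.role not in ROLE_VLANS:
        # Unknown identity: isolate without telling the endpoint which checks exist.
        return Decision(report.device_id, QUARANTINE_VLAN, False,
                        ["unknown_role"], ["Contact the network administrator"])
    failed = [c for c in POLICY
              if (c.roles is None or report.role in c.roles)
              and not c.passes(report)]
    if failed:
        # Non-compliant: quarantine and hand back the remediation hints.
        return Decision(report.device_id, QUARANTINE_VLAN, False,
                        [c.name for c in failed], [c.remediation for c in failed])
    return Decision(report.device_id, ROLE_VLANS[report.role], True)


def reassess_after_remediation(report: PostureReport, **fixes) -> Decision:
    """Simulate the endpoint fixing the reported issues and being re-evaluated."""
    return assess(replace(report, **fixes))


if __name__ == "__main__":
    # Constructed sample report: an employee laptop 45 days behind on patches
    # and without disk encryption.
    laptop = PostureReport("lap-01", "employee", 45, True, False, True)
    first = assess(laptop)
    print(first)                      # quarantined, two failed checks
    second = reassess_after_remediation(laptop, os_patch_age_days=0,
                                        disk_encrypted=True)
    print(second)                     # employee VLAN, compliant
```

The role-scoped checks are what let one policy cover both user laptops and devices that cannot run an agent; the decision for an unknown role deliberately does not enumerate the policy, since the endpoint has not yet proven it is trustworthy. Whatever the agent reports should be corroborated server-side (for example by the network-based scan described above), because an attacker who controls the endpoint also controls what the agent claims.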