New Role of network access control (NAC)

Network Access Control (NAC) has a bad reputation. We need to change it. Over the past decade, NAC has encountered deployment failures and overly strict security policies, which has led many CEOs to find that their laptops cannot access the network according to the NAC implemented by the IT department.

However, the current situation has changed. Experts pointed out that NAC does not only provide access control, but also provides terminal visibility and security awareness of the environment. Enterprise Strategy Group research shows that NAC is evolving into a new platform product called terminal monitoring, access and security (EVAS), which can realize security awareness of the environment, it can provide information to other security platforms and apply specific policies of these platforms.

ESG senior director analyst Jon Oltsik pointed out that early NAC solutions will check the status of user devices, ensure they are not infected with viruses, and install the correct terminal security software, and then allow them to connect to the network. Then, NAC adds software patches and configuration checks. Now, NAC has been further developed into an EVAS platform to meet enterprises' demands for environmental security awareness. He said Cisco, Juniper, ForeScout, And Bradford have all launched such products.

The feature of EVAS is the addition of two new features. This platform can be integrated into other security and policy systems. Unlike early NAC systems, it can not only process traditional PCs, but also process a wider range of terminal devices.

Jon Oltsik said: "EVAS has been integrated into other parts of the infrastructure, including MDM [mobile device management], authentication and RADIUS servers. It not only provides analysis information, but also strengthens policies. In addition, EVAS is designed for next-generation terminal development, not just for PCs. It includes mobile terminals and some other IP devices, such as printers, control systems, medical devices, and other network devices to be monitored. It can identify devices and provide environment-related information on these devices.

Enterprises will deploy many security analysis tools, including the security and event management platform, data packet analysis, and traffic analysis. What security engineers really lack is more detailed information about these analyses. When you want to know which devices users are using, what activities they are performing, and system configurations at a specific time, a lot of information is missing and it is difficult to capture this information. EVAS can be used as an intermediate device to capture this information and provide more detailed information ." He also pointed out that EVAS can also apply policies, which cannot be implemented by the analysis platform ."

Terminal visibility and access control: is it a name change or a new technology?

Frost & Sullivan Chris Rodriguez, an analyst in the network security industry, pointed out that NAC is not necessarily a new product. However, in recent years, the customer has discovered some use cases except simple access control. This technology has added some new features. EVAS is an attempt to more accurately reflect the value of NAC ." In addition, he believes that this has changed the reputation of the NAC market in the past few years due to deployment failure. Customers have always said that using the NAC solution, they can see more things than any terminal management solution, and they see more than just the devices owned by the enterprise. It can also monitor equipment owned by employees and devices that cannot install clients, such as control systems and medical monitoring devices.

EVAS controls terminals rather than data

Although visibility and situational awareness are important, not everyone thinks that terminals are the most important element. Forrester Research head analyst John Kindervag pointed out that security providers should focus on what is truly valuable-data.

Kindervag said: "I agree with visibility, but our terminal does not need it. More data is needed on the terminal, because the number of terminals is too large. You cannot control so many terminals. We need to control what we can control, that is, Data. In order to protect data, enterprises need to detect and monitor all traffic, so that they can know what has changed. He said it would be a waste of time to worry about who has the permission to access the network. Here, traffic is very valuable. We do not need to directly access the terminal, so the traffic can tell us what happened in the terminal. This is also a more likely location for implementation. It has nothing to do with accessing the network device. We must correct this in terms of understanding. The boundary is meaningless. We need to surpass it ."

Terminal-based control also leads to a misunderstanding of security and compliance. Yes, all the people entering our network approve the access. So it's better to let them get in right. Let everyone come in from the front door, but we have to keep an eye on the data. If someone wants to change data, take measures. After you pay attention to the data, terminal protection may be affected, but do not think that this problem can be solved on the terminal.

For many years, both Kindervag and Forrester Research have believed that enterprises should adopt a "zero-Trust" security model, that is, they believe that all traffic is untrusted and should be checked and analyzed. Even if the devices authorized to connect to the network comply with the rules, they may still threaten the company's data. Therefore, enterprises must track data transmission, instead of focusing on who and what devices are accessing the network.

The NAC/EVAS vendor supports this zero-trust method. ForeScout Chief Sales Officer Scott Gordon said: "If you have an enterprise policy that requires users to activate the personal firewall, set a specific patch level, and require installation and activation of data loss protection software. Our system can dynamically verify network access. If data loss protection [DLP] is installed but not running, there may be a risk that the DLP management system will mistakenly think everything is normal. The NAC/EVAS platform detects that the terminal has not activated DLP and instructs the DLP system to notify the client of the device ."