Network Access Control

Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.[citation needed] NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed. A basic form of NAC is the 802.1X standard.

img

Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

Goals of NAC

Because NAC represents an emerging category of security products its definition is both evolving and controversial. The overarching goals of the concept can be distilled as:


  • 1. Mitigation of non-zero-day attacks
  • 2. Authorization, Authentication and Accounting of network connections.
  • 3. Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP.
  • 4. Role-based controls of user, device, application or security posture post authentication.
  • 5. NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.

Cisco Identity Services Engine

Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company’s routers and switches. The purpose is to simplify identity management across diverse devices and applications.

img

Cisco ISE Features

Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:


  • Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
  • Provides for comprehensive guest access management for Cisco ISE administrators, sanctioned sponsor administrators, or both
  • Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network