Network Access Control
The Security+ exam expects you to have an understanding of what network access control is, and some basic methods used to implement network access control. In short, network access control does just what it sounds like: it controls access to a network. Firewalls also control access to networks using rules within access control lists.
Note: This blog is an excerpt from the
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.
Network Access Control
Allowing access to your private network can expose your network to a significant number of risks from the clients. If an employee VPNs into the network with a computer infected with malware, this computer can then infect other computers on the internal network. Network access control (NAC) methods can inspect clients and prevent them from accessing the network if they don’t pass the inspection.
Most administrators have complete control over computers in their network. For example, they can ensure the clients have up-to-date antivirus software installed, operating systems have current patches applied, and their firewalls are enabled. However, administrators don’t have complete control of computers employees use at home or on the road.
Network access control provides a measure of control for these other computers. It ensures that clients meet predetermined characteristics prior to accessing a network. NAC systems often use health as a metaphor indicating that a client meets these predetermined characteristics. Just as doctors can quarantine patients with certain illnesses, network access control can quarantine or isolate unhealthy clients that don’t meet the predefined network access control conditions.
Network access control includes the following components:
- Inspection and control. NAC inspects clients to ensure they meet specific predefined health conditions, such as being up-to-date and are running antivirus software. NAC grants access to healthy clients, but restricts network access to clients not meeting predefined conditions.
- Authentication. Clients provide credentials for authentication when they try to connect. Based on the proven identity, the NAC can grant or block access.
Inspection and Network Access Control
Many NAC systems can inspect any client that attempts to access a network. Administrators set predefined conditions for healthy clients, and those that meet these preset conditions can access the network. The NAC system isolates computers that don’t meet the conditions. Common health conditions checked by a NAC are:
- Up-to-date antivirus software, including updated signature definitions
- Up-to-date operating system, including current patches and fixes
- Firewall enabled on the client
NAC clients have authentication agents (sometimes called health agents) installed on them. These agents are applications or services that periodically check different conditions on the computer and document the status in a statement of health. When a client connects to a NAC-controlled network, the NAC system queries the client’s authentication agent. The user is prompted for credentials, and the agent also provides the statement of health.
However, if the client isn’t running the necessary authentication agent, it won’t be prompted for credentials and will never gain access to the network.
Consider the following figure. When a VPN client accesses the network, the VPN server queries the NAC health server to determine required health conditions. The VPN server also queries the client for a statement of the client’s health. As long as the client meets all health requirements, NAC allows the client to access the network.
However, if a client doesn’t meet the health conditions mandated by the NAC server, the VPN server redirects the client to a remediation network (also called a quarantine network). The remediation network includes resources the client can use to get healthy. For example, it would include current approved patches, antivirus software, and updated virus signatures. The client can use these resources to improve its health and then try to access the network again.
While NAC can inspect the health of VPN clients, you can also use it to inspect the health of internal clients. For example, internal computers may occasionally miss patches and be vulnerable. NAC will detect the unpatched system and quarantine it. If you use this feature, it’s important that the detection is accurate. In at least one situation, the NAC identified healthy clients as unhealthy and prevented these healthy systems from accessing the network.
Similarly, your organization may allow visitors or employees to plug in their mobile computers to live wall jacks for connectivity, or connect to a wireless network. NAC inspects the clients, and if they don’t meet health conditions, they may be granted Internet access through the network but remain isolated from any other network activity.
Network access control (NAC) includes methods (such as health agents) to inspect clients for health. NAC can restrict access of unhealthy clients to a remediation network. You can use NAC for VPN clients and for internal clients. MAC filtering is a form of NAC.
Media access control (MAC) filtering is a form of network access control. You can restrict access to any network using the MAC address. As an example, port security is a form of network access control. You can map the MAC address to specific physical ports on a switch to control what devices have access.
Additionally, you can configure a NAC system to restrict access to any network based on the MAC address. For example, you can use it to predefine what clients can connect to a network with a VPN.
It’s worth stressing that MAC filtering is not an effective control in a wireless network since it attackers can easily circumvent it. Attackers can eavesdrop on wireless transmissions and then spoof allowed MAC addresses. However, MAC filtering is more effective in nonwireless networks since it is more difficult for an attacker to discover authorized MACs.
Other Security+ Study Resources
- Security+ blogs organized by categories
- Security+ blogs with free practice test questions
- Security+ blogs on new performance based questions
- Mobile Apps: Apps for mobile devices running iOS or Android
- Audio Files: (Learn by listening with over 4 1/2 hours of audio on Security+ topics)
- Flashcards: 31 Security+ Topic flashcards and 17 Security+ acronyms flashcards (free samples)
- Quality Practice Test Questions: Over 475 quality Security+ practice test questions with full explanations
- Full Security+ Study Packages: Quality practice test questions, audio, and Flashcards)