Network Access Control

Posted by in Security+ | 0 comments

Network Access Control

The Security+ exam expects you to have an understanding of what network access control is, and some basic methods used to implement network access control. In short, network access control does just what it sounds like: it controls access to a network. Firewalls also control access to networks using rules within access control lists.

Note: This blog is an excerpt from the
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.

 

Network Access Control

Allowing access to your private network can expose your network to a significant number of risks from the clients. If an employee VPNs into the network with a computer infected with malware, this computer can then infect other computers on the internal network. Network access control (NAC) methods can inspect clients and prevent them from accessing the network if they don’t pass the inspection.

Most administrators have complete control over computers in their network. For example, they can ensure the clients have up-to-date antivirus software installed, operating systems have current patches applied, and their firewalls are enabled. However, administrators don’t have complete control of computers employees use at home or on the road.

Network access control provides a measure of control for these other computers. It ensures that clients meet predetermined characteristics prior to accessing a network. NAC systems often use health as a metaphor indicating that a client meets these predetermined characteristics. Just as doctors can quarantine patients with certain illnesses, network access control can quarantine or isolate unhealthy clients that don’t meet the predefined network access control conditions.

Network access control includes the following components:

  • Inspection and control. NAC inspects clients to ensure they meet specific predefined health conditions, such as being up-to-date and are running antivirus software. NAC grants access to healthy clients, but restricts network access to clients not meeting predefined conditions.
  • Authentication. Clients provide credentials for authentication when they try to connect. Based on the proven identity, the NAC can grant or block access.

Security+ Practice Test Questions

SY0-501 Practice Test Questions 

Over 300 realistic Security+ practice test questions

All questions include explanations so you'll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Pass the Security+ Exam

the First Time You Take It

Multiple quiz formats to let you use these questions based on the way you learn.
  • Learn mode - randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Learn mode - not randomized. View each of the questions in the same order. Use this if you want to make sure that you see all of the questions. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Test mode - randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - not randomized. View each of the questions in the same order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.

Get the full bank of SY0-501 Practice Test Questions Here

 SY0-501 Practice Test Questions


INCLUDES QUESTIONS TO HELP YOU PREPARE

FOR THE NEW PERFORMANCE BASED QUESTIONS 

Bonus - Performance Based Questions

Three sets of performance-based questions including over 30 questions. These questions show you what you can expect in the live exam. They include drag and drop, matching, sorting, and fill in the blank questions. See a demo here.

Bonus - Extra Practice Test Questions

New multiple-choice questions in the extra test bank. Questions are added occasionally. You can see what has been added recently here.

Get the full bank of Security+ (SYO-501) Practice Test Questions Here

Get the full bank of Security+ Practice Test Questions

Click here if you're looking for SY0-501 Full Study Package

Security+ Full Access Package

Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you're ready no matter what study guide you're using.

This exam is expensive.

Make sure you're ready before exam day. 

Here's what you'll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you'll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Over 40 new multiple-choice questions we've added after publishing the study guide.
  • Over 30 performance-based questions. See a demo here.
  • All of the flashcards from the study guide. View them in any Web browser.
  • All of the audio from the study guide. Listen to a sample here.
  • Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here


Inspection and Network Access Control

Many NAC systems can inspect any client that attempts to access a network. Administrators set predefined conditions for healthy clients, and those that meet these preset conditions can access the network. The NAC system isolates computers that don’t meet the conditions. Common health conditions checked by a NAC are:

  • Up-to-date antivirus software, including updated signature definitions
  • Up-to-date operating system, including current patches and fixes
  • Firewall enabled on the client

NAC clients have authentication agents (sometimes called health agents) installed on them. These agents are applications or services that periodically check different conditions on the computer and document the status in a statement of health. When a client connects to a NAC-controlled network, the NAC system queries the client’s authentication agent. The user is prompted for credentials, and the agent also provides the statement of health.

However, if the client isn’t running the necessary authentication agent, it won’t be prompted for credentials and will never gain access to the network.

Consider the following figure. When a VPN client accesses the network, the VPN server queries the NAC health server to determine required health conditions. The VPN server also queries the client for a statement of the client’s health. As long as the client meets all health requirements, NAC allows the client to access the network.

Network access control - Security+

However, if a client doesn’t meet the health conditions mandated by the NAC server, the VPN server redirects the client to a remediation network (also called a quarantine network). The remediation network includes resources the client can use to get healthy. For example, it would include current approved patches, antivirus software, and updated virus signatures. The client can use these resources to improve its health and then try to access the network again.

While NAC can inspect the health of VPN clients, you can also use it to inspect the health of internal clients. For example, internal computers may occasionally miss patches and be vulnerable. NAC will detect the unpatched system and quarantine it. If you use this feature, it’s important that the detection is accurate. In at least one situation, the NAC identified healthy clients as unhealthy and prevented these healthy systems from accessing the network.

Similarly, your organization may allow visitors or employees to plug in their mobile computers to live wall jacks for connectivity, or connect to a wireless network. NAC inspects the clients, and if they don’t meet health conditions, they may be granted Internet access through the network but remain isolated from any other network activity.

Remember this

Network access control (NAC) includes methods (such as health agents) to inspect clients for health. NAC can restrict access of unhealthy clients to a remediation network. You can use NAC for VPN clients and for internal clients. MAC filtering is a form of NAC.

MAC Filtering

Media access control (MAC) filtering is a form of network access control. You can restrict access to any network using the MAC address. As an example, port security is a form of network access control. You can map the MAC address to specific physical ports on a switch to control what devices have access.

Additionally, you can configure a NAC system to restrict access to any network based on the MAC address. For example, you can use it to predefine what clients can connect to a network with a VPN.

It’s worth stressing that MAC filtering is not an effective control in a wireless network since it attackers can easily circumvent it. Attackers can eavesdrop on wireless transmissions and then spoof allowed MAC addresses. However, MAC filtering is more effective in nonwireless networks since it is more difficult for an attacker to discover authorized MACs.

Security+ Full Access Package

Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you're ready no matter what study guide you're using.

This exam is expensive.

Make sure you're ready before exam day. 

Here's what you'll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you'll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Over 40 new multiple-choice questions we've added after publishing the study guide.
  • Over 30 performance-based questions. See a demo here.
  • All of the flashcards from the study guide. View them in any Web browser.
  • All of the audio from the study guide. Listen to a sample here.
  • Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Other Security+ Study Resources

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!

Get Certified Get Ahead is a participant in the Amazon Services LLC Associates Program,
an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Copyright © 2020 Get Certified Get Ahead. All Rights Reserved.