What is network access control (NAC)? 

Network access control (NAC) is a group of tools and methodologies aimed at improving the security, visibility, and access management of a network. NAC tools monitor and control access to network resources according to a defined security policy.

Network access control also protects endpoints with antivirus, advanced firewalls, and anti-intrusion software.

What does network access control (NAC) do?

Network access control enhances the security, visibility, and access management of a corporate network. It restricts network access to users and devices based on a preconfigured security policy.

Typically, NAC solutions include endpoint security protection such as antivirus software, vulnerability assessment, authentication methods, and firewalls. Network access control works on LAN and wireless networks by finding and identifying the devices connected to and trying to connect to the corporate system. Administrators will determine security policies and protocols, which will differ according to preset criteria. For example, different user roles and different devices will have different permissions. Administrators can also grant, revoke, or quarantine access if necessary.

What are the capabilities of network access control?

The main function of network access control is controlling network access and determining which areas of the network users should be able to access. For example, a developer would have access to specific developer tools, and a user in HR would have access to employee data. An NAC solution can also stop employees from accessing resources for which they don’t have authorization. It limits employee access on the corporate intranet, so only those in roles that need access to sensitive customer data can access it.

Besides restricting user access, NAC can also prevent access from endpoints that don’t comply with security policies. These controls help reduce the risk of an attack from an unauthorized or compromised device. Furthermore, every employee device used for corporate purposes must comply with corporate security policies (for instance, completing two-factor authentication) before accessing the network.

To achieve full NAC capabilities, an organization needs to build its access control system holistically. It must cover the entire scope of the organization’s IT environment, including bringing previously unmanaged devices under management. Many modern NAC solutions consider not only the devices but also the existing access protocols and tools the network needs for comprehensive protection.

Network access control types

There are two basic types of network access control solutions, pre- and post-admission.

  • Pre-admission: This type of NAC works by controlling access at the time a user or device requests admission to the network. This type of control evaluates the attempt and allows entry when the user requesting access proves they’re authorized to enter the network according to the organization’s security policies.
  • Post-admission: This type of network access control happens after the user is inside the network, when they try to access another part of it. The post-admission NAC presents an added layer of security. If an attacker bypasses the pre-admission layer, the post-admission layer can stop lateral movement and limit the damage of an ongoing cyber-attack. With this type of NAC, the user needs to authenticate each time they want to move to another part of the network.
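
The two admission stages can be sketched as a small policy evaluator. This is an added example, not Citrix code: the role-to-segment map, the posture fields and the function names are hypothetical, chosen to match the developer/HR and quarantine cases described on this page.

```python
from dataclasses import dataclass

# Constructed policy: role -> network segments that role may reach.
ROLE_SEGMENTS = {
    "developer": {"dev-tools"},
    "hr": {"employee-data"},
}

@dataclass(frozen=True)
class Endpoint:
    user: str
    role: str
    authenticated: bool       # user proved identity (e.g. two-factor)
    antivirus_running: bool   # device posture checks
    os_patched: bool

def pre_admission(ep: Endpoint) -> str:
    """Decide at connection time: 'deny', 'quarantine' or 'allow'."""
    if not ep.authenticated or ep.role not in ROLE_SEGMENTS:
        return "deny"         # unknown user or role never gets in
    if not (ep.antivirus_running and ep.os_patched):
        return "quarantine"   # known user, non-compliant device
    return "allow"

def post_admission(ep: Endpoint, segment: str) -> bool:
    """Re-check on every move to another segment after admission."""
    if pre_admission(ep) != "allow":
        return False          # identity or posture no longer passes
    return segment in ROLE_SEGMENTS[ep.role]

if __name__ == "__main__":
    # Constructed sample endpoints.
    dev = Endpoint("dana", "developer", True, True, True)
    stale = Endpoint("dana", "developer", True, True, False)
    print(pre_admission(dev), post_admission(dev, "dev-tools"))
    print(post_admission(dev, "employee-data"))  # lateral move refused
    print(pre_admission(stale))                  # unpatched device
```

Because `post_admission` repeats the identity and posture check before consulting the role map, a device that falls out of compliance after joining loses access to every segment, not only to new ones.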

Benefits of an NAC solution

Network access control ensures that any user who accesses an organization’s network, resources, data, or devices is verified and authorized to do so. Controlling who enters your network is a fundamental first step to protecting your organization’s sensitive data and applications from malicious activities.

NAC is different from other barrier security methods in that it offers centralized management of security policies and executes previously set requirements. This solution delivers consistent access control across all endpoints trying to connect to the corporate network—all while giving administrators the centralized ability to grant or revoke access.

Because organizations not only need to keep bad actors out of their network but prevent authorized use from being exploited for malicious purposes, an NAC solution provides the visibility and control needed over the devices and users accessing the network. It controls not only who can enter the network but manages access for users who are already inside the network, in compliance with security policies.

Use cases for network access control

NAC versatility makes it suitable for a wide range of scenarios and use cases:

1. BYOD environment
As more companies rely on remote work, Bring-Your-Own-Device is becoming more common. The challenge of BYOD is that CISOs have to find a way to provide secure network access to thousands of different, unmanaged devices. Remote or hybrid staff and third-party contractors use an array of devices—tablets, desktops, laptops, and smartphones—to connect to the company network. This makes endpoint and network security incredibly complex.

Adding Internet of Things (IoT) devices to this already complex scenario means you need an NAC system to also identify and categorize those devices. The increasing use of smart sensors for monitoring utilities and security systems will also increase the demand for Network Access Control.

The risk is especially high with mobile devices such as tablets, smartphones, and laptops. These personal devices may not have up-to-date operating systems, and IT has limited visibility into the health of the devices without a unified endpoint management solution. In addition, it is common for users to disable security features or install applications that are blacklisted on managed devices. The dangers become even greater when these mobile devices connect to public networks, such as those offered in airports, public libraries, and coffee shops.

All these device types make it especially challenging for organizations to provide users with secure access to the network while managing network security threats.

2. Giving role-based network access to third parties
Another difference between NAC and other security technologies that either allow or deny access to a network is that NAC can grant network access at a granular level. Manual management of roles and permissions is resource-intensive and inefficient. When NAC solutions integrate with role-based network access systems such as Active Directory controls, the management of roles and permissions can be executed with greater control and flexibility.

Weak security protocols in network access are one of the most common vulnerabilities found in penetration tests. An NAC solution can help by providing access to sensitive data only for authorized users. Giving direct access to the resources minimizes network shares, mitigating another common risk.

3. Reducing the risk of advanced persistent threats (APT)
Although network access control solutions don’t usually have specific functions to detect and stop APT intrusions, they can play a role in mitigating the potential impacts of an APT attack. NAC systems can stop the attacker from connecting to the network, and by integrating with APT detection solutions, can help isolate compromised systems before attackers can infiltrate deeper into the network.

NAC can also play a role in preventing supply-chain attacks by restricting access to the network of a compromised third party and limiting the lateral movement of attackers in the event of a breach.

Citrix NAC solutions

Cybersecurity risks are rising as organizations become more distributed, with threats coming from unmanaged devices, personal devices, and third parties such as vendors and clients. Citrix secure access solutions provide zero trust network access and endpoint protection to corporate networks and systems.

  • Citrix Secure Private Access simplifies and secures access to all applications with a reliable VPN alternative. It increases your scalability, enabling fast onboarding for remote workers. Citrix Secure Private Access securely supports BYOD and unmanaged devices, improving your security posture. This solution enables zero trust network access (ZTNA) delivery to all applications, such as web, SaaS and client-server, on premises or in the cloud. Thus, this tool is essential to prevent network-level attacks.
  • NetScaler helps deliver secure access to applications on any device, over any network, with policy-based access and advanced access controls for BYOD.
  • Citrix Endpoint Management provides additional security policies for more advanced mobile device management and context-aware security. Citrix also offers support for all major mobile devices, so no matter how your employees work, you can secure their access to your corporate network.