What is network access control (NAC)? 

What are the capabilities of network access control?

The main function of network access control is limiting network access to users and also to determine which users should have access to specific areas of the network. Therefore, a visitor may connect to a general area of the corporate network but be stopped if trying to access internal resources.

An NAC solution can also stop employees from accessing resources for which they don’t have authorization. In this way, even if an employee accesses the intranet, this doesn’t mean they can access sensitive customer data unless their role authorizes them.

Besides restricting user access, the NAC can also prevent access from endpoints that don’t comply with security policies. These controls ensure that a malicious file cannot enter the network from an unauthorized device. Furthermore, every employee device used for corporate purposes must comply with corporate security policies (for instance, allowing two-factor authentication) before receiving authorization to access the network.

To achieve full NAC capabilities, an organization needs to build their access control system holistically. It must cover the entire scope of the organization’s IT environment, including bringing previously unmanaged devices under management. This tool also should integrate your organization’s existing access protocols. Many modern NAC solutions consider not only the devices, but the protocols and tools the network needs for comprehensive protection.

Network access control types

There are two basic types of network access control solutions, pre- and post-admission.

• Pre-admission: This type of NAC works by controlling access at the time a user or device requests admission to the network. This type of control evaluates the attempt and allows entry when the user requesting access proves they’re authorized to enter the network according to the organization’s security policies.
• Post-admission: This type of network access control happens after the user is inside the network, when they try to access another part of it. The post-admission NAC presents an added layer of security. If an attacker bypasses the pre-admission layer, the post-admission layer can stop lateral movement and limit the damage of an ongoing cyber-attack. With this type of NAC, the user needs to authenticate each time they want to move to another part of the network.

Benefits of an NAC solution

Network Access Control assures organizations that any user who accesses their network, resources, data, or devices is verified and authorized to do so. Controlling who enters your network is a fundamental first step to protect your organization’s sensitive data and applications from malicious activities.

NAC is different from other barrier security methods in that it offers centralized management of security policies and executes previously set requirements. By doing so, the network access control solution delivers consistent access control through all endpoints trying to connect to a network—all while giving administrators a centralized ability to grant or revoke access on a granular basis.

These solutions won’t be suitable for every organization because the implementation can be time consuming. However, the benefits outweigh the drawbacks, as it can provide a comprehensive layer of protection around sensitive data and assets.

Because organizations not only need to keep bad actors out of their network but prevent authorized use from being exploited for malicious purposes, an NAC solution provides the visibility and control needed over the devices and users accessing the network. It controls not only who can enter the network but manages access for users who are already inside the network, in compliance with security policies.

Use cases for network access control

NAC versatility makes it suitable for a wide range of scenarios and use cases:

1. BYOD environment
As more companies rely on remote work, Bring-Your-Own-Device is becoming more common. The challenge of BYOD is that CISOs have to find a way to provide secure network access to thousands of different, unmanaged devices. Remote or hybrid staff and third-party contractors use an array of devices—tablets, desktops, laptops, and smartphones—to connect to the company network. This makes endpoint and network security incredibly complex.

Adding Internet of Things (IoT) devices to this already complex scenario means you need an NAC system to also identify and categorize those devices. The increasing use of smart sensors for monitoring utilities and security systems will also increase the demand for Network Access Control.

The risk is especially high with mobile devices such as tablets, smartphones, and laptops. These personal devices don’t usually have installed enterprise level mobile device management and security. In addition, it is pretty common for users to disable security features or install applications of dubious security. The dangers become even greater when these mobile devices connect to public networks, such as those offered in airports, public libraries, and coffee shops.

All these conditions make it especially challenging for organizations to provide users secure access to the network while managing network security threats.

2. Giving role-based network access to third parties
Another difference between NAC and other security technologies that either allow or deny access to a network is that NAC has the advantage of granting network access at a granular level. Manual management of roles and permissions is resource-intensive and inefficient. When NAC solutions integrate with role-based network access systems such as active directory controls, the management of roles and permissions can be executed with greater control and flexibility.

Weak security protocols in network access are one of the most common vulnerabilities found in penetration tests. An NAC solution can help by providing access to sensitive data only for authorized users. Giving direct access to the resources minimizes network shares, mitigating another common risk.

3. Reducing the risk of advanced persistent threats
Although network access control solutions don’t usually have specific functions to detect and stop APT intrusions, they can play a role in mitigating the potential impacts of an APT attack. NAC systems can stop the attacker from connecting to the network, and by integrating with APT detection solutions, can help isolate compromised systems before attackers can infiltrate deeper into the network.

NAC can also play a role in preventing supply-chain attacks by restricting access to the network of a compromised third party and limiting the lateral movement of attackers in the event of a breach.

Citrix NAC solutions

Cybersecurity risks are on the rise as organizations become more distributed, with threats coming from unmanaged devices, personal BYOD, and third parties such as vendors and clients. Citrix secure access solutions provide comprehensive protection to corporate networks and systems. All tools in the unified secure access solution from Citrix integrate to provide a cloud-delivered stack based on the zero trust approach that strengthens the organization’s security posture.

• Citrix Secure Private Access simplifies and secures access to all applications with a reliable VPN alternative. It increases your scalability, enabling fast onboarding for remote workers. Citrix Secure Private Access securely supports BYOD and unmanaged devices, improving your security posture. This solution enables zero trust network access (ZTNA) delivery to all applications, such as web, SaaS and client-server, on premises or in the cloud. Thus, this tool is essential to prevent network-level attacks.

Additional resources