For optimal network and data security, Network Access Control (NAC) is ideal.
It offers protection from unauthenticated users connecting from a variety of sources, such as wireless devices and mobile phones. However, NAC is a broad concept, and there are a number of related aspects which network administrators need to consider before deploying it.
The first factor is determining the right type of security policy enforcement, and then the type of NAC solution that is most appropriate for a particular network.
There are two dominant design philosophies in NAC today, and they differ in how security policy is enforced.
The NAC approach depends on whether policies are enforced before the end-station begins accessing the network or after.
If you want NAC to enforce security policy before access begins, this is called Pre-Admission NAC.
In such a mechanism, end-stations are checked before being allowed onto the network.
Typically, pre-admission NAC is used to keep out users or clients whose anti-virus software is out of date.
This is important because such out-of-date anti-virus software is usually incompatible with sensitive servers.
If you want to deploy the version where security policy is enforced after user access begins, Post-Admission NAC is the right mechanism.
It makes policy enforcement decisions by examining user actions once users are connected and have been granted access to the network.
There are basically three types of NAC: Reactive, Proactive and Prohibitive.
The figure below shows the differences between these three types.
Generally, Reactive NAC solutions operate on a Negative Enforcement Model.
This means that all communication is allowed until traffic matches a negative or malicious pattern reported by the IDS.
Since reactive NAC does not need client software on the end-point, it is easier to implement, especially in large networking environments with diverse operating system platforms.
The drawback is that it is a reactionary solution and offers no preventive measures for validating end-point status.
Moreover, the level of authentication offered by reactive solutions is lower than that of other NAC solutions.
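To make the pre-admission and post-admission enforcement points described above concrete, here is a small policy engine written as an added example (not code from the original article): a pre-admission posture check sends clients with stale anti-virus signatures to a remediation VLAN, and a post-admission reactive rule, following the negative enforcement model, quarantines an already-admitted endpoint once the IDS reports a match. The VLAN numbers, the signature-age threshold and the MAC addresses are constructed assumptions.

```python
"""Toy NAC policy engine (added example, not from the original article).
Models pre-admission posture checks and post-admission reactive quarantine
driven by IDS verdicts. VLAN ids, threshold and MACs are assumptions."""
from dataclasses import dataclass, field

PRODUCTION_VLAN = 10        # assumed VLAN for compliant, admitted clients
REMEDIATION_VLAN = 99       # assumed isolated VLAN for stale or quarantined clients
MAX_SIGNATURE_AGE_DAYS = 7  # assumed freshness threshold for anti-virus signatures


@dataclass
class Endpoint:
    mac: str
    av_signature_age_days: int
    has_agent: bool


@dataclass
class NacEngine:
    state: dict = field(default_factory=dict)  # mac -> currently assigned VLAN

    def pre_admission(self, ep: Endpoint) -> int:
        """Pre-admission NAC: decide the VLAN before access begins."""
        stale = ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS
        # No agent or out-of-date anti-virus: isolate the client before it can reach sensitive servers.
        vlan = REMEDIATION_VLAN if (stale or not ep.has_agent) else PRODUCTION_VLAN
        self.state[ep.mac] = vlan
        return vlan

    def post_admission(self, mac: str, ids_alert: bool) -> int:
        """Post-admission NAC (negative enforcement model): traffic is allowed
        until the IDS reports a malicious pattern, then the endpoint is quarantined."""
        if mac not in self.state:
            raise KeyError(f"{mac} was never admitted")
        if ids_alert:
            self.state[mac] = REMEDIATION_VLAN
        return self.state[mac]


def run_scenario() -> dict:
    """Constructed scenario: three clients connect, one later trips the IDS."""
    nac = NacEngine()
    nac.pre_admission(Endpoint("aa:bb:cc:00:00:01", av_signature_age_days=2, has_agent=True))
    nac.pre_admission(Endpoint("aa:bb:cc:00:00:02", av_signature_age_days=30, has_agent=True))
    nac.pre_admission(Endpoint("aa:bb:cc:00:00:03", av_signature_age_days=0, has_agent=True))
    nac.post_admission("aa:bb:cc:00:00:01", ids_alert=True)   # admitted client turns bad
    nac.post_admission("aa:bb:cc:00:00:03", ids_alert=False)  # clean traffic stays admitted
    return dict(nac.state)
```

Running `run_scenario()` leaves the stale client and the client that tripped the IDS in the remediation VLAN, while the compliant, clean client stays in production.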
Proactive NAC is a toned-down combination of prohibitive and reactive NAC.
A majority of Proactive NACs offer both pre-connect and post-connect examination as well as light remediation features.
The biggest advantage of Proactive solutions is their enhanced visibility into the endpoint and their ability to trace specific users.
For enterprise environments, proactive solutions tend to be the most feasible, since such networks need to accommodate diverse types of users and operating systems.
In such a scenario, maintaining visibility into end-points and enforcing end-point integrity policies is fundamental.
One significant disadvantage of proactive NACs is that they require configuration of remediation options as well as captive portals for authenticating users or devices and installing the agents.
Prohibitive NACs are the most aggressive of the three types and usually require a Layer 2 enforcement mode, initiated through 802.1X, for optimal port security.
Due to this, control over security policy enforcement and users is more granular than with NACs that rely on MAC-based mechanisms.
Prohibitive solutions are highly dependable and offer optimal security.
Therefore, they are very useful for sensitive and regulated industries where strict user auditing and enforcement of control policies is mandatory.
The only problem usually faced when deploying prohibitive solutions is their complicated configuration and maintenance.
The required infrastructure is extensive, including RADIUS and directory servers for 802.1X, and can therefore be difficult to install and manage.