Subex’s Micro-segmentation module uses a built-in Network Access Control (NAC) that leverages 802.1X technology. The NAC starts by checking whether a device is permitted to connect to a network. Based on this check, a device is either allowed or denied access.
The different aspects of NAC can be divided conceptually into functions that occur before the point of network connection, and after network connection.
Pre-Connect: Pre-Connect refers to operations performed before the endpoint is connected to the network and normal communication is established. When an endpoint attempts to connect to a network, the endpoint is identified and authenticated using identity information provided by that endpoint, such as a username and password, a certificate, or a MAC address. If this process does not confirm that the device is authorized, the network connection is denied. Enforcement can be provided by 802.1X on a device such as a switch or a wireless LAN access point, or by ARP control.
Post-Connect: If the endpoint meets the requirements of the Pre-Connect phase, it is given access to the network with a certain level of authorization. From the moment of connection, the NAC continuously monitors the endpoint for compliance with the policies set by the administrator. If and when a policy is violated, the network privileges of the endpoint may be reduced or revoked to isolate the endpoint. An agent can be used to monitor the state of the endpoint: when that state changes, the agent notifies the NAC policy server, which can then restrict network access if a violation has occurred.
Challenges addressed through network access control
Entry by unauthorized devices: networks that do not implement NAC may be accessed by any device that is plugged into a switch port or connects to a wireless access point. Even if password protection is enabled, a user may still log into the network with an unapproved device.
Lack of detailed IP tracking: most security systems leave an IP address in the audit trail but may not associate that IP with a user or a device. This means that in environments with changing IP addresses, it is difficult to determine which device or user may be responsible for a security violation tied to an IP. NAC keeps track of all connected endpoints through continuous network monitoring.
Disorganized asset management: it is difficult for administrators to accurately identify IT assets. To reduce the administrative burden, NAC can provide endpoint details such as the manufacturer, product name, device name, location (switch port or physical location), username, network connection and disconnection time, etc.
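As an added example (not part of Subex's product or its documentation), the following Python script shows how the NAC session details listed above (user, MAC, location, connection and disconnection time) let an audit-trail IP address be resolved back to the device and user that held it at the time of the event, including the case where the IP had already been released or reassigned. The session records, the audit-line format and its regular expression are constructed for illustration and are not a real NAC export format.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class NacSession:
    """One endpoint connection as a NAC policy server would record it."""
    mac: str
    user: str
    ip: str
    location: str                              # switch port or wireless AP
    connected: datetime
    disconnected: Optional[datetime] = None    # None = still connected


# Constructed sample sessions (hypothetical values, not real data).
# Note that 10.0.5.20 is reused by two different endpoints on the same day.
SESSIONS = [
    NacSession("00:11:22:33:44:01", "alice", "10.0.5.20", "sw1 Gi1/0/3",
               datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 12, 0)),
    NacSession("00:11:22:33:44:02", "bob", "10.0.5.20", "sw1 Gi1/0/7",
               datetime(2024, 1, 10, 12, 30)),
    NacSession("00:11:22:33:44:03", "carol", "10.0.5.21", "ap2 corp-ssid",
               datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 17, 0)),
]


def session_for(ip: str, when: datetime, sessions: List[NacSession]) -> Optional[NacSession]:
    """Return the session that held `ip` at `when`, or None if the IP was unassigned then."""
    for s in sessions:
        in_window = s.connected <= when and (s.disconnected is None or when < s.disconnected)
        if s.ip == ip and in_window:
            return s
    return None


# Constructed audit-trail line format: "<ISO timestamp> src=<ip> <free-form message>"
_AUDIT_RE = re.compile(r"^(\S+) src=(\S+) (.*)$")


def attribute(line: str, sessions: List[NacSession] = SESSIONS) -> dict:
    """Parse one audit line and attach the responsible user, MAC and location, if known."""
    m = _AUDIT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    when = datetime.fromisoformat(m.group(1))
    ip, msg = m.group(2), m.group(3)
    s = session_for(ip, when, sessions)
    result = {"time": when, "ip": ip, "event": msg}
    # An unattributed event means the IP was not held by any NAC-known endpoint at that time.
    result.update(user=s.user if s else None, mac=s.mac if s else None,
                  location=s.location if s else None)
    return result
```

An event from 10.0.5.20 at 10:15 resolves to alice, the same IP at 13:00 resolves to bob, and an event in the 12:00 to 12:30 gap resolves to nobody, which is exactly the ambiguity a plain IP-only audit trail cannot expose.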
Poor WLAN Security: as mobile devices such as smartphones spread into business environments, they expand the use of wireless LAN. In many networks, a shared password is used. Shared passwords are easily exposed, and because they cannot be linked to a specific user, misuse is difficult to trace. To solve this problem, an 802.1X system is required so that users authenticate with a personal password when accessing the wireless LAN. NAC supports 802.1X by default, allowing for better wireless security.
Unauthorized Access Points
As network technology develops, user endpoints can access various types of external networks in addition to the network provided by the company to which the user belongs. Problems such as leakage of internal data may arise if a user connected to the internal network creates an access point on their device that is reachable by outside entities. Data leaks may also occur if a device holding sensitive data connects to a public network. NAC monitors the WiFi networks that can be accessed from inside the company, and manages and controls which users are connected. Therefore both rogue access points and the use of non-corporate networks can be identified and blocked.
Insecure Operating Systems
NAC continuously monitors the endpoint and isolates unpatched endpoints from the network. Through network control, administrators can enforce policies that users cannot bypass.