Network Access Control Computer Science Essay


Abstract- Network Access Control (NAC) is an approach for enforcing an organization's security policies on all devices seeking network access. NAC allows only compliant and trusted endpoint devices, such as PCs, laptops, and PDAs, onto the network, restricting the access of noncompliant devices and thereby limiting the potential damage from emerging security threats and risks. NAC provides a powerful, role-based method of preventing unauthorized access and improving network resiliency.

Keywords- Network Access Control, Security, LAN, VPN, Computer Networks, Wireless Networks


Generic network access control at its core is a simple concept: who you are should govern what you are allowed to do on the network. NAC, then, is simply the hardware and software that together let you enforce access control policies based on "who you are" [1].

When all of the parts are in place, NAC is a way to apply a policy for network access across LAN, wireless and VPN infrastructures. The access-control policy in NAC can range from simple, such as a go/no-go decision on network access or a choice of virtual LANs, to complex, such as a set of per-user firewall rules defining which parts of the network are accessible.

Antivirus software helps defend against threats and firewalls limit access from outside the network. However, neither can defend against all the malware introduced by insecure devices connecting to a network. Network administrators are faced with increasingly sophisticated threats. At the same time, they have to provide network access for many sources, from highly mobile employees to contractors, vendors, and even customers. In the process, they face perhaps no bigger security challenge than keeping infected or insecure laptops, PCs, PDAs, and other devices off their networks.

The growing number of security threats is helping to drive increased NAC adoption, said Steve Hanna [2], co-chair of the TCG's Trusted Network Connect Work Group and a Juniper Networks distinguished engineer. Moreover, pervasive computing is becoming a reality, making network communications and their supporting infrastructure an attractive target for attackers, noted University of Tulsa assistant professor Mauricio Papa [2].

For example, he explained, companies often must give contractors and guests access to corporate networks or the Internet while they are at corporate offices. They also must enable increased mobility and remote network access for employees, he added. And, he said, various types of organizations that handle sensitive data, such as those in the healthcare and financial industries, frequently must meet governmental requirements that they control and document who has network access.


According to Forrester's Whiteley [2], there are three types of NAC systems. Host-based systems use firewall-like software installed on a client that limits its ability to access network resources. Appliance-based systems, the most popular, run on specialized hardware. Infrastructure-based systems leverage existing switches, routers, network firewalls, VPN gateways, and so on.

According to Whiteley [2], NAC architectures feature three principal pieces: a host checker, a policy manager, and a policy enforcer.

Host checkers can be implemented in software running on servers or in appliances. They gather information about devices trying to connect to a network so that the NAC system can make access-related decisions. For example, host checkers can profile a device by scanning traffic coming to or from it, explained Whiteley [2]. Some products automatically scan computers and networked devices throughout the day, not just when they request access, to determine whether they still conform to security policies, Clark [2] added. This approach is known as posture compliance.

Policy managers determine the level of network access a device will have based on its evaluation by the host checker, according to Whiteley [2]. For example, if a host checker reports that a laptop doesn't have the latest OS updates, the policy manager can deny access or quarantine it. In the latter case, the system can use a router or switch to send the device to a restricted area of the network and limit its access to that area.

Policy enforcers are the various mechanisms that, working with the NAC system, carry out the policy manager's decisions. For example, a firewall can keep a device from accessing a network altogether, while switches and routers can restrict access to specific areas. The system can also enforce decisions via appliances, as well as servers using the Dynamic Host Configuration Protocol, noted Whiteley [2]. DHCP assigns dynamic or static IP addresses to devices on a network. Because devices need an assigned address to connect to a network, NAC systems can link the DHCP server to the network infrastructure to make sure that only "safe" devices get one. The systems can also use DHCP to assign addresses that place devices with problems on a quarantine network.

Authentication plays an important role in NAC by verifying that users trying to access a network are who they say they are and by identifying which levels of network access they should have. For example, a contractor working with a corporation could have access to the parts of a network dealing with the project they are working on but not to the company's financial data. Among other approaches, NAC systems can leverage IEEE 802.1X, which provides network access control by authenticating devices attached to a LAN port.

Fig.1 [2] Network-access-control products scan devices, and their users, trying to connect to a network for security threats and other problems. The systems then either deny or limit access by potentially insecure devices. This is designed to help defend networks from external and internal threats.


Looked at from a broader perspective, Network Access Control is a security issue, so the initial approach was to search for material on computer network security in general. But as the paper is on a more specific issue of network security, i.e., NAC, I started searching for journals and conference papers about NAC in the IEEE and ACM databases.

I came across a large number of papers and journals on NAC, but I only picked a handful of them. The following are the journals I used to annotate my research paper:


- Protecting Networks by Controlling Access, Sixto Ortiz Jr.

- THE KNACK OF NAC, Ruth Bowen

- Network Access Control Whitepaper, enterasys Secure Networks


- The Forrester Wave™: Network Access Control, Robert Whiteley and Usman Sindhu

- User-Friendly Access Control for Public Network Ports, Guido Appenzeller, Mema Roussopoulos and Mary Baker

- Identity-based Network Access Control for MANETs, Narges Aghakazem Jourabbaf and Ali Movaghar

- Securing Network Access in Wireless Sensor Networks, Kun Sun, An Liu, Roger Xu, Peng Ning and Douglas Maughan

- Network Access Control: User and Device Authentication, Intel


In this section, we first introduce Network Access Control and its requirements, various NAC architectures and then we present an overview of various NAC technologies present in the market.

A. NAC- Principles and Elements

The fundamental elements for implementing NAC can be framed as four questions:

• Who is allowed to connect to the network?

• How are they allowed to communicate?

• What are they allowed to connect to?

• Where should they get access?

NAC generally is a process and can be separated into:

• Roles (who?)

• Rights (how?)

• Resources (what?)

• Location (where?)

A time component can also be added (when can one access?).

If "who you are" is how a policy for access gets picked, then the definition of "who" is more complex than a simple username. Within a NAC deployment, the IT manager uses three main elements to pick an access-control policy: authentication, endpoint-security assessment and network environmental information [1]. Effectively, these three things determine "who you are."

Authentication is the straightforward part of "who you are." This is the basic identification (and authentication) transaction that users are accustomed to with other applications. As a concept, NAC doesn't have special requirements for authentication. A good NAC deployment would use the same authentication system as other applications. For example, if you're applying NAC to a remote-access IPsec VPN tunnel, you should use the same authentication to bring up the IPsec tunnel as you do to authenticate the user. Some NAC products and architectures have skipped over the concept of user authentication in favor of the second part: evaluating the security posture of the endpoint.

Endpoint security assessment is the most complex part of selecting a policy in NAC, but it's also the driving factor for deploying NAC in the first place in many enterprises. The underlying idea is that the security posture of the connecting laptop, desktop or server should be a part of access control policies. For example, if a connecting system doesn't have the standard corporate anti-virus package, the user should get a different access control policy than if everything is installed and all the signatures are up-to-date.

The third part of "who you are" is environmental information. Only a few products really take this into consideration. Network environmental information is a small but important part of selecting access policies in a NAC scheme. Environmental information might be circumstantial data about whether you're connecting via a wireless network or through a VPN, or whether you're in the building or in another country. These circumstances play into the decision of what access control policy is assigned to the connecting system. For example, if you're coming in on a VPN, you might not be able to get to as many parts of the network as if you were in the building.

Fig.2 [3] Network Access Control Pyramid

• Detect - Detection and identification of new devices connecting to the network

• Authenticate - Authentication of users and/or devices

• Assess - Assessment of end systems regarding their compliance and/or vulnerabilities

• Authorize - Authorization to use the network based on the results of the authentication and the assessment

• Monitor - Monitoring users and devices once they are connected to the network

• Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment

• Remediate - Remediation of problems with the end system and/or user
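As an added illustration (not code from this essay or from any NAC product), the following Python sketch shows how the three parts of "who you are" from the previous subsection (authentication, endpoint posture and environment), produced by a host checker and consumed by a policy manager, feed the Authenticate, Assess, Authorize and Contain steps of the pyramid. The posture attributes, role names, VLAN numbers and the VPN rule are assumptions made for the example.

```python
"""Minimal NAC policy manager: combines authentication, endpoint posture and
network environment into an access decision (allow / quarantine / deny).
The posture attributes, roles and VLAN layout below are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Posture:
    """What the host checker reports about the endpoint (assumed attributes)."""
    av_installed: bool
    av_signatures_current: bool
    os_patched: bool


@dataclass
class Context:
    """Authentication result plus network environment of the connection attempt."""
    user: Optional[str]       # None when authentication failed
    role: Optional[str]       # e.g. "employee", "contractor", "guest"
    via: str                  # "lan", "wireless" or "vpn"


@dataclass
class Decision:
    action: str               # "allow", "quarantine" or "deny"
    vlan: int                 # VLAN the enforcer (switch/WLAN/VPN gateway) should assign
    reasons: List[str] = field(default_factory=list)


# Assumed VLAN layout: corporate, project-only, guest and a quarantine VLAN that
# reaches only remediation services (patch and anti-virus update servers).
VLAN_CORP, VLAN_PROJECT, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 30, 99
ROLE_VLAN = {"employee": VLAN_CORP, "contractor": VLAN_PROJECT, "guest": VLAN_GUEST}


def posture_failures(p: Posture) -> List[str]:
    """Assess step: list the policy violations the host checker found."""
    failures = []
    if not p.av_installed:
        failures.append("corporate anti-virus not installed")
    elif not p.av_signatures_current:
        failures.append("anti-virus signatures out of date")
    if not p.os_patched:
        failures.append("operating system updates missing")
    return failures


def decide(ctx: Context, posture: Posture) -> Decision:
    """Policy manager: Authenticate -> Assess -> Authorize (or Contain)."""
    # Authenticate: unknown users or roles never reach the posture check.
    if ctx.user is None or ctx.role not in ROLE_VLAN:
        return Decision("deny", 0, ["authentication failed or role unknown"])
    # Assess / Contain: any violation sends the device to the quarantine VLAN,
    # and the reasons are kept so the user can be notified and remediate.
    failures = posture_failures(posture)
    if failures:
        return Decision("quarantine", VLAN_QUARANTINE, failures)
    # Authorize: the role picks the VLAN, and the environment narrows it. Here
    # an employee coming in over the VPN gets the project VLAN rather than the
    # full corporate VLAN they would get inside the building.
    vlan = ROLE_VLAN[ctx.role]
    reasons = [f"role {ctx.role}"]
    if ctx.via == "vpn" and vlan == VLAN_CORP:
        vlan, reasons = VLAN_PROJECT, reasons + ["remote access via VPN: reduced scope"]
    return Decision("allow", vlan, reasons)
```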

B. Requirements

To ensure effective implementation of a NAC solution several requirements should be met:

• Open architecture - Support of multi-vendor environments

• End-system inclusion - Support of any type of end system

• Multi-context authorization - Various attributes

• Policy enforcement - Role-based and quarantine

• Notification and remediation - User self-help

• Compliance reporting - Historical and real-time information [4]

For a NAC solution to be effective, it must be deployable as an open architecture. The NAC solution must be able to analyze any type of device that may be connected to the network. Assessment and authentication only for computers running certain operating systems or certain security agent software is simply not sufficient to protect today's highly diverse enterprise environments. In order for the NAC solution to effectively secure a real-world network from threats and vulnerabilities originating from the variety of connected end systems, multiple assessment technologies must be incorporated. An assessment technology that is only suited to certain end systems leaves the network and the related services open to attack from end systems not covered by the security posture check. Multiple assessment technologies from separate software companies must be capable of integrating with the NAC solution. This allows the NAC solution to draw upon the required assessment technology for whatever type of end system is connecting to the network.

In today's world, the diversity of network-connected end systems is increasing significantly. With the realization of converged networks hosting a wide variety of business applications, the types of connected end systems continue to evolve. In a modern business network today it is likely that you will find end systems such as IP phones, surveillance cameras, building controls and even vending machines along with the traditional desktops, laptops and printers. With such diversity of connected end systems, it is critical that a well-architected NAC solution includes all end systems. In a network with a variety of types of end systems, security processes must not be locked into specific device types, operating systems or software. A printer, copier, IP phone or security camera can easily be infected and are as likely to be a point of infection and propagation of a security threat as a desktop or laptop connected to the network. A NAC solution must be able to provide security for any end system. This includes technologies to assess, authenticate and authorize any end system, no matter what type of device or OS.

A strong NAC solution should be able to take into consideration many different attributes when determining the health, safety and purpose of an end system. Multi-context authorization of end systems allows for more specific security measures to be enforced and also for better-focused network and application usage. End-system assessment alone is not enough to determine the authorization of a device and user to access the network and specific applications and services. The NAC solution should take into consideration additional contextual attributes such as device type, location of the connection, time of day, user and machine credentials, and business role of the device and the user. End systems can be restricted from communicating to applications that are not relevant to the type of device or the user's role. Specific quarantine rules can be enforced allowing secure communication to critical services. The more contexts in the authorization process of a NAC solution, the more precise and efficient the network communications and security will be.

A critical aspect of any NAC solution is the process of policy enforcement. Enforcing network communication and security policy rules right at the network connection point of an end system is the best way to ensure that the right devices and people are communicating with the right business application at the right time. It also ensures this is happening in a safe and secure manner so as not to adversely affect other devices, people and applications on the network. If an end system is assessed to be dangerous or vulnerable, policy rules can be enforced to quarantine the end system so it does not endanger the rest of the business environment. This enforcement of policy should be dynamic and fully distributed throughout the network infrastructure. Policy rules should be enforced by the network infrastructure itself, right at the point of end-system connection. This ensures a scalable and comprehensive policy framework as part of a NAC solution.

If an end system is determined to be threatening or vulnerable, notification and remediation become a critical part of the process. Enforcing a quarantine policy against an out-of-policy end system may prevent it from doing harm in the business network, but if the user of the end system does not understand that they have been put into this quarantine state (and why), they will likely assume that there is something wrong with the network or the application. A well-architected NAC solution will include a process of system-driven notification to the user of the end system. This is typically presented through the common Web browser, or may use other services such as instant messaging or e-mail. The notification should include not only an explanation of the quarantine policy that is in effect against the end system, but also a description of the reason(s) for the quarantine action and how the user might safely remediate the problem. Once the user has attempted remediation, they can be allowed to re-attempt end-system assessment in order to leave the quarantine policy state and enter a productive state.

A well-architected NAC solution collects and uses a great deal of information about connected end systems, users and network communications. Much of this information can be instrumental in assisting with compliance reporting. Because a NAC solution should be involved in the authorization of every network-connected end system, data can exist that can give not only real-time visibility to what is connected to the network and where, but also historical views of connected end systems. This can be extremely helpful when dealing with a compliance issue where a historical record is needed to explain where an end system has connected to a network, and what services it had access to. Comprehensive NAC solutions should not only assess and authorize end systems and users, but also report on important compliance parameters.

C. NAC Architectures

All NAC solutions provide endpoint security that ties health, device, and identity information to your network. We must consider the three main NAC architectures [5]:

• Infrastructure-based NAC. This category includes gear already in your environment, such as NAC-enabled switches, routers, and servers. They integrate with endpoint agents to perform ongoing compliance checks, security updates, and remediation.

• Appliance-based NAC. Most appliance solutions are out-of-band, meaning users are passed to the devices for inspection without requiring hardware in every single data path. Out-of-band appliances leverage the same deployment modes but often add capabilities to control inline devices, such as sending SNMP commands to a switch. These appliances excel at post-admission checks, with safeguards against malicious activity and ongoing compliance checks. They can be less scalable in a larger environment but tend to be less complex to deploy.

• Software-based NAC. Software-based solutions require that agents be installed directly on the endpoint, usually as part of a client security suite. They are the most scalable and easy to deploy but often provide just basic host-based enforcement; for a richer set of enforcement options they need integration with a number of third-party infrastructure and appliance components. However, a persistent presence on the endpoint often means superior compliance checks and automatic remediation.

D. NAC Technologies

Cisco, Microsoft and the Trusted Computing Group are battling to control the keys to locking untrusted endpoints out of networks. Whether you call the approach network access control, network admission control, network access protection, network node validation or trusted network connect, the premise is identical: systems should grant access to the network based on factors such as anti-malware protection level, personal firewall assessment, host and user authentication, location, and even time of day [6].

Fig.3 [7] These are the IETF terms for each piece. TCG/TNC, Microsoft, and Cisco all have their own similar ones.

| IETF term (and its role) | TCG/TNC | Microsoft NAP | Cisco NAC |
|---|---|---|---|
| Network Enforcement Point: component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall. | Policy Enforcement Point | NAP Enforcement Server | Network Access Device |
| Posture Collector: third-party software that runs on the client and collects information on security status and applications, such as "is A/V enabled and up-to-date?" | Integrity Measurement Collector | | Posture Plug-in Apps |
| Client Broker: "middleware" that talks to the Posture Collectors, collects their data, and passes it down to the Network Access Requestor. | | | |
| Network Access Requestor: connects the client to the network, such as an 802.1X supplicant. Authenticates the user and acts as a conduit for Posture Collector data. | Network Access Requestor | NAP Enforcement Client | |
| Posture Validator: receives status information from Posture Collectors, then validates it against policy, returning a status to the Server Broker. | Integrity Measurement Verifier | Health Validator | Vendor Server |
| Server Broker: "middleware" acting as an interface between multiple Posture Validators and the Network Access Authority. | | NAP Administration Server | Access Control Server |
| Network Access Authority: validates authentication and posture, then passes policy to the Network Enforcement Point. | Network Access Authority | | Access Control Server |

Fig.4 [6] Evaluation of various NAC technologies.


Information Technology Services has implemented intrusion prevention systems at the network perimeter to prevent potential threats from outside intrusions. While this remains a valid and essential approach, we realize that a large number of threats may also originate from within our network. It is increasingly likely that endpoint devices will introduce viruses, worms or other malicious threats capable of causing significant harm to business-critical networks and systems, especially devices originating from unknown sources such as guests. Protecting the network from these threats is an overwhelming challenge.

This is where Network Access Control comes into the picture. NAC provides automated enforcement and remediation of endpoint security and is essential in minimizing threats and ensuring policy compliance for network access.

Although I have tried to explain NAC to the best of my capabilities, there are some areas which still need to be addressed. In this paper, I have discussed NAC in general and introduced some of the NAC technologies currently on the market. This was the major challenge I came across while developing my paper: whether I should discuss NAC in general or take it to another level, such as discussing NAC for LANs, wireless networks, MANETs, etc.

NAC is a gray area in today's network security, which needs to be addressed carefully. There are still many things that could have been included in this research paper. As I said before, I could have taken another approach to presenting NAC by discussing it in the context of various kinds of networks, such as LANs, Wi-Fi, MANETs (mobile ad hoc networks), MANs, etc.

Future Work

Network Access Control is being used in every major organization, every college and university, etc. for protection against malware and unauthorized access. This research paper discusses NAC in general, which can be extended to implementing NAC policies on various types of networks such as LANs, MANETs, wireless sensor networks, etc.

We are facing a growing user demand for ubiquitous Internet access. As a result, network ports and wireless LANs are becoming common in public spaces inside buildings such as lounges, conference rooms and lecture halls. This introduces the problem of protecting networks accessible through these public ports from unauthorized use. Thus, we can extend this paper for discussing the problem of access control through public network ports [8].

Also, security in mobile ad hoc networks (MANETs) is an active research topic. A lot of prior work in this area focused on secure routing without addressing an important prerequisite: network access control, the problem of admission of ad hoc nodes. Thus, we can take another approach to this paper by discussing the various policies and issues required to implement NAC in MANETs [9].

And in wireless sensor networks, it is critical to restrict network access to eligible sensor nodes only, so that messages from outsiders are not forwarded in the network [10]. Therefore, we can discuss the design, implementation, and evaluation of a secure network access system for wireless sensor networks.