The Purpose Of The NAC Device Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In recent years, the number of mobile users and the variety of mobile devices have increased rapidly. Access to data can be requested by anyone, from anywhere. Access must be provided, but the data must also be protected. As the number of ways of accessing the data increases (for example, through mobile devices), the risk to the data also increases. All these accesses to the data can introduce malfunctions and viruses to the storage.

NAC ensures that a computer trying to connect to the protected network is not permitted to access any data unless it satisfies a set of predefined policies. The policies include anti-virus protection and OS update levels. Only when the policies are met is the computer allowed to access the data and the internet. While the computer is being checked against the policies, it is only allowed to access the resources that can resolve or update any issue found.

Company's background:

It is a medium sized company which provides services and solutions for IT. The organization's infrastructure is likely to be distributed geographically, in which more than 5000 employees are working.

There are a few projects in the company where the team members work from different sites (that are geographically separated). In those cases, the project details (all the information about the project) and the respective customer details are placed in the SAN storage network. The project members, who are geographically distributed, access this SAN storage network for their project details.

Critical assets of the company:

The critical asset of the company is the SAN storage, which holds vital information about the company such as

Project details

Customer details

The company cannot afford to lose the information on the SAN storage, and the information must also be secured. If a hacker obtained the information in the database, the company would lose many projects, which would be a great loss for the company. So the SAN is the critical asset: it should be secured, and access should still be provided to the employees.

Critical infrastructure of the company:

The storage area consists of some terabytes of storage space. The company cannot afford any malware that makes the hardware malfunction. The company has invested heavily in the storage space, and the routers and switches that connect the different branch offices also play a vital role. All those routers and switches should be taken care of.

Issues with the current SAN architecture:

The current architecture of the company does not have a proper device or software to monitor the users who are logging in, or a device to protect the database.

Some of the issues addressed by the Network administrator:

Because of the following issues, the project details stored in the SAN are being affected.

The key threat to the database is viruses; the architecture has no monitoring tool to check the virus and malware protection of the employees who connect to the database.

The database should be maintained even after the employees log out of the database.

Affected employees are not reported to the network administrator or to the employees themselves; hence their project work is affected.

Recommended solution:

Keeping all the issues in mind, NAC (Network Access Control) is the most appropriate solution. Mainly, the NAC ensures that devices entering the protected network do not introduce viruses or any other malware that harms the data. The NAC also continuously monitors a device's activity until it leaves the network, and it ensures protection even after the device leaves the network. The NAC also provides a solution below the data link layer, in which most of the networking devices work.

Functionality of the NAC:

Detect: It detects and identifies the new devices that are connecting to the network.

Authenticate: It authenticates the users and the devices connecting to the network.

Assess: The end systems are assessed for their vulnerabilities.

Authorize: The devices and the users are authorized using the results of the assessment and the authentication.

Monitor: The devices and the users are monitored once they are connected to the network.

Contain: The affected devices and users are quarantined to protect the entire network.

Remediate: It solves the problems and provides access to the network.

Goal of the NAC:

The basic business benefits of implementing NAC are as follows.

The NAC will provide the below given details:

WHO - who are all allowed to connect to the protected network (Roles)

HOW - how are they allowed to connect to the network (Rights)

WHAT - what are they allowed to connect (Resources)

WHERE - where should they get access? (Location)

All of the above business details are critical information used to protect the company's critical assets.

Implementation of NAC:

The implementation consists of four steps, which are explained below.

Pre - Admission in Network Access Control:

The pre-admission process identifies devices the first time they try to log in to the protected network. It collects the following information before admitting a device to the network.

Whether it is a known user or the user trying to access for the first time.

Connecting through wired or wireless connection.

IP and MAC address of both the endpoints.

User's OS details like name of the OS, the security patch details.

Antivirus signature files.

Using predefined parameters, the NAC decides whether to allow or deny access to the particular user. Devices that fail the basic level of authorization are flagged for future reference, and the NAC allows the network administrators to set the level of access for the devices that are logged in to the protected network.

Post - Admission in Network Access Control:

Post-admission control is very important for keeping the network protected from various threats. This module of the NAC takes care that devices which log out of the network after logging in and processing are properly controlled. It mainly deals with policy and threat monitoring.

The policy is the set of rules given by the network administrator, such as the kinds of processes that are allowed in the organization. Policies cover processes such as:

Instant messaging

File transfer

It also monitors and mitigates:

Port scanning

Mass mailer

Zero day threats.

These processes ensure that the protected network can accommodate new users and remote users while achieving a high level of security.
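Post-admission threat monitoring for port scanning can be sketched as follows. This is an added example, not code from the essay or from any NAC product; the record format, the thresholds and the sample records are constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; the essay does not give values for threat monitoring.
WINDOW_SECONDS = 10
MAX_DISTINCT_TARGETS = 5

# Constructed sample records: "epoch_seconds source_mac dest_ip dest_port"
SAMPLE_FLOWS = """\
100 aa:bb:cc:00:00:01 10.0.5.10 3260
100 aa:bb:cc:00:00:03 10.0.5.10 22
101 aa:bb:cc:00:00:02 10.0.5.10 21
101 aa:bb:cc:00:00:02 10.0.5.10 22
102 aa:bb:cc:00:00:02 10.0.5.10 23
102 aa:bb:cc:00:00:01 10.0.5.10 3260
102 aa:bb:cc:00:00:02 10.0.5.10 80
103 aa:bb:cc:00:00:02 10.0.5.10 443
103 aa:bb:cc:00:00:02 10.0.5.10 445
104 aa:bb:cc:00:00:02 10.0.5.10 3389
truncated record
120 aa:bb:cc:00:00:03 10.0.5.10 80
140 aa:bb:cc:00:00:03 10.0.5.10 443
160 aa:bb:cc:00:00:03 10.0.5.10 445
180 aa:bb:cc:00:00:03 10.0.5.10 3389
200 aa:bb:cc:00:00:03 10.0.5.10 8080
"""

def detect_port_scans(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_TARGETS):
    """Return {source_mac: time it was quarantined} for admitted devices."""
    recent = defaultdict(deque)   # mac -> (time, dest_ip, dest_port) in window
    quarantined = {}
    for line in lines:
        f = line.split()
        if len(f) != 4 or not f[0].isdigit() or not f[3].isdigit():
            continue              # skip malformed records instead of failing
        ts, mac, dest_ip, port = int(f[0]), f[1], f[2], int(f[3])
        if mac in quarantined:
            continue              # already contained, nothing more to count
        seen = recent[mac]
        seen.append((ts, dest_ip, port))
        while seen[0][0] <= ts - window:
            seen.popleft()        # drop connections older than the window
        # Repeated use of one service counts once; many services is a scan.
        if len({(ip, p) for _, ip, p in seen}) > limit:
            quarantined[mac] = ts
    return quarantined
```

Only the second device is contained: the first keeps using one storage port, and the third touches six ports but spread over well more than the ten-second window.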


The NAC solution is capable of isolating a device that fails the policy and threat monitoring. It can do the isolation without affecting other, uninfected devices, and it does not require any special hardware or agents to do so. When a device is in the quarantine state, the end user and the network administrator are notified of the state and of why the device has been put in that state. Once a device is identified and placed in the quarantine state, it is sent to the remediation process.


The NAC carries out the appropriate remediation process for the quarantined device. Some of the remediation services are:

Patch management

Anti-virus update

Anti-spyware update

Malware removal tools

Internet only access

Other services defined by the network administrator.

The network administrator has the authority to manually add devices to, or remove devices from, the quarantine state. The steps in the remediation state bring the device back to the normal state, and it is then given access to the protected network.
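The pre-admission decision, quarantine and remediation steps described above can be put together in a short sketch. This is an added example, not code from the essay or from any NAC product; the policy values, the access-level names and the sample endpoints are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values; the essay leaves these to the network administrator.
MIN_PATCH_LEVEL = {"windows": 3, "linux": 5}
MAX_AV_AGE_DAYS = 7

@dataclass
class Endpoint:
    user: str
    known_user: bool               # existing user or first-time user
    link: str                      # "wired" or "wireless"
    ip: str
    mac: str
    os_name: str
    patch_level: int
    av_signatures: Optional[date]  # signature file date, None if no anti-virus

def pre_admission(ep, today, manual_quarantine=frozenset()):
    """Return (state, access_level, remediation_steps, reasons)."""
    steps, reasons = [], []
    if ep.mac in manual_quarantine:
        reasons.append("quarantined manually by the administrator")
    required = MIN_PATCH_LEVEL.get(ep.os_name)
    if required is None or ep.patch_level < required:
        steps.append("patch management")
        reasons.append(f"{ep.os_name} patch level {ep.patch_level} fails policy")
    if ep.av_signatures is None or (today - ep.av_signatures).days > MAX_AV_AGE_DAYS:
        steps.append("anti-virus update")
        reasons.append("anti-virus signatures missing or out of date")
    if reasons:
        # Isolate the device; the reasons go to both the user and the administrator.
        return "quarantine", "remediation-only", steps, reasons
    # Assumption: compliant first-time users start on a narrower access level.
    return "admitted", ("full" if ep.known_user else "restricted"), [], []

def remediate(ep, steps, today):
    """Simulate the remediation services, then re-run the admission check."""
    if "patch management" in steps:
        ep.patch_level = MIN_PATCH_LEVEL.get(ep.os_name, ep.patch_level)
    if "anti-virus update" in steps:
        ep.av_signatures = today
    return pre_admission(ep, today)

# Constructed sample endpoints.
TODAY = date(2024, 1, 15)
ALICE = Endpoint("alice", True, "wired", "10.0.0.12", "aa:bb:cc:00:00:01", "windows", 3, date(2024, 1, 12))
BOB = Endpoint("bob", False, "wireless", "10.0.1.40", "aa:bb:cc:00:00:02", "windows", 1, date(2023, 11, 1))
```

A manually quarantined device stays quarantined with an empty remediation list, because only the administrator can release it.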


The NAC solution is centrally monitored and provides an interface for administration, device software updates, threat auditing and maintenance. This interface gives the network administrator limited configurable access. It applies permissions to groups rather than to separate users. It sends syslog data to the connected syslog servers and supports SNMP administration. The system should have storage for 30 days of data.

NAC Architecture:

There are three types of NAC architecture as follows:

Software based NAC

Infrastructure based NAC

Appliance-based NAC

Each of the three has its own strengths, and one of them can be selected based on the requirements, policies and cost constraints of the organization.

Software based NAC:

Software based NAC can be installed directly on the devices. It is the easiest to deploy, and this can be done regardless of the device vendor. For better performance, however, it needs to be integrated with a third-party appliance.

Infrastructure based NAC:

This type of NAC requires devices with NAC capability that are already present in the network, such as NAC-enabled switches, routers and servers. They work with endpoint agents to perform compliance checks, security updates and remediation. They are very complex to deploy but provide more scalable options.

Appliance - based NAC:

These are usually called out-of-band, i.e. the users are passed via the devices for inspection, and this need not be done for every single data path. These appliances are excellent at post-admission checks that protect against malicious activity. They are very easy to deploy but less scalable in larger environments.

Recommended solution architecture:

The recommended architecture has an NAC appliance implemented in the SAN storage.

After the NAC appliance is implemented, all connections to the SAN network will pass through the NAC. Hence the things listed below will be ensured.

Each and every connection will be authenticated before getting the access.

Before getting the authentication, all the policies given by the network administrator will be authorized.

The user will be checked to see whether they are logging in for the first time or are an existing user.

OS patches will be checked to ensure that the user trying to connect has the latest security patch installed.

It will check for the Anti-virus software.

Type of connection, whether it is wired or wireless.

The user's IP address and MAC address will be noted.

A log will be maintained for each user, with the list of the files accessed by the users.

The NAC will protect the network even after the device has logged out of the network. A log will be maintained for future reference, which consists of the WHO, HOW, WHAT and WHERE information of the users. A minimum of 30 days of information will be logged. The policies can be set by the network administrator, and there is also a provision for the network administrator to allow or deny a user who is in the quarantine state. A user in the quarantine state will be remediated according to the state of quarantine, and access is then given to the user. Thus the NAC solves the issues in protecting the SAN storage effectively.



For the above discussed issues the most appropriate solution for this type of network architecture will be NAC (Network Access Control). It is appropriate because a single NAC appliance can overcome all the issues mentioned earlier.

Recommendations / Steps to be followed:

The first step is to identify the type of NAC (Software, Infrastructure & Appliance) that best suits the organisation's network architecture.

Choose a NAC product based on the type of NAC selected in step one.

Identify the type of vendor which is affordable and cost effective for the organization.

The table below shows the products of various vendors for the different types of NAC.

Table 1: Product information on various vendors:

| Vendor | Product | Software based | Infrastructure based | Appliance based |
|---|---|---|---|---|
| CISCO Systems | CISCO NAC appliance, NAC server, NAC Manager, NAC profiler, Guest server | Not licensed product | Full NAC solution | Not licensed product |
|  | Microsoft NAP for Windows Vista, XP SP3, Server 2008 | Full NAC solution | NAC functionality but no dedicated product | No solution |
|  | MNAC 3.0 | Full NAC solution | No solution | NAC functionality but no dedicated product |
| Juniper Networks | UAC Infranet controller | Not licensed product | Full NAC solution | NAC capability is there but not primary focus |
| StillSecure | Safe Access | Full NAC solution | No solution | Full NAC solution |
| Bradford Networks | NAC Director, Campus Manager | NAC capability is there but not primary focus | No solution | Full NAC solution |

Install the NAC appliance.

Configure the Pre- admission and Post-admission access controls.

Check the Quarantine and Remediation processes.

Audit the NAC reports frequently for vulnerabilities.

On successful installation and implementation of the NAC appliance, we will be able to protect and maintain the SAN in a proper and better way.