Network Access Control for Network Security

– A to Z Security Consulting with LG CNS (8) –

Conventional IT security focused on external threats such as viruses and hacking. As IT advances and business environments change, mobile devices including laptops, smartphones and PDAs have also become a major focus of security work. What is being developed and used to keep them safe? Let’s take a look.


Definition

Network Access Control (hereafter NAC) examines whether a terminal (a PC, for example) complies with a given security policy before it is allowed to access the network. The NAC system collects information about the terminal that is connecting and classifies it into a group based on that data. Each terminal is then controlled according to the group it was assigned to and the level of security risk that group represents.

The NAC market has grown rapidly since 2005, when the consulting firm Gartner Group proposed it as a new network security model. The problem at the time was that internal security incidents could not be stopped no matter how diligently Windows security patches and anti-virus programs were installed and kept running.

It was impossible to protect corporate networks from viruses and worms, especially when mobile devices such as laptops were infected outside and then connected to those networks.

Even when every PC on a network was equipped with security patches and anti-virus software, viruses and worms could not be contained quickly enough, because they start spreading the moment an infected device joins the network. The IT industry began looking for a solution and concluded that every connecting device should be ‘inspected’, an approach the market enthusiastically adopted.

The ‘inspection’ works like this: every device connecting to the corporate network is first placed in a ‘quarantine’ segment, where it undergoes a series of security checks. Only once it passes is it authorized to use the network. The checks establish what the device is and who owns it, and examine the security state of its software.

If a problem is found, an automatic patching component installs the required software and patches on the spot before the device is cleared for network access. This is how NAC protects a corporate network.
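Putting the inspect, remediate and admit loop just described into code, as an added example (it is not code from the LG CNS article or from any NAC product): a small policy engine evaluates a terminal’s self-reported posture against the checks named above, fails closed on unknown devices and unauthenticated users, quarantines anything that fails a software check, and re-inspects after automatic remediation. The field names, the device inventory, the mandatory patch identifiers and the thresholds are all assumptions for illustration.

```python
"""Posture inspection and quarantine decision for a terminal joining the network.

Added example (not code from the LG CNS article or any NAC product). It models
the 'quarantine' step described above. All field names, thresholds, patch
identifiers and sample terminal reports are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Policy thresholds (assumed; a real deployment would load these from the NAC server).
MAX_SIGNATURE_AGE_DAYS = 7                 # anti-virus signatures older than this fail the check
REQUIRED_PATCHES = {"KB-001", "KB-002"}    # hypothetical mandatory OS patch identifiers

# Device inventory: MAC address -> owner group (assumed sample data).
INVENTORY = {
    "00:11:22:33:44:55": "staff",
    "66:77:88:99:aa:bb": "executive",
}


@dataclass
class TerminalReport:
    """What the NAC agent collects from a connecting terminal (assumed schema)."""
    mac: str
    user_authenticated: bool
    av_installed: bool
    av_running: bool
    av_signature_age_days: int
    installed_patches: set = field(default_factory=set)


@dataclass
class Decision:
    action: str        # "ALLOW", "QUARANTINE" or "BLOCK"
    reasons: list      # why the terminal was not simply allowed


def inspect(report: TerminalReport) -> Decision:
    """Run the identity and software checks; fail closed on anything unknown."""
    # 1. Identity checks: what the device is and who owns it.
    if report.mac not in INVENTORY:
        return Decision("BLOCK", ["device not in inventory"])
    if not report.user_authenticated:
        return Decision("BLOCK", ["user not authenticated"])

    # 2. Software security checks: every failure becomes a remediation task.
    reasons = []
    if not report.av_installed:
        reasons.append("anti-virus not installed")
    elif not report.av_running:
        reasons.append("anti-virus not running")
    elif report.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("anti-virus signatures outdated")
    missing = sorted(REQUIRED_PATCHES - report.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))

    return Decision("QUARANTINE", reasons) if reasons else Decision("ALLOW", [])


def remediate(report: TerminalReport) -> TerminalReport:
    """Simulate the automatic patch step applied while the terminal sits in quarantine."""
    report.av_installed = True
    report.av_running = True
    report.av_signature_age_days = 0
    report.installed_patches = report.installed_patches | REQUIRED_PATCHES
    return report


def admit(report: TerminalReport, max_rounds: int = 1) -> Decision:
    """Inspect, remediate if needed, and re-inspect before granting access."""
    decision = inspect(report)
    for _ in range(max_rounds):
        if decision.action != "QUARANTINE":
            break
        decision = inspect(remediate(report))
    return decision


if __name__ == "__main__":
    # Constructed sample reports (not real data).
    laptop = TerminalReport("00:11:22:33:44:55", True, True, False, 30, {"KB-001"})
    print(inspect(laptop))   # QUARANTINE: anti-virus not running, KB-002 missing
    print(admit(laptop))     # ALLOW after remediation
    rogue = TerminalReport("de:ad:be:ef:00:00", True, True, True, 0, set(REQUIRED_PATCHES))
    print(inspect(rogue))    # BLOCK: device not in inventory
```

The order of the checks matters: identity is settled before posture, so an unknown device is never offered remediation (which would let an attacker learn the policy by probing it), and the remediation loop is bounded so a terminal that cannot be fixed does not sit in quarantine forever.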

A New Way

Major security-related incidents and responses in 2013 (Source: KISA)

Conventional IT security has been about responding to external threats such as worms, malware and hacking, so strategy focused on deploying network security systems at the perimeter: firewalls, anti-virus gateways (‘virus walls’) and Intrusion Prevention Systems (IPS).

However, blocking intrusions at the internet gateway began to show its limits as wired and wireless network technology advanced, terminals diversified and corporate business environments expanded.

What we have faced more recently is harmful traffic that persists regardless of the protection systems IT and security administrators deploy to keep the network safe. Personal anti-virus programs and host firewalls have not changed the situation either.

The root cause was that business systems and internal resources were being attacked continuously from inside the network because of lax endpoint management, such as failing to install operating system security patches and application updates.

The DDoS crisis of July 2009 is a good example: malware that triggered a DDoS (Distributed Denial-of-Service) attack was activated on a single user’s PC inside the network, paralyzed the entire business system and then went on to attack arbitrary external networks.

As this case shows, firewalls and intrusion prevention systems (IPS) that block external threats at the gateway can stop neither viruses and worms introduced and spread by internal users nor access to critical information assets beyond an internal user’s authority.

A technology was therefore required that could stop the spread of viruses and worms, and prevent unnecessary access to information assets, by applying strong user authentication and access control policies at the moment internal users connect to the network. In other words, a proactive security architecture that both prevents and blocks security threats was needed.

In 2005, Gartner Group proposed a new network security model called NAC as the answer to these demands.

Internal

Unidentifiable internal network terminals and users (Source: Case conducted by LG CNS)

NAC is a ‘user access control system’ that lets only authorized users with verified, healthy terminals connect to network resources. It blocks users who generate abnormal traffic, and it blocks terminals (PCs, laptops, PDAs and smartphones) infected with malware or worms.
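One concrete form of the ‘abnormal traffic’ mentioned above is the pattern a worm leaves when it hunts for new victims: one source touching many distinct hosts on the same port within a short window. The following added example (not code from the LG CNS article or any NAC product) runs that heuristic over constructed flow records and names the sources NAC should cut off; the window length, the threshold and the sample flows are assumptions.

```python
"""Flagging terminals that generate worm-like traffic so NAC can cut them off.

Added example, not code from the LG CNS article or any NAC product. Worm
propagation typically shows up as one source contacting many distinct
destination hosts on one port in a short time; the window, the threshold and
the flow records below are assumptions for illustration.
"""
from collections import defaultdict, deque

SCAN_WINDOW_SECONDS = 60    # sliding window length (assumed)
SCAN_HOST_THRESHOLD = 8     # distinct destinations on one port within the window (assumed)


def detect_scanners(flows, window=SCAN_WINDOW_SECONDS, threshold=SCAN_HOST_THRESHOLD):
    """Return {source_ip: (dst_port, distinct_hosts)} for sources that cross the threshold.

    `flows` is an iterable of (timestamp_seconds, src_ip, dst_ip, dst_port) tuples
    sorted by timestamp. For each (source, port) pair a sliding window of recent
    destinations is kept; a finding is raised the first time the number of distinct
    destinations in the window reaches the threshold.
    """
    windows = defaultdict(deque)    # (src, port) -> deque of (timestamp, dst)
    findings = {}
    for ts, src, dst, port in flows:
        q = windows[(src, port)]
        q.append((ts, dst))
        # Expire entries that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in findings:
            findings[src] = (port, len(distinct))
    return findings


# Constructed flow records (not real captures): 10.0.1.20 is a normal workstation
# talking to two servers; 10.0.1.99 sweeps the subnet on TCP/445 the way an SMB
# worm would, one new host per second.
SAMPLE_FLOWS = sorted(
    [(t, "10.0.1.20", "10.0.0.5", 443) for t in range(0, 60, 10)]
    + [(t, "10.0.1.20", "10.0.0.6", 80) for t in range(0, 60, 15)]
    + [(t, "10.0.1.99", f"10.0.0.{h}", 445) for t, h in enumerate(range(10, 30))]
)

if __name__ == "__main__":
    for src, (port, hosts) in detect_scanners(SAMPLE_FLOWS).items():
        print(f"quarantine {src}: {hosts} distinct hosts on port {port} within {SCAN_WINDOW_SECONDS}s")
```

The detector keys on distinct destinations rather than packet volume, so a busy but legitimate workstation (many connections to a few servers) is not flagged, while a slow sweep of one host per second is. In practice the threshold would be tuned per network segment, and servers that legitimately fan out (monitoring, backup) would need an allow-list.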

Inspection

Inspection record of in-company network use (Source: Case conducted by LG CNS)

The access rights of the user connecting to the network, the security status of the connected terminal (anti-virus software installed and running, OS patch level and system configuration) and the terminal’s access to the networks it is authorized for are all monitored and controlled in real time.

Unlike existing security systems, which focused on reacting to security threats, NAC prevents, detects, controls and remediates potential security threats across the whole network access process, from beginning to end.

Regulation

Regulations for internal network protection (Source: Case conducted by LG CNS)

Numerous industries are calling for legislation on the protection of internal corporate security, and an effective response to these demands is needed.

How to

So far we have looked at what NAC is and why it emerged. To find the application model and product best suited to a given business environment, Benchmark Tests (BMT) are conducted on the NAC product family, with evaluation categories defined for the BMT. Let’s take a closer look.

● Example of NAC product BMT evaluation categorization

NAC product evaluation categories (Source: Case conducted by LG CNS)

As the table above shows, BMT evaluation categories and their point weightings are defined in order to select the best product.

Next are examples of common requirements for an NAC system, followed by key considerations for building one.

Requirements for NAC systems
1. Unauthorized users’ network access attempts and hacking must be actively blocked.
2. Disruption caused by temporary IP changes or ad-hoc IP assignment should be prevented, and malicious users cut off at the source, down to the end-point level.
3. Tiered network access rights should be granted based on an accurate user identification process.
4. Unnecessary access to services must be prevented by limiting users to the areas they are authorized for.
5. Security of core business systems should be strengthened against worms.
6. Data breaches should be prevented by forcing remediation of, or isolating, PCs that were infected through any of various methods and channels before they access the network.

Key considerations for NAC and NAC system construction
1. The necessity of a network blocking system and the method of applying it must be examined.
2. Security weaknesses must be addressed by integrating with existing security systems.
3. Precise control and security policies are needed as the framework for user identification.

Goal

NAC products selected by the criteria above are implemented according to construction goals such as those below.

NAC Construction Goals

NAC Construction Goals (Source: Case conducted by LG CNS)

NAC not only controls network access by network devices but also manages reporting on network device assets and on the status of mandatory software and security configuration.

The following is an example of an NAC control policy and operation plan.

NAC control policy and operation plan

NAC control and operation plan (Source: Case conducted by LG CNS)

Control policies can vary widely depending on who uses the network devices and the type of organization. Different control policies are also configured depending on the class of user (executive, staff member, visitor or subcontractor).
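As an added example (not from the LG CNS article or any NAC product), here is how a control policy of that kind can be expressed in code: the user class and the posture result together choose a network zone, a per-zone access list decides whether a given destination may be reached, and each decision yields a record of the kind an inspection log would hold. The zone names, address ranges, the role-to-zone mapping and the rule that visitors stay on the guest network are assumptions.

```python
"""Role-based NAC control policy: user class + posture -> zone -> allowed destinations.

Added example, not code from the LG CNS article or any NAC product. Zone names,
address ranges and the role-to-zone mapping are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")

# Zone -> destination prefixes reachable from it (assumed sample layout).
ZONE_ACL = {
    "office":      [INTERNAL],                      # executives and staff: all internal assets
    "restricted":  [ip_network("10.20.0.0/16")],    # subcontractors: project servers only
    "remediation": [ip_network("10.250.0.0/24")],   # patch and anti-virus update servers only
    "guest":       [ip_network("0.0.0.0/0")],       # visitors: internet only (internal excluded below)
}

# Role -> zone for a terminal that passed posture inspection (assumed).
ROLE_ZONE = {
    "executive": "office",
    "staff": "office",
    "subcontractor": "restricted",
    "visitor": "guest",
}


def assign_zone(role: str, posture_ok: bool) -> str:
    """Choose the zone for a session; unknown roles are rejected rather than defaulted."""
    if role not in ROLE_ZONE:
        raise ValueError(f"unknown role {role!r}")
    if role == "visitor":
        return "guest"              # visitors are internet-only regardless of posture
    return ROLE_ZONE[role] if posture_ok else "remediation"


def is_permitted(zone: str, dst_ip: str) -> bool:
    """Check a destination against the zone's access list."""
    dst = ip_address(dst_ip)
    if zone == "guest" and dst in INTERNAL:
        return False                # the guest zone must never reach internal assets
    return any(dst in net for net in ZONE_ACL[zone])


def decide(user: str, role: str, posture_ok: bool, dst_ip: str) -> dict:
    """Produce one access decision together with the record an inspection log would keep."""
    zone = assign_zone(role, posture_ok)
    permitted = is_permitted(zone, dst_ip)
    return {
        "user": user,
        "role": role,
        "posture_ok": posture_ok,
        "zone": zone,
        "dst": dst_ip,
        "action": "permit" if permitted else "deny",
    }


if __name__ == "__main__":
    # Constructed sessions (not real data).
    for args in [
        ("kim", "staff", True, "10.0.3.3"),               # permit: office zone
        ("kim", "staff", False, "10.0.3.3"),              # deny: sent to remediation first
        ("kim", "staff", False, "10.250.0.10"),           # permit: patch server is reachable
        ("acme-01", "subcontractor", True, "10.0.3.3"),   # deny: outside the project range
        ("acme-01", "subcontractor", True, "10.20.5.5"),  # permit: project server
        ("guest-7", "visitor", True, "10.0.3.3"),         # deny: internal asset from guest zone
        ("guest-7", "visitor", True, "93.184.216.34"),    # permit: internet
    ]:
        print(decide(*args))
```

Two design points carry over to a real deployment: the zone is chosen from role and posture together, so a non-compliant executive is treated no differently from a non-compliant staff member, and the policy fails closed (an unrecognised role raises rather than falling through to some default zone).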

Effects of NAC

Effects of NAC (Source: Case conducted by LG CNS)

Today we have looked at what Network Access Control (NAC) is all about. As IT advances and business environments change, with diverse devices and both wired and wireless networks, network-related security incidents are becoming more common. I look forward to seeing how NAC will change the field in the near future.

Countermeasures to Card Security Issues Focusing on Access Card Duplication
– A to Z Security Consulting from LG CNS (1) –
(http://www.lgcnsblog.com/features/countermeasures-to-card-security-issues-focusing-on-access-card-duplication/)

Security Information and Event Management Solution
– A to Z Security Consulting from LG CNS (2) –
(http://www.lgcnsblog.com/inside-it/security-information-and-event-management-solution/)

How Well Is Your Medical Data Secured? – A to Z Security Consulting from LG CNS (3) –
(http://www.lgcnsblog.com/features/how-well-is-your-medical-data-secured/)

When Will Our Office Be Completely Secure? (Approaches to Security Risk Analysis)
– Security Consulting A to Z with LG CNS (Part 4) –
(http://www.lgcnsblog.com/features/when-will-our-office-be-completely-secure-approaches-to-security-risk-analysis/)

Physical Security and Information Security into Convergence Security
– A to Z Security Consulting from LG CNS (5) –
(http://www.lgcnsblog.com/features/physical-security-and-information-security-into-convergence-security-a-to-z-security-consulting-from-lg-cns-5/)

How to Adopt a Security Management System – A to Z Security Consulting with LG CNS (6) –
(http://www.lgcnsblog.com/features/how-to-adopt-a-security-management-system-a-to-z-security-consulting-with-lg-cns-6/)

Our Position on Removing Risk from IoT Security!
– Security Consulting A to Z with LG CNS (Part 7)
(http://www.lgcnsblog.com/features/our-position-on-removing-risk-from-iot-security-security-consulting-a-to-z-with-lg-cns-part-7/)

Written by Jin hwan Kim, Security Advisory at LG CNS Security Consulting Team
