NAC: Usability and Security for Users

Using NAC, organizations no longer have to choose between security and usability on their networks

It’s easy to assume that making something more secure automatically makes it more difficult to use. After all, if you add a lock to a door, that’s one more manual step every time you unlock it, right?

In another realm, everyone knows it’s safer to have a unique password for every login. But with the sheer number of websites and apps we all use, it can become so cumbersome to keep track of everything that we just give up out of frustration and default to using the same small handful of passwords everywhere.

We may take this situation for granted because vendors have historically focused on either usability or security. However, when it comes to the latest generation of network security, you can often have both!

Think about the example of passwords above. Innovative vendors have come up with products to make the process more intuitive and more secure. These days we have password managers and multi-factor authentication solutions that not only take the drudgery and confusion out of remembering those scores or hundreds of logins, but they also make it much more likely that our accounts remain secure. As long as you have your master password, or MFA token, you are good to go.

Let’s focus now on another example that might surprise you: network access control (NAC).

How NAC Can Increase Usability and Security

Automate Security Responses

With a wide-open network, it’s much easier for bad actors or poorly secured endpoints to access your data or spread infections to other endpoints. In this case, it may fall on the information security team or the IT help desk to track users down to a switch port and manually shut off access, and/or to guide users through standardized remediation steps.

One primary goal of a well-designed NAC is to make these tasks easier by automating the process of restricting network access and providing context-sensitive remediation guidance (whether for out-of-date antivirus definitions, a DMCA notice or a ransomware infection) when appropriate. NAC can shut down an endpoint’s access at Layer 2, preventing it from talking off the network and from infecting its peers on the inside. At the same time, it can present users with a tailor-made web message explaining the nature of the incident, providing contact information and even remediation guidance.

For your security staff, this means no more worrying about that malware alert that comes in overnight or last thing on Friday as your staff is leaving for the weekend, and no more concerns about users who disable their antivirus or try to torrent content on your network. NAC can shut them all down and provide the appropriate guidance, automatically.

While this approach can help minimize frustration and fatigue for end users, network admins and help desk users, its benefits admittedly are much more visible to the latter!

Can NAC actually make it easier for end users to get onto the network in the first place?

Eliminate Captive Portal Fatigue

As mentioned above, the average user may be prompted for credentials many times during an average day. A well-designed NAC can gather identity from internal users without adding yet another login prompt, by processing single sign-on (SSO) from other services.

For example, on a WPA2-Enterprise wireless network, the RADIUS server verifies the user’s identity against Active Directory or LDAP before the user joins the network. By forwarding RADIUS accounting to your NAC, you can gather end-user identity organically with no extra steps for the user.

Similarly, Active Directory domain users already authenticate to Active Directory to log in to their desktops, and NAC can capture identity from that logon event without further end-user interaction.

For BYOD on open networks, NAC can gather identity just once, at the first connection attempt, and then continue to track the same device for as long as it remains associated with your network, whether wired or wireless and no matter how many IP addresses the endpoint obtains.
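The two ideas above, learning identity from forwarded RADIUS accounting and keeping that identity pinned to a device as its IP address changes, can be shown in a small consumer of accounting traffic. The following is an added illustration written for this page, not Impulse product code or any vendor's implementation; it builds its own sample Accounting-Request packets (constructed inline, with a made-up shared secret), verifies the Request Authenticator from RFC 2866 before trusting a packet, and keeps a session table keyed on the endpoint's MAC (Calling-Station-Id) so a Start, a later Interim-Update carrying a new Framed-IP-Address, and a Stop are all attributed to the same device. The authenticator check is the part a practitioner should not skip: a NAC that accepts unauthenticated accounting datagrams lets any host on the management network plant a false identity.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# RADIUS code and attribute numbers from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3

# Constructed shared secret for this example; a real NAS/NAC pair configures its own.
SHARED_SECRET = b"example-nac-secret"


def build_accounting_request(ident: int, secret: bytes, attrs) -> bytes:
    """Assemble an Accounting-Request with the Request Authenticator of RFC 2866 s.3:
    MD5(Code + ID + Length + 16 zero octets + attributes + secret). Sample traffic only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Accept only a well-formed Accounting-Request whose authenticator matches our secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(body: bytes) -> Dict[int, bytes]:
    """Walk the Type/Length/Value list; a later duplicate of a type overwrites the earlier one."""
    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def normalize_mac(raw: str) -> str:
    """NAS vendors send Calling-Station-Id as AA-BB-.., aa:bb:.. or aabb.cc..; use one key form."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Session:
    user: str
    ip: Optional[str] = None


class IdentityTable:
    """Identity learned from accounting, keyed by MAC so it survives IP changes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.by_mac: Dict[str, Session] = {}

    def ingest(self, packet: bytes) -> str:
        if not verify_accounting_request(packet, self.secret):
            return "rejected"          # wrong secret or malformed: never trust it
        attrs = parse_attributes(packet[20:])
        if ATTR_CALLING_STATION_ID not in attrs or ATTR_ACCT_STATUS_TYPE not in attrs:
            return "ignored"
        mac = normalize_mac(attrs[ATTR_CALLING_STATION_ID].decode("ascii"))
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        ip = socket.inet_ntoa(attrs[ATTR_FRAMED_IP_ADDRESS]) if ATTR_FRAMED_IP_ADDRESS in attrs else None
        if status == ACCT_STOP:
            self.by_mac.pop(mac, None)
            return "stop"
        if status == ACCT_START:
            user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
            self.by_mac[mac] = Session(user=user, ip=ip)
            return "start"
        if status == ACCT_INTERIM_UPDATE and mac in self.by_mac:
            if ip:
                self.by_mac[mac].ip = ip   # same device, new address (DHCP renew, wired move)
            return "update"
        return "ignored"

    def identity_for(self, mac: str) -> Optional[Session]:
        return self.by_mac.get(normalize_mac(mac))


def sample_packets(secret: bytes):
    """Constructed traffic: Start, Interim-Update with a new IP, Stop, and one Start
    signed with the wrong secret to show that unauthenticated datagrams are dropped."""
    mac = b"AA-BB-CC-DD-EE-FF"
    start_attrs = [(ATTR_USER_NAME, b"alice@example.test"), (ATTR_CALLING_STATION_ID, mac),
                   (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.0.0.5")),
                   (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
    start = build_accounting_request(1, secret, start_attrs)
    update = build_accounting_request(2, secret, [
        (ATTR_CALLING_STATION_ID, mac), (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.0.0.9")),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_INTERIM_UPDATE))])
    stop = build_accounting_request(3, secret, [
        (ATTR_CALLING_STATION_ID, mac), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))])
    forged = build_accounting_request(4, b"wrong-secret", start_attrs)
    return start, update, stop, forged


if __name__ == "__main__":
    table = IdentityTable(SHARED_SECRET)
    for pkt in sample_packets(SHARED_SECRET)[:2]:
        print(table.ingest(pkt), table.identity_for("aa:bb:cc:dd:ee:ff"))
```

In a deployment the packets would arrive on UDP port 1813 from the wireless controller or switch that is configured to copy accounting to the NAC; the table lookup by MAC is what lets the firewall or SIEM publication mentioned later in the post stay correct after the endpoint's address changes.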

And even when users do need to use captive portal authentication, NAC can simplify the process by accepting credentials the user is already familiar with, whether from AD/LDAP, a SAML-compliant service such as Microsoft Azure or Google GSuite, or even a multi-factor authentication solution such as Duo or Okta.

Conclusion

These are only a few examples of how a well-designed NAC can make life easier for both you and your end users while making the network both safer and easier to use. Other examples include:

  • Publish identity to your firewall and bandwidth shapers, or session information to your SIEM
  • Transparently segment end users by pushing a custom ACL or VLAN per user class or per compliance state at Layer 2
  • Automate handling of headless devices from VoIP phones to card readers to Amazon Echoes by automatically identifying them, placing them on the correct VLAN and even gathering identity if desired.

Kirk Anderson

Kirk Anderson is a Technical Account Manager at Impulse, the leading provider of Secure Access for traditional networks as well as remote and cloud access. Over the past 15 years, Kirk has helped literally hundreds of customers realize the optimum balance of security and convenience for their unique needs.
