Network Access Control (NAC) Approaches to Asset Discovery
While Network Access Control (NAC) platforms provide valuable insight into networked devices, there are limitations when relying on them for cybersecurity asset management. Unlike NAC solutions, Axonius automatically aggregates and correlates asset data — regardless of where the asset is located — to deliver a comprehensive, credible asset inventory for security, IT, and risk management teams.
What's Network Access Control (NAC)?
As the name implies, NAC is a security solution that controls access to your network.
Many different devices connect to corporate networks, and employees and guests all need various levels of access. NAC solutions allow network access to the user accounts and devices that need it, while also ensuring the connections are secure, compliant, and known.
With the increase in IoT and OT systems, NAC solutions are also being leveraged to scan for these devices, profile them, and enforce policies.
What Are NAC Solutions & How Are They Used?
Some NAC solutions can only be deployed successfully after the organization conducts a comprehensive survey of all endpoints on the network. The solution then uses this survey as the baseline for enforcing the user-defined set of compliance and security protocols and policies.
Newer and more comprehensive NAC solutions use active and passive scanning techniques to identify and categorize endpoints on the network. After the inventory is complete, they use an agent-based or agentless approach to take action on any devices with outdated or insecure policies and protocols.
Three primary capabilities of a NAC solution are:
- Authentication: NAC solutions take a pre-connect, post-connect authentication approach. Pre-connect authentication doesn’t trust any new network connection or device until it has verified that the level of access is correct and that the device is compliant and safe to connect. A post-connect approach trusts connected devices until it finds a reason not to, like updated access levels, security issues, or new policies that need to be enforced.
- Network segmentation: If devices shouldn’t be on the network or are potentially infected, NAC solutions can restrict or deny their access, quarantine them, and enforce the policies they need to be compliant with. This keeps insecure or infected devices from spreading across the network.
- Security stack integration: These tools often have bi-directional integrations with other security tools to increase their reach, visibility, and accuracy. Insights from other tools like a SIEM can be fed into the NAC solution to enforce new security and policy standards. In the other direction, the data discovered by the NAC solution can be used by the other security tools in deeper security investigations.
Popular NAC products: Forescout CounterACT, Fortinet FortiNAC, Cisco Identity Services Engine (ISE)
What Are the Limitations of NAC Solutions for Cybersecurity Asset Management?
While NAC solutions are a great way to enforce policies and control network access, there are three main limitations when solely relying on them for cybersecurity asset management:
- Asset discovery and visibility: NAC solutions rely heavily on manual endpoint surveys conducted by the organizations or their own scanning capabilities to identify endpoints. The survey is a time-consuming, dynamic process that needs to be updated frequently, allowing for gaps in visibility. Through scanning, NAC solutions aren’t able to see cloud devices and remote devices, since these assets aren’t on the network being scanned. With the surge in cloud migrations and remote work, this leaves a massive discovery and visibility gap that would require additional tools to accurately enforce policies across all company assets.
- Deployment and solution management: The initial setup is typically labor-intensive, intrusive, and time-consuming, making the time to value suffer greatly. Once set up, these solutions are also hard to keep updated and manage, especially in large, complex environments.
- Data correlation and integrations: Most NAC solutions lack direct integrations to all the tools you use, requiring in-house resources to build custom integrations. If integrations are available, they’re often provided at an additional cost. There’s no easy way to aggregate, correlate, and compare asset data with other valuable asset data sources. This means you’re forced to make decisions based on incomplete, outdated, and inaccurate data.
Why It’s Best to Combine NAC With Other Data Sources
- Some assets can’t be found from a single source: For example, NAC solutions likely don’t have visibility into remote employees or cloud instances, so you must rely on other sources to gain a complete asset inventory of all devices your organization owns or that enter your network.
- You can’t identify gaps without comparing two or more data sources: For instance, to find a device missing antivirus, you have to compare a source that knows about devices with another source that knows about all antivirus deployments. To find other gaps, you need numerous data sources. While NAC solutions sometimes have other data inputs, they’re often lacking a sufficient amount of data to answer all your questions.
- More data sources lead to stronger data integrity: The more data sources overlap, the stronger the correlation between them, giving you a single source of truth for any one asset.
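The comparison described in the list above, as an added example (not Axonius code or any NAC product's API): records from a NAC export, an antivirus console and a cloud inventory are joined on normalized MAC address and short hostname, then checked for assets that a given source has never reported. The source names, field names and sample records are constructed assumptions.

```python
import re

# Constructed sample exports; field names and values are assumptions.
NAC = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "WS-FIN-01"},
    {"mac": "00-1a-2b-3c-4d-5f", "hostname": "ws-eng-07.corp.example"},
    {"mac": "001a.2b3c.4d60", "hostname": "printer-3f"},
]
AV = [
    {"mac": "001A2B3C4D5E", "hostname": "ws-fin-01.corp.example"},
    {"mac": "00:1a:2b:3c:4d:61", "hostname": "LT-REMOTE-02"},  # remote laptop
]
CLOUD = [{"mac": "", "hostname": "web-prod-1"}]  # cloud instance, no MAC exported


def keys_for(rec):
    """Normalized join keys: MAC as 12 lowercase hex digits, short hostname."""
    keys = set()
    mac = re.sub(r"[^0-9a-f]", "", rec.get("mac", "").lower())
    if len(mac) == 12:
        keys.add(("mac", mac))
    host = rec.get("hostname", "").lower().split(".")[0]
    if host:
        keys.add(("host", host))
    return keys


def correlate(sources):
    """Merge records from all sources into assets that share any join key."""
    assets = []  # each asset: {"keys": set, "seen_by": set}
    for name, records in sources.items():
        for rec in records:
            keys = keys_for(rec)
            merged = {"keys": set(keys), "seen_by": {name}}
            for a in [a for a in assets if a["keys"] & keys]:
                merged["keys"] |= a["keys"]
                merged["seen_by"] |= a["seen_by"]
                assets.remove(a)
            assets.append(merged)
    return assets


def coverage_gaps(assets, required):
    """Hostnames of assets that the `required` source has never reported."""
    return sorted(h for a in assets if required not in a["seen_by"]
                  for kind, h in a["keys"] if kind == "host")


ASSETS = correlate({"nac": NAC, "av": AV, "cloud": CLOUD})
```

`coverage_gaps(ASSETS, "av")` lists devices with no antivirus record, and `coverage_gaps(ASSETS, "nac")` lists the remote and cloud assets the NAC never saw.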