What is the system most often used to authenticate the credentials of users who are trying to access an organizations network via a dial up connection?

Network access control is defined as an enterprise security solution used to assess, manage, enforce, and optimize security and authentication policies through different measures like endpoint security, user access authentication, and network security policies. This article explains network access control, its key components, and best practices. 

Table of Contents

What Is Network Access Control? 

Network access control is an enterprise security solution used to assess, manage, enforce, and optimize security and authentication policies through different measures like endpoint security measures, user access authentication, and network security policies. 

Essentially, network access control aims to build a security fortress through which unauthorized users, illegitimate device activity, and network-based threats cannot penetrate. At one point in time, network access control was all about computer and network security, ensuring that all traffic passing through was legitimate. 

However, with the rise of internet of things (IoT), multiple connected endpoints, software-as-a-service (SaaS) applications, and personal devices that double up for professional use, network access control has a much more vast and significant impact area. 

According to a 2020 survey by Nexkey, 44% of respondents felt access control was more important than ever in the aftermath of the pandemic. In the same year, Gartner announced that it would start to report on network access control as part of its forecast, also assessing revenue share by vendors in its Gartner Market Share reports. This indicates that network access control is poised to become an enterprise staple. 

Also Read: What Is Network Security? Definition, Types, and Best Practices

Several drivers are encouraging the adoption of network access control strategies and solutions: 

• • Strengthening security after an audit: As digital transformation accelerates, security audits are bound to reveal unmapped infrastructure, vulnerable access points, and IoT devices like wearables or building automation that leave enterprises exposed. Network access control can be an answer to this challenge. 
  • Coping with the rise in third-party vulnerabilities: Corporate network access by different types of stakeholders and devices, including guests, partners, contractors, consultants, etc., increases your security exposure. Network access control helps manage third-party access and keep data flow secure. 
  • Quarantining devices without interrupting business as usual (BAU): With a growing reliance on technology, it isn’t always possible to immediately retire a system once a vulnerability is detected. Network access control offers temporary solutions like sandboxing or a quarantine virtual local area network (VLAN) to carry on business operations until the issue is remediated. 
  • Integrating with other security essentials: Most network access control solutions come with extensive interoperability so that they can “play nice” with existing infosec components. This is a major driver for mature organizations with a well-established digital footprint. Also, it makes network access control easier to scale, adding to the overall security posture as the organization evolves. 

An associated concept that infosec professionals should remember when exploring network access control is zero-trust network access (ZTNA). 

ZTNA is a type of network access control policy that applies an identity and context-based access boundary around single or multiple applications. To the typical user, ZTNA-protected applications would remain hidden. A designated trust broker will verify the user against a list of named entities, based on identity and context, before allowing access to the applications. Zero Trust was a key network access control capability in 2020, prioritized by 72% of respondents in the 2020 Zero Trust Progress Report by Cybersecurity Insiders and Pulse Secure.

Let us now look at a typical network access control architecture and the components that make up network access control. 

Also Read: Operational Cost, Security-Related Risk: Quantifying the Value of Network Security Policy Management

Key Components of Network Access Control 

Network access control oversees a vast expanse of computing systems, both on-premise and remote. As a result, it comprises a carefully designed solution architecture with each component playing a role in security enforcement, maintenance, and remediation. Following are the components of an industry-standard network access control solution:

1. Client 

Endpoint systems or the clients are one of the key components of network access control. These are the most common windows for network access, data exchange, and generally any kind of computing activity. Endpoint vulnerabilities could cripple the entire enterprise network, as there are deep connections between devices and on-premise servers if you have them. Apart from physical endpoints like computers, laptops, connected printers, IP phones, etc., virtual machines where you could be hosting a workstation also count as clients. 

2. Client software 

Sometimes, it is a specific application or set of applications that are identified as an access gateway, in addition to the entire computing system. In these cases, the client’s software application is also considered part of the network access control architecture, actively participating in authentication and security enforcement processes. 

3. Authentication server 

The authentication server is one of the core components of network access control. It is typically a physical server of the remote authentication dial-in user service (RADIUS) variant that validates the credentials of the client device or client software requesting access. In most network access control solutions, these credentials are validated based on a list of named entities like usernames, passwords, and digital certificates. More advanced solutions apply context and behavior-based authentication as well. For a cloud-based network access control solution, this component is hosted on a public cloud. 

4. Authenticator 

The authenticator is responsible for facilitating the authentication between the client (device or software) and the authentication server. It comprises a managed switch or access point that securely relays credentials between components 1 or 2 and 3, ensuring that a port continues to be labeled as an unauthorized state until the authentication occurs. The authenticator is also responsible for changing the port’s state to “authorized” once the server has given a greenlight. 

Also Read: What Is a Virtual Private Network? Definition, Components, Types, Functions, and Best Practices

5. Authentication framework 

The authentication framework can be considered as the language in which credentials are shared among the client device, the client software, the authentication server, and the authenticator. It differs from one solution to another – for example, extensible authentication protocol (EAP) or EAP over LAN (EAPoL) can be used as the framework if you need to configure multiple authentication methods into the system.

6. Quarantine 

Quarantine is a sandbox environment where traffic carrying non-authenticated credentials is placed, awaiting remediation. Note that quarantine is a network access control component only in post-admission network access control, where authentication and security policies are enforced within the network once the user or device has already obtained access. The quarantine allows for business activity within the environment without interacting with or damaging external files. 

7. Guest networks 

Organizations might implement a dedicated guest network to isolate all third-party traffic. This is relevant for enterprises operating with a large non-payroll workforce and multiple third-party stakeholders such as regulatory bodies, consultants, vendors, etc., from the same enterprise premise. Guest networks are a common component of cloud-hosted network access controls governing remote access by third parties. 

8. Corporate networks 

This is the primary channel for communication in the enterprise, allowing authorized traffic as validated by the authentication server. The corporate network could be secured by additional intermittent security policies such as time-bound access that revokes authorization once a specific time or access threshold is reached. Therefore, corporate networks are in no way outside the ambit of network access control or a security-policy-free zone. 

Also Read: Top 10 Virtual Private Networks (VPN) in 2021

9. Public internet 

In addition to guest networks and corporate networks, the public internet can also be used to access enterprise assets, subject to certain constraints and authentication protocols. Typically, public internet traffic flows only through guest gateways and not via the corporate network. 

10. Management console 

Network access control can be managed through a security dashboard hosted either on-premise or on the cloud. The dashboard enables device visibility, allows for security policy configurations, maps trends or analytics, displays security alerts, and essentially acts as an all-in-one governance hub for your infosec manager. The management console can be accessed as a web portal, a desktop app, a mobile app, or on a virtual machine, as required. 

11. Client agent 

Client agents are an optional component of network access control. If you want to empower employees to self-assess their security posture, act on vulnerabilities, and bring anomalies or suspicious behavior to your notice, you can install a network access control agent on the client device. But keep in mind that this isn’t a replacement for the centralized management console. 

At a high level, your network access control architecture will include some or most of these components – of which components 1, 3, 4, 5, 8, and 10 are mandatory, which can be considered as core components of network access solutions. The remaining components add extra value and align network access control for a diverse variety of implementation scenarios. 

Given this complexity of architecture, you might be wondering if there is an alternative to network access control. 

Network access control is typically recommended for multi-environment, on-premise digital ecosystems that regularly receive access requests from users or devices of different personas, identity privileges, contexts, data requirements, and network backgrounds, with a largely equal mix of IoT and traditional endpoints. 

On the other hand, if you have a growing reliance on IoT only, cyber-physical security solutions that focus on edge devices could be more suitable. For organizations looking to secure their remote ecosystems, secure access service edge (SASE) is an emerging solution, which is entirely cloud-based. 

Keeping these alternatives in mind, if network access control is what your organization requires, remember these seven best practices for getting started. 

Also Read: What Is Browser Isolation? Definition, Technology Components, and Vendors

Top 7 Best Practices for Network Access Control in 2021

2021 will be an important year for enterprise security, as you will have to take stock of your bring-your-own-device (BYOD) footprint, SaaS reliance, and unmapped access points, all the while focusing on minimizing touch-based access controls. The following best practices can help you maximize network access control solutions and fortify your enterprise perimeters. 

1. Couple pre-admission network access control with post-admission 

Network access control can be broadly classified into two types: pre-admission and post-admission. In the former, authentication policies are enforced before network access is granted, right at the moment when a user or device requests access. The network access control then assesses the origin of the request, its behavioral pattern, and the origin’s credentials to allow or deny access in compliance with corporate security policies. 

In contrast, post-admission network access control takes place within the enterprise perimeter once the user or device has gained preliminary access and is looking to venture inward further – for example while accessing a privileged data asset. Post-admission network access control policies can kick in to stop lateral movements inside the perimeter and mitigate the damage. The user or device must obtain fresh authentication every time they try to access enterprise assets protected by post-admission policies. 

Together, these two network access control types provide an end-to-end solution against cybersecurity threats. Unauthorized users are prevented from gaining access in the first place. Threats that penetrate pre-admission through some form of deceit must go through another authentication cycle before accessing your most sensitive information. This tactic is also effective against insider attacks. 

2. Choose your network access control solution wisely

When it comes to choosing a solution partner, you have several options. Pure-play network access control vendors have a dedicated solution for network access control, utilizing both open source and proprietary technologies. Network infrastructure providers offer network access control as an add-on to networking products, adding to the value proposition with seamless consolidation and tight integration. 

Apart from this, there are cyber-physical security solutions and SASE for IoT and remote environment security, respectively. In this market landscape, one must choose their network access control partner wisely, in sync with current use cases and future projections: 

• •  Focus on vendors targeting enterprises of your size and complexity, and if possible, your industry vertical. After all, access requirements in a digitalized healthcare scenario will be very different from a connected factory. 
  • Align network access control implementation with any zero-trust identity and access management (IAM) policy that is already active at your enterprise. Network access control can enable a “deny by default” approach that reinforces your zero-trust capabilities. 
  • Take stock of your endpoints and existing endpoint security to select a solution that is interoperable. Network access control must have a native integration with your unified endpoint management tools for cohesive visibility. 
  • Conduct a network inventory exercise before selecting a vendor. This will not only surface any unmapped endpoints, undetected access gateways, existing network switches, etc., but also give you an IP volume estimate for network access control budgeting. 

These four steps can help you make the right call when assessing network access control and implement a solution that’s the best fit for your enterprise. 

Also Read: What Is a Firewall? Definition, Key Components, and Best Practices

3. Train IT staff in network access control 

Network access control comes with its own technical lexicon, and an IT generalist may not be able to maximize its value to the fullest. Even if a vendor takes full or co-ownership of network access control implementation and maintenance, its on-premise nature means that your IT staff will have to get involved in day-to-day maintenance and upkeep. 

Further, interpreting network access control alerts and data trends is another important skill. Reading network access control alerts in time and acting on them can prevent severe security damage caused by unauthorized access. As network access control covers the entire gamut of your on-premise device and user footprint, there’ll be a wide variety of alerts to assess and interpret. 

Depending on the number of endpoints, you might want to appoint a dedicated network access control administrator to keep a watch on alerts, filter out false positives, and keep the enterprise secure without interrupting workflows or inconveniencing legitimate users. 

Some of the key skills in which IT staff might require training are: 

• • Data analysis, interpretation, and trends mapping 
  • Familiarity with cyber-physical systems and non-traditional endpoints 
  • Security integration and interoperability for end-to-end visibility 
  • User experience and technology dependencies in workflows 

Apart from IT staff, you might want to inform guest users and third-party stakeholders about network access control implementation. 

4. Watch out for prime use case candidates 

In a digital enterprise, there are many use cases ideal for network access control implementation – but they frequently pass under the radar. If you have any of the following scenarios at your enterprise, consider implementing network access control: 

• • A large third-party ecosystem: Third-party users and non-employees are regularly present on your enterprise premises. Some even have access privileges to the corporate network. 
  • Bring your own device policies: Employees bring their personal laptops to work or take their work devices home, interchangeably using them for personal and professional purposes. 
  • Internet of things (IoT): There are several connected endpoints on your premises, ranging from biometric-enabled smart doors to IP-enabled printers. 
  • Sensitive data stored on edge: Distributed devices like healthcare wearables or manufacturing sensors constantly collect sensitive data and relay them to your network. 

Network access control can help address the above issues, which are becoming increasingly common across enterprises and verticals. 

Also Read: Top 10 Firewall Security Software in 2021

5. Adopt network segmentation for post-admission security 

Network segmentation lets you bucket users and devices dynamically and automatically, based on pre-configured security policies. An infected or illegitimate asset is isolated via segmentation, which reduces your attack surface. 

There are several ways to customize network segmentation – based on the identity of users or the device, their risk levels, the location of access requests, time of connection, or any other business rule. Devices prioritized as high-risk within your network environment can be isolated and placed in quarantine until further approval. 

It is also advisable to centralize your network segmentation policies so that the same protocols are followed across the organization, with a consistent response to threats. This will help standardize your security posture and ensure that no errors slip through the gaps amid fragmented security policies, different ways of segmenting, etc. 

6. Break down the network access control implementation process into simple, manageable steps 

Network access control architecture can seem overwhelming at first, as there are several components and close dependencies with existing IT infrastructure. That’s why it is so important to break down network access control implementation into five simple steps: 

• Assess endpoints: Conduct an exhaustive endpoint inventory to surface every hardware device, virtual appliance, server, networked equipment, and digital interface with access to your digital resources. 
• Isolate identities: User identities and profiling are central to authenticating and authorizing access. List all relevant identities based on your existing directory systems and then progress to the next step. 
• Personalize permissions: Based on endpoint characteristics and identity details, configure access policies tailored to an individual’s unique duties, workflows, and access requirements. Factor in guest permissions as well. 
• Initiate execution: Register user directories, apply permission systems and integrate network access control components within your existing IT landscape. The solution vendor will oversee the execution to ensure that the network access control aligns with your business requirements as specified in the service level agreements (SLAs). 
• Update regularly: Aided by internal training, your IT staff must look after day-to-day operations, tweak permission policies, and request vendor intervention as your organization evolves. The hardware components of network access control might also require changing due to wear and tear. 

Also Read: What Is Application Security? Definition, Types, Testing, and Best Practices

7. Explore optional integrations for value addition 

In addition to core capabilities like network visibility, guest access management, compliance, and device security, you can also explore integrations with your network firewalls, security information and event management (SIEM), IAM, and advanced threat prevention systems. This consolidates your security posture into a unified whole, establishing a single line of accountability and control. 

As your enterprise perimeter stretches outwards, network access control will prove vital to maintaining visibility into user and device activity on corporate and guest networks. The advent of cloud-based network access controls is the next frontier, simplifying its management and enabling opportunities for remotely managed network access control services. 

Did this article help you understand the basics of network access control? Tell us about your experience on LinkedIn, Twitter, or Facebook. We are eager to hear from you!