Network Access Control – SY0-601 CompTIA Security+ : 3.3

Network access control (NAC) is an important part of IT security. In this video, you’ll learn about posture assessments, persistent and dissolvable agents, and agentless NAC.


There are a number of different ways to control access to your network. When we’re setting up a firewall on the edge of our network, we’re usually connecting our internal network to the internet. This edge connection is usually managed using rules that we put inside of that firewall. Generally, we set up those rules, test them to make sure they’re working, and from that point on we don’t tend to make a lot of changes to the rules inside of that edge firewall.

Access control approaches the idea of allowing or disallowing access to the network based on a number of different criteria and not just whether you’re on the edge of the network. You could be a user that’s on the inside of the network trying to access resources. Or you may be on the outside trying to access resources on the inside. These rules that we use for access control are also quite different than the rules we might have in a firewall.

These rules may be based on a username, perhaps a group the user belongs to, where the user may be located, or the application in use. And unlike a firewall rule where changes don’t occur unless we go through a change control process, the access control rules can change dramatically at any time. We can decide to allow or disallow access for a user or group of users and can change our security posture as needed.
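The rule types just described (username, group membership, location, application) can be evaluated as plain data, which is what lets the security team change them at any time without the change-control cycle an edge-firewall rule goes through. The following is an added example that is not from the video or any particular NAC product; the users, groups, locations, applications and rule names in it are constructed for illustration.

```python
"""Attribute-based access rules for NAC (added example, not from the video).

The decision inputs are the ones the video names: the username, the groups
the user belongs to, where the user is connecting from, and the application
in use. Rules are plain data evaluated first-match-wins with a default of
deny, so the security team can tighten access for a user or group at any
time. All users, groups, locations and rules below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    location: str       # constructed values: "internal", "vpn", "internet"
    application: str    # constructed values: "erp", "ssh", "email", ...


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    user: Optional[str] = None
    group: Optional[str] = None
    location: Optional[str] = None
    application: Optional[str] = None

    def matches(self, req: AccessRequest) -> bool:
        """Every criterion that is set must match; an unset criterion matches anything."""
        return (
            (self.user is None or self.user == req.user)
            and (self.group is None or self.group in req.groups)
            and (self.location is None or self.location == req.location)
            and (self.application is None or self.application == req.application)
        )


class AccessPolicy:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)   # copy, so runtime changes don't touch the template

    def evaluate(self, req: AccessRequest) -> Tuple[str, str]:
        """Return (action, rule name); no match falls through to an implicit deny."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.action, rule.name
        return "deny", "implicit-deny"

    def block_group(self, group: str, reason: str) -> None:
        """Change the security posture immediately: a deny for the group goes to
        the top of the list so it wins over any existing allow."""
        self.rules.insert(0, Rule(name=reason, action="deny", group=group))


# Constructed rule set: order matters because the first matching rule wins.
DEFAULT_RULES = [
    Rule("no-ssh-from-internet", "deny", application="ssh", location="internet"),
    Rule("finance-erp", "allow", group="finance", application="erp"),
    Rule("employees-internal", "allow", group="employees", location="internal"),
    Rule("employees-vpn-email", "allow", group="employees", location="vpn", application="email"),
]


def demo() -> List[Tuple[str, str]]:
    """Run a few constructed requests through the policy and return the decisions."""
    policy = AccessPolicy(DEFAULT_RULES)
    alice = AccessRequest("alice", frozenset({"employees", "finance"}), "vpn", "erp")
    bob = AccessRequest("bob", frozenset({"employees"}), "internet", "ssh")
    carol = AccessRequest("carol", frozenset({"contractors"}), "internal", "file-share")
    before = [policy.evaluate(alice), policy.evaluate(bob), policy.evaluate(carol)]
    policy.block_group("finance", "incident-block-finance")   # posture change at runtime
    after = [policy.evaluate(alice)]
    return before + after


if __name__ == "__main__":
    for action, rule in demo():
        print(f"{action:5s}  ({rule})")
```

The default is deny, and the `block_group` call shows the point of the paragraph: the finance group loses access the moment the rule list changes, with no firewall change window involved.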

One of the challenges with allowing people access to the network is sometimes they’re using equipment that we did not provide to them. This would be a BYOD environment where you are Bringing Your Own Device. So you might have your own phone. You might have your own tablet. And you are connecting your device to the corporate network. The security team knows that you’ll be using your own equipment to connect to the network.

But we also want to protect what’s in the network already. So we’re concerned about malware that may already be on these devices. Or perhaps the devices aren’t even running any anti-malware software. Or it could be that the applications that are already installed on these devices are applications that we really don’t want to run inside of the corporate network. It would be useful, then, to know exactly what the status is of these devices.

So when someone connects to the network, we can perform a posture assessment. This will check the device to see if, perhaps, it’s already a device that we’ve configured and is trusted by our organization. We can see if it’s running anti-virus. If so, which type of anti-virus is it running? And what version of software is it running? Are there any corporate applications already installed on this device? Or will we need to install additional applications on that device? Is this a mobile device like a phone or laptop? And if so, is the information stored on this device stored with encryption?

This requirement is not specific to any particular operating system. Whether you’re running Windows or Mac OS, iOS, or Android, you need to perform some type of posture assessment when these devices are connecting to the network. To be able to perform these posture assessments, we need to run some type of software on these devices that are connecting to the network. Sometimes these are persistent agents. We would install software onto the laptop or the mobile device. And that software would always be on that device and run when we’re connecting to the network.

This also means that we have to maintain that software. And if there’s any updates, we have to push those updates out to all of those devices. An option that doesn’t require this much management overhead might be a dissolvable agent, which means we’re not installing a permanent piece of software. This means that when we connect to the network, the software will run on that local device and perform that posture assessment. When that assessment is done, the software terminates and is no longer located on that machine.

Some operating systems include network access control as part of the operating system itself. And no additional agent is required. In the case of Windows, for example, an agentless NAC is integrated with Active Directory. And it performs these checks when the system logs in to and out of the network. But this also means that you’re not able to schedule any of these health checks. So if you need additional functionality, you may require a persistent or dissolvable agent.

Once the security team has configured the network access control system with the minimum configuration required for access to the network, it can then begin evaluating the user’s connection when they begin to log in. And it may be that a user is connecting to the network with a device that can’t meet the minimum requirements for these posture assessments. In that case, the device is not allowed access to the network and very often is put into a quarantine network that is specifically built for devices that don’t pass their health check.

This gives the user a chance to install the software that might be needed to update their system to meet the minimum requirements of that posture assessment. Once the user feels that they’ve fixed all of these problems, they can try reconnecting to the network. The posture assessment will run again. And if any problems are found, the process repeats itself. If all of the problems have been resolved, the user would then have access to the network.
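The posture assessment, quarantine and retry cycle described over the last few paragraphs can be shown end to end. The following is an added example, not code from the video or from any NAC product: a device report stands in for whatever a persistent, dissolvable or agentless check collected, the minimum-configuration policy and every product name, version, application name and hostname are constructed, and the assessment returns every failed check so the user knows what to remediate before reconnecting.

```python
"""Posture assessment and quarantine decision (added example, not from the video).

The checks follow the questions the video asks: is the device one we have
configured, is anti-virus running and at what version, are the corporate
applications present, and is a mobile device's storage encrypted. Policy
values, product names and hostnames below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DeviceReport:
    hostname: str
    managed: bool              # enrolled and configured by the organization
    mobile: bool               # phone or laptop, where encryption at rest matters
    av_product: str            # "" if no anti-malware software is present
    av_version: str            # e.g. "4.2.1"; "" if none
    av_running: bool
    installed_apps: Set[str]
    storage_encrypted: bool


@dataclass
class PosturePolicy:
    min_av_version: Dict[str, str]     # approved products -> minimum version
    required_apps: Set[str]
    require_encryption_on_mobile: bool = True
    allow_byod: bool = True            # False: only managed devices may connect


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "4.10.0" into (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def assess(device: DeviceReport, policy: PosturePolicy) -> List[str]:
    """Return the list of failed checks; an empty list means the device is compliant."""
    failures: List[str] = []
    if not policy.allow_byod and not device.managed:
        failures.append("device: not enrolled with the organization (BYOD not permitted)")
    if device.av_product not in policy.min_av_version:
        failures.append("anti-malware: no approved product installed")
    else:
        minimum = policy.min_av_version[device.av_product]
        if parse_version(device.av_version) < parse_version(minimum):
            failures.append(
                f"anti-malware: {device.av_product} {device.av_version} is below minimum {minimum}"
            )
        if not device.av_running:
            failures.append("anti-malware: product installed but not running")
    for app in sorted(policy.required_apps - device.installed_apps):
        failures.append(f"corporate app missing: {app}")
    if device.mobile and policy.require_encryption_on_mobile and not device.storage_encrypted:
        failures.append("storage: mobile device is not encrypted")
    return failures


def admit(device: DeviceReport, policy: PosturePolicy) -> Tuple[str, List[str]]:
    """Decide where the connection lands: the corporate network, or the quarantine
    network where the user can install what the failed checks call for."""
    failures = assess(device, policy)
    return ("corporate" if not failures else "quarantine"), failures


if __name__ == "__main__":
    policy = PosturePolicy(min_av_version={"ExampleAV": "4.2.0"},
                           required_apps={"corp-vpn", "mdm-agent"})
    phone = DeviceReport("alice-phone", False, True, "ExampleAV", "4.1.9", True,
                         {"corp-vpn"}, False)
    network, problems = admit(phone, policy)      # first attempt: quarantine
    print(network, problems)
    phone.av_version = "4.2.0"                    # user remediates in quarantine
    phone.installed_apps.add("mdm-agent")
    phone.storage_encrypted = True
    print(admit(phone, policy))                   # reassessment: corporate
```

Reassessment is just the same `admit` call run again on the updated report, which is the loop the video describes: any remaining failure keeps the device in quarantine, and an empty failure list grants access.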