Enabling a Zero Trust Security Posture Through Adoption of a Network Access Control (NAC) System

By Mitchell Hurd, Lead Solution Architect – Cybersecurity

What is Zero Trust Security?

If you have attended any of the large security conferences in the past couple years, you have likely heard this phrase repeated time and again by every security vendor out there. It’s actually become a bit of a cliché industry buzzword. So, why am I talking about it here? Because the thinking behind the Zero Trust approach is still a solid one, and for security professionals it is one of our loftiest of goals. Today, we will discuss what this approach is, and we’ll discuss a key component of any network level approach to a Zero Trust security model – the Network Access Control System (NAC).

You have likely also heard of Software Defined Perimeter (SDP) solutions. These solutions take a different approach to solving many of the security problems addressed by modern Network Access Control (NAC) solutions. At the time of writing we consider these two categories of solutions to be complimentary rather than redundant or successive. One is more focused on the application layer (SDP), and the other is more focused on the network layer (NAC). Of course, this may change at some point, as SDP solutions expand their feature sets, and networks naturally move to a more software defined architecture. However, that’s a discussion for another day and a different blog post.

Since the term Zero Trust is so overused, it is helpful to first describe what we are talking about here. I’ve heard it jokingly described as “exactly the amount of trust my children give me when I ask them to try a new type of food.” This is actually a decent example of this approach to network security – require everyone to prove themselves to you in every situation before they are trusted. Essentially, we are saying that there should be no implicit trust given to any user or device. Just because you are connecting from within the four walls of a particular office doesn’t mean you are automatically trusted. You should still be required to be authenticated and authorized and also to have your communications encrypted before being given access to services. Prove who you are (ideally through MFA), prove you are authorized, and prove your device is in compliance with corporate policy.

Do I Still Need a Firewall?

Even though most security professionals will tell you the perimeter is dead, firewalls and strong perimeter security are still very important. When we say, “The perimeter is dead,” we are saying that the inside of the network must also be protected. Access should be determined by the device, user, and context and not by the physical port they are plugging into. If a social engineer or Turncloak (malicious insider) were to plug a portable hacking device (such as a raspberry pi running malicious code) into one of your conference room or cubicle Ethernet ports, what would they be able to reach? Modern secure networks need visibility and enforcement not only at the perimeter but in the middle as well – and ideally as close to the endpoints as possible. This is where a NAC solution comes in. With Network Access Control all users and devices – whether local or remote; whether wired or wireless – must first prove who they are and show that they are in compliance before they are allowed to connect. Not only that, we will only give them as much access as they require to accomplish their job, and we will continuously monitor them and dynamically change their level of access at any time if they come out of compliance with policy.

What Services Can a NAC System Provide?

Once deployed and properly integrated, a Network Access Control system will take on a variety of important functions on your network. It can take over Authentication Authorization and Accounting (AAA) functions and serve as a robust and highly available RADIUS and TACACS+ server. It can serve as a stand-alone (or subordinate) Certificate Authority to facilitate internal PKI. It can host user databases, integrate with your current enterprise identify sources, act as a web server for hosting captive portal pages, and provide a variety of other functions. However, a modern NAC system really starts to become useful when you integrate it with external security systems and invest the time to define specific access policies that reflect your business security goals.

How Does a NAC System Protect My Business?

Let’s suppose that someone has infiltrated a computer on your network through a phishing email or a website drive-by download attack. The compromised machine has now provided a malicious actor with a pivot point into your network. The actor’s next order of business will be to use this machine to sniff around your network and to see what other systems can be reached from the compromised machine. They then figure out what vulnerabilities exist on those reachable systems, compromise those machines, and continue this process across the network. The actor can steal privileged admin account credentials from one of the machines that an administrator has logged into previously. From there, they can make some changes to critical network systems to secure their foothold, and now they own the network. As you may have noticed, this all started from a single trusted machine on the internal network. From that one computer, that one phishing email, the entire enterprise was compromised.

A NAC system properly implemented in this environment would help prevent this scenario in a number of ways. For starters, the compromised machine should only have access to the systems that the particular user needs to access to accomplish their job. The user should not be able to reach every other system on the network – or even other systems on the same subnet unless that is required for their job. For systems they do need to access, they should only be able to reach the specific ports required – for instance, only the printing ports on a printer or only the HTTPS port on a web server. These types of policies can be centrally configured on the NAC and automatically pushed down to the switchport or wireless AP to which the user device connects when they authenticate on the network. Additionally, the level of network access can be changed at any time. So, for instance if the computer was compromised and the endpoint protection software noticed an infection, the protection software can communicate this information to the NAC. The NAC can then immediately take action and change the compromised computer’s level of network access – perhaps putting them in a quarantine role with internet only access or have the device pop up a captive portal webpage to inform the user that the device has an infection and that the user should contact IT.

How Does Context Factor In?

In the scenarios described above the user account and the device being used were trusted devices that were compromised. They are still using valid credentials and would continue to be trusted by many systems, yet we were able to detect signs of compromise and take action to lock down access. How was this possible? The key here is context. The integration with external systems is providing context to the system, and context gives the system visibility and capabilities that by itself would not be possible. This is what makes it truly powerful.

For example, a firewall that sees an employee laptop communicating with a known command and control server on the internet, or an MDM/EMM system that detects a mobile device becoming rooted/jailbroken, or a UEBA system that detects abnormal activity coming from a network security camera are suspicious behaviors because of the context. This information is sent to the NAC system which can use context to identify the suspicious behavior and can then enforce security policies. Additionally, the information flow can go both ways. The NAC can send information back to these systems, so they can do their jobs better. For instance the firewall may only know the IP address for a system it is monitoring; however, the NAC may know the username (and associated attributes like group memberships, etc.), current role or level of access, device operating system, installed OS patch level, antivirus status, and a number of other user and system details which it can then pass on to the firewall. This allows the firewall to have more complete host information profiles, which then enables the firewall administrators to create more robust firewall policies.

What we are describing here is a combination of different network solutions working together to solve complex and dynamic security problems, and at the center of this is the modern Network Access Control system. This system allows you to act on all of the rich network intelligence that you are collecting, to enable new levels of system and network visibility, and to provide you with a powerful enforcement point in the middle of your network.

Conclusion

Of course, there are many other use cases and situations that we didn’t have time to get into here. What about BYOD? What about IoT? What about visitor and guest access? NAC systems enabling a Zero Trust security solution can help to address each of these concerns. In the category of, “oh, by the way,” NAC systems alone will not give you a full Zero Trust security solution, anyone that tells you a single product or service can fully deliver a comprehensive Zero Trust solution is not providing you the full story. However, I hope that I have conveyed the message that a modern NAC solution is an essential piece of a comprehensive defense-in-depth strategy that can help your company adopt a true Zero Trust approach to security.

If you would like the technical details on any of those subjects, would like advice or assistance on how to design and implement a Network Access Control system for your network, or would just like to chat about security and your own journey on the road to Zero Trust, feel free to reach out via our Contact Us page.