Introduction

This lecture begins the discussion of network security, focusing on network access control. We start with an overview of network access control systems, summarizing the principal elements and techniques involved in such a system. Next, we discuss the Extensible Authentication Protocol (EAP) and IEEE 802.1X, two widely implemented standards that are the foundation of many network access control systems.

Network Access Control

Network access control (NAC) is an umbrella term for managing access to a network. A NAC system verifies user identities, controls what data a user may access, and assesses the security health of devices connecting to the network. NAC involves:

A variety of different access requestors (ARs) seek access to an enterprise network by applying to some type of network access server (NAS). The NAS validates the AR's identity in order to determine its access privileges. Session keys may be established during this exchange for subsequent secure communication.

Figure 6.1 Network access control context.

The policy server assesses ARs for compliance with organization security standards before granting access.

Network Access Enforcement Methods

Enforcement methods are the actions that are applied to ARs to regulate access to the enterprise network. The following are common NAC enforcement methods:

  1. IEEE 802.1X: This link layer protocol enforces authorization before assigning an IP address to a port. It utilizes the Extensible Authentication Protocol (EAP) for authentication.
  2. Virtual Local Area Networks (VLANs): Enterprises segment their networks into VLANs based on security requirements. ARs are directed to specific VLANs depending on their security status and access needs.
  3. Firewall: Firewalls control network traffic between enterprise hosts and external users, allowing or denying access based on predefined rules.
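To make the policy-server and enforcement roles above concrete, here is an added example (written for this page, not taken from the lecture or from any NAC product) of the decision a policy server makes once the NAS has authenticated an AR: an unauthenticated AR stays on an unauthorized port (the 802.1X case), an authenticated but non-compliant AR is steered to a quarantine VLAN, and a compliant AR gets the production VLAN, with per-VLAN firewall rules deciding what each VLAN may reach. The VLAN numbers, posture checks, zone names and sample ARs are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    AUTHORIZE = "authorize"    # port opened, AR placed in its working VLAN
    QUARANTINE = "quarantine"  # port opened, AR placed in a remediation VLAN
    DENY = "deny"              # port stays in the 802.1X unauthorized state


# Hypothetical VLAN numbers chosen for this example (not from the lecture).
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 20
GUEST_VLAN = 30

# Posture attributes the (hypothetical) policy server requires before granting
# a managed employee device production access.
REQUIRED_POSTURE = {
    "antivirus_current": True,
    "os_patched": True,
    "host_firewall_on": True,
}


@dataclass
class AccessRequestor:
    identity: str
    role: str                  # "employee" or "guest"
    authenticated: bool        # outcome of the EAP exchange at the NAS
    posture: dict = field(default_factory=dict)  # reported by the endpoint agent


@dataclass
class Decision:
    action: Action
    vlan: Optional[int]
    reasons: list


def posture_failures(posture: dict) -> list:
    """Return the names of required posture checks the AR did not satisfy."""
    return [name for name, want in REQUIRED_POSTURE.items() if posture.get(name) != want]


def decide(ar: AccessRequestor) -> Decision:
    """Policy-server decision: identity first, then role, then compliance."""
    if not ar.authenticated:
        return Decision(Action.DENY, None, ["authentication failed"])
    if ar.role == "guest":
        # Guests are never posture-checked; they only get an internet-only VLAN.
        return Decision(Action.AUTHORIZE, GUEST_VLAN, ["guest: internet-only VLAN"])
    failures = posture_failures(ar.posture)
    if failures:
        return Decision(Action.QUARANTINE, QUARANTINE_VLAN,
                        ["posture: " + f for f in failures])
    return Decision(Action.AUTHORIZE, PRODUCTION_VLAN, ["compliant employee"])


# Firewall rules per VLAN: (destination zone, port, allow). First match wins;
# anything unmatched is denied. Zone names are constructed for the example.
FIREWALL_RULES = {
    QUARANTINE_VLAN: [("remediation", 443, True), ("*", "*", False)],
    GUEST_VLAN: [("intranet", "*", False), ("internet", "*", True)],
    PRODUCTION_VLAN: [("*", "*", True)],
}


def firewall_allows(vlan: int, dst_zone: str, port: int) -> bool:
    """Evaluate the ordered rule list for the AR's VLAN; default deny."""
    for zone, rule_port, allow in FIREWALL_RULES.get(vlan, []):
        if zone in ("*", dst_zone) and rule_port in ("*", port):
            return allow
    return False


def run_examples() -> dict:
    """Constructed sample ARs covering each enforcement outcome."""
    compliant = {"antivirus_current": True, "os_patched": True, "host_firewall_on": True}
    samples = [
        AccessRequestor("alice", "employee", True, compliant),
        AccessRequestor("bob", "employee", True, dict(compliant, os_patched=False)),
        AccessRequestor("visitor-7", "guest", True),
        AccessRequestor("mallory", "employee", False, compliant),
    ]
    return {ar.identity: decide(ar) for ar in samples}


if __name__ == "__main__":
    for identity, d in run_examples().items():
        print(f"{identity:10} -> {d.action.value:10} vlan={d.vlan} ({'; '.join(d.reasons)})")
```

The ordering in `decide` mirrors the roles in the lecture: the NAS establishes identity, the policy server checks compliance, and the enforcement point (port state, VLAN assignment, firewall rules) acts on the decision. Keeping the quarantine VLAN's rules to a single remediation destination is what makes "quarantine" meaningful; a quarantine VLAN with permissive rules is just a differently numbered production VLAN.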