Wednesday, July 1, 2020

What is NAC (Network Access Control)?

NAC (Network Access Control)


NAC (Network Access Control) is a solution that controls which devices and users are allowed onto the network. Although this is the main function of a NAC mechanism, it does more than an ordinary network authentication and authorization server. Traditional network authentication implements the IEEE 802.1X standard, which provides a port-based authentication method for devices that want to join a wired local area network (LAN) or a wireless LAN (WLAN).

FortiNAC is a port-based network access control solution that controls clients' access to the network, for example through agent software running on the client devices. Another way to join the network is through a captive portal, which is how access is usually granted in public places such as hotels. An airport is a familiar example: after connecting to the wireless network, the user is redirected to a web portal and must enter identity information and accept the legal terms before getting access.

By installing an agent on the computers of the clients on the network, the state of those computers is checked (antivirus up to date, operating system updated, user authenticated through Active Directory) before they are admitted to the network. However, with the spread of handheld wireless devices, businesses began to allow them onto their networks, because BYOD (Bring Your Own Device) was useful for business continuity. This brought new network risks along with its advantages.

In parallel with these developments, IoT (Internet of Things) devices started to be included in networks. IoT devices collect information and can be controlled remotely; examples include temperature and humidity sensors in smart homes, smart refrigerators that help you put together a shopping list, door-lock control systems that lock and unlock doors over the network, and devices that let you adjust lighting and thermostat settings. The fact that IoT devices make everyday life so much easier has made them popular. Although the number of such network-controlled automation devices has increased, the lack of an authentication mechanism on IoT devices, and their inability to run security software such as an agent, introduced security weaknesses into the network.

Looking at the IoT ecosystem from an institutional perspective, many manufacturers offer different IoT automation devices, and organizations use them to monitor critical systems and gather information. IoT systems encountered in different business sectors include network-controlled air conditioning units in the HVAC sector, and the temperature and pressure meters used in various factories, where they are of critical importance.

However, the lack of security standards for devices in the Internet of Things (IoT) ecosystem, and the difficulty of securing these devices, make them a potential threat to the network. This means that IoT devices cannot be trusted, and bad actors can use them as a foothold for attacking the network.

The architecture that Fortinet calls "security for purpose" aims to identify the users, functions, applications, and virtual assets on our network and to make the communication between them as secure as possible. BYOD and IoT devices should be controlled and monitored to avoid any danger on the network side. Such IoT and BYOD devices should be profiled by the network access control system and given only the network access that their function requires. For example, an IP camera should be able to send and receive traffic only to and from the NVR (network video recorder) server on the network, and should have no access to the sales or finance servers. Limited and controlled access preserves the benefits of IoT systems while minimizing the damage they can cause to a network. A device that violates policy must be moved directly to quarantine, that is, into a virtual network (VLAN) isolated from the rest of the network.

Ideally, to identify all devices and all users in a network built from different manufacturers' equipment, every device communicating over TCP/IP on the network should be visible, and every device discovered should be profiled according to its task. Profiling IoT and BYOD devices according to their roles is very important and necessary for security. A NAC solution such as FortiNAC should have a centralized architecture to effectively control large, multi-site networks. Each class of device should be granted only the resources it actually needs, and the network should be segmented accordingly.
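The profiling and least-privilege model described above, as an added example that is not part of the original post and is not FortiNAC's or Fortinet's code: a toy policy engine in Python that classifies a joining device into a role from what the network can observe about it (a constructed OUI table and the DHCP vendor class, or agent posture plus an Active Directory user for managed laptops), assigns the role's VLAN, allows only the destinations that role needs (the camera may reach the NVR subnet and nothing else), and moves the device to a quarantine VLAN on its first violation. All roles, VLAN numbers, subnets, OUIs, fingerprints and sample devices are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical quarantine VLAN: isolated from every production subnet.
QUARANTINE_VLAN = 999


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int
    # Allowlist of (destination network, port); port None means any port.
    allowed: tuple


# Hypothetical role table: each role gets a VLAN and only the destinations its function needs.
ROLES = {
    "ip-camera": Role("ip-camera", 30, (
        (ip_network("10.0.30.0/24"), 554),    # RTSP video to the NVR subnet
        (ip_network("10.0.30.0/24"), 443),    # management from the NVR subnet
    )),
    "hvac-sensor": Role("hvac-sensor", 40, (
        (ip_network("10.0.40.10/32"), 1883),  # MQTT to the building-management broker
    )),
    "corp-laptop": Role("corp-laptop", 10, (
        (ip_network("10.0.0.0/8"), None),     # full internal access after a posture check
    )),
    "unknown": Role("unknown", 900, (
        (ip_network("10.0.90.1/32"), 443),    # captive portal only
    )),
}

# Constructed OUI table (first three octets of the MAC -> vendor); not real vendor OUIs.
OUI_TABLE = {
    "AA:BB:C1": "ExampleCam",
    "AA:BB:C2": "ExampleSense",
}

# Constructed fingerprints: the OUI vendor AND the DHCP vendor-class prefix must both
# match, because a MAC address alone is trivially spoofed.
FINGERPRINTS = {
    ("ExampleCam", "ExampleCam-IPC"): "ip-camera",
    ("ExampleSense", "ExampleSense-HVAC"): "hvac-sensor",
}


def profile(obs):
    """Map what the network observed about a device to a role name."""
    # Managed endpoints: the agent reports posture and the user authenticated via AD.
    if obs.get("agent_posture") == "compliant" and obs.get("ad_user"):
        return "corp-laptop"
    vendor = OUI_TABLE.get(obs["mac"].upper()[:8], "")
    dhcp_vc = obs.get("dhcp_vendor_class", "")
    for (oui_vendor, vc_prefix), role in FINGERPRINTS.items():
        if vendor == oui_vendor and dhcp_vc.startswith(vc_prefix):
            return role
    return "unknown"  # unprofiled devices get the most restricted role


class Nac:
    def __init__(self):
        self.role = {}  # MAC -> role name
        self.vlan = {}  # MAC -> VLAN currently assigned to its access port

    def admit(self, obs):
        """Profile a joining device and put its port in the role's VLAN."""
        mac = obs["mac"].upper()
        role = profile(obs)
        self.role[mac] = role
        self.vlan[mac] = ROLES[role].vlan
        return role, self.vlan[mac]

    def check_flow(self, mac, dst_ip, dst_port):
        """Decide on one flow; the first violation moves the device to quarantine."""
        mac = mac.upper()
        if self.vlan.get(mac) == QUARANTINE_VLAN:
            return "quarantined"
        dst = ip_address(dst_ip)
        for net, port in ROLES[self.role.get(mac, "unknown")].allowed:
            if dst in net and (port is None or port == dst_port):
                return "allow"
        self.vlan[mac] = QUARANTINE_VLAN
        return "deny+quarantine"


def demo():
    """Constructed devices and flows; returns the decisions so they can be checked."""
    nac = Nac()
    cam = {"mac": "aa:bb:c1:00:00:01", "dhcp_vendor_class": "ExampleCam-IPC-v2"}
    # Camera OUI but a Windows DHCP vendor class: looks like a spoofed MAC, so it is not trusted.
    spoof = {"mac": "aa:bb:c1:00:00:02", "dhcp_vendor_class": "MSFT 5.0"}
    laptop = {"mac": "00:11:22:33:44:55", "agent_posture": "compliant", "ad_user": "jdoe"}
    r = {}
    r["cam_role"] = nac.admit(cam)
    r["spoof_role"] = nac.admit(spoof)
    r["laptop_role"] = nac.admit(laptop)
    r["cam_to_nvr"] = nac.check_flow(cam["mac"], "10.0.30.5", 554)
    r["cam_to_finance"] = nac.check_flow(cam["mac"], "10.0.50.10", 445)
    r["cam_after_violation"] = nac.check_flow(cam["mac"], "10.0.30.5", 554)
    r["spoof_to_nvr"] = nac.check_flow(spoof["mac"], "10.0.30.5", 554)
    r["laptop_to_finance"] = nac.check_flow(laptop["mac"], "10.0.50.10", 445)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two points a practitioner should take from this toy: profiling on the MAC OUI alone is worthless against a spoofed address, so the example requires a second, independent signal (the DHCP vendor class) before it grants a device the camera role, and a real NAC would add more (switch port, traffic behaviour, certificate). And in a real deployment the VLAN assignment and the quarantine move are enforced on the access switch or wireless controller (typically through RADIUS attributes and change-of-authorization), not in a dictionary as here; the dictionary only models the decision.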