What’s Better: NAC or Software-Defined Perimeter?
Written by Jason Garbis on November 03, 2017
We see far too many breaches and successful attacks, and those of us who have experienced it know just how disruptive and expensive it can be. A lot of this has to do with traditional Network Access Control (NAC) solutions not meeting today’s business, security, technical and compliance requirements.
Historically, network security solutions rested on the myth of the trusted user. Companies would build a perimeter around their internal network, verify that a user was who they claimed to be, and once in the door, that user received full access to the network, or at least a large portion of it. Perhaps our latest Nobel Prize winner would agree: “The times they are a-changin’.”
According to Forrester, there is a movement to redesign network security:
“Perimeter-based network security models fail to protect against today’s threats. The trust model is broken; there are four critical pitfalls with today’s approach to network security: It’s impossible to identify trusted interfaces, the mantra ‘trust but verify’ is inadequate, malicious insiders are often in positions of trust, and trust doesn’t apply to packets.”
In another complementary Forrester report, the firm says that “Vendors didn’t design existing enterprise security controls to thwart the types of threats common today. Current attacks are multistage, multi-OS, and multi-application, and enterprise security teams struggle to adapt to morphing attack patterns… A Zero Trust (ZT) network abolishes the idea of a trusted network inside the corporate perimeter. The entire network is untrusted. Instead, security teams create microperimeters of granular control around an enterprise’s sensitive data assets that also provides visibility into how the firm uses this data across its entire business ecosystem.”
In spite of this warning from Forrester, many security professionals have stuck with traditional NAC solutions that are failing them. Here’s why.
Network access control, or NAC, is a mature technology built on IEEE 802.1X, the standard for port-based Network Access Control (PNAC). Even so, the market is growing relatively slowly.
A NAC deployment has several components. A piece of client software running on the device, the supplicant, negotiates with the network access control point (in 802.1X terms, the authenticator: typically the switch or wireless access point the device connects to) when the device joins the network. Through this access point the user authenticates, with a user name and password, a certificate, and/or multi-factor authentication. The access point forwards the exchange to a RADIUS server that validates the credentials. If the user passes this credential test and the device passes the configured posture checks, the RADIUS server tells the access point to place the port in one or more virtual LANs, or VLANs. A VLAN groups hosts on the network in a way that is enforced at the network infrastructure level, while letting you logically group servers by risk or business function.
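To make the exchange above concrete, here is an added example (not code from the original post or from any NAC product) of what the RADIUS server actually hands back to the switch: the RFC 2868/3580 tunnel attributes that drive dynamic VLAN assignment, with the credential and posture checks feeding the decision. The user names, passwords, VLAN numbers and posture flags are constructed for illustration; the attribute framing and enumerations follow RFC 2865, 2868 and 3580.

```python
"""Dynamic VLAN assignment as a RADIUS server expresses it to an
802.1X authenticator.  Added example for illustration, not the
original post's code.  Users, VLAN plan and posture checks are
constructed sample data; the wire framing follows RFC 2865/2868/3580."""
from __future__ import annotations
import struct

# RFC 2868 tunnel attribute type codes
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# RFC 3580 enumerations: Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
# RADIUS packet codes (RFC 2865)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Constructed sample data standing in for a directory lookup and a VLAN plan.
USERS = {"alice": {"password": "correct horse", "group": "finance"},
         "bob":   {"password": "hunter2",       "group": "engineering"}}
VLAN_BY_GROUP = {"finance": "20", "engineering": "30"}
QUARANTINE_VLAN = "99"   # remediation VLAN for devices failing posture


def tunnel_attr(attr_type: int, value: bytes, tag: int = 1) -> bytes:
    """Frame one tagged tunnel attribute: Type, Length, Tag, Value.
    The tag (0x00..0x1F) groups attributes belonging to one tunnel."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(body) + 2) + body


def vlan_attrs(vlan_id: str) -> bytes:
    """The three attributes a switch needs to put the port into a VLAN.
    Integer tunnel values are 3 bytes after the tag byte."""
    return (tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, vlan_id.encode()))


def authorize(username: str, password: str, posture: dict) -> tuple[int, bytes]:
    """Server-side decision: credentials first, then posture, then VLAN.
    Returns (RADIUS packet code, encoded attributes)."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return ACCESS_REJECT, b""
    # A device that fails posture still gets a link, but only into the
    # quarantine VLAN (constructed check names: av_running, disk_encrypted).
    if not (posture.get("av_running") and posture.get("disk_encrypted")):
        return ACCESS_ACCEPT, vlan_attrs(QUARANTINE_VLAN)
    return ACCESS_ACCEPT, vlan_attrs(VLAN_BY_GROUP[user["group"]])


def parse_attrs(data: bytes) -> list[tuple[int, int, bytes]]:
    """Authenticator side: walk the TLVs, returning (type, tag, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute")
        body = data[i + 2:i + length]
        out.append((t, body[0], body[1:]))
        i += length
    return out


def assigned_vlan(data: bytes) -> str | None:
    """Honour Tunnel-Private-Group-ID only when Tunnel-Type is VLAN and
    the medium is IEEE-802, and only for a numeric 1..4094 VLAN ID."""
    by_type = {t: v for t, _tag, v in parse_attrs(data)}
    ttype = int.from_bytes(by_type.get(TUNNEL_TYPE, b"\0\0\0"), "big")
    medium = int.from_bytes(by_type.get(TUNNEL_MEDIUM_TYPE, b"\0\0\0"), "big")
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    vid = by_type.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode(errors="replace")
    return vid if vid.isdigit() and 1 <= int(vid) <= 4094 else None


if __name__ == "__main__":
    healthy = {"av_running": True, "disk_encrypted": True}
    for name, pw, post in [("alice", "correct horse", healthy),
                           ("bob", "hunter2", {"av_running": False}),
                           ("alice", "wrong", healthy)]:
        code, attrs = authorize(name, pw, post)
        print(name, "Accept" if code == ACCESS_ACCEPT else "Reject",
              "VLAN", assigned_vlan(attrs))
```

Note what the example makes visible: the RADIUS server never sees a packet from the user's session, it only chooses a VLAN at association time, and the switch must validate the attribute triple rather than trusting any string it receives. Everything that happens inside VLAN 20 afterwards is invisible to this decision, which is the limitation the rest of the post is about.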
A NAC solution allows you to look at a certain set of attributes on the client device, validate credentials and provide access to the VLAN. But VLANs introduce complexity:
The result? NAC makes its decision at the switch port or wireless association, and cloud-hosted resources never pass through that point. Organizations using cloud-based resources therefore need an alternative to NAC, or an additional solution alongside it, to manage user access.
And that’s the biggest thing that’s changing today: perimeter-based solutions just don’t work.
Rather than attempting to improve traditional NAC solution deployments, many organizations are considering replacing them with a Software-Defined Perimeter solution that offers an individualized, dynamically adjusted network segment – a segment of one to:
This individualized network segment approach dynamically adjusts based on user and network attributes. It takes the principle of least privilege and enforces it, allowing users, through a set of policies, to gain access to only the resources on the network that they need.
Key Facts about a Software-Defined Perimeter solution
Software-Defined Perimeter solutions overcome the challenges of NAC.