Better security through software-defined perimeter know-how

Have newer security methods made NAC systems obsolete?

While newer security methods, like microsegmentation and software-defined perimeter, diminish the role of network access control, NAC systems can still help secure the network edge.

Network access control products were originally developed in an era when applications ran on servers located in enterprise networks and access was primarily from company-owned PCs. Much has changed since then.

In many cases, PCs are no longer the primary access device, and cloud-based applications have increasingly taken the place of enterprise-based applications. So does network access control (NAC) still have a role in the wake of newer security methods?

The goal of NAC systems was to prevent PC-resident malware from infecting enterprise servers and spreading throughout the network. PCs could easily become infected because employees often used them to cruise the web and sometimes brought in files on CDs or memory sticks.

The solution was to install a network access agent on each PC. The agent would communicate with firewall-based code, which would verify that the antivirus software on the PC was up to date and that the PC wasn't infected.

The situation became more complicated when PCs were no longer the only device in use. Employee-owned cellphones became a commonly used access device, and employees were often unwilling to install an employer-provided agent.

Cloud-based applications, such as SaaS, have also reduced the importance of NAC. These applications communicate with a variety of device types from across the internet, as well as other applications. Requiring an agent on all of the different device types and applications that access cloud-based applications is not feasible.

NAC systems were designed to protect the network at its edge, but doing so is no longer sufficient. Applications have become more complex, and they now often consist of multiple components executing on virtual machines that reside on different servers within a public or private cloud. Safeguarding the links between components has become vital, but NAC has no role within the network.

Security developments overtake NAC

New security methods have been developed to support complex applications. Microsegmentation groups all of the components and links that make up a single application. Zero-trust security works with microsegmentation to verify communication within the microsegment, and it reverses the assumption that any communication from within the network is free of threats simply because it was inspected at the network edge.

Instead, zero-trust assumes all communication must be blocked unless it is explicitly specified as acceptable. Zero-trust checks the source of any attempted communication to a microsegment component against the list of other microsegment components and acceptable outside sources, and it verifies that the communication is free of malware.

Despite these new developments, defense at the network edge is still important. The software-defined perimeter (SDP) concept was initially developed by the Defense Information Systems Agency. The agency recognized that any interface exposed to the internet would be constantly probed by attackers, and that the best means of prevention was to make the network as invisible as possible.

Unlike NAC, where clients connect to the network and then authenticate, SDP clients must authenticate before connecting to the network. An SDP controller external to the network authenticates each client and determines which applications the client is authorized to access.

The controller then sends the client an authorization, enabling it to connect to a network gateway. The gateway determines -- based on the authorization granted by the controller -- which applications are allowed for this client.

All network access is through the gateways, which are inaccessible except by authenticated clients. No domain name system entries are created for the gateways or for any other network component, so the network is invisible to hackers. Hackers have no way of learning the IP address of any network component, so they cannot attempt to connect to one.
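The authenticate-then-connect sequence described above, as an added example that is not part of the original article or of any SDP product: a controller that authenticates a client and issues a signed authorization, and a gateway that drops anything not carrying a valid authorization and otherwise admits only the applications the controller granted. The shared HMAC key, the credential store, the entitlement directory and the client names are constructed for the example; a real controller would defer to an identity provider with multifactor authentication.

```python
import hashlib
import hmac
import json
import secrets

# Key shared by the controller and the gateway so the gateway can verify
# authorizations without a round trip. Constructed here; a deployment would
# provision it out of band.
CONTROLLER_KEY = secrets.token_bytes(32)

# Hypothetical credential store and entitlement directory (constructed sample data).
CLIENT_SECRETS = {
    "alice": hashlib.sha256(b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(b"bob-pw").hexdigest(),
}
CLIENT_ENTITLEMENTS = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki"},
}
GRANT_LIFETIME_SECONDS = 300


def controller_authenticate(client_id, password, now):
    """SDP controller: authenticate the client first, then issue a signed
    authorization listing the applications it may reach through the gateway."""
    stored = CLIENT_SECRETS.get(client_id)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None  # no authorization, so the client never learns of a gateway
    grant = {
        "client": client_id,
        "apps": sorted(CLIENT_ENTITLEMENTS.get(client_id, ())),
        "exp": now + GRANT_LIFETIME_SECONDS,
    }
    body = json.dumps(grant, sort_keys=True)
    sig = hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"grant": body, "sig": sig}


def gateway_admit(authorization, app, now):
    """SDP gateway: anything without a valid controller authorization is
    dropped silently ("drop"); otherwise the requested application is
    checked against the grant ("allow" or "deny")."""
    if authorization is None:
        return "drop"
    body = authorization.get("grant", "")
    expected = hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, authorization.get("sig", "")):
        return "drop"  # forged or tampered grant: behave as if unreachable
    grant = json.loads(body)
    if now >= grant["exp"]:
        return "drop"  # expired grant must be renewed at the controller
    return "allow" if app in grant["apps"] else "deny"


if __name__ == "__main__":
    auth = controller_authenticate("alice", "alice-pw", now=1000)
    print(gateway_admit(auth, "crm", now=1100))      # allow
    print(gateway_admit(auth, "payroll", now=1100))  # deny
    print(gateway_admit(None, "crm", now=1100))      # drop
```

The gateway answers "drop" rather than an explicit rejection for missing, forged or expired grants, which mirrors the point in the text that the gateways are inaccessible to anyone the controller has not authenticated: an unauthorized probe gets no response that would confirm a gateway exists.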

NAC systems still valuable

Despite these newer security methods, NAC systems continue to prove valuable in some environments. IoT devices are becoming increasingly important, but they often do not contain antimalware software, and they have been used to spread malware and launch denial-of-service attacks. IoT devices also do not typically have sufficient resources to support a NAC agent and, because so many different types of devices are available, requiring an agent is not realistic.

Agentless NAC products have been developed to deal with IoT device limitations while also enabling the devices to access networks. These NAC products evaluate the content of incoming communication and draw upon a library of device types to determine the type of device, its capabilities and its functions. Given information about the device, NAC systems can confine communication from the device solely to the appropriate applications. NAC tools can also block malware and denial-of-service attacks.
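The agentless approach just described, as an added example that is not code from the article or from any NAC vendor: the device is classified from what it reveals on the wire (here the MAC OUI and the DHCP vendor class), the matching library entry says which applications fit that device's function, and each flow is then confined to those applications, with a flood-like packet rate flagged separately. The device library, OUIs, vendor strings, application names and flow records are all constructed for the example and are not real vendor registrations.

```python
# Constructed device library standing in for a vendor's fingerprint database.
# The OUIs and DHCP vendor strings are made up for the example, not real registrations.
DEVICE_LIBRARY = [
    {
        "name": "ip-camera",
        "oui": "00:11:22",
        "dhcp_vendor": "cam-os",
        "allowed_apps": {"video-recorder", "ntp"},
        "max_pps": 200,
    },
    {
        "name": "badge-reader",
        "oui": "AA:BB:CC",
        "dhcp_vendor": "badge-fw",
        "allowed_apps": {"access-control-server"},
        "max_pps": 20,
    },
]


def classify_device(observation):
    """Match what the device reveals on the wire (MAC OUI plus DHCP vendor class)
    against the library. Returns the profile, or None for an unknown device."""
    oui = observation["mac"][:8].upper()
    vendor = observation.get("dhcp_vendor")
    for profile in DEVICE_LIBRARY:
        if profile["oui"] == oui and profile["dhcp_vendor"] == vendor:
            return profile
    return None


def evaluate_flows(observation, flows):
    """Confine a device to its profile's applications and flag flood-like rates.
    Returns one (destination app, decision) pair per flow."""
    profile = classify_device(observation)
    decisions = []
    for flow in flows:
        app = flow["dst_app"]
        if profile is None:
            decisions.append((app, "quarantine"))  # unknown device: no access until identified
        elif app not in profile["allowed_apps"]:
            decisions.append((app, "deny"))  # outside the device's function
        elif flow["pps"] > profile["max_pps"]:
            decisions.append((app, "rate-limit"))  # far above the device's normal rate
        else:
            decisions.append((app, "allow"))
    return decisions


if __name__ == "__main__":
    # Constructed observation and flow records for one camera on the network.
    camera = {"mac": "00:11:22:33:44:55", "dhcp_vendor": "cam-os"}
    flows = [
        {"dst_app": "video-recorder", "pps": 50},
        {"dst_app": "file-share", "pps": 10},
        {"dst_app": "ntp", "pps": 5000},
    ]
    for app, decision in evaluate_flows(camera, flows):
        print(app, decision)
```

Requiring both fingerprint attributes to agree before a profile is assigned is deliberate: a device that presents a known OUI but an unexpected DHCP vendor class stays unclassified and is confined entirely rather than inheriting a profile it only half matches.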

Each of these security methods -- NAC and software-defined perimeter for protection of the network edge and microsegmentation and zero-trust within a network -- can be used where appropriate. Many networks combine an edge technique with security within the network to provide multiple layers of protection.

This was last published in February 2019
