Network Access Control
Network Access Control (NAC) is based on a fundamental concept of who can do what with what in the network.

NAC is the mechanism for applying network policies across LAN, VPN, wired or wireless layouts.

Why NAC?
The benefit of managing access with NAC is straightforward: any device connecting to the network is checked for network security compliance, automatically brought into compliance if policy violations are detected, and continually monitored throughout the connection session to ensure the device remains compliant.

Access Control by Identity
Integrating identity-based information with the device inspection enables IT managers to ensure only the users with compliant devices are granted access to network resources allowed by job function, providing a virtual, dynamically-segmented network with role-based access control for corporate users and network guests.

Three Key Functionality Criteria of NAC
1. Detection and Interrogation of Endpoints
All connecting devices must be detected before enforcement of any network security policies can be enabled.

2. Policy Creation and Enforcement Actions
Factors to consider:
- The ease of creating policies
- Whether enforcing policies disrupts the network or its users
- The level of granularity required for effective device inspection and enforcement actions

3. Deployment and Integration
To maximize the benefits of a NAC solution, it has to be seamlessly integrated into the network infrastructure without causing network disruptions. Therefore, multiple approaches to deployment must be considered to determine the potential impact and level of disruption a deployment method will have on the overall infrastructure.

Another factor is the NAC solution's ability to leverage the existing investment in network infrastructure and equipment without requiring costly upgrades or causing network downtime.

We recommend: ForeScout Technologies

Product: CounterACT
CounterACT is a clientless NAC solution designed to prevent unauthorized network access while ensuring all connecting devices are compliant with network security policies. CounterACT is unique because it is completely clientless, works seamlessly with the existing infrastructure, and is available for deployment today. CounterACT users can easily set up policies to ensure devices connected to the network are authorized, running anti-virus software with the latest virus definitions, properly patched, and free from vulnerabilities.

Example of a typical CounterACT deployment

Features

- Clientless
CounterACT does not require a persistent or downloaded software agent/client to be installed on any connecting devices in order to perform its in-depth interrogation for compliance with network policies. This also ensures universal discovery of all endpoints, including non-OS devices, such as network printers, VoIP phones, and PDAs.

- Manage the Unmanaged
Because CounterACT is clientless, unmanaged devices, including guests and contractors or unmanaged employee devices, are subject to the same policy enforcement as managed endpoints.

- Works with Existing Infrastructure
CounterACT does not require network upgrades and works within a heterogeneous network environment, with or without 802.1X.

- Non-Disruptive Deployment
Provides NAC in a way that ensures compliance of networked devices without disrupting the ability of legitimate users to conduct business.

- Not Inline
CounterACT is not an inline solution (typically spanned from a distribution layer switch) and will not introduce network latency or new points of failure into the network.

- Wide Range of Policy Options
With CounterACT you can create policies based upon the device or user properties. For example, you can ensure that endpoints entering the network have the latest Microsoft Security updates or anti-virus definition files, and are not running unauthorized peer-to-peer software.

- Wide Range of Enforcement Options
In case a violation does occur, CounterACT takes appropriate action to secure the network from potential threats, and can either inform the end user of a problem, present self-remediation options, or notify the appropriate IT staff to mitigate the issue. If the violation is severe enough, it can quarantine the device, or completely block access.

- Integrated Signatureless IPS
CounterACT features the only integrated signatureless IPS that does not require manual updates of pattern files or definitions.

