Network Access Control – CompTIA Security+ SY0-501 – 2.1

The introduction of BYOD (bring your own device) has required much more secure network access controls. In this video, you’ll learn about NAC and how it can be used to perform health checks to secure your network from unmanaged devices.

<< Previous Video: Data Loss Prevention Next: Mail Gateways >>


Many organizations will put security controls at the edge of the network. This is the part where your network is connecting to the internet. Usually this is a firewall and you’re configuring firewall rules to allow or prevent certain kinds of traffic. These firewall rules are initially implemented, and then it’s a formal process to make any changes to this centralized firewall.

Access control provides more flexibility than an edge-based control system. With access control, you can control people whether they are inside the network or outside the network. It can be based on a number of different rules, including who the user might be, what department they belong to, or where they might be located. And this access can be easily enabled or disabled. If someone leaves the organization, you can immediately disable all of their access.

In many organizations there is a BYOD policy where you can bring your own device and use that on the corporate network. Unfortunately this policy means that someone could bring in a device that’s already infected with malware or is not running antimalware software, or this device may be running applications that are not allowed on the corporate network. For these reasons, a security team will require a posture assessment when a device first connects to the network. They can then determine if this device is already trusted; if it’s running antivirus; which antivirus it is running; is it updated with the latest signatures; does it have the corporate applications installed on the device; is the device a mobile device or a laptop; is the storage encrypted on the device? And of course this could be any operating system, so we have to be able to perform a posture assessment on Windows, Mac OS, Linux, iOS, Android, and any other kind of device someone might bring onto the network.

The posture assessment agent that performs this health check may be executed in a number of different ways. One way is through a permanent or persistent agent. That would be installed just as any other type of software is installed onto that device. Since this agent would be installed locally on this device, we need some type of management process to be able to install software updates if necessary.

Another type of posture assessment agent is the dissolvable agent. This is one that does not require an installation or software to be installed onto the device. Instead this health check executes when the user authenticates initially. And then once the health check is over, the software terminates and is no longer located on that device.

And another type of health check can be done without an agent. This is an agentless network access control. It’s integrated inside of Windows Active Directory. This is an access control that only occurs when someone logs in or someone logs out. There’s no way to schedule this posture assessment. But that’s another way that you can integrate this overall health check with the devices connecting to your network.

Let’s say you’re authenticating to the network, but for some reason one of the components within your system doesn’t meet the minimum requirements that were set by the security team and you fail the posture assessment. Your system has been designated as too dangerous to let on to the network. You will probably be presented with a series of messages that explain what parts of the health check did not pass. And you’re usually put onto a quarantine network that doesn’t allow you access to the inside of the network, but it does give you enough access to be able to download and install all of the different components you need.

Once you’ve made those changes, you can reauthenticate to the network and run through another posture assessment. If everything matches, you are then allowed access to the network. If anything else fails, you can be put into the quarantine network again where you can then work on resolving those problems before trying again.