Securing the Perimeter: What Attack Surface Does Network Access Control Really Protect?
Defending against unauthorized access is a key strategy in the modern cybersecurity toolbox. When security teams apply the principle of least privilege to access, they limit the damage that compromise of any single user account can cause. The idea is that trimming each user's privileges down to precisely what the role needs leaves a threat actor who steals those credentials with few onward pathways.
Network access control (NAC) is one of the main permissions-management technologies security teams use to shrink the organization's attack surface. NAC can be, and often is, used to protect Internet of Things (IoT) devices and operational technology (OT) systems, but using NAC to manage permissions and limit what devices can reach is not the same thing as a dedicated IoT security solution.
Protecting IoT assets is challenging at the best of times. The ease with which net-new connected devices can be dropped into corporate environments expands the attack surface and raises overall risk. Security teams therefore need defensive tools that help them protect connected equipment no matter the environment it sits in.
IoT devices also raise concerns that go beyond access: keeping them patched against known vulnerabilities, understanding how they communicate with other systems, and spotting compromise through behavior monitoring. None of these are NAC functions. The rest of this post examines the differences between NAC and IoT/OT security tooling, and why both matter.
What Is Network Access Control?
Network access control, also known as network admission control, is designed to improve the security, visibility, and access management of private enterprise networks. NAC makes network resources available only to endpoint devices and users that adhere to defined security policies.
NAC is one of the core defensive methodologies within network security and is used in tandem with firewalls, intrusion prevention systems, SD-WAN security, and other network protection systems. It governs who accesses network resources and how, which reduces the likelihood of a threat actor gaining unfettered network access after compromising a set of credentials.
Network access control solutions enforce policy at two points: pre-admission and post-admission. In pre-admission, NAC evaluates a user or device before it joins the network (typically through 802.1X authentication against a RADIUS server, with MAC-address-based fallback for devices that cannot run an 802.1X supplicant, which describes most IoT equipment) and admits only those that are authorized, usually by assigning them to a specific VLAN or access role. Post-admission NAC re-evaluates users and devices as they try to reach a different part of the network, restricting lateral movement and so stymying one of the key goals of attackers once they are inside.
A few of the general capabilities of NAC technologies include:
- Policy lifecycle management: NAC can define and enforce access policies across a wide range of operating scenarios (employee, contractor, guest, headless device) without needing separate products or additional modules.
- Profiling and visibility: NAC solutions identify and profile users and their devices before granting access, rather than after a compromised endpoint is already on the network.
- Guest networking access: NAC solutions let security teams manage visitors through a guest portal that handles registration, authentication, and sponsor approval.
- Security posture check: Evaluates security-policy compliance (patch level, endpoint protection, configuration) by user type, device type, and operating system.
- Incident response: Enforces policies that automatically block, isolate, and remediate noncompliant machines without waiting for administrator attention.
NAC is only one component of network security, alongside firewalls and intrusion detection systems. Its goal is permissions management for devices and users: granting access when they comply with security policy and denying it when they do not. NAC solutions help companies limit who and what can reach their network, enforcing compliance and mitigating risk.
How Does NAC Differ from IoT/OT Security Tools?
Securing the corporate network is a vital component of defense in depth. Network access control solutions play a critical role in that effort by protecting against unauthorized devices and users. They are unfortunately limited in how effective they are at defending IoT and OT systems.
NAC and other network security tools, by their very nature, depend on there being some sort of perimeter to defend. The identity-centric software-defined perimeter (SDP) approach eases this concern somewhat by letting security teams extend the defensive perimeter around users and devices rather than network locations. Even so, NAC enforces policy only on network access and resource provisioning.
Effective IoT and OT security require a more detailed understanding of the individual devices. Network access control is useful in this context, but it can only define and manage policies based on broad asset classes. IoT/OT security tools go substantially deeper: pulling specific vulnerability information based on device intelligence (make, model, firmware version), monitoring for anomalous behavior, and maintaining a continuously updated inventory.
This isn't to say that NAC tools are useless in an age of increasing IoT. Far from it. Denying unauthorized access and confining each device to the network resources it needs helps contain the damage a compromised IoT device can do.
That said, deploying NAC without a dedicated IoT/OT security solution will not produce a robust defensive strategy. There are too many IoT devices within enterprises and they are far too easy to add without central IT's knowledge. NAC can only enforce policy on devices it knows about and can classify accurately, so it depends on IoT/OT tooling to discover and fingerprint new assets before provisioning them.
How Asimily Supports Network Access Control Strategies
The Asimily platform is designed with IoT and OT security in mind and integrates with NAC solutions to reduce risk holistically. Asimily uses passive traffic analysis, rather than active scanning that can disrupt fragile OT endpoints, to identify every device connected to corporate networks, including those within the bounds of the software-defined perimeter, without disrupting functionality. The platform also ingests data from other trustworthy inventory sources for higher accuracy and faster inventory creation.
This ability to quickly and efficiently identify and classify connected devices down to the specific model, operating system, and software version is invaluable for NAC solutions, because it provides context they would otherwise lack. Combining the two technologies lets the IT/IS and broader corporate security teams build accurate device profiles that include:
- Operating system
- IP address
- MAC address
- Port numbers
- Hostname
- Version number
Collecting this information builds an inventory of the IoT and OT technology connected to the network, which simplifies extending perimeter-based defenses like NAC and makes automated segmentation by device type far more achievable. Knowing what is connected makes it easier to define the permissions an effective NAC deployment requires. In Asimily's case, it also yields a better understanding of each device's potential vulnerabilities and supports a risk-oriented approach that resolves critical issues faster.
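As an added illustration, not code from the original post or from Asimily or any NAC vendor, the following Python sketch shows how a passively built inventory of the kind listed above feeds the two NAC decision points described in the "What Is Network Access Control?" section: pre-admission (which VLAN to push, or quarantine for an unprofiled device) and post-admission (flagging flows that cross segments the device class is not allowed to reach). The flow records, the OUI-to-class table, and the segmentation policy are all constructed for the example; a real deployment would use the IEEE OUI registry plus protocol fingerprints, and would push the VLAN through RADIUS attributes rather than return it from a function.

```python
"""Toy pipeline: passive flow records -> device inventory -> NAC decisions.
Added example only; not Asimily's or any NAC product's code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample flow records as a passive sensor on a SPAN port might emit:
# (src_mac, src_ip, dst_ip, dst_port, proto). Addresses are made up and the MACs
# set the locally-administered bit, so they map to no real vendor.
FLOWS = [
    ("02:aa:10:00:00:01", "10.10.20.11", "10.10.30.5", 554, "tcp"),   # camera -> NVR (RTSP)
    ("02:aa:10:00:00:01", "10.10.20.11", "10.10.20.1", 53, "udp"),    # camera -> DNS
    ("02:aa:10:00:00:02", "10.10.20.12", "10.10.30.5", 554, "tcp"),   # camera -> NVR
    ("02:aa:10:00:00:02", "10.10.20.12", "10.10.40.20", 445, "tcp"),  # camera -> file server (SMB)
    ("02:bb:20:00:00:01", "10.10.50.7", "10.10.50.100", 502, "tcp"),  # PLC -> HMI (Modbus/TCP)
    ("02:cc:30:00:00:01", "10.10.20.13", "10.10.40.20", 445, "tcp"),  # device nobody registered
]

# Constructed OUI-to-device-class table keyed on the first three MAC octets
# (hypothetical values; a real system consults the IEEE registry).
OUI_CLASS = {"02:aa:10": "ip_camera", "02:bb:20": "plc"}

# Hypothetical segmentation policy: per device class, the VLAN to assign at
# admission and the (destination subnet, port) pairs that class may reach.
POLICY = {
    "ip_camera": {"vlan": 20, "allow": [("10.10.30.0/24", 554), ("10.10.20.0/24", 53)]},
    "plc":       {"vlan": 50, "allow": [("10.10.50.0/24", 502)]},
    "unknown":   {"vlan": 999, "allow": []},   # quarantine until profiled
}


@dataclass
class Device:
    mac: str
    ip: str
    ports: set = field(default_factory=set)   # destination ports the device initiates to
    device_class: str = "unknown"


def classify(dev):
    """OUI lookup first, then a protocol hint (Modbus/TCP is a strong OT signal)."""
    cls = OUI_CLASS.get(dev.mac[:8], "unknown")
    if cls == "unknown" and 502 in dev.ports:
        cls = "plc"
    return cls


def build_inventory(flows):
    """Fold flow records into one Device per MAC, as a passive sensor would."""
    inventory = {}
    for src_mac, src_ip, _dst_ip, dst_port, _proto in flows:
        dev = inventory.setdefault(src_mac, Device(mac=src_mac, ip=src_ip))
        dev.ports.add(dst_port)
    for dev in inventory.values():
        dev.device_class = classify(dev)
    return inventory


def admission_decision(dev):
    """Pre-admission: the VLAN NAC should assign, plus the reason."""
    vlan = POLICY[dev.device_class]["vlan"]
    if dev.device_class == "unknown":
        return vlan, "quarantine: unprofiled device"
    return vlan, f"profiled as {dev.device_class}"


def flow_allowed(dev, dst_ip, dst_port):
    """Post-admission: does this flow fit the allow-list for the device's class?"""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) and port == dst_port
               for net, port in POLICY[dev.device_class]["allow"])


def post_admission_violations(flows, inventory):
    """Flows that cross a segment boundary the policy does not permit
    (e.g. a camera opening SMB to a file server): candidates for isolation."""
    return sorted({(mac, dst_ip, dst_port)
                   for mac, _src, dst_ip, dst_port, _proto in flows
                   if not flow_allowed(inventory[mac], dst_ip, dst_port)})


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for dev in inv.values():
        print(dev.mac, dev.ip, dev.device_class, *admission_decision(dev))
    for violation in post_admission_violations(FLOWS, inv):
        print("VIOLATION", violation)
```

Two points the run makes that the prose alone does not: the unregistered device lands in the quarantine VLAN purely because nothing could profile it, which is the NAC-needs-inventory dependency the post describes, and the second camera is admitted correctly yet still shows up as a post-admission violation when it reaches for SMB, which is the lateral-movement case that a class-based allow-list catches but a simple admit/deny at the edge does not.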
NAC technologies play a crucial role in defending corporate perimeters against attack. In a security landscape made more complicated by IoT and OT systems, however, perimeter defenses aren't enough on their own; a dedicated IoT and OT protection option like Asimily is also needed. By adding behavior monitoring and traffic analysis to inventory creation, Asimily working alongside NAC can protect IoT and OT technologies against the most damaging cyberattacks.
To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.