2.4. Wireless Networks and NAC

Mobility is attractive. It promises hassle-free, anytime, anywhere access that enables employees to connect to the network, around the clock and around the world. Companies also deploy wireless local area networks (WLANs) because these networks are simple to install, extend the work environment with a localized type of mobility, and lead to increased productivity.

A wireless LAN doesn't need much wiring, which can make deploying it more cost-effective than traditional wired networks. A WLAN is also more flexible for implementing physical office changes, which can also save cost and time. However, although mobility and WLAN access are both desirable and increase productivity, maintaining network security for mobile or WLAN users and devices is a concern. The more wireless LANs your company deploys, the greater the risk that someone can hack, breach, or attack your network and its resources. The open nature of WLAN access brings additional security concerns. Without the proper credentials, security, and controls in place, a hacker can snoop or steal sensitive user information and corporate data while a user establishes a wireless connection and even after a user is connected to the WLAN.

NAC can address WLAN access, without impeding the openness of the WLAN or its accessibility, by applying strong authentication controls to check the authenticity of the user, and his or her device, before granting that user and device access to a network by WLAN. After authenticating the user and device credentials, the NAC solution can apply the appropriate security and access policies to the user's device, making sure the device meets a baseline of security and access capabilities before it's allowed onto the company's network. With a NAC solution protecting its WLAN, the company can ensure that

  • The user, and his or her device, are authorized to access the LAN (although no solution is perfect or a panacea).

  • The device's antivirus and anti-malware software is active and up to date, and meets a minimum baseline of security and access policy.

  • The user and device gain access only to the areas of the company's LAN and to sensitive resources that the user is authorized to access.

NAC can also allow companies to limit network access to specific areas of the LAN based on access type; in other words, if a user, and his or her device, access the LAN through a WLAN, he or she may be granted access to a limited set of corporate network resources and applications. But if that user accesses the network directly over wired Ethernet, the user and device may be allowed greater access.

NOTE

Some companies deploy a NAC solution supplying limited access to the network and resources when accessed by a device over a WLAN because they fear WLANs are easier to hack than wired LANs. But this concern is unfounded, particularly if the organization has deployed the IEEE standard for port-based access control, 802.1X. The 802.1X standard requires and implements powerful, government-grade, standards-based encryption methods between the device and the network resources, ensuring the security of data in transit. Many NAC solutions implement the 802.1X standard because of its strong authentication and data security features.

Whether or not a NAC solution uses the 802.1X standard, you can both maintain the openness of the WLAN and ensure protection and privacy for vital corporate assets by using NAC to effectively segment a network, allowing authorized WLAN users appropriate access rights while keeping unauthorized WLAN users from peering into sensitive corporate data.
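The admission sequence described in this section (authenticate user and device, check the device against a baseline, then grant access according to role and access type) can be sketched as a small policy function. This is an added example, not code from the book or from any NAC product; the role names, segment names, the 7-day signature threshold, and the quarantine segment are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# All names, segments and thresholds below are assumptions for illustration.
MAX_SIGNATURE_AGE = timedelta(days=7)

# Segments reachable per (role, access medium); WLAN gets a narrower set.
SEGMENTS = {
    ("employee", "wired"): {"intranet", "email", "file-shares", "finance-apps"},
    ("employee", "wlan"): {"intranet", "email"},
    ("contractor", "wired"): {"intranet"},
    ("contractor", "wlan"): {"intranet"},
}
QUARANTINE = {"remediation"}  # assumed segment that only reaches update servers


@dataclass
class AccessRequest:
    user_authenticated: bool
    device_authenticated: bool
    role: str
    medium: str          # "wlan" or "wired"
    av_running: bool
    av_signatures: date  # date of the last antivirus signature update


def decide(req: AccessRequest, today: date) -> tuple[str, set[str]]:
    """Return (verdict, reachable segments) for one connection attempt."""
    # Step 1: both the user and the device must authenticate.
    if not (req.user_authenticated and req.device_authenticated):
        return "deny", set()
    # Step 2: posture check against the baseline before any production access.
    stale = today - req.av_signatures > MAX_SIGNATURE_AGE
    if not req.av_running or stale:
        return "quarantine", set(QUARANTINE)
    # Step 3: authorization depends on role and on how the device connected.
    # Unknown (role, medium) pairs fail closed.
    segments = SEGMENTS.get((req.role, req.medium))
    if segments is None:
        return "deny", set()
    return "allow", set(segments)
```

The same authenticated employee on a compliant laptop receives the narrower segment set over WLAN and the wider one over wired Ethernet, while a device with stale signatures is held in the remediation segment regardless of medium.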
