Network Access Control Technology—Proposition to Contain New Security Challenges
January 2012 · International Journal of Communications, Network and System Sciences 05(08):505-512
DOI: 10.4236/ijcns.2012.58061
License: CC BY 4.0
Authors: Abdelmajid Lakbabi
Int. J. Communications, Network and System Sciences, 2012, 5, 505-512
http://dx.doi.org/10.4236/ijcns.2012.58061 Published Online August 2012 (http://www.SciRP.org/journal/ijcns)
Network Access Control Technology—Proposition to Contain New Security Challenges
Abdelmajid Lakbabi, Ghizlane Orhanou, Said El Hajji
Laboratoire Mathématiques, Informatique et Applications, Faculté des Sciences, Université Mohammed V-Agdal, Rabat, Morocco
Email: [email protected], [email protected], [email protected]
Received June 11, 2012; revised July 31, 2012; accepted August 12, 2012
ABSTRACT
Traditional products working independently are no longer sufficient, since threats are continually gaining in complexity, diversity and performance; in order to proactively block such threats we need a more integrated information security solution. To achieve this objective, we analyze a real-world security platform and focus on some key components, like NAC, firewalls, and IPS/IDS, then study their interaction with a view to proposing a new security posture that coordinates and shares security information between the different network security components, using a central policy server, the NAC server or PDP (Policy Decision Point), which plays an orchestration role as a central point of control. Finally we conclude with potential research paths that will impact NAC technology evolution.
Keywords: Threats; NAC; Identity; Security Posture; Policy Enforcement Point; Remediation; Coordination; Orchestration.
1. Introduction
Today's networks are not closed entities with well-defined security perimeters; mobile users bring their laptops and mobile devices in and out of the office. Remote-access users connect from homes and public locations. Business outsourcing requires direct partner access into the internal network. Onsite visitors, vendors, and contractors may need physical access to the internal network to accomplish their work. Even traditional, "in-the-office" workers are subject to threats coming through Internet access, e-mail use, instant messaging, and peer-to-peer (P2P) activities.
Traditional security products acting independently, such as intrusion detection and prevention (IDS/IPS) technology, antivirus measures, and firewalls, are no longer adequate—network traffic is too diverse to rely on these measures. According to a recent cyber security survey [1], insider attacks are more damaging; consequences include loss of intellectual property, disclosure of confidential information, violation of privacy laws and loss of money.
In the following section, we will study the Network Access Control technology, its architecture, its components and some top NAC products.

2. The Network Access Control Technology
The Network Access Control (NAC) mechanism consists basically of two types of assessment:
- User authentication.
- Device compliance evaluation.

2.1. Network Access Control (NAC) Architecture
Figure 1 below presents the NAC solution overview. NAC is the process of dynamically provisioning network access for each user and endpoint device. NAC solutions entail authentication (identity), endpoint compliance, remediation, and policy enforcement functions, which validate the user's identity and the security posture of the host device before allowing access to the network.

Figure 1. NAC solution overview.

2.1.1. Security Products Selection Process
To select the best security products and tools for the targeted network security platform, Gartner [2], with its set of technical and commercial criteria for evaluating security products, can help identify the most secure solution for each technology layer. As for NAC solutions, Gartner states that Cisco NAC [3] (Network Admission Control) and Juniper UAC [4] (Unified Access Control) are the best NAC offerings at this moment, as presented below in Figure 2.

Figure 2. Gartner NAC products classification.

In the following subsections, we will compare the two top NAC solutions according to Gartner's classification, discuss their respective weaknesses, and then study how NAC can play a fundamental role in improving network security by extending its capabilities to administer network access requests, integrating legacy security products and the existing network infrastructure.

2.1.2. Technical Description of Cisco and Juniper NAC

2.1.2.1. Cisco Network Access Admission Overview
The Cisco NAC mechanism is based on the process flow described below in Figure 3. The Cisco NAC access decision is based on:
- Users, their devices, and their roles in the network.
- Evaluating whether machines are compliant with security policies.
- Enforcing security policies by blocking, isolating, and repairing noncompliant machines.
- Providing easy and secure guest access.
- Auditing and reporting who is on the network.
Enforcement points (where the access decision is applied):
- Cisco switches.
- Cisco routers with NAC modules.
- Cisco VPN concentrators.

Figure 3. Cisco NAC process flow.

Cisco NAC weaknesses:
- Cisco ignores TNC [5], the Trusted Computing Group's proposed standard.
- It is a closed solution that may introduce interoperability issues with third-party software and networking equipment.
- The OOB (out-of-band) [6] deployment model requires support for communication between the switch and the Cisco CAM (the Manager needs to send and receive SNMP messages to/from the switches). This is supported only on selected Cisco products.
- It brings security enforcement deeper into the core of the network, but with limited integration with other Cisco network systems, and with no integration with non-Cisco security products.

2.1.2.2. Juniper UAC Overview
The Juniper NAC mechanism is based on the process flow detailed below in Figure 4. Juniper dynamic access control is based on:
- User identity
- Device security state
- Location
Enforcement points:
- Policy enforcement is provided by EX-series switches and SSG/ISG firewalls.
- The IC (Infranet Controller) can push a policy name to EX-series switches for dynamic configuration based on user or device.
- Policy on EX-series switches can enforce specific QoS queuing or scheduling policies, VLAN assignment, or any other port configuration parameter.
Juniper UAC introduces Coordinated Threat Control, with the ability to leverage Juniper's Intrusion Detection & Prevention (IDP) and Unified Threat Management (UTM) products to deliver dynamic network protection and dynamic user quarantines as well.
Juniper's UAC makes it possible to leverage the deep-packet, application-level threat intelligence of Juniper Networks standalone Intrusion Detection and Prevention (IDP) platforms as part of its framework. When a standalone Juniper IDP detects a network threat of a particular type (policies can be configured on several attributes, including attack category, attack protocol, attack strings, actions taken, and destination or source addresses/ports), it can signal the Infranet Controller, which, after receiving the signal and information from the IDP, can narrow the threat to a specific user or device; UAC can then implement a configurable policy action, including the following flexible options:
- Quarantining the user (or device) by placing them in a restricted VLAN;
- Changing roles and denying access to certain applications;
- Terminating the user session, or even disabling the user session until an administrator can re-enable it.
Juniper NAC weaknesses:
- Juniper's license is restrictive. If a user logs in at two different connections, that will count as two seats instead of one.
- Juniper supports only limited use cases. It does not support routers as an enforcement device.
- It needs an inline firewall for wireless coverage. Juniper's non-802.1x implementation is supported only
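The two flows described above, the NAC access decision (identity plus endpoint posture) and the coordinated threat control loop (IDP alert narrowed to a user or device, then a policy action), as one toy Policy Decision Point. This is an added illustration, not code from the paper or from Cisco or Juniper products; the posture item names, attack categories, VLAN numbers and the alert format are all constructed assumptions.

```python
"""Toy PDP for the NAC flow this paper describes: admission = identity check
plus endpoint posture, then coordinated threat control where an IDP alert is
narrowed to a session and a configured action applied. Constructed example."""
from dataclasses import dataclass

REQUIRED_POSTURE = {"antivirus_current", "os_patched", "host_firewall_on"}
ROLE_VLAN = {"employee": 10, "contractor": 20, "guest": 30}
REMEDIATION_VLAN, QUARANTINE_VLAN = 99, 98
# IDP attack category -> configured response (assumed category names).
THREAT_POLICY = {"worm": "quarantine", "policy_violation": "restrict_role",
                 "brute_force": "terminate"}

@dataclass
class Session:
    user: str
    device_ip: str
    role: str
    vlan: int
    state: str = "active"

class PolicyDecisionPoint:
    def __init__(self):
        self.sessions = {}  # device_ip -> Session, filled on admission

    def admit(self, user, device_ip, credentials_ok, role, posture):
        """Access decision: deny, remediation VLAN, or the role's VLAN."""
        if not credentials_ok:
            return {"action": "deny"}  # identity assessment failed
        missing = sorted(REQUIRED_POSTURE - set(posture))
        vlan = REMEDIATION_VLAN if missing else ROLE_VLAN[role]
        self.sessions[device_ip] = Session(user, device_ip, role, vlan)
        if missing:  # authenticated but noncompliant: isolate and repair
            return {"action": "remediate", "vlan": vlan, "missing": missing}
        return {"action": "allow", "vlan": vlan}

    def on_threat(self, alert):
        """Coordinated threat control: IDP alert -> session -> policy action."""
        s = self.sessions.get(alert["src_ip"])
        if s is None:  # no admitted session to narrow the threat to
            return {"action": "log_only"}
        action = THREAT_POLICY.get(alert["category"], "log_only")
        if action == "quarantine":  # restricted VLAN for the user/device
            s.vlan, s.state = QUARANTINE_VLAN, "quarantined"
        elif action == "restrict_role":  # drop to guest role and its VLAN
            s.role, s.vlan = "guest", ROLE_VLAN["guest"]
        elif action == "terminate":  # disabled until an admin re-enables
            s.state = "disabled"
        return {"action": action, "user": s.user, "vlan": s.vlan, "state": s.state}
```

The session table is what lets the controller turn a source address in an IDP alert back into a user and device, which is the step the paper credits to the Infranet Controller.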
Copyright © 2012 SciRes. IJCNS