Network Access Control and IoT Security

Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention and vulnerability assessment), user or system authentication, and network security enforcement.

When a computer connects to a computer network, it is not permitted to access anything unless it complies with a business-defined policy:

  • anti-virus protection level
  • system update level
  • configuration

While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) the issues found, and nothing else.

Once the policy is met (it has an antivirus, it is up to date, etc.), the computer can access network resources and the Internet, within the limits of the policies defined in the NAC system.


CISCO NAC and Microsoft NAP

Network Access Protection (NAP) is a Microsoft technology for controlling a host's network access based on the host's system health, first introduced in Windows Server 2008. NAP includes client and server components that let you create and enforce health requirement policies defining the required software and system configurations for computers that connect to your network. It enforces these requirements by inspecting and assessing the health of client computers, limiting the network access of those deemed noncompliant, and remediating noncompliant computers so that they regain unrestricted network access.

If you're using Windows Server 2008 and above, you have this built in. What about workstations? There you need a NAP client (runs on XP Service Pack 2 and above, Vista, or Server 2003), a quarantine server (Microsoft Internet Authentication Services), and one or more policy servers. NAP works by controlling access via DHCP leases, VPN quarantine, 802.1X, or IPsec with X.509 certificates.

Network Admission Control (NAC) is Cisco's hardware-based solution that integrates with third-party vendors. The key idea with NAC is that all computers are "guests" until they are validated as compliant. Typically, compliance can only be validated on "managed" computers, so this solution protects the corporate network from visitors' computers, such as those of consultants. These computers would only have access to the guest VLAN, which might have access to the Internet or a portal.

NAC also requires NAC-aware Cisco network access point equipment and the proprietary Cisco Secure Access Control Server.


During the NAC vs. NAP wars, a third option emerged: the Trusted Computing Group's TNC (Trusted Network Connect) initiative. TNC's architecture theoretically functions in the same way as the other two solutions, but without the proprietary requirements.


What about IoT security?

The tricky part with IoT is clearly the lack of policies like "has antivirus", "is up to date", etc. Why? Because there is nothing available for these devices; the security solutions are just starting to emerge. But my guess is that once some vendor creates smart-device policies, which need not be the same as those of classical Network Access Control, the entire industry will boom.

Let me be (one of) the first to give it a name: IAC, IoT Access Control!


How can such a technology function?

Imagine you have a smart device like a watch, a fridge or a TV. They all need to access the network to do their updates and to get fresh content. They also might send some things about you, such as logs and analytics. Today Network Access Control is only used in enterprises, and all solutions require specialized hardware. I think, however, that in a few years we will have a form of IAC in home routers, or at least in smart docking stations.

I can think of possible policies of what you would want to have:

  • don't send private information
    • location
    • too personal information – however, thinking of fitness trackers makes me rethink what is personal and what is not
  • enforce a high level of encryption
  • enforce patching of vulnerable libraries used
  • don't download malicious content
  • don't visit malicious URLs

This sounds very complicated, but in reality it is not that complex. It does, however, require a lot of flexibility and openness from the producers of these IoT devices.
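To make the two policy models concrete, here is an added example (not code from the original post or from any NAC vendor): a minimal posture-based decision engine that models the NAC flow described at the top of the post (check the device, allow only remediation resources until compliant, then grant full access) and applies the same engine to the IAC policies proposed in the list above. All device data, resource names, the minimum patch level and the blocklist are constructed for illustration.

```python
# Resources a device may reach in each state (constructed names).
REMEDIATION_ONLY = ("update-server", "av-definitions")   # only what fixes the problem
FULL_ACCESS = ("lan", "internet")

# Classic NAC posture policy from the post: antivirus, update level, configuration.
# The minimum patch level (10) is an assumed value.
NAC_POLICY = {
    "antivirus protection": lambda d: d.get("antivirus", False),
    "system update level": lambda d: d.get("patch_level", 0) >= 10,
    "configuration baseline": lambda d: d.get("config_ok", False),
}

# Constructed blocklist standing in for a URL/host reputation feed.
MALICIOUS_HOSTS = {"malware.example", "c2.example"}

# Proposed IAC policy for smart devices, following the post's list; the
# thresholds (TLS 1.2+, empty vulnerable-library list) are assumptions.
IAC_POLICY = {
    "no private info (location)": lambda d: not d.get("sends_location", False),
    "strong encryption": lambda d: d.get("tls_version", "1.0") in ("1.2", "1.3"),
    "no vulnerable libraries": lambda d: not d.get("vulnerable_libs"),
    "no malicious URLs": lambda d: not (set(d.get("contacted_hosts", ())) & MALICIOUS_HOSTS),
}

def evaluate(device, policy):
    """Run every rule; return (reachable resources, names of failed rules).
    A single failure keeps the device in the remediation-only state."""
    failed = [rule for rule, check in policy.items() if not check(device)]
    return (FULL_ACCESS if not failed else REMEDIATION_ONLY, failed)

def decide(device):
    """Select the policy set by device class: managed hosts get NAC, smart devices IAC."""
    return evaluate(device, IAC_POLICY if device.get("kind") == "iot" else NAC_POLICY)

# Constructed sample devices (posture data as an agent or scanner would report it).
LAPTOP_STALE = {"kind": "pc", "antivirus": True, "patch_level": 7, "config_ok": True}
LAPTOP_OK = {"kind": "pc", "antivirus": True, "patch_level": 12, "config_ok": True}
FRIDGE = {"kind": "iot", "sends_location": True, "tls_version": "1.0",
          "vulnerable_libs": ["libssl-1.0.1"], "contacted_hosts": ["update.vendor.example"]}

if __name__ == "__main__":
    for name, dev in (("laptop, stale", LAPTOP_STALE), ("laptop, ok", LAPTOP_OK), ("fridge", FRIDGE)):
        access, failed = decide(dev)
        state = "full access" if access == FULL_ACCESS else "remediation only"
        print(f"{name}: {state}; failed rules: {failed}")
```

The stale laptop lands in remediation-only with a single failed rule, while the fridge fails three IAC rules at once, which is exactly why the post argues these requirements must be designed in rather than bolted on.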

It is true that the policies above have to be considered at the design phase of the device. This is why a Secure Software Lifecycle is so important.

It is exponentially more expensive to add features to fulfill these policies after the device is out there.

A certification like (ISC)2 CSSLP is going to become more and more important for the entire industry.

© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry for over 20 years and worked between 2003 and 2014 for Avira as Product Manager for the well-known products used by over 100 million users worldwide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.