Which NAC approach? Pre-Connect NAC vs. Post-Connect NAC

Jochen Füllgraf | February 9, 2024

Which NAC approach is best for your company? Both Pre-Connect NAC and Post-Connect NAC have pros and cons. Learn which aspects you need to pay attention to when making your choice and how you can combine both NAC approaches.

Who is macmon secure?

The ZTNA provider from Berlin has been on the market for 20 years, since 2003. With macmon NAC the company offers a manufacturer-agnostic network access control solution.

With over 1,800 installations of macmon NAC, macmon secure ensures high network security in many global companies in various sectors. About one third of macmon customers work within industrial environments.

Why macmon NAC?

macmon NAC can detect unknown foreign objects (UFOs) in the network.

A proof of concept (PoC) usually also turns up unknown objects that do belong to the company network, i.e. are not foreign. macmon NAC is therefore a useful tool for finding your own network devices and endpoints that you thought were lost and for obtaining a complete network overview, which of course also shows endpoints that do not belong to the company. Network Access Control from macmon secure lets you identify UFOs and assign them. It also lets you control how quickly a suspicious endpoint is isolated from the network and countermeasures are taken.

In addition to practical functions, such as facilitating relocation management, macmon NAC can support compliance with regulations such as:

  • DIN EN 80001-1
  • General Data Protection Regulation (GDPR)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • ISO/IEC 27001/27002 IT security standards
  • Audits such as TISAX®

Pre-Connect NAC

Pre-Connect NAC is based on the RADIUS protocol and is implemented via MAC address authentication (MAC authentication bypass, MAB) or IEEE 802.1X.

The 802.1X variant in particular offers a high level of security, because the endpoint's identity is verified before the port is opened: either with certificates or with computer/user accounts in combination with a password.

MAC address authentication on its own is considerably weaker. A MAC address is sent in the clear and can be cloned by anyone who can read it off a device label or the wire, so it should be reserved for endpoints that cannot run an 802.1X supplicant. The downside of 802.1X is the high workload, as every client must be configured accordingly (supplicant, certificates or credentials).
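To make concrete what the RADIUS side of these two variants actually sends, here is an added example that is not macmon code: a minimal MAC-address-bypass (MAB) exchange built with Python's standard library following RFC 2865 and RFC 2868. The switch's Access-Request carries the MAC as user name and as hidden (but not secret) password; the NAC server answers with Access-Accept and a per-endpoint VLAN in the tunnel attributes, or with Access-Reject. The shared secret, MAC addresses, inventory and VLAN numbers are constructed, the toy server `nac_server_decide` and the helper names are assumptions made for illustration, and the Message-Authenticator attribute that real servers expect is omitted.

```python
"""Added example (not macmon code): a MAB RADIUS exchange on the wire.
Packet layout follows RFC 2865 / RFC 2868; all values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# attribute type numbers from RFC 2865 and RFC 2868
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def attr(t, value):
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    return bytes([t, 2 + len(value)]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block).
    This is obfuscation keyed by the shared secret, not endpoint proof."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def mab_access_request(mac, secret, ident=1, authenticator=None):
    """The switch's Access-Request for a MAB port: the MAC is both the
    user name and the password, so a cloned MAC is all an attacker needs."""
    ra = authenticator or os.urandom(16)
    user = mac.replace(":", "").lower().encode()
    return packet(ACCESS_REQUEST, ident, ra, [
        attr(USER_NAME, user),
        attr(USER_PASSWORD, hide_password(user, secret, ra)),
        attr(SERVICE_TYPE, struct.pack("!I", 10)),        # Call-Check, used for MAB
        attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
        attr(NAS_PORT_TYPE, struct.pack("!I", 15)),       # Ethernet
    ])


def nac_server_decide(request, secret, inventory):
    """Toy NAC server (assumption, not macmon's logic): look the MAC up in
    the inventory and answer Accept + VLAN (RFC 2868, tag 1) or Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    ra = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs[USER_NAME].decode()
    password = unhide_password(attrs[USER_PASSWORD], secret, ra)
    if password != attrs[USER_NAME] or user not in inventory:
        code, resp_attrs = ACCESS_REJECT, []
    else:
        code, resp_attrs = ACCESS_ACCEPT, [
            attr(TUNNEL_TYPE, b"\x01" + struct.pack("!I", 13)[1:]),        # VLAN
            attr(TUNNEL_MEDIUM_TYPE, b"\x01" + struct.pack("!I", 6)[1:]),  # IEEE-802
            attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(inventory[user]).encode()),
        ]
    body = b"".join(resp_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def assigned_vlan(response):
    """VLAN from an Access-Accept, or None if the endpoint was rejected."""
    if response[0] != ACCESS_ACCEPT:
        return None
    gid = dict(parse_attrs(response[20:]))[TUNNEL_PRIVATE_GROUP_ID]
    return int(gid[1:] if gid[0] <= 0x1F else gid)   # strip the RFC 2868 tag byte


if __name__ == "__main__":
    secret, inventory = b"testing123", {"0011aabbccdd": 10}   # constructed
    for mac in ("00:11:aa:bb:cc:dd", "00:11:aa:bb:cc:ee"):
        print(mac, "->", assigned_vlan(nac_server_decide(mab_access_request(mac, secret), secret, inventory)))
```

Two things to take from it: nothing in the exchange proves the endpoint is anything more than its MAC, which is why a cloned MAC passes MAB while 802.1X with certificates does not, and the Tunnel-Private-Group-ID in the Access-Accept is the per-endpoint VLAN assignment that a single static fallback VLAN cannot reproduce when the server is unreachable.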

Behavior of the solution in a failure scenario:

If the NAC server fails or is unavailable, the re-authentication of all endpoints and users, which normally takes place periodically, fails and they are excluded from the network (blocked).

If a fallback VLAN is configured on the switches, users and endpoints are moved to a default VLAN instead. Even this covers only part of the problem: a NAC system typically increases network dynamics by giving users exactly the access they need at each location, for example their required VLAN, and a single static fallback VLAN cannot reproduce those individual assignments.

Post-Connect NAC

Post-Connect NAC works on a monitoring basis: endpoints connect first and are then identified and checked.

The major advantage of this NAC approach is that it is quick and easy to implement. Post-Connect NAC can be introduced at short notice if, for example, upcoming audits create pressure. No new hardware needs to be purchased as long as the existing systems can be managed, and the configuration effort is low. Post-Connect NAC can work with SNMP, REST APIs and other management protocols. A gradual transition to a RADIUS-based approach to increase security is easily possible: ports can be moved one by one and clients configured step by step, so there is no time pressure.

Behavior of the solution in a failure scenario:

In the event of a failure, the current state of the network remains in place.

This means there are no interruptions to ongoing production: the network continues to run, even if there is a potential threat. You temporarily lose the security provided by the NAC system, but all other processes continue to run as usual.

Which NAC approach is the right one for my network?

A post-connect solution can also be used like a Pre-Connect NAC. There is a function that moves unused ports to an isolation VLAN. This default VLAN then acts as a kind of airlock through which everything in the network must pass: an endpoint is first checked (pre-connect) and only then granted the correct access.
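As an added example that is not macmon's implementation, the following Python script shows the core of such a post-connect check, in the SNMP variant mentioned above: it parses a constructed numeric snmpwalk of a switch's BRIDGE-MIB and IF-MIB, maps each learned MAC address to its interface name, and derives a per-port action from an inventory. Known endpoints get their VLAN, unused ports go to the isolation VLAN (the airlock), and a port with an unknown MAC is either isolated or only reported, depending on a per-port mode. The OIDs are the standard dot1dTpFdbPort, dot1dBasePortIfIndex and ifName columns; the interface names, MAC addresses, VLAN numbers and the enforce/monitor policy are assumptions.

```python
"""Added example (not macmon code): the decision step of a post-connect NAC
check driven by a switch's SNMP forwarding table. The walk is constructed."""
import re

# Standard MIB columns (numeric, as printed by `snmpwalk -On`).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2."       # MAC (6 decimal octets) -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2."  # bridge port -> ifIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1."                  # ifIndex -> ifName

# Constructed walk of a three-port switch: one known endpoint on Gi1/0/1,
# a known plus a foreign endpoint on Gi1/0/2, nothing learned on Gi1/0/3.
SNMPWALK = """\
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 10002
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.4.3.1.2.0.17.170.187.204.221 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.17.170.187.204.238 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.222.173.190.239.0.1 = INTEGER: 2
.1.3.6.1.2.1.31.1.1.1.1.10001 = STRING: Gi1/0/1
.1.3.6.1.2.1.31.1.1.1.1.10002 = STRING: Gi1/0/2
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Gi1/0/3
"""
LINE = re.compile(r"^\.?(\S+) = (INTEGER|STRING): (.*)$")


def parse_walk(text):
    """Split the walk into fdb {mac: bridge port}, {bridge port: ifIndex}, {ifIndex: ifName}."""
    fdb, port_if, names = {}, {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        oid, _, val = m.groups()
        if oid.startswith(DOT1D_TP_FDB_PORT):
            # the MAC is encoded as six decimal octets at the end of the OID
            octets = oid[len(DOT1D_TP_FDB_PORT):].split(".")
            fdb[":".join(f"{int(o):02x}" for o in octets)] = int(val)
        elif oid.startswith(DOT1D_BASE_PORT_IFINDEX):
            port_if[int(oid[len(DOT1D_BASE_PORT_IFINDEX):])] = int(val)
        elif oid.startswith(IF_NAME):
            names[int(oid[len(IF_NAME):])] = val.strip('"')
    return fdb, port_if, names


def evaluate(walk_text, inventory, policy, isolation_vlan=999):
    """Return {ifName: action}.  inventory maps MAC -> VLAN; policy maps
    ifName -> 'enforce' (isolate unknown) or 'monitor' (report only, for
    OT ports where blocking is unacceptable). Default mode is 'enforce'."""
    fdb, port_if, names = parse_walk(walk_text)
    macs_on = {}
    for mac, bport in fdb.items():
        macs_on.setdefault(names.get(port_if.get(bport)), []).append(mac)
    actions = {}
    for ifname in names.values():
        macs = macs_on.get(ifname, [])
        unknown = [m for m in macs if m not in inventory]
        if not macs:
            # unused port: park it in the isolation VLAN (the airlock)
            actions[ifname] = ("set_vlan", isolation_vlan)
        elif unknown:
            if policy.get(ifname, "enforce") == "enforce":
                actions[ifname] = ("set_vlan", isolation_vlan)
            else:
                actions[ifname] = ("alert", unknown)
        else:
            vlans = {inventory[m] for m in macs}
            # several known endpoints with conflicting VLANs is a hub/daisy-chain: report it
            actions[ifname] = ("set_vlan", vlans.pop()) if len(vlans) == 1 else ("alert", macs)
    return actions


if __name__ == "__main__":
    inventory = {"00:11:aa:bb:cc:dd": 10, "00:11:aa:bb:cc:ee": 20}   # constructed
    policy = {"Gi1/0/2": "monitor"}                                   # constructed OT port
    for port, action in evaluate(SNMPWALK, inventory, policy).items():
        print(port, action)
```

Pushing the resulting VLAN back to the switch (an SNMP SET on the vendor's port-VLAN object or a call to its REST API) and running the check periodically rather than once are what turn this from an inventory report into Post-Connect NAC; a check that runs only at entry misses a device that is swapped behind an already authorized port.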

To decide on an approach, you should consider the following aspects:

Capabilities of the network components: Factories or hospitals sometimes operate with legacy systems, which could rule out a RADIUS-based NAC.

Urgency: If an audit must be passed promptly, a post-connect NAC can be implemented more quickly.

Effort: The existing personnel resources should be taken into account when selecting the NAC approach.

Failure behavior: While blocking may be desirable in a pure IT network, it is often unthinkable in OT networks. macmon NAC can act actively as well as reactively, and you can define a different failure behavior for each port.

It can therefore make sense to operate both NAC approaches in the same network.

Recommendations for Network Access Control

  • Manufacturer-agnostic NAC solution
  • Monitoring right into the data center
  • Periodic checks in addition to entry checks
  • Integration with other security solutions
  • Select a suitable NAC approach for the place of use
  • Simple handling of the NAC solution

© macmon secure GmbH