What Is Network Security


What Is Network Security?

Network security is any activity designed to protect the usability and integrity of your
network and data.
- It includes both hardware and software technologies
- It targets a variety of threats
- It stops them from entering or spreading on your network
- Effective network security manages access to the network


How does network security work?
Network security combines multiple layers of defenses at the edge and in the network. Each
network security layer implements policies and controls. Authorized users gain access to
network resources, but malicious actors are blocked from carrying out exploits and threats.
How do I benefit from network security?
Digitization has transformed our world. How we live, work, play, and learn have all changed.
Every organization that wants to deliver the services that customers and employees demand
must protect its network. Network security also helps you protect proprietary information
from attack. Ultimately it protects your reputation.
Types of network security

Firewalls

Firewalls put up a barrier between your trusted internal network and untrusted outside
networks, such as the Internet. They use a set of defined rules to allow or block traffic. A
firewall can be hardware, software, or both.
Email security

Email gateways are the number one threat vector for a security breach. Attackers use personal
information and social engineering tactics to build sophisticated phishing campaigns to
deceive recipients and send them to sites serving up malware. An email security application
blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.

Anti-virus and anti-malware software

"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware,
and spyware. Sometimes malware will infect a network but lie dormant for days or even
weeks. The best antimalware programs not only scan for malware upon entry, but also
continuously track files afterward to find anomalies, remove malware, and fix damage.

Network segmentation

Software-defined segmentation puts network traffic into different classifications and
makes enforcing security policies easier. Ideally, the classifications are based on endpoint
identity, not mere IP addresses. You can assign access rights based on role, location, and
more so that the right level of access is given to the right people and suspicious devices are
contained and remediated.

Access control

Not every user should have access to your network. To keep out potential attackers, you need
to recognize each user and each device. Then you can enforce your security policies. You can
block noncompliant endpoint devices or give them only limited access. This process is
network access control (NAC).

Application security

Any software you use to run your business needs to be protected, whether your IT staff builds
it or whether you buy it. Unfortunately, any application may contain holes, or vulnerabilities,
that attackers can use to infiltrate your network. Application security encompasses the
hardware, software, and processes you use to close those holes.

Behavioral analytics

To detect abnormal network behavior, you must know what normal behavior looks like.
Behavioral analytics tools automatically discern activities that deviate from the norm. Your
security team can then better identify indicators of compromise that pose a potential problem
and quickly remediate threats.
Data loss prevention

Organizations must make sure that their staff does not send sensitive information outside the
network. Data loss prevention technologies can stop people from uploading, forwarding, or
even printing critical information in an unsafe manner.
Intrusion prevention systems

An intrusion prevention system (IPS) scans network traffic to actively block attacks.
Cisco Next-Generation IPS (NGIPS) appliances do this by correlating huge amounts of
global threat intelligence to not only block malicious activity but also track the progression of
suspect files and malware across the network to prevent the spread of outbreaks and
reinfection.

Mobile device security

Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years,
90 percent of IT organizations may support corporate applications on personal mobile
devices. Of course, you need to control which devices can access your network. You will also
need to configure their connections to keep network traffic private.
Security information and event management

SIEM products pull together the information that your security staff needs to identify and
respond to threats. These products come in various forms, including physical and virtual
appliances and server software.
VPN

A virtual private network encrypts the connection from an endpoint to a network, often over
the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to
authenticate the communication between device and network.
Web security

A web security solution will control your staff’s web use, block web-based threats, and deny
access to malicious websites. It will protect your web gateway on site or in the cloud. "Web
security" also refers to the steps you take to protect your own website.
Wireless security
Wireless networks are not as secure as wired ones. Without stringent security measures,
installing a wireless LAN can be like putting Ethernet ports everywhere, including the
parking lot. To prevent an exploit from taking hold, you need products specifically designed
to protect a wireless network.

What Is Access Control?


Access control is a data security process that enables organizations to manage who is authorized
to access corporate data and resources. Secure access control uses policies that verify users are
who they claim to be and ensures that appropriate access levels are granted to users.
Implementing access control is a crucial component of web application security, ensuring only
the right users have the right level of access to the right resources. The process is critical to
helping organizations avoid data breaches and fight attack vectors such as buffer
overflow attacks, KRACK attacks, on-path attacks, or phishing attacks.

What are the Components of Access Control?


At a high level, access control is about restricting access to a resource. Any access
control system, whether physical or logical, has five main components:
1. Authentication: The act of proving an assertion, such as the identity of a person or
computer user. It might involve validating personal identity documents, verifying
the authenticity of a website with a digital certificate, or checking login credentials
against stored details.
2. Authorization: The function of specifying access rights or privileges to resources.
For example, human resources staff are normally authorized to access employee
records and this policy is usually formalized as access control rules in a computer
system.
3. Access: Once authenticated and authorized, the person or computer can access the
resource.
4. Manage: Managing an access control system includes adding and removing
authentication and authorization of users or systems. Some systems will sync with G
Suite or Azure Active Directory, streamlining the management process.
5. Audit: Frequently used as part of access control to enforce the principle of least
privilege. Over time, users can end up with access they no longer need, e.g. when
they change roles. Regular audits minimize this risk.
How Does Access Control Work?
Access control can be split into two groups designed to improve physical security
or cybersecurity:
- Physical access control: limits access to campuses, buildings and other physical
assets, e.g. a proximity card to unlock a door.
- Logical access control: limits access to computers, networks, files and
other sensitive data, e.g. a username and password.
For example, an organization may employ an electronic control system that relies on
user credentials, access card readers, intercom, auditing and reporting to track
which employees have access and have accessed a restricted data center. This
system may incorporate an access control panel that can restrict entry to individual
rooms and buildings, as well as sound alarms, initiate lockdown procedures and
prevent unauthorized access.
This access control system could authenticate the person's identity
with biometrics and check if they are authorized by checking against an access
control policy or with a key fob, password or personal identification number (PIN)
entered on a keypad.
Another access control solution may employ multi factor authentication, an example
of a defense in depth security system, where a person is required to know something
(a password), be something (biometrics) and have something (a two-factor
authentication code from smartphone mobile apps).
In general, access control software works by identifying an individual (or computer),
verifying they are who they claim to be, authorizing they have the required access
level and then storing their actions against a username, IP address or other audit
system to help with digital forensics if needed.
What are the Types of Access Control?
The main types of access control are:
- Attribute-based access control (ABAC): Access management systems where
access is granted not on the rights of a user after authentication but based on
attributes. The end user has to prove so-called claims about their attributes to the
access control engine. An attribute-based access control policy specifies which
claims need to be satisfied to grant access to the resource. For example, the claim
may be that the user's age is over 18, and any user who can prove this claim will be
granted access. In ABAC, it's not always necessary to authenticate or identify the
user, just to establish that they have the attribute.
- Discretionary access control (DAC): Access management where owners or
administrators of the protected system, data or resource set the policies defining who
or what is authorized to access the resource. These systems rely on administrators
to limit the propagation of access rights. DAC systems are criticized for their lack of
centralized control.
- Mandatory access control (MAC): Access rights are regulated by a central
authority based on multiple levels of security. MAC is common in government and
military environments, where classifications are assigned to system resources and the
operating system or security kernel grants or denies access based on the user's or
the device's security clearance. It is difficult to manage, but its use is justified when
it protects highly sensitive data.
- Role-based access control (RBAC): In RBAC, an access system determines who
can access a resource, rather than an owner. RBAC is common in commercial and
military systems, where multi-level security requirements may exist. RBAC can be
distinguished from MAC primarily by the way it handles permissions. MAC controls
read and write permissions based on a user's or device's clearance level, while RBAC
controls collections of permissions that may include complex operations such as
credit card transactions or may be as simple as read or write. Commonly, RBAC is
used to restrict access based on business functions, e.g. engineering or human
resources.
- Rule-based access control: A security model where an administrator defines rules
that govern access to the resource. These rules may be based on conditions such
as time of day and location. It's not uncommon to have some form of rule-based
access control and role-based access control working together.
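The list above ends by noting that role-based and rule-based access control are often combined. The following added example (not code from any product the page names) shows that combination together with the audit step from the components list: roles carry permissions, rules add conditions such as time of day and network, every decision is logged, and the log is then used to find a role the user holds but never exercises. Roles, rules, users and timestamps are constructed sample data.

```python
"""Role-based and rule-based access control working together, with an audit log.

Added example for this page; it is not code from any product the page names.
Roles, rules, users and timestamps are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set

# RBAC: permissions hang off business functions, never off individual people.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "engineer": {"source:read", "source:write", "build:run"},
    "hr": {"employee_records:read", "employee_records:write"},
    "auditor": {"employee_records:read", "audit_log:read"},
}


@dataclass(frozen=True)
class Request:
    username: str
    roles: frozenset            # roles the already-authenticated user holds
    permission: str             # e.g. "employee_records:write"
    when: datetime
    network: str                # "corporate" or "public"


# Rule-based conditions: each returns a denial reason, or None when satisfied.
RuleFn = Callable[[Request], Optional[str]]


def business_hours(req: Request) -> Optional[str]:
    return None if 7 <= req.when.hour < 19 else "outside business hours"


def writes_need_corporate_network(req: Request) -> Optional[str]:
    if req.permission.endswith(":write") and req.network != "corporate":
        return "write attempted from a public network"
    return None


class AccessControl:
    def __init__(self, role_permissions: Dict[str, Set[str]], rules: List[RuleFn]):
        self.role_permissions = role_permissions
        self.rules = rules
        self.audit_log: List[dict] = []

    def permissions_for(self, roles) -> Set[str]:
        granted: Set[str] = set()
        for role in roles:
            granted |= self.role_permissions.get(role, set())
        return granted

    def authorize(self, req: Request) -> bool:
        """Role check first, then every rule in order; each decision is recorded."""
        reason: Optional[str] = None
        if req.permission not in self.permissions_for(req.roles):
            reason = "no held role grants this permission"
        else:
            for rule in self.rules:
                reason = rule(req)
                if reason:
                    break
        self.audit_log.append({
            "user": req.username, "permission": req.permission,
            "when": req.when.isoformat(), "granted": reason is None, "reason": reason,
        })
        return reason is None

    def unused_roles(self, username: str, roles) -> Set[str]:
        """Least-privilege review: roles none of whose permissions the user ever used."""
        used = {e["permission"] for e in self.audit_log
                if e["user"] == username and e["granted"]}
        return {r for r in roles if not (self.role_permissions.get(r, set()) & used)}


def demo() -> dict:
    ac = AccessControl(ROLE_PERMISSIONS, [business_hours, writes_need_corporate_network])
    # Alice moved from engineering to HR; the old role was never removed.
    alice = frozenset({"hr", "engineer"})
    office_9am = datetime(2024, 3, 4, 9, 15)
    cafe_11pm = datetime(2024, 3, 4, 23, 5)

    def ask(permission: str, when: datetime, network: str) -> bool:
        return ac.authorize(Request("alice", alice, permission, when, network))

    return {
        "read_records_office": ask("employee_records:read", office_9am, "corporate"),
        "write_records_cafe_night": ask("employee_records:write", cafe_11pm, "public"),
        "write_records_cafe_day": ask("employee_records:write", office_9am, "public"),
        "approve_payroll": ask("payroll:approve", office_9am, "corporate"),
        "unused_roles": ac.unused_roles("alice", alice),
        "denial_reasons": [e["reason"] for e in ac.audit_log if not e["granted"]],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```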

What is a firewall? And what isn’t a firewall?


A firewall is a network security perimeter device that inspects traffic entering
and leaving the network. Depending on the security rules assigned specifically
to it, the firewall either permits safe traffic or denies traffic it deems as
dangerous.

A firewall’s main objective is to establish a barrier (or “wall”) that separates an
internal network from incoming external traffic (such as the internet) for the purpose
of blocking malicious network packets like malware and hacking.
When discussing firewalls, it is critical to clear up any confusion regarding what
constitutes a firewall and what does not. For instance, intrusion detection systems,
routers, proxy servers, VPNs and antivirus solutions are not firewalls. Many firewall
architectures are built into other security solutions, and many security solutions are
built into firewalls.

How does firewall technology work?


Firewalls carefully analyze incoming traffic arriving on a computer’s entry point,
called a port, which determines how external devices communicate with each other
and exchange information.

Firewalls operate using specific firewall rules. A firewall rule will typically include a
source address, a protocol, a port number and a destination address.

Here’s an analogy to explain the components of a firewall rule. Instead of protecting
a network, think of a giant castle. The source address represents a person wishing to
enter the castle. The port represents a room in the castle. The protocol represents a
mode of transportation, and the destination address represents the castle.

Only trusted people (source addresses) may enter the castle (destination address) at
all. Or perhaps only people that arrive on foot (protocol). Once inside, only people
within the house are permitted to enter certain rooms (destination ports), depending
on who they are. The king may be allowed in any room (any port), while guests and
servants may only access a certain number of rooms (specific ports).

In this analogy, the firewall would act like an elaborate alarm system.

Types of firewalls and deployment options


Adding to the confusion of what constitutes a firewall, there are numerous firewall
types to be aware of.

First, firewalls are classified by what they are and where they reside. For example,
firewalls can either be hardware or software, cloud-based or on-premises.

A software firewall resides on an endpoint (like a computer or mobile device) and
regulates traffic directly from that device. Hardware firewalls are physical pieces of
equipment that reside between your gateway and network. Cloud-based firewalls,
also known as Firewall-as-a-service (FaaS), act like any other internet-based SaaS
solutions, performing their work in the cloud.

Next, and this is the most common distinction between types, firewalls are classified
by functionality.
The most common firewall types based on methods of operation are:

- Packet-filtering firewalls
- Proxy firewalls
- NAT firewalls
- Web application firewalls
- Next-gen firewalls (NGFW)
Packet-filtering firewalls

Packet-filtering firewalls, the most basic firewall type, examine packets and prevent
them from moving on if the specific security rule is not met. This firewall's function is
to perform a simple check of all data packets arriving from the network router and
inspecting the specifics like source and destination IP address, port number,
protocol, and other surface-level data.

Packet filtering firewalls don’t open data packets to inspect their contents. Any data
packet that fails the simple inspection is dropped.

Their main drawback is that they provide only basic protection and are therefore
more vulnerable to being bypassed.

Packet-filtering firewalls can be either stateful or stateless. Stateless firewalls only
analyze each packet individually, whereas stateful firewalls — the more secure
option — take previously inspected packets into consideration.
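The rule components described earlier (source address, protocol, port, destination address) and the stateful/stateless distinction are easiest to see in code. This added example, which is not code from any firewall product the page mentions, evaluates a small default-deny rule base two ways: the stateless filter judges each packet alone, so the reply to a permitted outbound connection is dropped unless a broad inbound rule is added, while the stateful filter remembers the outbound connection and admits only its replies. Addresses, ports and rules are constructed sample data.

```python
"""Stateless vs. stateful packet filtering over a default-deny (whitelist) rule base.

Added example for this page, not code from any firewall product it mentions.
Addresses, ports and rules below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # "tcp", "udp" or "icmp"
    sport: int      # source port
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source, destination, protocol and port -> action."""
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class StatelessFilter:
    """Judges every packet on its own; first matching rule wins, no match means drop."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"   # whitelisting: traffic not explicitly listed does not pass


class StatefulFilter(StatelessFilter):
    """Same rule base plus a table of connections the inside network already opened,
    so replies to them get in without a broad inbound allow rule."""

    def __init__(self, rules, inside: str):
        super().__init__(rules)
        self.inside = ip_network(inside)
        self.sessions = set()   # (client, server, proto, server_port)

    def decide(self, pkt: Packet) -> str:
        # A reply to a connection we saw leave belongs to an established session.
        if (pkt.dst, pkt.src, pkt.proto, pkt.sport) in self.sessions:
            return "allow"
        action = super().decide(pkt)
        if action == "allow" and ip_address(pkt.src) in self.inside:
            self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
        return action


# Constructed rule base: inside hosts may browse HTTPS, and only the management
# subnet may reach SSH on the firewall itself; everything else is denied.
RULES = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("allow", src="10.0.99.0/24", dst="10.0.0.1/32", proto="tcp", dport=22),
]


def demo() -> dict:
    """Runs the same packets through both filters and returns every verdict."""
    outbound = Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000)
    ssh_from_user_lan = Packet("10.0.0.7", "10.0.0.1", "tcp", 52000, 22)

    stateless = StatelessFilter(RULES)
    stateful = StatefulFilter(RULES, inside="10.0.0.0/8")
    cold = StatefulFilter(RULES, inside="10.0.0.0/8")   # never saw the outbound packet

    return {
        "stateless_outbound": stateless.decide(outbound),          # allow
        "stateless_reply": stateless.decide(reply),                # deny: no rule, no memory
        "stateful_outbound": stateful.decide(outbound),            # allow, session recorded
        "stateful_reply": stateful.decide(reply),                  # allow: matches session
        "unsolicited_inbound": cold.decide(reply),                 # deny: no session to match
        "ssh_from_user_lan": stateless.decide(ssh_from_user_lan),  # deny: not mgmt subnet
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```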

Proxy firewalls

Proxy firewalls, also known as application-level firewalls, filter network traffic at
the application layer of the OSI network model. As an intermediary between two
systems, proxy firewalls monitor traffic at the application layer (protocols at this layer
include HTTP and FTP). To detect malicious traffic, both stateful and deep packet
inspection are leveraged.

Proxy firewalls typically operate in the cloud or through another proxy device. Instead
of allowing traffic to connect directly, a connection to the traffic’s source is
established and the data packet is inspected.

NAT firewalls

Network address translation (NAT) firewalls work by assigning a public address to a
group of devices inside a private network. With NAT, individual IP addresses are
hidden. Therefore, attackers scanning for IP addresses on a network are prevented
from discovering specific details.
NAT firewalls and proxy firewalls both act as a go-between connecting groups of
devices with outside traffic.

Web application firewalls

Web application firewalls (WAF) are responsible for filtering, monitoring, and
blocking data packets as they travel in and out of websites or web applications. A
WAF can either reside on the network, at the host or in the cloud and is typically
placed in front of one or many websites or applications. WAFs are available as
server plugins, cloud services, or network appliances.

A WAF is most similar to the proxy firewall, but has a more specific focus on
defending against application-layer, web-based attacks.

NGFW firewalls

As the threat landscape intensifies, the Next-generation firewall (NGFW) is the most
popular firewall type available today.

Thanks to the major improvements in storage space, memory, and processing
speeds, NGFWs build upon traditional firewalls' features and add other critical
security functions like intrusion prevention, VPN, anti-malware, and even encrypted
traffic inspection. NGFW’s ability to handle deep packet inspection means that the
firewall can unpack the packet's data to prevent any packets with malicious data
from moving forward.

Compared to traditional firewalls, these firewalls provide extensive application control
and visibility, distinguish between safe and dangerous applications, and block
malware from entering a network.
Network Device Security:
Guide and Best Practices

What is network device security?


Network device security is the use of policies and configurations that a network
administrator sets to monitor and protect the network devices from any
unwanted or unauthorized access, changes, or use. It is vital for any organization
to have secure network infrastructure devices in order to limit disruptions or
data loss. Network device security enables organizations to better control access
to their network devices, and in turn better control access to their network.

What are the types of network security devices?
There are many types of network devices, but these are some of the most
commonly used ones for securing a network.

Firewalls
For most networks, the firewall is one of the first lines of defense. Firewalls act to
isolate your network and protect it from unwanted network traffic. Depending
on your network, firewalls can be built into devices such as routers and switches
or implemented as standalone protection.
Firewalls can operate in two ways:

1. Whitelisting: The firewall blocks everything except specifically listed network
traffic.
2. Blacklisting: The firewall only blocks suspicious traffic from the network.
Deciding which of these policies to choose is part of determining how to manage
a network, but more often than not, you’ll want to take a Whitelisting approach.

Network access control (NAC)


Network access control (NAC) is a network security device that checks the
security settings of any device trying to enter the network and either denies
entry if the settings do not meet predefined policy requirements or allows entry to
the network if the settings match the access requirements.

Intrusion Prevention and Intrusion Detection Systems (IPS / IDS)
Intrusion prevention and intrusion detection systems scan and alert you of any
network attacks. They act in conjunction with the firewall and scan for anything
that may have cleared the firewall and entered the network.

While intrusion detection systems notify you of any intrusions and require action
on your part, intrusion prevention systems notify you and actively respond to
the intrusion without your intervention.
Proxy servers
Proxy servers provide network security by acting as a go-between for your
network computer’s web browser and the server on the other end of the
connection. Inappropriate and malicious websites are blocked by proxy servers
and access control policies are enforced.

These are only some of your choices when it comes to types of network security
devices, and no single one will do it all. Instead, it’s important to take a layered
approach and utilize as many types of security as your network needs to ensure
your network infrastructure devices remain protected and secure.

How do I secure a network device?


If you’re wondering how to secure network devices, there are actually several
ways to enhance the security of network infrastructure.

Take inventory
It’s important to keep up-to-date inventories of all your network devices and to
know exactly what security policies have been applied to each one. Taking
inventory can be a time-consuming task when done manually, so opt for a
network scanning tool that can do this for you like Auvik.

Identify devices at high-risk


By evaluating your devices and narrowing in on the ones with increased risk, you
can proactively take additional measures to ensure your network remains
secure. Be sure to also look at devices that contain sensitive information or are
lacking in strict access permissions and implement greater security measures
there as well.

Determine areas of device weakness


While you identify high-risk devices, also notice where these devices exhibit
weaknesses that need attention. By finding these areas of device weakness, you
can locate where patches are needed and deploy extra security to the device to
protect it and your network.
Use configuration and management tools
Manually performing network configuration and security tasks is a time-
consuming burden on your administrator, and these tasks can be done more
efficiently and accurately with configuration and management tools. Repetitive
tasks and standards maintenance are done automatically with configuration
management tools, and any changes to network configurations are detected and
flagged in real-time to ensure you know exactly what is happening when as well
as who is making the changes. Auvik's network management system provides
the tools you need with the security and privacy your network demands.

Routine reporting and audits


Regularly reviewing your devices is key to securing network devices. Utilize
reports that analyze your device’s security measures and keep tabs on whether
everything is working as it should or if you need to make any adjustments.

5 Security Best Practices for Network Devices

1. Limit the IP ranges that can manage network infrastructure
Do your users need direct access to switches or firewalls? How about the IP
phone subnet? For nearly every person I talk to the answer is a clear ‘no’.
Most network devices allow you to select management IPs or apply access
control lists (ACLs) to services such as SNMP and SSH. Use this feature to restrict
access to a couple of management servers you have on site.

This is especially important for perimeter devices. If you’ve enabled SSH access
to a firewall from the outside, it’s critical that access is locked down. Be careful
not to lock yourself out though.

2. Use SNMPv3 throughout the network


SNMP has gone through a few iterations over the years. SNMPv2c, the most
commonly used version, has been around for decades with little change.
SNMPv3 is a great option for those looking to manage devices over SNMP while
adding some network device security and encryption to that management.

Using SNMPv3 instead of v2c over public networks is obvious, but security-
conscious service providers have increasingly been using SNMPv3 within private
networks as well. That’s because v3 reduces the amount of management data
traversing the network in clear text—in case someone is listening in who
shouldn’t be.

3. Rotate network device credentials


It’s that time of year: Time to change your firewall password from Fall2019 to
Winter2019, am I right?

While some may rightfully question your choice of passwords, good on you to
rotate your credentials on a quarterly basis. We typically see teams rotating
network device credentials at least annually. Credentials are an important
method of securing network devices.

Already rotating regularly? You’re well ahead of the curve.

Credential rotation isn’t on your regular calendar yet? Start the habit now by
setting a recurring ticket in your PSA.

4. Disable unused network ports


Helpful employees, malicious actors, shadow IT—these are all people who would
love to plug something into an open Ethernet port on your switch. Trouble is,
they can cause a broad range of issues, from broadcast storms to security
breaches and unsanctioned hardware on your network.

If you have extra ports on routers, switches, and firewalls after completing the
initial configuration, disable them. If they’re ever needed again, you can log back
in and re-enable them.

5. Secure SSH on network devices


First of all, thank you for having SSH configured and not Telnet. (You do have
Telnet disabled, right?)

There are a few things to consider when securing SSH:

1. Disable SSHv1. Version 2 is newer and more secure.
2. Enable an idle timeout so that any idle sessions are closed down.
3. Ensure the network device software is up-to-date. Many network devices use
OpenSSH, and over the past few years there have been many OpenSSH bugs
identified and fixes put in place.

6. Bonus! Add a warning banner


Consider implementing a warning banner sanctioned by the legal team that
users will see when they log in. While this won’t prevent access and won’t stop
malicious actors, it may give an accidental hacker second thoughts.

It’s important to keep in mind that the steps to implement each of these
recommendations will be different between network device vendors. You may
also find that some settings discussed aren’t available on your network
infrastructure devices. That’s OK—implement what you can and manage the risk
around the others. What is network management without an individual
approach to each network?

Achieving a secure network is a constantly moving target that relies heavily on
network device security. If you’re not being proactive and continually re-evaluating
and managing the risks, you’ll be behind before you know it. Auvik’s
network monitoring and management software helps you prevent, detect, and
resolve network issues quickly. Our cloud-based secure network management
ensures you always know what’s on your network.
What is Multi-Factor Authentication
(MFA)?
Multi-factor Authentication (MFA) is an authentication method
that requires the user to provide two or more verification
factors to gain access to a resource such as an application,
online account, or a VPN. MFA is a core component of a
strong identity and access management (IAM) policy. Rather
than just asking for a username and password, MFA requires
one or more additional verification factors, which decreases the
likelihood of a successful cyber attack.

Why is MFA Important?


The main benefit of MFA is it will enhance your organization's
security by requiring your users to identify themselves by more
than a username and password. While important, usernames
and passwords are vulnerable to brute force attacks and can be
stolen by third parties. Enforcing the use of an MFA factor like a
thumbprint or physical hardware key means increased
confidence that your organization will stay safe from cyber
criminals.
How Does MFA work?
MFA works by requiring additional verification information
(factors). One of the most common MFA factors that users
encounter are one-time passwords (OTP). OTPs are those 4-8
digit codes that you often receive via email, SMS or some sort of
mobile app. With OTPs a new code is generated periodically or
each time an authentication request is submitted. The code is
generated based upon a seed value that is assigned to the user
when they first register and some other factor which could
simply be a counter that is incremented or a time value.
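The paragraph above describes the OTP construction in words: a per-user seed combined with either a counter or the current time. The following added example (not code from any MFA product) implements exactly that using the HMAC-SHA1 construction standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP), and adds the server-side checks a practitioner needs: a counter-based verifier that refuses replayed codes but tolerates a few skipped counters, and a time-based verifier that tolerates one window of clock drift. The seed is the RFCs' published test seed; the timestamps are constructed.

```python
"""One-time passwords from a per-user seed plus a counter (HOTP) or the time (TOTP).

Added example for this page, not code from any MFA product. It follows the
HMAC-SHA1 construction of RFC 4226 / RFC 6238; the seed is the RFCs' published
test seed and the timestamps are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

SEED = b"12345678901234567890"   # shared with the user's token at enrolment


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code: HMAC the 8-byte counter, truncate to 31 bits, keep `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of `step`-second windows since the epoch."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // step), digits)


class HotpVerifier:
    """Server-side HOTP check. A code is accepted only if its counter lies beyond the
    last accepted one (so a captured code cannot be replayed) and within a short
    look-ahead window (so codes generated but never submitted do not lock the user out)."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.last_counter = -1
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter   # consumes this and every skipped counter
                return True
        return False


def verify_totp(seed: bytes, code: str, at: Optional[float] = None,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side to tolerate clock drift."""
    now = time.time() if at is None else at
    base = int(now // step)
    return any(hmac.compare_digest(hotp(seed, base + d), code)
               for d in range(-skew, skew + 1))


def demo() -> dict:
    server = HotpVerifier(SEED)
    code_at_59 = totp(SEED, at=59)
    return {
        "hotp_first_three": [hotp(SEED, c) for c in range(3)],    # RFC 4226 test vectors
        "hotp_accept": server.verify(hotp(SEED, 0)),              # True
        "hotp_replay": server.verify(hotp(SEED, 0)),              # False: counter already used
        "hotp_skipped_ahead": server.verify(hotp(SEED, 3)),       # True: within look-ahead
        "hotp_stale": server.verify(hotp(SEED, 2)),               # False: behind the counter
        "totp_at_59": code_at_59,                                 # RFC 6238 vector, 6 digits
        "totp_next_window": verify_totp(SEED, code_at_59, at=89),   # True: one window of drift
        "totp_too_old": verify_totp(SEED, code_at_59, at=150),      # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```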
Three Main Types of MFA
Authentication Methods
Most MFA authentication methodology is based on one of three
types of additional information:

- Things you know (knowledge), such as a password or PIN
- Things you have (possession), such as a badge or smartphone
- Things you are (inherence), such as a biometric like fingerprints or voice
recognition

MFA Examples
Examples of Multi-Factor Authentication include using a
combination of these elements to authenticate:

Knowledge
- Answers to personal security questions
- Password
- OTPs (Can be both Knowledge and Possession - You know the OTP and you have
to have something in your Possession to get it like your phone)
Possession
- OTPs generated by smartphone apps
- OTPs sent via text or email
- Access badges, USB devices, Smart Cards or fobs or security keys
- Software tokens and certificates
Inherence
- Fingerprints, facial recognition, voice, retina or iris scanning or other Biometrics
- Behavioral analysis

Other Types of Multi-Factor Authentication
As MFA integrates machine learning and artificial intelligence
(AI), authentication methods become more sophisticated,
including:
Location-based
Location-based MFA usually looks at a user’s IP address and, if
possible, their geo location. This information can be used to
simply block a user’s access if their location information does
not match what is specified on a whitelist or it might be used as
an additional form of authentication in addition to other factors
such as a password or OTP to confirm that user’s identity.

Adaptive Authentication or Risk-based Authentication


Another subset of MFA is Adaptive Authentication also referred
to as Risk-based Authentication. Adaptive Authentication
analyzes additional factors by considering context and behavior
when authenticating and often uses these values to assign a
level of risk associated with the login attempt. For example:

- From where is the user when trying to access information?
- When are you trying to access company information? During your normal hours
or during "off hours"?
- What kind of device is used? Is it the same one used yesterday?
- Is the connection via a private network or a public network?
The risk level is calculated based upon how these questions are
answered and can be used to determine whether or not a user
will be prompted for an additional authentication factor or
whether or not they will even be allowed to log in. Thus another
term used to describe this type of authentication is risk-based
authentication.

With Adaptive Authentication in place, a user logging in from a
cafe late at night, an activity they do not normally do, might be
required to enter a code texted to the user’s phone in addition
to providing their username and password. Whereas, when
they log in from the office every day at 9 am they are simply
prompted to provide their username and password.
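The four questions and the cafe-versus-office scenario above amount to a scoring engine. This added example (not code from any identity product) implements one: each question becomes a weighted signal evaluated against what is normal for the user, the total decides between a plain login, a step-up to a second factor, or a block, and a successful step-up teaches the system the new device so the same user is not challenged for it again. Signals, weights, thresholds and the user baseline are constructed sample values.

```python
"""Risk-based (adaptive) authentication: score a login attempt against what is normal
for the user and choose between plain login, step-up to another factor, or block.

Added example for this page, not code from any identity product. Signals, weights,
thresholds and the baseline below are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Set, Tuple


@dataclass
class Baseline:
    """What the system has learned is normal for one user."""
    usual_countries: Set[str]
    known_devices: Set[str]
    work_hours: range            # hours of the day the user normally logs in


@dataclass(frozen=True)
class Attempt:
    country: str
    device_id: str
    when: datetime
    network: str                 # "corporate" or "public"


# One signal per question: where, which device, when, and which kind of network.
Signal = Tuple[str, int, Callable[[Attempt, Baseline], bool]]
SIGNALS: List[Signal] = [
    ("unfamiliar location", 40, lambda a, b: a.country not in b.usual_countries),
    ("unknown device", 30, lambda a, b: a.device_id not in b.known_devices),
    ("off hours", 15, lambda a, b: a.when.hour not in b.work_hours),
    ("public network", 15, lambda a, b: a.network == "public"),
]
STEP_UP_AT = 25      # ask for an additional factor at or above this score
BLOCK_AT = 70        # refuse the login outright at or above this score


def assess(attempt: Attempt, baseline: Baseline) -> Tuple[str, int, List[str]]:
    """Returns (decision, risk score, names of the signals that fired)."""
    score, reasons = 0, []
    for name, weight, fired in SIGNALS:
        if fired(attempt, baseline):
            score += weight
            reasons.append(name)
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


def record_step_up_success(attempt: Attempt, baseline: Baseline) -> None:
    """After the second factor succeeds, the device becomes known, so the next login
    from it is not challenged for that reason alone."""
    baseline.known_devices.add(attempt.device_id)


def demo() -> dict:
    alice = Baseline(usual_countries={"DE"}, known_devices={"laptop-alice"},
                     work_hours=range(7, 19))
    office_9am = Attempt("DE", "laptop-alice", datetime(2024, 3, 4, 9, 0), "corporate")
    cafe_11pm = Attempt("DE", "laptop-alice", datetime(2024, 3, 4, 23, 10), "public")
    new_phone_abroad = Attempt("BR", "phone-new", datetime(2024, 3, 5, 2, 30), "public")

    results = {
        "office_9am": assess(office_9am, alice)[0],              # allow: nothing unusual
        "cafe_11pm": assess(cafe_11pm, alice),                   # step_up: off hours + public
        "new_phone_abroad": assess(new_phone_abroad, alice)[0],  # block: everything fired
    }
    # A new laptop from the office at a normal hour: challenge once, then learn it.
    new_laptop = Attempt("DE", "laptop-alice-2", datetime(2024, 3, 6, 10, 0), "corporate")
    results["new_laptop_first"] = assess(new_laptop, alice)[0]   # step_up
    record_step_up_success(new_laptop, alice)
    results["new_laptop_next"] = assess(new_laptop, alice)[0]    # allow
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```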

Cyber criminals spend their lives trying to steal your
information and an effective and enforced MFA strategy is your
first line of defense against them. An effective data security
plan will save your organization time and money in the future.

What Does Wireless Local Area Network Security (WLAN Security) Mean?
Wireless local area network security (WLAN security) is a security system
designed to protect networks from the security breaches to which wireless
transmissions are susceptible. This type of security is necessary because
WLAN signals have no physical boundary limitations, and are prone to
illegitimate access over network resources, resulting in the vulnerability of
private and confidential data. Network operations and availability can also
be compromised in case of a WLAN security breach. To address these
issues, various authentication, encryption, invisibility and other
administrative controlling techniques are used in WLANs. Business and
corporate WLANs in particular require adequate security measures to
detect, prevent and block piggybackers, eavesdroppers and other
intruders.
Wireless Local Area Network Security (WLAN Security)
Security has remained a major concern in WLANs around the globe. While
wireless networks provide convenience and flexibility, they also increase
network vulnerability. Security threats such as unauthorized access,
denial of service attacks, IP and MAC spoofing, session hijacking and
eavesdropping can all be problems for WLANs. To counter these threats,
various standard authentication and encryption techniques are combined
with other access control mechanisms. These protocols, devices and
techniques collectively secure the WLAN to a level that equals and even
exceeds wired LAN security.

Some of the technologies employed in WLAN security include:


 Wired Equivalent Privacy (WEP): An old encryption standard used to
overcome security threats. WEP provides security to WLAN by
encrypting the information transmitted over the air so that only the
receivers with the correct encryption key can decrypt the
information.
 WPA/WPA2 (Wi-Fi Protected Access): Improved on WEP by
introducing Temporal Key Integrity Protocol (TKIP). While still using
RC4 encryption, TKIP uses a temporal encryption key that is
regularly renewed, making it more difficult to steal. In addition,
data integrity was improved through the use of a more robust
hashing mechanism.
 Wireless Intrusion Prevention Systems/Intrusion Detection
Systems: Intrusion detection and prevention focuses on radio
frequency (RF) levels. This involves radio scanning to detect rogue
access points or ad hoc networks to regulate network access.
Advanced implementations are able to visually represent the
network area along with potential threats, and have automatic
classification capabilities so that threats can be easily identified.
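The classification step of the rogue access point and ad hoc network scanning described in the last item, as an added example that is not code from the original document; the AP inventory, the SSIDs, the MAC addresses and the class names are constructed for illustration.

```python
"""Added example, not code from the original document: the classification step
of a wireless intrusion detection scan as described in the list above.
The AP inventory, SSIDs and MAC addresses are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str             # MAC address of the radio advertising the network
    security: str          # "open", "wep", "wpa2" or "wpa3"
    ibss: bool = False     # True for an ad hoc (IBSS) network

# Constructed inventory: corporate SSID -> BSSIDs of sanctioned access points
AUTHORISED = {"CorpNet": frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"})}
WEAK = {"open", "wep"}   # no protection, or WEP, the old standard named above

def classify(b: Beacon) -> str:
    """Assign one observed network a class, most serious conditions first."""
    if b.ibss:
        return "ad_hoc"              # peer-to-peer network that bypasses the infrastructure
    if b.ssid in AUTHORISED:
        if b.bssid not in AUTHORISED[b.ssid]:
            return "rogue_ap"        # corporate SSID advertised by an unknown radio
        if b.security in WEAK:
            return "misconfigured"   # sanctioned radio left with weak or no encryption
        return "authorised"
    return "neighbour"               # third-party network, recorded but not a threat

def scan_report(beacons) -> dict:
    """Group BSSIDs by class so an operator sees the serious findings first."""
    report = {k: [] for k in ("rogue_ap", "ad_hoc", "misconfigured", "authorised", "neighbour")}
    for b in beacons:
        report[classify(b)].append(b.bssid)
    return report

SAMPLE_SCAN = [   # constructed scan results
    Beacon("CorpNet", "00:11:22:aa:bb:01", "wpa2"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", "open"),          # unknown radio using our SSID
    Beacon("CorpNet", "00:11:22:aa:bb:02", "wep"),           # legacy setting left enabled
    Beacon("Cafe-Guest", "66:77:88:99:aa:bb", "open"),
    Beacon("AdHocShare", "02:00:00:00:00:01", "open", ibss=True),
]
```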

What Is Network Admission Control (NAC)?
The NAC solution implements security control over access users to provide end-to-end
security. The solution allows only authorized users and secure terminals to access the
network, isolates unauthorized and insecure users and terminals, or allows only
authorized users and terminals to access limited resources. In this way, the security
protection capability of the entire network is improved.

Contents

 What Is the Purpose of NAC?

 What Are the Capabilities of NAC?

 How Does NAC Work?

 NAC Applications

What Is the Purpose of NAC?


On a traditional enterprise network, the intranet is typically considered secure and
security threats mainly come from external networks. Therefore, various security
measures, such as deploying firewalls, are taken to defend against external attacks.
However, many major security vulnerabilities often occur on the intranet. For example,
when employees on the campus browse some websites, malicious software such as
spyware and Trojan horses may be downloaded to computers and spread on the intranet,
causing serious security risks. On a campus network, the security status of any terminal
affects the security of the entire network. The security status refers to
the antivirus capability, patch level, and system security settings. In addition, when a large
number of unauthorized access users exist on the campus network, the service system
may be damaged and critical information assets may be leaked.
The NAC solution can effectively manage network access rights, update system patches
in a timely manner, and upgrade the antivirus database. This allows administrators to
quickly locate, isolate, and repair insecure terminals, meeting intranet security
requirements of the campus network.

What Are the Capabilities of NAC?


NAC provides the following capabilities.

Identity Authentication
Access users need to be authenticated, and only authorized users are allowed access to
the campus network. This is a basic requirement for campus network security. Identity
authentication for terminals such as PCs on the campus network needs to meet the
following requirements:

 After a user with a secure terminal enters the correct user name and password,
the user can be normally connected to the network.
 A user with an insecure terminal can only be connected to the network
isolation domain and then connected to the network after terminal security is
repaired.
 Unauthorized users are not allowed access to the network.

Access Control
Users can be precisely matched based on the user identity, access time, access location,
terminal type, terminal source, and access mode (5W1H for short) to control the
resources available to users. The following explains 5W1H:
Who is connected to the network (employees or guests)?
Whose devices (enterprise devices or BYOD devices)?
What devices (PCs or mobile phones) are used?
When is the access initiated (during working hours or non-working hours)?
Where is the access initiated (in the R&D area, in a non-R&D area, or at home)?
How do devices access the network (through wired or wireless networks)?

Terminal Security Check and Control


The NAC solution checks the security of terminals to allow only secure and healthy
terminals to connect to the network. Security check must meet the following
requirements:

 Scans terminals before they are connected to the network to obtain their
security status, for example, antivirus software installation, patch update, and
password strength.
 Associates with the NAC device to block the terminals that do not pass the security
check. This prevents damage to the service system and helps terminals
complete automatic security issue repair.
 Denies network access to terminals whose security problems cannot be
repaired in a timely manner.
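An admission decision that combines the identity authentication requirements, the 5W1H access control attributes and the terminal security check described above, as an added example that is not code from the original document or from any NAC product; the role names, zone names and the concrete policy rules are assumptions for illustration.

```python
"""Added example, not code from the original document: an admission decision
that combines the identity-authentication, 5W1H access-control and terminal
security-check requirements described above. Roles, zones and the specific
policy rules are assumptions chosen for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Posture:
    antivirus_installed: bool
    patches_current: bool
    strong_password: bool

@dataclass(frozen=True)
class AccessRequest:
    authenticated: bool     # outcome of 802.1X / MAC / Portal authentication, done upstream
    role: str               # who: "employee", "partner" or "guest"
    device_owner: str       # whose: "enterprise" or "byod"
    device_type: str        # what: "pc" or "phone"
    work_hours: bool        # when: True during working hours
    location: str           # where: "rd_area", "office" or "home"
    medium: str             # how: "wired" or "wireless"
    posture: Posture

def posture_failures(p: Posture) -> list:
    """Names of the security checks the terminal did not pass."""
    checks = {"antivirus": p.antivirus_installed,
              "patches": p.patches_current,
              "password_strength": p.strong_password}
    return [name for name, ok in checks.items() if not ok]

def admit(req: AccessRequest) -> tuple:
    """Return (decision, zones): deny, isolate to the repair domain, or allow a zone set."""
    if not req.authenticated:
        return "deny", frozenset()
    failures = posture_failures(req.posture)
    if failures:   # insecure terminal: only the isolation domain with the patch/AV servers
        return "isolate", frozenset({"remediation"})
    if req.role == "guest":
        return "allow", frozenset({"internet"})
    if req.role == "partner":
        return "allow", frozenset({"internet", "partner_servers"})
    zones = {"internet", "intranet"}
    # Assumed rule: R&D resources only from an enterprise PC, wired, in the R&D area, in hours.
    if (req.device_owner == "enterprise" and req.device_type == "pc" and req.medium == "wired"
            and req.location == "rd_area" and req.work_hours):
        zones.add("rd_servers")
    return "allow", frozenset(zones)
```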

System Repair and Upgrade


The NAC solution provides automatic and manual system repair and upgrade functions. It
can automatically download and upgrade system patches, trigger antivirus database
updates, and enforce security measures such as killing illegal or violating processes.

How Does NAC Work?
The NAC solution consists of three key components: security terminal, NAC device, and
server system.

Components of the NAC solution

 Security terminal: is the software installed on the user terminal system. It
authenticates user terminals, evaluates the security status, and implements
security policies on user terminals.
 NAC device: enforces security policies, that is, allowing, rejecting, isolating, or
restricting the access of users based on the security policies customized for
enterprise networks.

The Huawei NAC solution supports multiple authentication modes,
including 802.1X authentication, MAC address authentication, and Portal
authentication. In these authentication modes, the NAC device assists
authentication between a user terminal and NAC server. The NAC device can be
a switch, router, access point (AP), or other security device. It authenticates
access users forcibly, rejects the access of unauthorized users, and isolates
insecure terminals to provide network services only for authorized users and
secure terminals.

 Server system: consists of the NAC server, antivirus/patch/software server, and
service server.

The NAC server is the core of the NAC solution. Users can access the NAC
server before passing identity authentication and security check. The NAC
server authenticates users, performs security audits on users, implements
security policies on users, and associates with the NAC device to deliver user
rights. If a user passes identity authentication but fails terminal security check,
the user usually accesses the antivirus/patch/software server to automatically
update the antivirus database on the terminal and install as well as update the
patches of the operating system and application software to meet the terminal
security check requirements. The service server is used for enterprise service
management. Only authenticated and authorized users can access the service
server.
For example, on an enterprise network, users are classified into employees, partners, and
guests. The NAC solution allows customizing network access and permission control rules
for different user roles.

 Employees: refer to those who have fixed office locations and long-term work
contracts. Employees typically use company devices as office devices. Company
devices often have security terminals installed before employees obtain the
devices. After passing authentication, employees have sufficient access rights
to the company network.
 Partners: refer to those who frequently move and are under few enterprise
constraints. These personnel are connected to the enterprise network for a
certain period of time and access some servers on the network. Partners usually
use the company devices that have security terminals installed. However, the
rights of partners must be strictly controlled because their terminal security is
low.
 Visitors: refer to those who are connected to enterprise networks temporarily.
Typically, visitors are wirelessly connected to the enterprise network and can
only access the Internet through the enterprise network. Visitors are strictly
isolated from employees and partners to prevent enterprise information asset
leakage.

NAC Applications
The Network Admission Control (NAC) solution can be applied to many network
scenarios, such as enterprise campus network, bring your own device (BYOD), Internet of
Things (IoT), and public Wi-Fi network scenarios.

Enterprise Campus Network


The NAC solution strictly differentiates network access rights of employees and non-
employees based on user roles on an enterprise network.

BYOD (Bring Your Own Device)


To meet employees' pursuit of new technologies and personalization and improve their
work efficiency, many enterprises start to consider allowing employees to connect to the
intranet using their own smart devices (such as mobile phones, tablets, and laptops). This
is called BYOD. Generally, no security terminal is installed on employees' own devices.
Accessing the enterprise intranet through these devices may bring security risks. The NAC
solution uses the terminal type identification technology to automatically identify the
types of devices that employees use to connect to the enterprise intranet. This
implements authentication and authorization based on user information, device type, and
device operating environment.
IoT
Most IoT devices do not support traditional authentication protocols or security
certificates. The NAC solution automatically identifies IoT devices based on their
electronic identity information (including the device version, vendor information, version
number, product name, and terminal type), and completes network access authentication
for the IoT devices based on the configured security policies.

Public Wi-Fi Network


Public Wi-Fi networks are widely used. Almost all cafes, shops, airports, hotels, and other
public places provide public Wi-Fi access for their customers and guests. A completely
open public Wi-Fi network has low security. This is because anyone can log in to the
network without identity authentication. Therefore, exercise caution when connecting to
the network. NAC provides WeChat authentication and SMS authentication. When a user
accesses a public Wi-Fi network, the user can scan the QR code through WeChat or enter
the mobile number on the web portal page to access the network using the real name.

What Is Identity and Access Management


An Identity and Access Management (IAM) system defines and
manages user identities and access permissions. Users of IAM
include customers (customer identity management) and
employees (employee identity management). With IAM
technologies, IT managers can ensure that users are who they
say they are (authentication) and that users access the
applications and resources they have permission to use
(authorization).

4 Key Benefits of Identity and Access Management Systems
1. Eliminating weak passwords—research shows over 80%
of data breaches are caused by stolen, default, or weak
passwords. IAM systems enforce best practices in credential
management, and can practically eliminate the risk that
users will use weak or default passwords. They also ensure
users frequently change passwords.
2. Mitigating insider threats—a growing number of breaches
are caused by insiders. IAM can limit the damage caused by
malicious insiders, by ensuring users only have access to the
systems they work with, and cannot escalate privileges
without supervision.
3. Advanced tracking of anomalies—modern IAM solutions
go beyond simple credential management, and include
technologies such as machine learning, artificial intelligence,
and risk-based authentication, to identify and block
anomalous activity.
4. Multi-factor security—IAM solutions help enterprises
progress from two-factor to three-factor authentication,
using capabilities like iris scanning, fingerprint sensors, and
face recognition.
Top 5 Benefits of Identity and Access Management
Improved security

IAM solutions help identify and mitigate security risks. You can
use IAM to identify policy violations or remove inappropriate
access privileges, without having to search through multiple
distributed systems. You can also leverage IAM to ensure
that security measures are in place to meet regulatory and audit
requirements.

Information sharing

IAM provides a common platform for access and identity
management information. You can apply the same security policies
across all the operating platforms and devices used by the
organization. IAM frameworks can help you enforce policies
related to user authentication, privileges, and validation, and
attend to "privilege creep".

Ease of use

IAM simplifies signup, sign-in and user management processes
for application owners, end-users and system administrators. IAM
makes it simple to provide and manage access, and this promotes
user satisfaction.

Productivity gains
IAM centralizes and automates the identity and access
management lifecycle, creating automated workflows for
scenarios like a new hire or a role transition. This can improve
processing time for access and identity changes and reduce
errors.

Reduced IT Costs

IAM services can lower operating costs. Using federated identity
services means you no longer need local identities for external
users; this makes application administration easier. Cloud-based
IAM services can reduce the need to buy and maintain on-premises
infrastructure.

What IAM Means for Compliance Management
If identity access management processes are not effectively
controlled, you may be in noncompliance with industry standards
or government regulations. Also, if your organization is audited,
you may not be able to show that company data is protected
against misuse.

IAM systems are instrumental in compliance efforts. They can
provide many of the safety controls required by security
standards and can demonstrate to auditors that corporate
information is appropriately controlled.
