NAC – Security at the Access Level

Daniel is a young man who started learning hacking as a hobby on the Internet. He learned how to launch a few attacks and would like to try them out in the real world to see the results. This will allow him to confirm that his training works and that he can actually hack.

He regularly meets a friend at the bank, waiting for him at the reception until the end of his shift so that they can head home together. While sitting at the reception unattended, he quickly connects his Kali Linux computer to the network by cable and immediately receives an IP address through DHCP. He then scans the network, runs some exploits, and is able to bring one of the bank’s internal servers down. The IT team on call starts running all over the place, and Daniel feels a rush of accomplishment as he knows he is the cause of the issue. He disconnects his cable, packs his computer, and waits for his friend to come. They go home, and Daniel enjoys his sleep that night, assured that he is getting better at hacking.

Here is what is most likely going to happen to the bank’s IT team after this event. The server will resume responding to traffic, either without help or after a simple reboot; they will attribute the issue to a bug in the system and will not look further. Because Daniel was not really trying to cause any damage, the “glitch” might not happen to them again, but they might never get to know what really happened. Now pause a little and imagine what would have happened if Daniel had been ill-intentioned and had planned an attack on the IT environment of that bank. Just take two minutes and think about it.

Pretty wild, right? They could have suffered a major incident that day and spent hours finding the cause of the problem. Not just that: the brand damage and the cost of having senior staff stay over, or probably having to bring in a consultant to help resolve the issue, would have been just the tip of the iceberg. If they were to realize that they had been hacked, they would have to clean up the systems, and they might never know whether some remnant malicious programs were left behind that could activate at any time in the future.

What could they have done to prevent something similar to this? Is it possible to securely allow access to your network on Wired, on Wireless, and on VPN? Is there a way you can record every network access, identify who was behind that connection, from what device they were operating, and ensure they were given access only to the portion of the network they would be authorized to access? Is there a way to check various components on their endpoint, to ensure they meet some level of compliance before allowing them onto the network? Such are the questions we will attempt to answer in this article.

Network Access in General

A typical access network is made up of various access switches segmented using VLAN technology. There could also be Wireless Access Points and Remote Access VPN available for the users of the organization. To make access seamless and simple, organizations provide a DHCP service so that users automatically get onto the network. Some level of security is provided at the gateway of the network for inter-VLAN traffic. The problem is that, more often than not, organizations are not able to secure access to their physical network appropriately. An ideal situation would be to have the capability to individually authenticate every user and device before permitting them onto the network. It is easier said than done, though. Let’s look at how NAC does that.

What is NAC?

Network Admission Control, or Network Access Control, is a way to protect your network from unauthorized access. It requires users and/or endpoints to authenticate before the connecting endpoint is even given an IP address. Because authentication and authorization happen before the endpoint is given access to the network, a user or endpoint cannot easily compromise the network: until it has authenticated, it does not belong to any network.

NAC as a Fence Protecting your Access Layer

AAA

From Wikipedia: “AAA refers to Authentication, Authorization, and Accounting. It is used to refer to a family of protocols that mediate network access. Two network protocols providing this functionality are particularly popular: the RADIUS protocol and its newer Diameter counterpart.”

How does this work?

  • Visibility

The NAC devices are able to provide visibility into what is connected at the access network by using metadata provided by these devices when they come onto the network. This is achieved by activating some probes on the network access devices (switches, access points, etc.). So you can see how many iPhones, Windows PCs, or tablets are connected to your network. This allows you to create rules based on the type of devices that are connecting to the network and/or to block an entire category completely, depending on the policies of your organization.

  • Profiling

Using the visibility provided by probes, you are able to create policies that automatically apply some rules to certain types of devices. This is usually great for printers, IP phones, biometric devices, IP cameras, etc.: everything that may not really have the capability to authenticate on the network actively. This way of authenticating your devices is called MAC Authentication Bypass, which allows the endpoints to authenticate but then provides security at the authorization level.

  • Authentication

Using a technology called 802.1X, NAC solutions are able to authenticate endpoints against an established database such as Active Directory. You would be able to not only authenticate the device, but also the user. When you combine this with MFA (Multi-Factor Authentication) you can be very sure you have the right person accessing the network.

  • Posture

After ensuring you have the right devices connecting to the network with the right people using them, you may have some additional requirements. It could be that you want to ensure the endpoint is running some antimalware or antivirus, or is running some encryption software, etc. You could check that the software is at the minimum authorized version before admitting the endpoint onto the network, or else quarantine it and allow it to remediate before giving it full access.

  • Guest Access

Because you are able to have such granular control over your network, you can now provide access to guests without compromising your users’ security. The NAC solution provides an easy and simple way to ensure your guests and contractors have access only to the things you want them to have access to.

  • Compliance

As your users, guests, and consultants are busily accessing the network and doing their work, the NAC system records everything: yes, every authentication, successful or failed, and every authorization, when it was given, and how long the session lasted. With this, you are able to tick that compliance box that has been sitting on your table for so long. Yes, I am talking about the sentence: “All devices and users must be securely allowed access onto the network”. Not only that, you have records that will come in handy during auditing and forensic analysis.

Solutions

There are many NAC solutions on the market that work in different ways, and it can be difficult to choose the one that fits your organization. One of the important features that you need to look out for is CoA (Change of Authorization). CoA dynamically changes the authorization of the user/device after it has authenticated. It comes in particularly handy when a quarantined device has remediated itself, or when a user logs out and another user with a different authorization policy logs in. There are two solutions that are very good and that I recommend right out of the box: Aruba ClearPass and Cisco ISE. They would easily meet all your requirements and provide additional features as well.
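The decision flow from “How does this work?” (profiling/MAB, 802.1X authentication, posture, guest access, logging) together with the CoA behaviour described above, modelled as an added Python example; it is not code from this article's author or from any NAC product. The segment names, the profiling table and the `Session` fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical segment names; a real deployment maps these to VLANs or ACLs.
DENY, QUARANTINE, GUEST, DEVICES, CORP = "deny", "quarantine", "guest", "devices", "corp"

# Constructed profiling table: MAC address -> device category learned by probes.
PROFILED = {"00:11:22:33:44:55": "printer", "66:77:88:99:aa:bb": "ip-phone"}
MAB_ALLOWED = {"printer", "ip-phone", "ip-camera"}

@dataclass
class Session:
    mac: str
    method: str = "none"               # "dot1x", "mab", "guest-portal" or "none"
    user: Optional[str] = None
    auth_ok: bool = False              # result of the credential check
    posture_ok: Optional[bool] = None  # None means not yet assessed
    access: str = DENY
    log: list = field(default_factory=list)

def authorize(s: Session) -> str:
    """Pick the network segment for a session; the default is no access."""
    if s.method == "dot1x" and s.auth_ok:
        # Authenticated user: full access only once posture is compliant.
        result = CORP if s.posture_ok else QUARANTINE
    elif s.method == "mab" and PROFILED.get(s.mac) in MAB_ALLOWED:
        # A MAC address is only an identifier, so the restriction is applied
        # at authorization: profiled devices land in a limited segment.
        result = DEVICES
    elif s.method == "guest-portal" and s.auth_ok:
        result = GUEST
    else:
        # Unknown endpoint, failed login, or no authentication at all.
        result = DENY
    s.log.append((s.mac, s.user, s.method, result))  # accounting record
    s.access = result
    return result

def change_of_authorization(s: Session, **changes) -> str:
    """CoA: update session facts (e.g. posture) and re-run the policy."""
    for key, value in changes.items():
        setattr(s, key, value)
    return authorize(s)
```

An endpoint plugged in without authenticating, like Daniel's laptop, falls through to `DENY`, while a quarantined employee session moves to `CORP` only after `change_of_authorization(session, posture_ok=True)`.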

Summary

Complete security may be unattainable, but you can do your best by providing multiple layers of security, so that if one fails there is a high probability another layer will protect your infrastructure and your users. NAC is an important component of your security strategy, and the earlier you set it up, the earlier you protect your organization from our fictitious friend Daniel.

Next Step

Apotica deploys a large portfolio of Next-Generation technologies and is uniquely positioned to advise on the next steps to help with your security strategy. You can request a free consultation here. To enquire about any equipment or software, call us on +233.54.431.5710 or write to sales@apotica.net.

About Apotica

Apotica, headquartered in Accra, Ghana, brings together the best information and communications technologies to help clients grow, compete and serve their customers better. Apotica is an ISO 27001 and 9001 Certified Organization.

© 2024 Apotica. All rights reserved.
