LAN Access Control
Network security efforts are often focused on preventing intrusions at the "front door", i.e. the Internet firewall, while desktop security may be limited to an anti-virus product. This approach assumes that security problems originate from outside, so it hardens the outer perimeter while giving inside users easy access to network resources.
This is no longer sufficient in a world of roaming laptops, LAN sockets in unprotected areas, and a growing number of visitors, external contractors, personnel reorganisations and so on.
Access to the Local Area Network (LAN) should therefore be limited to authorised PCs and end devices. How do we authorise or block end devices? How do we enforce LAN access security policies?
FreeNAC NAC can help to:
- Limit access to network resources
- Provide tracking of what devices were on the network, where, when
- Provide a live inventory of devices, and link it to static inventory
- Provide compliance reports tying together Network, User, Device information.
How it works
The switch detects a new device on a port and requests authorisation from the FreeNAC server, which checks its database and refuses or grants access, assigning an appropriate Virtual LAN (VLAN) when access is granted.
How does authentication work?
- VMPS mode: end devices are identified by MAC address only. Users are not authenticated in this mode. Note that a MAC address can be set by whoever controls the device, so this mode identifies devices but does not authenticate them.
- 802.1x mode: devices can be authenticated by certificate, and users can be authenticated via a Windows domain logon.
In both modes the VLAN is assigned on the basis of the end device's MAC address. In VMPS mode, identification and VLAN assignment take place in one step. In 802.1x mode, either a user (domain login) or a device (certificate) is authenticated first, and only then is the MAC address used for VLAN assignment.
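The following is an added example that models the decision flow described above (switch reports a new device, server looks it up and answers with a VLAN or a refusal, and records who was where and when) in both VMPS and 802.1x mode. It is not FreeNAC's own code: the real exchange runs over VQP (VMPS mode) or 802.1x/RADIUS, whereas here it is a plain function call, and the inventory layout, function names and every MAC address, VLAN name, certificate subject and user name below are assumptions made for this example.

```python
"""Model of the LAN access decision: VMPS mode (MAC only) and 802.1x mode
(authenticate first, then assign the VLAN from the MAC).

Added example, not FreeNAC's code. Everything below (inventory layout,
function names, MACs, VLANs, identities) is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed inventory: MAC address -> VLAN the device is authorised for.
INVENTORY = {
    "00:11:22:33:44:55": "staff",
    "00:11:22:33:44:66": "printers",
}
# Constructed identities accepted in 802.1x mode.
TRUSTED_CERT_SUBJECTS = {"CN=laptop-0042.example.invalid"}
DOMAIN_USERS = {"EXAMPLE\\alice"}

# Tracking log: one entry per decision (which device, where, when, outcome).
TRACKING_LOG: list = []


@dataclass
class AccessRequest:
    mac: str
    switch: str
    port: str
    mode: str                            # "vmps" or "dot1x"
    cert_subject: Optional[str] = None   # 802.1x device authentication
    domain_user: Optional[str] = None    # 802.1x user authentication


@dataclass
class Decision:
    allowed: bool
    vlan: Optional[str]
    reason: str


def normalise_mac(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authenticate_dot1x(req: AccessRequest) -> Optional[str]:
    """802.1x step 1: device certificate or domain user. Returns the identity or None."""
    if req.cert_subject in TRUSTED_CERT_SUBJECTS:
        return req.cert_subject
    if req.domain_user in DOMAIN_USERS:
        return req.domain_user
    return None


def decide(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Grant or refuse access and, when granted, name the VLAN for the port."""
    mac = normalise_mac(req.mac)
    identity = None
    if req.mode == "dot1x":
        identity = authenticate_dot1x(req)
        if identity is None:
            return _record(req, mac, Decision(False, None, "802.1x authentication failed"), now)
    elif req.mode != "vmps":
        raise ValueError(f"unknown mode {req.mode!r}")
    # In both modes the VLAN comes from the MAC address; a MAC that is not in
    # the inventory is refused even when 802.1x authentication succeeded.
    vlan = INVENTORY.get(mac)
    if vlan is None:
        return _record(req, mac, Decision(False, None, "MAC address not in inventory"), now)
    reason = "authorised" + (f" (802.1x identity {identity})" if identity else " (MAC only)")
    return _record(req, mac, Decision(True, vlan, reason), now)


def _record(req: AccessRequest, mac: str, decision: Decision, now: Optional[datetime]) -> Decision:
    """Append the decision to the tracking log and hand it back unchanged."""
    TRACKING_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "mac": mac, "switch": req.switch, "port": req.port,
        "mode": req.mode, "allowed": decision.allowed, "vlan": decision.vlan,
    })
    return decision


def seen_on_network(mac: str) -> list:
    """Tracking query: every switch/port this MAC was seen on, with time and outcome."""
    mac = normalise_mac(mac)
    return [e for e in TRACKING_LOG if e["mac"] == mac]


if __name__ == "__main__":
    print(decide(AccessRequest("00-11-22-33-44-55", "sw1", "Gi1/0/1", "vmps")))
    print(decide(AccessRequest("0011.2233.4477", "sw1", "Gi1/0/2", "vmps")))
    print(decide(AccessRequest("00:11:22:33:44:55", "sw1", "Gi1/0/3", "dot1x",
                               domain_user="EXAMPLE\\alice")))
    print(decide(AccessRequest("00:11:22:33:44:55", "sw1", "Gi1/0/3", "dot1x",
                               domain_user="EXAMPLE\\mallory")))
    print(seen_on_network("00:11:22:33:44:55"))
```

The point the model makes explicit is the last step of the 802.1x path: a successful certificate or domain logon does not by itself grant access, the MAC still has to be in the inventory, and every decision, granted or refused, lands in the tracking log so the "where and when" reports can be built from it.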
Does FreeNAC assess the security posture of an end device before allowing LAN access?
- FreeNAC is currently designed to run without a software agent on end devices. Security verification of end devices can therefore only be done by scanning them or by querying a server-side security assessment.
- Concretely, this means that if you use McAfee ePO or Microsoft WSUS, it may be possible to verify the security state of an end device before allowing access.
- FreeNAC is often installed on heterogeneous networks containing not just Windows but many different kinds of client, so ePO/WSUS information is currently used as an indication to help the security administrator, not to exclude end devices from the network.
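The following is an added example, not FreeNAC's own code, showing how server-side posture data can be joined to the live network inventory as an advisory input to a compliance report. It assumes three constructed data sets: the live inventory the switches report (MAC, switch, port), a static inventory mapping MAC to hostname, and per-host records exported from an AV console (ePO-style: date of the last signature update) and a patch server (WSUS-style: count of approved updates not yet installed). Field names, hostnames, thresholds and the shape of the exports are assumptions made for this example; the real ePO and WSUS export formats are not modelled.

```python
"""Server-side posture data as an advisory input to the compliance report.

Added example, not FreeNAC's code. Data sets, field names, hostnames and
thresholds are constructed assumptions for illustration.
"""
from datetime import date, timedelta

LIVE_INVENTORY = [   # constructed: what the switches currently see
    {"mac": "00:11:22:33:44:55", "switch": "sw1", "port": "Gi1/0/1"},
    {"mac": "00:11:22:33:44:66", "switch": "sw1", "port": "Gi1/0/7"},
    {"mac": "00:11:22:33:44:77", "switch": "sw2", "port": "Gi1/0/3"},
    {"mac": "00:11:22:33:44:88", "switch": "sw2", "port": "Gi1/0/4"},
]
STATIC_INVENTORY = { # constructed: MAC -> hostname
    "00:11:22:33:44:55": "laptop-0042",
    "00:11:22:33:44:66": "printer-lobby",
    "00:11:22:33:44:77": "devbox-linux",
    "00:11:22:33:44:88": "desktop-0007",
}
AV_STATUS = {        # constructed ePO-style export: hostname -> last signature update
    "laptop-0042": date(2024, 5, 1),
    "desktop-0007": date(2024, 5, 9),
}
PATCH_STATUS = {     # constructed WSUS-style export: hostname -> approved updates missing
    "laptop-0042": 3,
    "desktop-0007": 0,
}
MAX_DAT_AGE = timedelta(days=7)   # assumed threshold for "signatures too old"
REPORT_DATE = date(2024, 5, 10)   # assumed "today" for the sample run


def assess(hostname: str, today: date):
    """Return (status, findings).

    Hosts unknown to both sources get 'no data', not 'non-compliant': on a
    mixed network that is the printer or the Linux box, not evidence of a
    problem, which is why the result is advisory rather than a block."""
    if hostname not in AV_STATUS and hostname not in PATCH_STATUS:
        return "no data", ["not managed by ePO/WSUS"]
    findings = []
    dat = AV_STATUS.get(hostname)
    if dat is None:
        findings.append("no AV record")
    elif today - dat > MAX_DAT_AGE:
        findings.append(f"AV signatures {(today - dat).days} days old")
    missing = PATCH_STATUS.get(hostname)
    if missing is None:
        findings.append("no patch record")
    elif missing > 0:
        findings.append(f"{missing} approved updates not installed")
    return ("non-compliant" if findings else "compliant"), findings


def compliance_report(today: date) -> list:
    """One row per live device, tying network, device and posture information
    together. The rows are reported to the administrator; they do not feed
    back into the access decision."""
    rows = []
    for entry in LIVE_INVENTORY:
        hostname = STATIC_INVENTORY.get(entry["mac"], "<not in static inventory>")
        status, findings = assess(hostname, today)
        rows.append({**entry, "hostname": hostname, "posture": status, "findings": findings})
    return rows


if __name__ == "__main__":
    for row in compliance_report(REPORT_DATE):
        print(f"{row['hostname']:<16} {row['switch']}/{row['port']:<8} "
              f"{row['posture']:<14} {'; '.join(row['findings'])}")
```

The three-way status matters on a heterogeneous network: a device that ePO and WSUS have never heard of is reported as lacking data rather than as failing, so the administrator sees the gap without non-Windows devices being pushed off the network by a check that cannot apply to them.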