Network Access Control

Network Access Control, or NAC, is used to protect your network from both known and unknown devices. With NAC, a device is scanned to determine its current state of security prior to it being allowed access to your network. Now, NAC can be used for computers that are within your internal network, that are physically located in your buildings and connected to it, or it can be applied to devices that are connected into your network remotely through a VPN. When a device attempts to connect to the network, it's placed into a virtual holding area while it's being scanned. Now, the device here can be checked for a number of different factors, including its antivirus definitions, to make sure they're up to date, the status of its security patching, and other items that might introduce security threats into the network if you allowed it to connect. Now, if a device passes this examination, it's allowed to enter and receive access to all of the organizational resources that are provided by your network.

If the device fails the inspection, though, it's instead placed into a digital quarantine area, and it awaits remediation. While it's in this area, the device can receive its antivirus updates, it can get its operating system patches, and any other security configurations and services it needs. But it can't logically communicate with other portions of the network. That's why it's been placed in quarantine. Like a bad child, the device has been placed in timeout until it can be rehabilitated and meet the requirements of the initial NAC examination. Once it successfully meets those requirements, it's then moved into the network and receives full access, again, to your organizational resources.

Now, NAC solutions can be run using either persistent or non-persistent agents. Persistent agents are a piece of software that's installed on a device that's requesting access to the network. This works well in a corporate environment because the organization owns all the devices and controls their software baselines, but it doesn't work really well if you're using an environment where people bring their own devices. Instead, you might want to use a non-persistent agent for this. A non-persistent agent solution was developed and is very popular on college campuses where people bring their own devices in. These solutions require the users to connect to the network, usually over Wi-Fi, and then they go to a web-based portal for login, and they have to click a link. When they click that link, the link then downloads an agent onto their computer, scans the device for compliance, and deletes itself from the user's machine once it's done.

Network Access Control can be offered as a hardware or a software solution. One of the most commonly used Network Access Control mechanisms is called the IEEE standard 802.1x, and it's used in port-based Network Access Control. Now, most NAC is actually built on top of this 802.1x standard. We're going to discuss the 802.1x standard in more detail in a future lesson, though.
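The posture check and quarantine-then-remediate loop described in this lesson, as an added illustration that is not part of the lesson or any NAC product: a device's posture report is evaluated against the antivirus-definition and patch checks the lesson names (plus an assumed host-firewall check standing in for "other items"), a failing device is quarantined with a remediation list, and a re-check after remediation admits it. The thresholds, field names and sample devices are all constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy thresholds (assumptions, not from the lesson).
MAX_AV_DEFINITION_AGE = timedelta(days=7)  # definitions older than this are stale
TODAY = date(2024, 5, 1)                   # fixed "now" so the example is deterministic


@dataclass
class PostureReport:
    """What an agent reports back after scanning the endpoint."""
    device_id: str
    av_definitions_date: date        # when antivirus definitions were last updated
    missing_critical_patches: int    # security patches not yet installed
    firewall_enabled: bool           # assumed extra check ("other items")


@dataclass
class NacDecision:
    state: str                                # "ALLOW" or "QUARANTINE"
    remediation: list = field(default_factory=list)


def evaluate_posture(report: PostureReport, today: date = TODAY) -> NacDecision:
    """Inspect the device in the holding area; any failed check means quarantine."""
    remediation = []
    if today - report.av_definitions_date > MAX_AV_DEFINITION_AGE:
        remediation.append("update antivirus definitions")
    if report.missing_critical_patches > 0:
        remediation.append(f"install {report.missing_critical_patches} critical OS patch(es)")
    if not report.firewall_enabled:
        remediation.append("enable host firewall")
    return NacDecision("QUARANTINE", remediation) if remediation else NacDecision("ALLOW")


def remediate(report: PostureReport, today: date = TODAY) -> PostureReport:
    """Simulate the quarantine VLAN's update services fixing every failed item."""
    return PostureReport(report.device_id, today, 0, True)


# Constructed sample devices: one compliant, one bring-your-own laptop that is not.
SAMPLE_COMPLIANT = PostureReport("corp-laptop-01", date(2024, 4, 30), 0, True)
SAMPLE_NONCOMPLIANT = PostureReport("byod-laptop-07", date(2024, 3, 1), 2, False)

if __name__ == "__main__":
    for dev in (SAMPLE_COMPLIANT, SAMPLE_NONCOMPLIANT):
        first = evaluate_posture(dev)
        print(dev.device_id, first.state, first.remediation)
        if first.state == "QUARANTINE":
            print("  after remediation:", evaluate_posture(remediate(dev)).state)
```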