2 cissp ® Official Study Guide Eighth Edition

Secure Network Components 
487
necessary for a secure network, but they are all common network devices that may have an 
impact on network security.
Network Access Control
Network Access Control (NAC)
is a concept of controlling access to an environment 
through strict adherence to and implementation of security policy. The goals of NAC are as 
follows:
■
Prevent/reduce zero-day attacks
■
Enforce security policy throughout the network
■
Use identities to perform access control
The goals of NAC can be achieved through the use of strong detailed security policies 
that define all aspects of security control, filtering, prevention, detection, and response for 
every device from client to server and for every internal or external communication. NAC 
acts as an automated detection and response system that can react in real time to stop 
threats as they occur and before they cause damage or a breach.
Originally, 802.1X (which provides port-based NAC) was thought to embody NAC, but 
most supporters believe that 802.1X is only a simple form of NAC or just one component in 
a complete NAC solution.
NAC can be implemented with a preadmission philosophy or a postadmission philoso-
phy, or aspects of both:
The preadmission philosophy requires a system to meet all current security require-
ments (such as patch application and antivirus updates) before it is allowed to commu-
nicate with the network.
The postadmission philosophy allows and denies access based on user activity, which is 
based on a predefined authorization matrix.
Other issues around NAC include client/system agent versus overall network monitoring 
(agent-less); out-of-band versus in-band monitoring; and resolving any remediation, quar-
antine, or captive portal strategies. These and other NAC concerns must be considered and 
evaluated prior to implementation.

Download 19,3 Mb.

Do'stlaringiz bilan baham: