In this lesson, we're going to discuss Network Access Control. Network Access Control, also known as N-A-C or NAC, is a method for increasing the security of a given network by inspecting devices as they try to connect to a network in order to determine if they're secure enough to be granted access to that network. Now, when it comes to NAC, I like to think about it like the passport and customs inspection point that I use when I fly home from another country. When I get up to the counter, the immigration official will ask to see my passport, and then they may ask the reason for my trip and if I have any items to declare based on a set of rules of what is and is not allowed to be brought back into my country. Basically, I am the network device in this example, and I'm trying to join the network, and in my case, I'm trying to reenter the country. Now, if my documentation meets all the requirements because I have a valid passport and an approved visa, and my declarations are acceptable to the customs official, I'm going to be granted access back into the country.
Now, if for any reason my documentation or my declarations are not accepted, I'm going to be placed into a special holding area for additional screening or remediation, such as waiting for somebody from the embassy to come to the airport and help me clear customs in the case of a significant error in my documentation. So NAC is going to work in a very similar fashion, because each device is going to present itself for inspection when it first attempts to connect to the network. This device is logically going to be isolated from the rest of the network and then inspected based on your NAC configurations. This inspection can include the use of port security, MAC filtering, or 802.1X authentication as part of your NAC inspection process, and if your device fails that inspection, it can be placed into a quarantine area, which is a digital holding area where that device will remain until it can update its security posture and pass the inspection to move from the quarantine segment out into the rest of the production network. Now, let's talk about each of these things. First, we have port security.
Now, port security involves securing your physical network ports to prevent unauthorized access to those ports. Port security adds an extra layer of defense by limiting the number of devices that can connect to a network switch or hub. The port security mechanism can be configured to allow only a specific MAC address to access a port, or some set of specified MAC addresses to access those ports, or to provide even more granular control over your network entry points if you need to. This brings us to the second area we need to discuss, which is known as MAC filtering. Now, MAC filtering is going to control access to your network by limiting which devices can gain access to the network based on each device's unique MAC address. By maintaining a list of approved MAC addresses, your network administrators can ensure that only recognized devices can connect to your network infrastructure, such as your switches. Now, this approach is also known as "allowlisting," and it's particularly useful in environments where device consistency is going to be high and unknown devices could pose a significant risk to your security.
Alternatively, many devices allow us to configure MAC filtering by using a blocklist instead. With a blocklist setting, every device is going to be allowed to connect to your network except those devices whose MAC addresses you added to the MAC filtering list. Basically, this is the reverse of allowlisting, and it's considered less secure than allowlisting because you're just blocking people who you know are bad instead of only allowing people who you know are good. Now, with allowlisting, we're only going to allow devices that we specify, and we're going to block everyone else. But with blocklisting, we're only going to block the devices you specify, and we're going to allow everybody else into the network. Now, the third thing we have is what's known as 802.1X authentication. 802.1X authentication provides an authentication framework for networks that ensures only authenticated users can access network services.
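To make the port security and MAC filtering behaviour concrete, here is an added example (editor's code, not part of the lesson) that models one switch port. It enforces a port-security limit on how many MAC addresses may appear on the port and a MAC filter that runs in either allowlist or blocklist mode, so you can see the asymmetry the lesson describes: an allowlist fails closed for an unknown device, a blocklist fails open. The `SwitchPort` class, the `normalize_mac` helper, the "err-disable on violation" behaviour and every MAC address below are constructed for illustration and do not correspond to any particular vendor's implementation.

```python
"""Port security and MAC filtering decision logic (added example).

A small model of a switch port that enforces (a) a port-security limit on
how many MAC addresses may be learned on the port and (b) a MAC filter in
either allowlist or blocklist mode. All MAC addresses used with it are
constructed sample values.
"""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so that 'AA-BB-...' and 'aa:bb:...' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SwitchPort:
    mode: str                    # "allowlist" or "blocklist"
    filter_list: set             # MACs on the filtering list
    max_macs: int = 1            # port-security limit (1 = one device per port)
    learned: set = field(default_factory=set)
    err_disabled: bool = False   # set once a port-security violation occurs

    def __post_init__(self):
        if self.mode not in ("allowlist", "blocklist"):
            raise ValueError("mode must be 'allowlist' or 'blocklist'")
        self.filter_list = {normalize_mac(m) for m in self.filter_list}

    def connect(self, mac: str) -> str:
        """Return 'allow', 'deny', or 'violation' for a frame seen from `mac`."""
        if self.err_disabled:
            return "violation"            # port stays shut until an admin clears it
        mac = normalize_mac(mac)
        # MAC filtering runs first. Allowlist: unknown -> deny. Blocklist: listed -> deny.
        if self.mode == "allowlist" and mac not in self.filter_list:
            return "deny"
        if self.mode == "blocklist" and mac in self.filter_list:
            return "deny"
        # Port security: a new MAC beyond the limit is a violation that
        # err-disables the port (modelled on a 'shutdown' violation action).
        if mac not in self.learned and len(self.learned) >= self.max_macs:
            self.err_disabled = True
            return "violation"
        self.learned.add(mac)
        return "allow"


if __name__ == "__main__":
    # Constructed demo: the same two unknown devices against each mode.
    approved = {"00:11:22:33:44:55"}
    for mode in ("allowlist", "blocklist"):
        port = SwitchPort(mode=mode, filter_list=approved, max_macs=1)
        print(mode, [port.connect(m) for m in ("00:11:22:33:44:66", "00:11:22:33:44:77")])
```

Running the demo shows the blocklist port admitting the first unknown device and only stopping the second one through the port-security limit, while the allowlist port denies both. Either way, the filter keys on an address the device itself presents, which is why the lesson moves on to 802.1X as the stronger control.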
This protocol works by encapsulating the Extensible Authentication Protocol, also known as EAP, within your network's frames to enable more robust authentication mechanisms like the use of usernames and passwords, smart cards, or digital certificates. The 802.1X authentication process typically involves three components: the supplicant, the authenticator, and the authentication server. The supplicant is a user device that's seeking to access your network. The authenticator is the network device that the user wants to connect to, like your switches or a wireless access point. And the authentication server is a server on the network that's going to authenticate your user device's username, password, smart card, or digital certificate to validate that it is authorized to connect to your network. Most commonly, we're going to do this using a RADIUS server, which is a Remote Authentication Dial-In User Service server, as the authentication server.
Now, whenever a device attempts to connect to the network, the authenticator is going to act like a gatekeeper and block all traffic except the 802.1X authentication traffic that's being sent by the user's device. Upon successful authentication, that server is going to instruct the authenticator to open the virtual gate in order to allow the user's device to begin sending normal data traffic to and through that network. This method is going to strengthen your network security by ensuring that only authenticated devices can access the network, and it provides a scalable solution that can be integrated into modern and diverse network infrastructures. Now that we've covered the basics of NAC, let's take a look at how it can be implemented inside of your own networks. Now, let's pretend that you work for an organization that allows its employees to either use the company-provided desktop in their office, or bring their own smartphones and laptops to the office and connect those personal devices to the organization's network to perform their work functions.
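The three-party 802.1X exchange just described, as an added example that is not part of the lesson: three small classes stand in for the supplicant, the authenticator (a switch port that starts in the unauthorized state and forwards only EAPOL frames), and a RADIUS-like authentication server that answers Access-Accept or Access-Reject. The frames are plain dictionaries, the user database is constructed sample data, and the whole EAP method exchange (which in practice would be EAP-TLS, PEAP or similar, with a challenge/response or TLS handshake) is collapsed into one request so the port-state change stays visible.

```python
"""802.1X port-based access control, modelled end to end (added example).

Not a real RADIUS or EAP implementation: the credential store, the frame
format and the user entries below are constructed for illustration.
"""
import hashlib
import hmac


class AuthenticationServer:
    """RADIUS-like server: validates the EAP identity and answers Accept/Reject."""

    def __init__(self, users: dict):
        # Keep only salted hashes of the secrets, never the plaintext.
        self._db = {u: self._hash(p) for u, p in users.items()}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(b"constructed-salt:" + secret.encode()).hexdigest()

    def access_request(self, identity: str, secret: str) -> str:
        expected = self._db.get(identity)
        if expected is not None and hmac.compare_digest(expected, self._hash(secret)):
            return "Access-Accept"
        return "Access-Reject"


class Authenticator:
    """A switch port. Starts 'unauthorized' and relays only EAPOL traffic."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_state = "unauthorized"
        self.log = []

    def receive(self, frame: dict) -> str:
        if frame["type"] == "EAPOL":
            # Relay the EAP exchange to the authentication server (RADIUS hop).
            verdict = self.server.access_request(frame["identity"], frame["secret"])
            if verdict == "Access-Accept":
                self.port_state = "authorized"   # the server opens the 'virtual gate'
            self.log.append(f"EAPOL from {frame['identity']}: {verdict}")
            return verdict
        # Any non-EAPOL frame is dropped until the port is authorized.
        if self.port_state == "authorized":
            return "forwarded"
        self.log.append(f"dropped {frame['type']} frame: port unauthorized")
        return "dropped"


class Supplicant:
    """The user device: it can start EAPOL or send ordinary data."""

    def __init__(self, identity: str, secret: str):
        self.identity, self.secret = identity, secret

    def eapol_start(self) -> dict:
        return {"type": "EAPOL", "identity": self.identity, "secret": self.secret}

    def data(self) -> dict:
        return {"type": "DATA", "payload": "GET /intranet"}


def run_exchange(identity: str, secret: str) -> list:
    """Drive one supplicant through a fresh port and return the three outcomes:
    data before authentication, the server's verdict, data after authentication."""
    server = AuthenticationServer({"alice": "correct horse"})   # constructed user
    port = Authenticator(server)
    sup = Supplicant(identity, secret)
    outcomes = [port.receive(sup.data())]         # gate closed: dropped
    outcomes.append(port.receive(sup.eapol_start()))
    outcomes.append(port.receive(sup.data()))     # forwarded only after Accept
    return outcomes


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse"))   # ['dropped', 'Access-Accept', 'forwarded']
    print(run_exchange("alice", "wrong secret"))    # ['dropped', 'Access-Reject', 'dropped']
```

The point to notice is that the authenticator never makes the decision itself; it only changes the port state when the authentication server says so, which is what makes the design scale across many switches and access points that all point at the same server.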
Now, if a user's going to use a personally owned device, they're going to have to follow the organization's "bring your own device" policy, because this will tell users what security requirements must be met in order for their devices to be allowed onto the organization's network. The organization may decide to use a combination of port security, MAC filtering, and 802.1X to ensure that each device meets its strict security requirements before it can access the organization's larger network after it's been inspected using network access control. In order to check each device that connects to the network, we're either going to use a persistent or a non-persistent agent. For the company-provided computers, we're usually going to install persistent agents on these devices because these persistent agents can continuously monitor and enforce compliance with our organization's security policies, and we own those devices, after all, so we can install whatever software we want, like a persistent agent, on them.
For the user's personally owned devices, though, we often aren't allowed to install software on those devices for legal reasons, so instead we're going to opt to use a non-persistent agent. Now, a non-persistent agent allows users to connect to the network, such as a Wi-Fi network, and then access a captive portal. Once you're at the captive portal, it's going to ask the user to run a temporary agent that assesses the device's compliance, and then it removes itself after the compliance scan is completed. So when a device is connected to the network, the persistent or non-persistent agent is first going to check if the MAC address of that device is on the approved list, and then it will verify the device's identity using the 802.1X protocol. If either of those two checks fails, that device will either be denied access to the network or be placed into a special quarantine zone for further remediation. Our network access control systems can be tailored for specific requirements as well, such as time-based, location-based, role-based, or rule-based access controls.
This type of flexibility allows organizations to create a more dynamic and robust security environment. Time-based access control in NAC is used to limit a device's network access to specified hours based on the organization's operational schedule. This is particularly effective in environments with predictable working hours, like a business that operates daily from nine to five. For example, if somebody's trying to log in and access the network at 2:00 AM, which is clearly a time outside of the regular 9:00 AM to 5:00 PM business hours, this access request will automatically be denied in order to reduce the risk of unauthorized access during this more vulnerable off-hours time period. Now, if you're using time-based access controls, I want you to remember that flexibility has to be kept in place if you're operating with a global, diverse workforce that has employees spread out across different time zones, or if you have a lot of employees who travel a lot for work.
In these cases, time-based controls should be configured to adapt to various regional working hours, so that secure and uninterrupted access for legitimate users across the globe is maintained even while providing additional off-hour restrictions to increase your overall security. Location-based access control is another one we have to think about, and these are used to enhance network security by utilizing geolocation technologies to verify the physical location of the device that's requesting access to your network. This method is particularly useful in preventing unauthorized access from unexpected locations. For example, if an employee is assigned to work normally out of New York and they try to log in from a distant location like London or Paris, the system can be configured to flag this as a potential security risk or to simply block that access completely. This approach is invaluable in identifying any compromised credentials that may be used from an unfamiliar location.
For example, if you're configuring a network that's used by a local doctor's office, it should probably be configured so it only allows requests from within that city, that state, or maybe even that country, but anything else would be flagged or denied, such as if they're trying to access the network from someplace like England or France instead of from their local doctor's office, which might be located in Florida, for example. Now, if you're going to set up location-based access controls, you have to make sure you consider how legitimate remote access is going to be provided to your users, especially users like salespeople or consultants who tend to travel and work remotely a lot of the time. Now, role-based access control in NAC is going to be another way that we can provide dynamic methods of regulating access, but this time it's based on the user's role within the organization. This role-based system is designed to grant permissions according to the specific needs and responsibilities associated with each job role.
For example, a network administrator may have broad access to various network segments and resources, while an employee working in the marketing department may only need access to a few portions of the network that are considered more pertinent to their specific job functions. This ensures that users have the necessary access to perform their duties effectively while minimizing the risk of unauthorized or inappropriate access to the more sensitive areas of the network. Role-based access control is really powerful, and it's a way for us to enforce the principle of least privilege, because our users are granted only the access they need for their specific roles. Rule-based access control, on the other hand, is going to operate using a set of predefined rules to methodically grant or deny access by assessing logical conditions and statements based on the specific user's identity and context. This rule-based access control mechanism can be as simple or as complex as you want, with rules like: "Allow access to financial records only for users in the finance department," which makes a lot of sense.
Or: "Deny internet access for devices in the production area." Both of these are things you can configure using rule-based access. Another example of rule-based access control is one in which the organization requires that any device that connects to their network has to have a certain type of antivirus installed on it, has a certain level of security patches installed, and other things like that. When rules like this are configured, the devices can be scanned for compliance when they first attempt to connect to your organization's network by using either a persistent or non-persistent agent. By applying rules like these, organizations can create a tailored access environment that responds to various scenarios and ensures that our network resources are being used appropriately and securely by our users. This approach is quite effective in large and diverse organizations where access needs will vary greatly across different departments and user groups.
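The agent-driven checks from the BYOD walkthrough and the four tailored controls just covered (time-based, location-based, role-based, and rule-based posture rules such as "approved antivirus installed, patches at a minimum level") combine naturally into one admission decision. The following is an added example, written by the editor and not part of the lesson, of such a decision function: it takes what a persistent or non-persistent agent would report about a device and returns allow, quarantine, or deny along with the reasons. The policy table, user names, regions, VLAN names, the antivirus product name, and the patch-level baseline are all constructed placeholders; the time check uses a fixed UTC offset per user so it runs without a time-zone database, where a real deployment would use named zones.

```python
"""NAC admission decision: posture plus time, location, role and rule checks.

Added example with a constructed policy. Context failures (unknown user,
off-hours, unexpected location) are denied outright; posture failures
send the device to a quarantine segment for remediation, as in the lesson.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"

# Constructed policy: who may connect from where, when, and onto which segment.
POLICY = {
    "working_hours": (9, 17),   # 9:00-17:00 in the user's own local time
    "home_regions": {"alice": {"US-NY", "US-FL"}, "bob": {"GB-LND"}},
    "roles": {"alice": "finance", "bob": "marketing", "carol": "netadmin"},
    "role_vlan": {"finance": "vlan-finance", "marketing": "vlan-corp",
                  "netadmin": "vlan-mgmt"},
    "required_av": {"ExampleAV"},   # placeholder product name
    "min_patch_level": 202405,      # constructed YYYYMM baseline
}


@dataclass
class AgentReport:
    """What the (persistent or non-persistent) agent reports at connect time."""
    user: str
    region: str           # geolocation result, e.g. "US-NY"
    tz_offset: int        # user's working time zone as hours from UTC
    when: datetime        # timezone-aware timestamp of the request
    av_product: str
    patch_level: int


def evaluate(r: AgentReport, policy: dict = POLICY) -> tuple:
    """Return (decision, segment_or_None, reasons)."""
    reasons = []
    # Identity/role: a user the organization does not know is denied.
    role = policy["roles"].get(r.user)
    if role is None:
        return DENY, None, ["unknown user"]
    # Time-based: evaluate in the user's own zone so a global workforce is
    # not locked out by the head office's clock.
    local = r.when.astimezone(timezone(timedelta(hours=r.tz_offset)))
    start, end = policy["working_hours"]
    if not (start <= local.hour < end):
        reasons.append(f"outside working hours ({local:%H:%M} local)")
    # Location-based: the request must come from one of the user's home regions.
    if r.region not in policy["home_regions"].get(r.user, set()):
        reasons.append(f"unexpected location {r.region}")
    if reasons:
        return DENY, None, reasons
    # Rule-based posture: a non-compliant device is quarantined, not rejected,
    # so it can remediate and present itself again.
    if r.av_product not in policy["required_av"]:
        reasons.append("approved antivirus not installed")
    if r.patch_level < policy["min_patch_level"]:
        reasons.append(f"patch level {r.patch_level} below baseline")
    if reasons:
        return QUARANTINE, "vlan-quarantine", reasons
    # Role-based: a compliant device lands on the segment its role needs.
    return ALLOW, policy["role_vlan"][role], ["compliant"]


if __name__ == "__main__":
    # Constructed sample reports: 14:00 UTC is 10:00 in New York (UTC-4 in June).
    noon_utc = datetime(2024, 6, 3, 14, 0, tzinfo=timezone.utc)
    print(evaluate(AgentReport("alice", "US-NY", -4, noon_utc, "ExampleAV", 202406)))
    print(evaluate(AgentReport("bob", "GB-LND", 1, noon_utc, "OtherAV", 202406)))
    print(evaluate(AgentReport("alice", "GB-LND", -4, noon_utc, "ExampleAV", 202406)))
```

Ordering matters here: identity and context are checked before posture, because there is no point quarantining a device whose user should not be on the network at all, and quarantine is reserved for devices that belong but need remediation.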
This allows for more nuanced control over who accesses what and under what circumstances, because we can create any rules that we might need based on our organization's use case and requirements. So remember, network access control is a method for increasing the security of a given network by inspecting devices as they try to connect to the network in order to determine if they're secure enough to be granted access. NAC, or network access control, will allow us to control access based on the device's health, user identity, and compliance with our organizational security policies. NAC is not just about denying unauthorized access, though; it's about ensuring that every device and every user that connects to your network has been verified, is compliant, and is secure. This proactive stance on network security is really indispensable in an era where threats are ever-evolving and rapidly increasing in sophistication.