Network architecture for Network Access Control
Role of the network's architecture in securing access
The basis for a correct implementation of a NAC-type system is a suitable network architecture. Network segmentation at Layer 3 (L3) is particularly important. The sub-networks that make up the network (and the corresponding VLANs at the L2 layer) should be limited to resources that are related to each other or perform a similar function, or to users who perform similar work or need access to the same resources. As a general rule, traffic filtering should take place as close as possible to the source of the traffic, not only on the links between networks. Users and end devices should be granted access only to the parts of the network (network resources) they require. The detailed partitioning depends on the specifics and requirements of the particular environment, but a model network architecture could look like this:
Separate VLANs for employees (divided into sections, departments, floors - the division depends on the company structure).
Separate VLANs for employees' computers (as above).
Separate VLANs for so-called VIP employees (management, production manager, persons with access to sensitive data).
Separate VLANs for IT administration.
Separate VLANs for employees - WiFi (as above).
Separate VLANs for network resources - network drives, print servers, IP telephony.
Separate VLANs for managing network devices, WiFi and servers.
A separate DMZ network for resources shared with the Internet.
Redundant connections and elimination of single points of failure through, for example, a 3-tier or collapsed-core architecture.
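To make the segmentation rules above concrete, here is an added example (not part of the original documentation or of NV itself) that models a VLAN plan as address prefixes, derives a per-segment ingress ACL that filters at the source segment's gateway, and checks which segments a host can reach. The segment names, prefixes and access policy are constructed assumptions for illustration only.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the VLAN plan above; prefixes and names are assumptions.
SEGMENTS = {
    "employees": ip_network("10.10.0.0/24"),
    "vip":       ip_network("10.20.0.0/24"),
    "it_admin":  ip_network("10.30.0.0/24"),
    "resources": ip_network("10.40.0.0/24"),  # network drives, print, IP telephony
    "mgmt":      ip_network("10.50.0.0/24"),  # management of switches, WiFi, servers
    "dmz":       ip_network("10.60.0.0/24"),
}

# Which destination segments each source segment actually needs; everything
# else is denied (least privilege per segment). Assumed policy, not a standard.
POLICY = {
    "employees": {"resources", "dmz"},
    "vip":       {"resources", "dmz"},
    "it_admin":  {"employees", "vip", "resources", "mgmt", "dmz"},
    "resources": set(),
    "mgmt":      set(),
    "dmz":       set(),
}

def ingress_acl(source):
    """Rules applied inbound on the source VLAN's L3 gateway, i.e. as close to the source as possible."""
    rules = [("permit", SEGMENTS[source], SEGMENTS[d]) for d in sorted(POLICY[source])]
    rules.append(("deny", SEGMENTS[source], ip_network("0.0.0.0/0")))  # implicit deny made explicit
    return rules

def segment_of(ip):
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def is_allowed(src_ip, dst_ip):
    """Evaluate a flow against the ingress ACL of its source segment."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    seg = segment_of(src)
    if seg is None:
        return False                      # unknown source: nothing permits it
    if dst in SEGMENTS[seg]:
        return True                       # same VLAN: switched at L2, never hits the L3 ACL
    for action, s, d in ingress_acl(seg):
        if src in s and dst in d:
            return action == "permit"     # first match wins, as on a real ACL
    return False

def reachable_segments(source):
    """Other segments a representative host in `source` can reach."""
    host = str(SEGMENTS[source][1])
    return {d for d in SEGMENTS if d != source and is_allowed(host, str(SEGMENTS[d][1]))}
```

Running `reachable_segments` for every segment gives a quick audit that no user VLAN can reach the management VLAN and that resource, management and DMZ segments do not initiate traffic into user segments.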
A particularly important aspect of a proper network architecture is planning ahead and implementing the right solutions in accordance with generally accepted good practices and standards. This lets you devote more effort and resources to supervising and developing the network rather than troubleshooting it, avoids having to rebuild the network (logically or physically) later, and makes new systems faster to deploy. Implementing NV cannot be seen as the operation that creates a secure environment on its own. NV has to be introduced into a properly designed network, where it becomes the key that opens access to a predefined, secure network segment.
Therefore, having a properly designed network is very important from NV's (the NAC system's) point of view.