Frequently asked questions

Find clear, straightforward information on EasyNAC

What is Network Access Control (NAC)?

Network Access Control (NAC) is a security solution that manages and enforces policies for devices connecting to your network. It helps prevent unauthorized access and ensures only approved users and devices can connect. It's an important solution for adopting Zero Trust principles.

What is EasyNAC?

EasyNAC is a Network Access Control solution specifically designed to be simple and easy to deploy, while providing stronger security than traditional NAC solutions. EasyNAC provides visibility and Zero Trust access control over all devices on the LAN and wireless network. It enhances security by preventing unknown devices from joining the network, enforcing baseline security, ensuring BYOD devices are properly registered, and managing guest accounts. EasyNAC also integrates with firewalls, EDR, XDR, and other security solutions so it can quickly quarantine suspicious or infected devices.

What makes EasyNAC unique?

Network Access Control has a reputation of being difficult, time-consuming, and expensive to implement. EasyNAC is different: it is an agentless NAC solution that is simple and secure, without requiring changes to the network. It works with both managed and unmanaged networking equipment. No switch, endpoint, or spanning port configuration is required. At the same time, EasyNAC provides granular access control, complete network visibility, and options to extend protection to remote sites, making it the simplest NAC solution for centralized or distributed organizations.

What are EasyNAC's key benefits?

EasyNAC provides strong, practical Zero Trust security features designed to protect networks of all sizes. By enforcing strict access controls and continually verifying every device and user, it helps organisations reduce risk and maintain a secure, well-governed environment. Here are the key benefits it brings to your network:

·       Real-time Visibility of all network devices

·       Restricts untrusted devices from joining the network (LAN, WLAN, and VPN)

·       Prevents the lateral spread of malware

·       Protects against MAC spoofing

·       Detects Hacking Activity (Deception feature)

·       Provides Guest and BYOD registration

·       Limits BYOD / consultant devices to approved resources

·       Validates managed devices are joined to the domain

·       Validates Anti-Virus is enabled and managed

·       Validates patch management is enabled and managed

·       Optional agent for in-depth and continuous host integrity checks

·       Provides Automated Response features to quickly restrict high-risk devices

What are the key features of EasyNAC?

The EasyNAC solution provides the following features:

Agentless Visibility

EasyNAC lets you see devices that join your network without the use of agents. Visibility is immediate, and any untrusted device can be restricted immediately if desired. Devices are both passively and actively profiled to determine the operating system and type of device.

Easy to Implement Enforcement

EasyNAC uses ARP enforcement with DNS and HTTP redirection to control which devices can access the network. ARP enforcement is an out-of-band enforcement method that doesn’t require network changes. It works with any network infrastructure, both managed and unmanaged switches. For Remote Access VPN protection, Inline enforcement can be used.

Simple LAN \ WLAN Protection

It is easy to control which devices are allowed to access the network. Untrusted devices, rogue infrastructure, and non-compliant devices that join the network are immediately detected and automatically restricted in real time. Devices can be granted access with simple ON \ OFF controls, or Auto Trust policies can be set to grant access automatically.

Automated Auto Trust

EasyNAC regularly checks with your Active Directory server and other endpoint security solutions to verify which devices are trusted. Devices that are confirmed as domain-joined or trusted are automatically granted full access to the network. Devices that are not domain-joined or managed by the organization can be manually tagged as approved. In addition, device profiling can be used to automate the process of tagging approved devices.

Anti-Spoofing Protection

EasyNAC provides a fingerprint feature to protect against MAC address spoofing.  All devices on the network are profiled for their MAC address, IP type, Operating System, hostname, switch port, and other attributes. This information can then be used to set a unique fingerprint for each device.  Once a fingerprint has been set, the device(s) will be protected from spoofing.

Enforce Anti-Virus and Security Policies

EasyNAC integrates with enterprise Anti-Virus vendors, XDR vendors, and leading endpoint management solutions, to verify endpoint security is active and up to date. By integrating with leading security solutions, EasyNAC can enforce compliance with security policies. Devices out-of-compliance can be restricted at the point of network access.

Automated Threat Response

Security appliances that are designed to monitor devices and network traffic can send event-based alerts for administrative action. EasyNAC can receive e-mail alerts or event-based syslog messages from firewalls, XDR, IPS, SIEM, and many other types of security devices and then take immediate action when necessary. If EasyNAC receives an alert that a device has malware, the appliance can restrict it immediately.

Malware Lateral Spread Protection – Zero-day Protection

EasyNAC's unique layer-2 visibility of the network allows for the immediate detection of suspicious behavior, such as devices making excessive connection attempts to endpoints on the same network segment. This real-time detection provides immediate protection against zero-day malware propagating on the network.

Deception – Hacking Detection

With its layer-2 protection, the EasyNAC solution hosts fake services such as SSH, Telnet, FTP, etc. on every VLAN or subnet it protects, creating a distributed honeypot. These fake services serve no real business purpose, so if any person or bot tries to log in to them, it is a strong indicator of hacking activity. With virtual honeypots on every VLAN, it provides early detection of hacking activity before attackers reach the core of the network.

BYOD Registration

EasyNAC provides a self-registration portal to automate the BYOD registration process. Policies can be set, by groups, to limit the number and type of BYOD devices. It improves security by tracking device ownership, restricting the locations, and assigning least privilege access policies.

Guest Access

EasyNAC lets sponsors register guest accounts or authorize guests to create their own accounts via the captive portal. Sponsors can authorize individual registrations or register groups for classes or meetings with configurable expiration times.

Role-based Access Control

EasyNAC enhances security by limiting devices to only the resources required. Guests can be limited to internet only access. BYOD and consultant devices can be limited to specific resources for least privilege access control.

Does EasyNAC provide behavior-based Zero-day protection?

During normal operation, EasyNAC appliances listen to broadcast traffic on the end-user segments. With this layer-2 visibility, EasyNAC is in a unique position to detect devices making unusual connection attempts to other devices within the same segment. If an end-user device suddenly attempts to connect to an excessive number of devices on the same subnet, or tries to connect to dark IPs (IPs not active on the network), this is very suspicious behavior. It is indicative of a network scan being performed, or of malware performing reconnaissance to find other devices it could spread to. EasyNAC can detect this behavior and immediately quarantine the device so it cannot spread malware laterally on the network.
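As an added illustration of the heuristic described above (example code written for this page, not EasyNAC's own implementation), the following Python models a segment-local detector fed with constructed ARP who-has records: the window length, thresholds, record layout and sample addresses are all assumptions.

```python
# Added example of the heuristic the FAQ describes: one host on a segment
# contacting an excessive number of neighbours, or "dark" IPs nobody is
# using. Record layout, window, thresholds and sample data are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class ArpRequest:
    ts: float        # seconds since epoch, as captured on the segment
    src_mac: str     # sender hardware address
    target_ip: str   # "who-has" target the sender wants to reach


class LateralScanDetector:
    """Sliding-window count of distinct ARP targets per source MAC."""

    def __init__(self, subnet: str, active_ips, window_s: float = 60.0,
                 max_targets: int = 20, max_dark: int = 5) -> None:
        self.subnet = ip_network(subnet)
        self.active = {ip_address(ip) for ip in active_ips}  # known live hosts
        self.window_s = window_s
        self.max_targets = max_targets   # distinct neighbours before alerting
        self.max_dark = max_dark         # distinct inactive IPs before alerting
        self._seen = defaultdict(deque)  # src_mac -> deque[(ts, target_ip)]

    def observe(self, req: ArpRequest) -> Optional[str]:
        """Feed one request; return a verdict label, or None if benign."""
        target = ip_address(req.target_ip)
        if target not in self.subnet:
            return None  # only same-segment (layer-2) behaviour is of interest
        q = self._seen[req.src_mac]
        q.append((req.ts, target))
        while q and q[0][0] < req.ts - self.window_s:
            q.popleft()  # expire entries that fell outside the window
        targets = {t for _, t in q}
        dark = {t for t in targets if t not in self.active}
        if len(dark) >= self.max_dark:
            return "dark-ip-sweep"      # probing addresses nobody answers on
        if len(targets) >= self.max_targets:
            return "excessive-targets"  # fanning out across the segment
        return None


def run_sample() -> Dict[str, str]:
    """Replay constructed traffic (one normal workstation, one scanning host)
    and return the first verdict raised per source MAC."""
    det = LateralScanDetector("10.0.1.0/24", max_dark=5,
                              active_ips=["10.0.1.1", "10.0.1.10",
                                          "10.0.1.20", "10.0.1.99"])
    records = []
    # Workstation ...:20 talks only to the gateway and the file server.
    for i in range(6):
        records.append(ArpRequest(100.0 + i * 10, "aa:bb:cc:00:00:20",
                                  "10.0.1.1" if i % 2 else "10.0.1.10"))
    # Host ...:99 walks 10.0.1.1 .. 10.0.1.30 in three seconds; most of
    # those addresses are not active, so the dark-IP rule fires first.
    for i in range(1, 31):
        records.append(ArpRequest(150.0 + i * 0.1, "aa:bb:cc:00:00:99",
                                  f"10.0.1.{i}"))
    verdicts: Dict[str, str] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        label = det.observe(rec)
        if label:
            verdicts.setdefault(rec.src_mac, label)  # keep the first trigger
    return verdicts
```

Calling run_sample() replays the constructed traffic; the workstation never trips a rule, while the sweeping host is flagged as a dark-IP sweep on its sixth request, before the distinct-target count is reached.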

How does EasyNAC compare to other NAC solutions?

EasyNAC is a third-generation NAC solution designed to be simple to deploy while providing stronger security. Competitive NAC solutions are significantly more complex to set up and manage, especially when enabling quarantine functionality.

EasyNAC provides immediate visibility and control, without network changes or agents. ARP enforcement is easier to implement and provides stronger and more granular enforcement. With ARP enforcement, infected devices on the LAN will not be able to communicate with other workstations on the same VLAN, and thus will not be able to spread the infection. A wealth of other security features means EasyNAC is not only simple but also offers stronger security.

How does EasyNAC enforce security?

EasyNAC uses ARP enforcement to provide network access control functionality without requiring any changes to the existing network infrastructure. Address Resolution Protocol (ARP) is a basic and well-understood TCP/IP standard. EasyNAC leverages ARP in a way that does not interfere with other authorized devices on the network.

It works with any network infrastructure, both managed and unmanaged switches.

How does ARP enforcement work?

·      Detection and Initial ARP Reply: When an unauthorized device is detected, the EasyNAC appliance will automatically and regularly send out ARP REPLY packets to update the ARP table of the unauthorized device whenever it attempts to communicate. This process ensures that any device the rogue device tries to communicate with will also have its ARP table updated to prevent communication with the rogue device.

·      Traffic Diversion: As a result of these ARP REPLY packets, traffic to and from the unauthorized device is diverted through the EasyNAC appliance. This immediate action restricts the network access of the untrusted device. An Access Control List (ACL) can be configured so the appliance will only forward packets permitted by the assigned ACL.

·      Directed ARP REPLY: EasyNAC uses directed ARP REPLY packets rather than ARP BROADCAST. This approach ensures that only unauthorized endpoints are redirected via ARP without introducing unnecessary traffic to the network. Authorized endpoints continue to use the network without experiencing any slowness or delay in network performance.

·      Static ARP Entries: Unauthorized endpoints cannot bypass this enforcement mechanism using static ARP entries. EasyNAC will still monitor the attempted communication and send ARP updates to the devices the rogue endpoint tries to reach.

How does EasyNAC detect and track devices?

EasyNAC has layer-2 visibility on the subnets that it protects and will detect new devices immediately. When devices join a network, they typically send DHCP and ARP requests to initiate communications. EasyNAC will see these broadcast messages and will quarantine the device immediately. Devices are tracked and profiled by MAC addresses, with known trusted devices being provided access to the network.

Does EasyNAC support IPv6?

Yes, IPv6 is supported. EasyNAC is compatible with endpoints running dual-stack IPv4 and IPv6. IPv4 is required for management and most key features. EasyNAC is not recommended for IPv6-only environments.

What device profiling techniques does EasyNAC use?

EasyNAC has layer-2 visibility on the networks that it protects, and automatically profiles devices using both passive and proactive profiling methods. Passive methods include listening to ARP requests, DHCP requests, and the captive portal. Proactive methods include NMAP scanning, SNMP, SMB NetBIOS scans, LLTD, PoF, UPnP, WMI scans, AD integration, optional agents, and integration with third-party endpoint solutions.

Can EasyNAC protect against MAC spoofing?

EasyNAC uses MAC-based authentication, so MAC address spoofing can be a concern. EasyNAC provides a fingerprint feature to protect against MAC address spoofing. All devices on the network are profiled for their MAC address, IP address type, operating system, hostname, open ports, and other information. This information can then be used to set a unique fingerprint for the device. Once a fingerprint has been set, the device(s) will be protected from spoofing. For example, a printer's fingerprint can include its hostname and "printer" as its OS type. If a Windows, Apple, Android, or Linux device tries to spoof that MAC address, the spoof would be detected, and the device can be restricted.
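The printer scenario above, as an added Python example that is not EasyNAC's code: a fingerprint locks a chosen subset of profiled attributes to a MAC, and a later observation of that MAC is checked against it. The attribute names, the matching rules (case-insensitive names, locked ports must remain open) and the sample devices are assumptions.

```python
# Added example of the fingerprint check the FAQ describes: attributes
# learned by profiling are locked to a MAC, and a later observation for that
# MAC is compared against them. Field names, rules and devices are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Profile:
    """What profiling observed for one device at one point in time."""
    mac: str
    ip_type: str                 # e.g. "dhcp" or "static"
    os_type: str                 # profiled operating system / device class
    hostname: str
    open_ports: FrozenSet[int]   # ports seen open during active profiling


@dataclass
class Fingerprint:
    """Attributes an administrator chose to lock for one MAC address."""
    mac: str
    ip_type: Optional[str] = None
    os_type: Optional[str] = None
    hostname: Optional[str] = None
    required_ports: FrozenSet[int] = frozenset()


def check_fingerprint(fp: Fingerprint, seen: Profile) -> List[str]:
    """Return the fingerprint fields the observed profile violates;
    an empty list means the device still matches its fingerprint."""
    if seen.mac.lower() != fp.mac.lower():
        raise ValueError("profile does not belong to this fingerprint")
    mismatches: List[str] = []
    if fp.ip_type is not None and seen.ip_type != fp.ip_type:
        mismatches.append("ip_type")
    if fp.os_type is not None and seen.os_type.lower() != fp.os_type.lower():
        mismatches.append("os_type")
    if fp.hostname is not None and seen.hostname.lower() != fp.hostname.lower():
        mismatches.append("hostname")
    # Locked ports must still be open; extra ports are tolerated here (an
    # assumption), since services are added more often than removed.
    if not fp.required_ports <= seen.open_ports:
        mismatches.append("open_ports")
    return mismatches


def decide_access(fp: Fingerprint, seen: Profile) -> str:
    """Map the check onto the FAQ's outcome: keep access or restrict."""
    return "restrict" if check_fingerprint(fp, seen) else "allow"


# Constructed sample: a lobby printer fingerprinted by OS type, hostname and
# its print-service ports (9100 raw, 631 IPP).
PRINTER_FP = Fingerprint(mac="00:11:22:33:44:55", os_type="Printer",
                         hostname="PRN-LOBBY-01",
                         required_ports=frozenset({9100, 631}))
GENUINE_PRINTER = Profile("00:11:22:33:44:55", "dhcp", "Printer",
                          "PRN-LOBBY-01", frozenset({9100, 631, 80}))
# The same MAC later presenting as a Windows host with SMB ports open.
SPOOFED_LAPTOP = Profile("00:11:22:33:44:55", "dhcp", "Windows",
                         "DESKTOP-7Q2K", frozenset({135, 139, 445}))
```

decide_access(PRINTER_FP, GENUINE_PRINTER) returns "allow" (the extra port 80 is tolerated), while decide_access(PRINTER_FP, SPOOFED_LAPTOP) returns "restrict" because the OS type, hostname and locked ports all disagree.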

How do I size a deployment?

EasyNAC can protect the entire network or only specific subnets. If the requirement is to protect only the end-user segments on the LAN, then the license should be large enough to cover all the devices that are expected to be seen on these end-user segments. This may include end-user devices, printers, switches, etc. The license should be sufficient to cover every subnet that EasyNAC will be configured to protect. Licenses are not required for subnets that will not be monitored. For example, if VoIP or server segments will not be monitored, then it is not necessary for the license to cover these segments.

How does EasyNAC check endpoint security compliance?

EasyNAC integrates with cloud or on-premises enterprise AV servers to check the status of the endpoints. EasyNAC supports integration with enterprise AV, XDR, and endpoint management vendors. By leveraging the integration at the management server, EasyNAC can enforce compliance with security policies without the use of agents. Devices out of compliance can be restricted, and administrators alerted.

What endpoint security solutions can EasyNAC integrate with?

EasyNAC version 3.2 integrates with the following endpoint solutions:

Bitdefender

Carbon Black Endpoint Standard

CrowdStrike Falcon

Cybereason

Elastic Open XDR

ESET Antivirus

FireEye HX

HCL BigFix

Ivanti Security Controls

Kaseya VSA

Kaspersky Antivirus Integration

ManageEngine Desktop Central

ManageEngine Patch Manager

Microsoft Active Directory \ Entra ID

Microsoft Defender

Microsoft Intune

Microsoft SCCM \ WSUS

Moscii StarCat

OKTA Verify

Palo Alto Cortex XDR

SentinelOne

SolarWinds Observability

Sophos Central

Symantec Endpoint Protection Manager

Tenable Vulnerability Management

Trend Micro OfficeScan

Trend Micro Apex Central, Vision One

Trellix ePolicy Orchestrator

Webroot

42 Gears SureMDM

For other endpoint security solutions, optional agents or Windows Management Instrumentation (WMI) can be used. WMI can be used to query the endpoint's Windows Security Center and report the status of AV on that endpoint.

Can EasyNAC integrate with Firewalls, IPS, and NDR solutions?

Yes, security appliances that are designed to monitor devices and network traffic can send event-based alerts for administrative action. EasyNAC can receive these event-based syslog messages and/or e-mail alerts from all types of security solutions and take immediate action. For example, if EasyNAC receives an alert that a device has malware, the appliance can restrict it immediately.

Solutions that can send event-based syslog or e-mail alerts can be configured to work with EasyNAC.

Can EasyNAC use agents?

EasyNAC was designed to be agentless, and agentless deployments are common. Agents are not required for typical compliance checks such as anti-virus and patch compliance. However, for more in-depth compliance checks, agents can be used. A hybrid approach can also be used where the agent is deployed on laptops, with agentless checks for other devices. Key advantages of agents include:

Real-time and in-depth Compliance checks

Compliance checks can be customized to include, but are not limited to, the following:

·      Running processes \ version info

·      Registry values

·      Files and locations

·      Machine names and OS check

·      Agent-based authentication

Real-time Wi-Fi adapter control

When connected to the corporate wired network, the wireless network adapter can be disabled automatically and re-enabled once the wired NIC is disconnected.

Automatic Remediation

When a compliance check fails, a remediation action can be initiated. This includes running scripts or executables on the host that has the agent installed. For example, if AV is out of date, the remediation script can start the AV update process.

Can EasyNAC protect Remote Access?

Yes, EasyNAC appliances support inline enforcement that can be used to control which devices are allowed to connect via the VPN. The EasyNAC appliance is placed in bridge mode between the remote access VPN server and the protected resources. Endpoints that audit with the appliance using agents are allowed to send traffic through the appliance, while devices that are not auditing (untrusted) or that fail a compliance check have their traffic blocked.

The fingerprinting feature further enhances the protection with transparent multi-factor authentication. User credentials are captured and then associated with a specific device. Using the device's fingerprint, EasyNAC can provide 2FA: something you know (a password) and something you have (a specific device). Each agent has a unique serial number, providing strong verification that the authenticated user is connecting from their unique corporate-issued laptop.

Does EasyNAC support High-Availability?

Yes, EasyNAC offers a High Availability option to provide redundancy in the event an appliance or virtual appliance were to fail or be offline. HA is provided using a two-box design, where the Primary appliance syncs its database and configuration with a passive Backup appliance. If the Backup appliance determines the Primary appliance is offline, it will become active.

When the Primary appliance comes back online, the Backup will sync the configuration and database back to the Primary, and the Primary will become active again.

Does EasyNAC have any switch or network dependencies?

There are no special networking requirements to deploy EasyNAC. It works with any brand of switches, hubs, wireless infrastructure or remote access VPNs.  This includes:

·      Enterprise and consumer routers and switches

·      Enterprise and consumer wireless network equipment

·      Unmanaged switches

·      VPN Concentrators

Where is EasyNAC configured on the network?

The EasyNAC appliances are placed anywhere there is layer-2 connectivity for the subnets to be protected. There are three ways to connect a subnet to an appliance:

Method 1 – Physical connection: Using multiple network adapters, plug in to a standard switch access port to extend protection to an additional subnet.

Method 2 – 802.1q trunk: Use 802.1q trunk ports so multiple VLANs can be protected with a single Ethernet adapter.

Method 3 – vLinks or Enforcer Sensors (software): For remote sites without either 802.1q or direct Ethernet connections, place a vLinks or Enforcer Sensor at the remote sites to provide visibility and control back to the appliance.

What is the Enforcer Sensor and how does it work?

The EasyNAC solution uses appliances for visibility and protection of the network. To provide visibility and protection, the EasyNAC appliance requires an IP address for layer-2 visibility of the subnets it is protecting. At remote sites, the Enforcer Sensor (software) can be deployed on Windows or Linux platforms to provide that visibility and enforcement.

At remote sites, the Enforcer Sensor software is installed on a Linux, Raspberry Pi, or Windows 64-bit OS. The sensor then communicates back to the EasyNAC appliance to report in real time which devices are on the network. The EasyNAC appliance profiles these devices and tells the Enforcer Sensor what access should be assigned. The Enforcer Sensor then applies the ARP enforcement.

Adding Enforcer Sensors to extend EasyNAC protection to remote sites is a simple process that consists of installing the Enforcer Sensor (software) and then accepting this sensor in the EasyNAC management interface.

How is EasyNAC sold?

EasyNAC is typically sold with a perpetual license for virtual appliances or hardware appliances.  Software subscription options are also available.  The licensing depends on the number of network devices and number of remote offices that need protection. From a licensing perspective, EasyNAC uses a concurrent device (unique MAC addresses) license model and only counts devices seen in the past 5 minutes. Agents, if desired, are purchased separately.

What is a typical deployment like?

Each deployment will vary depending on the number of locations, the network segments to be protected, and the number of devices on the network. Deployments can be as fast as a few days, but a more conservative deployment would be two to four weeks. Larger distributed networks may take 1 to 3 months. Because there will be no changes to the existing network, operations will not be affected during the deployment, and after-hours work is not normally required. Typically, a three-phase deployment is recommended:

Phase 1 – Infrastructure setup (1-2 days)

  • Installation of EasyNAC appliances
  • Configure trunk ports with VLANs to be protected
  • Setup integration with Active Directory and e-mail

Phase 2 – Policies Defined (1 week)

  • Configure integration with AV and patch management solutions
  • Configure Agentless Configuration policies
  • Fine-tune device profiling and Auto Trust rules
  • Enable Deception

Phase 3 – Protection Enabled (2-3 weeks)

  • Enable enforcement on a VLAN-by-VLAN basis (HQ first)
  • Remotely deploy Enforcer Sensors
  • Fine-tune consultant and other ACLs
  • Set up Automated Threat Response with preferred solutions (if desired)
  • Other fine-tuning

What happens if the license is over-subscribed?

EasyNAC uses a concurrent license model and keeps track of each unique MAC address it has seen in the past 5 minutes. Each MAC address uses a license, except for untrusted devices, which do not consume a license. If the license is exceeded, a warning indicator is shown on the management interface, but the solution and its protection continue to work as normal.

If the license is exceeded by more than 10%, enforcement and protection will be disabled for any trusted device that is beyond the 10% grace amount. Untrusted devices do not consume a license and will continue to be blocked.