Seven important reasons to use Portnox NAC
News | 18.01.2019
Today we live in a world of devices. In almost every enterprise, the number of devices exceeds the number of employees. Everything is connected: IP phones, conference rooms, smart TVs, air conditioning systems, lighting infrastructure and coffee machines. IP rules.
These connected resources have very simple security mechanisms that are easy to hack. In fact, in terms of security, they are where Windows products were 20 years ago. IoT manufacturers use default passwords, there are no mechanisms for enhanced blocking and there is no centralized firmware update. In short: zero cyber security awareness.
Obviously, the people responsible for network security must now be ready for a new set of threats. The most natural approach is to understand which assets are online and then take the necessary measures to protect them. Both phases entail deploying a network access control (NAC) solution.
Here are the seven most important points that agencies should look for when choosing a NAC solution.
1. Network and endpoint visibility in real time.
This means visibility of all endpoints (managed devices, BYOD or IoT), as well as the ability to detect them in real time, inside and outside the enterprise perimeter. There should be universal coverage for any endpoint in the network, with detailed information about each one. This includes employee workstations, security cameras, printers, smart TVs, smart devices, employees' personal devices or anything else. This visibility will show which endpoints connect to the network, from which location, their device and OS types, whether they have the latest security patches and software updates, what processes are currently running, and their installed applications, services, certificates, open ports, configuration and more. All these features should be available online, without blocking the device.
2. Continuous monitoring of risks, on premises and beyond.
Modern enterprises have a virtual perimeter that includes all end users who connect to the network, regardless of whether they are on premises or off. Continuous monitoring of device risks is a critical function because it provides a risk assessment for each device at any time, and also monitors the endpoints in real time as they connect to the network.
3. Simplicity and centralized management.
An agency that cannot easily deploy and manage a NAC solution with minimal training and configuration cannot afford it, no matter how large its IT budget may be. Consider a solution in which all management functions are handled through one simple web interface without the use of external applications. This in itself makes things easier and saves time.
Also look at features that help simplify NAC, such as the ability to deploy from a central location without having to change anything in the network architecture, without having to send traffic through the device and without having to mirror traffic to be able to analyze it.
4. An agentless solution.
A fundamental aspect of simplicity can be achieved with the use of agentless technology. The presence of an agent helps control the complexity of the driver, but many endpoints, such as IoT devices, do not support the use of an agent. Therefore, it is important to have a solution that can still provide full visibility and control, but does not require an agent.
5. Flexible, granular enforcement and control.
An effective NAC solution will not simply block or allow universal network access. IT security teams must have granular controls for a wide range of situations, including the ability to isolate, segment, and constantly profile endpoints. Ideally, the NAC solution will also help remediate devices and return them to a healthy security state. For example, NAC should be able to restart endpoint detection and response software, as well as take other actions. At the same time, these actions should not interfere with performance.
Agencies should implement NAC gradually, starting with monitoring mode and continuing with enforcement mode in certain parts of the network and for certain security events, such as the detection of a rogue endpoint. Gradually, agencies can move to full enforcement and add a pre-connect option if necessary.
Once the IT security team is able to establish policies and automatic responses to handle rogue and non-compliant devices, it can use automation to control risks before and after the endpoint connects. This will save a significant amount of manpower and help solve one of the most common problems in the field of IT security: a shortage of skilled labor.
6. Vendor-agnostic.
Agencies should be able to continue working with any vendor and any firmware version (new or old) as long as SNMP or SSH management is available. The result: no vendor lock-in and the ability to use existing network infrastructure and third-party security solutions. Ensure that the NAC provider works with or without 802.1X authentication to support any hardware and any scenario.
It is unrealistic to expect that a company will replace its basic infrastructure for the sake of security, but fitting a solution to the existing infrastructure can often be a difficult task. It is clear that solutions that work with the existing infrastructure will simplify implementation and improve usability for everyday use.
7. Proof of concept.
Some suppliers promise all sorts of functions, but after implementation begins, the customer discovers that some of its endpoints and network segments are simply not supported. The IT team should always insist on a proof of concept to ensure that the supplier can provide what the organization requires.
All of these points will help agencies cope with the ever-increasing difficulties of network security and the use of unmanaged connected endpoints in their networks. Having a complete and comprehensive overview of all endpoints on the network, combined with the ability to take action, will make the solution invaluable. These capabilities are a response to the new and future threats that IT security teams must face. It is time to regain control of the network and all the “IP objects” that it contains.