Fortinet white logo
Fortinet white logo
7.2.0

Network Access Control Concepts

Network Access Control Concepts

Visibility

By integrating with and leveraging the entire network environment, FortiNAC is able to deliver end-to-end visibility of all users and devices on the network in real-time, as well as monitor and log all network activity over time for historical views and detailed reporting capability.

A close-up of a company's company's company's company's company's company's company's company's company's company's company's

Description automatically generated

With up to 21 different techniques, FortiNAC can then profile / classify each element based on observed characteristics and responses, as well as calling on FortiGuard’s IoT Services, a cloud-based database, for identification look-ups.

Classifying of endpoints can be done actively or passively and can utilize permanent agents, dissolvable agents, or no agents. Additionally, FortiNAC can assess a device to see if it matches approved profiles, noting the need for software updates to patch vulnerabilities. With FortiNAC deployed, the entire network is known.

Classification of state, users and endpoint devices on the network allows the FortiNAC Platform to make real-time policy decisions and to perform dynamic policy enforcement based on current conditions. FortiNAC develops a model representing every user and endpoint device in the network. It associates user information including identity, role, and state. For instance:

  • Is this a known user?

  • Is this an authorized user?

  • Is this a user who has been flagged as being “at risk” or non-compliant with security policy?

It also associates device information including device type, role, and state. For instance:

  • Is this a known device or a rogue?

  • Is it currently online or offline?

  • Has it been flagged as being “at risk” or non-compliant with security policy?

State data is maintained in the central database of the FortiNAC Platform to be leveraged by the Policy Engine and Enforcement Engine.

Graphical user interface, application

Description automatically generated

Figure 1 – FortiNAC Dashboard, Host Summary, Fingerprint and Compliance.

Control

Policy Engine

The Policy Engine enables the creation of security policies tailored to individual users and endpoint devices based upon a rich set of information residing in the central database of the FortiNAC Platform. The Policy Engine also functions as a centralized policy decision point responsible for making real-time policy decisions.

Enforcement Engine

Once a policy decision has been made, an automated response action is typically executed at one or more points of enforcement in the network. The Enforcement Engine leverages information from the Device, State, and Policy Engine to initiate policy enforcement actions.

For example, access policy might be enforced by dynamically changing the VLAN of a switch port or by setting Access Control Lists (ACLs) on a router or adjusting a Group Policy on a firewall, to isolate an endpoint device that is determined to be in an “at risk” state.

Act – Detect & Response

One of the greatest challenges facing today’s IT organization is that of trying to keep up with evolving network security challenges with very limited staff resources. FortiNAC enables automation of various configuration and management tasks performed by IT staff today, such as provisioning network access for different users and devices. This not only frees IT staff to be able to focus on more important things, but also enhances security and efficiency with the ability to dynamically adapt to network threats and changes.

Known or Unknown

When any device connects to the network FortiNAC checks to see if it is known or Unknown. Known devices are allowed to access the appropriate network. Unknown devices are placed in an isolation Network.

Security Systems

When the FortiGate appliance detects a threat, it will send the threat and endpoint information to FortiNAC. The FortiNAC policy engine will process the information and take the appropriate action based on policy. For example, if the endpoint is owned by an executive of the company, an email can be sent to IT and the executive.

A screenshot of a computer

Description automatically generated

Third party security systems including Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and other Deep Packet Inspection (DPI) systems are typically in-line appliances placed close to the external firewall to monitor network traffic for suspicious activity or signs of attack. While useful, these appliances do not incorporate information from other areas of the network environment to determine the “full picture.” When the security systems are integrated with FortiNAC, FortiNAC has the knowledge of the identity of the user and endpoint and will apply the appropriate action based on policy.

Network Access Control Concepts

Network Access Control Concepts

Visibility

By integrating with and leveraging the entire network environment, FortiNAC is able to deliver end-to-end visibility of all users and devices on the network in real-time, as well as monitor and log all network activity over time for historical views and detailed reporting capability.

A close-up of a company's company's company's company's company's company's company's company's company's company's company's

Description automatically generated

With up to 21 different techniques, FortiNAC can then profile / classify each element based on observed characteristics and responses, as well as calling on FortiGuard’s IoT Services, a cloud-based database, for identification look-ups.

Classifying of endpoints can be done actively or passively and can utilize permanent agents, dissolvable agents, or no agents. Additionally, FortiNAC can assess a device to see if it matches approved profiles, noting the need for software updates to patch vulnerabilities. With FortiNAC deployed, the entire network is known.

Classification of state, users and endpoint devices on the network allows the FortiNAC Platform to make real-time policy decisions and to perform dynamic policy enforcement based on current conditions. FortiNAC develops a model representing every user and endpoint device in the network. It associates user information including identity, role, and state. For instance:

  • Is this a known user?

  • Is this an authorized user?

  • Is this a user who has been flagged as being “at risk” or non-compliant with security policy?

It also associates device information including device type, role, and state. For instance:

  • Is this a known device or a rogue?

  • Is it currently online or offline?

  • Has it been flagged as being “at risk” or non-compliant with security policy?

State data is maintained in the central database of the FortiNAC Platform to be leveraged by the Policy Engine and Enforcement Engine.

Graphical user interface, application

Description automatically generated

Figure 1 – FortiNAC Dashboard, Host Summary, Fingerprint and Compliance.

Control

Policy Engine

The Policy Engine enables the creation of security policies tailored to individual users and endpoint devices based upon a rich set of information residing in the central database of the FortiNAC Platform. The Policy Engine also functions as a centralized policy decision point responsible for making real-time policy decisions.

Enforcement Engine

Once a policy decision has been made, an automated response action is typically executed at one or more points of enforcement in the network. The Enforcement Engine leverages information from the Device, State, and Policy Engine to initiate policy enforcement actions.

For example, access policy might be enforced by dynamically changing the VLAN of a switch port or by setting Access Control Lists (ACLs) on a router or adjusting a Group Policy on a firewall, to isolate an endpoint device that is determined to be in an “at risk” state.

Act – Detect & Response

One of the greatest challenges facing today’s IT organization is that of trying to keep up with evolving network security challenges with very limited staff resources. FortiNAC enables automation of various configuration and management tasks performed by IT staff today, such as provisioning network access for different users and devices. This not only frees IT staff to be able to focus on more important things, but also enhances security and efficiency with the ability to dynamically adapt to network threats and changes.

Known or Unknown

When any device connects to the network FortiNAC checks to see if it is known or Unknown. Known devices are allowed to access the appropriate network. Unknown devices are placed in an isolation Network.

Security Systems

When the FortiGate appliance detects a threat, it will send the threat and endpoint information to FortiNAC. The FortiNAC policy engine will process the information and take the appropriate action based on policy. For example, if the endpoint is owned by an executive of the company, an email can be sent to IT and the executive.

A screenshot of a computer

Description automatically generated

Third party security systems including Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and other Deep Packet Inspection (DPI) systems are typically in-line appliances placed close to the external firewall to monitor network traffic for suspicious activity or signs of attack. While useful, these appliances do not incorporate information from other areas of the network environment to determine the “full picture.” When the security systems are integrated with FortiNAC, FortiNAC has the knowledge of the identity of the user and endpoint and will apply the appropriate action based on policy.