How to Overcome NAC Limitations
Why a Software-Defined Perimeter delivers better network security for today’s enterprises
Enterprise technology has changed: static vs. dynamic, network-centric vs. identity-centric, hardware vs. software, isolated vs. interconnected.
Work habits have changed: home, mobile, contractors, third-party partners.
The network perimeter has dissolved.
Enterprise resources – applications, databases, and infrastructure – are increasingly outside the perimeter. And people are constantly working outside the perimeter.
Network security must change to keep up with enterprise technology and work habits.
There’s a fundamental shift in network security happening right now.
The philosophical difference is centered around trust:
Network Access Control (NAC) trusts users inherently. Software-Defined Perimeter (SDP) trusts no one.
Do you trust users completely?
NAC solutions are designed to work inside the perimeter, a trust-based model...
…a model that Forrester says is broken for these reasons:
1. It's impossible to identify trusted interfaces
2. The mantra "trust but verify" is inadequate
3. Malicious insiders are often in positions of trust
4. Trust doesn't apply to packets
Read: Forrester, No More Chewy Centers: The Zero Trust Model Of Information Security
Or are no users trusted?
Abolishing the idea of a trusted network inside (or outside) the corporate perimeter, and instead opting for a Software-Defined Perimeter where there is zero trust.
NAC was designed to work inside the perimeter.
Build a perimeter around the internal network, verify who users say they are, and once in the door users gain full access to the network, or at least a large portion of it.
In this changing world, NAC falls short for SEVEN reasons.
1. NAC doesn't extend to cloud
So enterprises need another security solution for the cloud. And that adds another layer of network security.
2. NAC relies on VLANs, which are complicated to manage
Creating VLAN segments can be easy… keeping them relevant and accurate as your environment changes is the real challenge. So most enterprises only have a limited number of VLAN segments defined.
3. NAC doesn’t encrypt traffic
If social networks can encrypt traffic, why not corporate networks? (WhatsApp, Snapchat, Facebook Messenger, Telegram)
4. NAC isn’t fine-grained
It can’t provide fine-grained control of the network resources users can access. Instead, NAC relies on existing (and separately managed) network segments, firewalls and VLANs – requiring yet another set of policies to manage.
5. NAC’s remote user support is non-existent
Remote users need yet another solution – like a VPN.
6. NAC struggles to support the agile enterprise
NAC causes management issues because it’s not agile or dynamic – it’s static. It’s complex for the security team to add firewall rules for thousands of workers and their many devices.
7. NAC doesn’t provide deep, multi-faceted, context-aware access control
It doesn’t check specific attributes such as location, anti-virus or device posture, or broader system attributes such as an alert status within a SIEM.
A Software-Defined Perimeter eliminates these limitations
A Software-Defined Perimeter is a new network security model that dynamically creates 1:1 network connections between users and the data they access.
Read: Why a Software-Defined Perimeter
A Software-Defined Perimeter has these MAIN BENEFITS:
The Zero-Trust model
1. An “Authenticate first – Connect second” approach
Everything on the network is invisible until authorization is granted, and access is then only allowed to a specific application.
for policy compliance.
2. Identity-centric (not IP-based) access control
Know exactly who accessed what, for how long, the context of the device, and when they connected.
3. Encrypted Segment of One
Individualized perimeters for each user and each user-session – a Segment of One. All the other services that exist on the network are invisible to the user. Once a user obtains their entitlements, all network traffic to the protected network is encrypted.
4. Dynamic policy management
As new server instances are created, users are granted or denied access appropriately and automatically. As context changes (time, location, device hygiene, etc.), dynamic access policies provide continuous and immediate security.
5. Simplicity
Much simpler – and dramatically fewer – firewall and security group rules to maintain.
6. Compliance
Consider the people and time spent collecting, consolidating, and making sense of access logs. Organizations have reduced this by up to 90% when using a Software-Defined Perimeter.
A Software-Defined Perimeter offers:
• Auditable, uniform policy enforcement across hybrid systems.
• Dramatically reduced audit-preparation time: no need to correlate IP addresses to users.
7. Consistency
Consistent access policies across on-premises, cloud and hybrid environments.
Would you like to know more?
Watch the video: SDP to prevent malicious insiders, over-privileged users and compromised third-party access.
Get a demo: Let us show you how an SDP can work for your organization.
Let’s put NAC vs. SDP to the test… Consider port scanning.
A tester uses credentials to connect to the network, then does a simple port scan to see how many services it finds:
• On the internal network?
• On Wi-Fi?
• On other organizations’ services? (*If using a hosting provider.)
Port-scan test with NAC
The tester would see every single network port and service available for every server that’s in that VLAN. That could be thousands and thousands of resources.
Port-scan test with a Software-Defined Perimeter
The tester would authenticate first, connect second. The only ports the tester would see are the ones he has explicit rights to through his digital identity. Everything else would be completely invisible.
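The following Python model is an added illustration, not code from this deck or from Cryptzone's AppGate. It covers two points made above: the dynamic, context-aware policy (benefit 4) and the NAC vs. SDP port-scan comparison. Under the NAC model an admitted scanner enumerates every service on the VLAN; under the SDP model the controller evaluates identity and session context first and only entitled services are connectable, and a context change (location, posture, SIEM alert) is re-evaluated instead of persisting from the initial admission. The inventory, users, and policy rules are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    vlan: str
    app: str


# Constructed inventory: four services living on one corporate VLAN.
INVENTORY: List[Service] = [
    Service("hr-db", 5432, "corp", "hr-db"),
    Service("wiki", 443, "corp", "wiki"),
    Service("jump", 22, "corp", "jump"),
    Service("siem", 8443, "corp", "siem"),
]


@dataclass(frozen=True)
class Context:
    """Identity plus the per-session attributes the deck says NAC ignores."""
    user: str
    device_posture_ok: bool   # anti-virus / device hygiene check passed
    location: str             # e.g. "office" or "home"
    siem_alert: bool          # an open SIEM alert on this user


# Constructed policy model: app -> entitlement rule over the session context.
# Apps with no rule (here "siem") are entitled to nobody and stay invisible.
POLICY: Dict[str, Callable[[Context], bool]] = {
    "wiki":  lambda c: c.device_posture_ok,
    "hr-db": lambda c: c.user == "alice" and c.device_posture_ok and c.location == "office",
    "jump":  lambda c: c.user == "bob" and c.device_posture_ok,
}


def nac_scan(vlan: str) -> List[Service]:
    """NAC model: once admitted to the VLAN every listening port is reachable,
    so a scan enumerates the whole segment regardless of who is scanning."""
    return [s for s in INVENTORY if s.vlan == vlan]


def sdp_scan(ctx: Context) -> List[Service]:
    """SDP model: entitlements are computed from identity and context before any
    connection; only entitled services answer, and an open SIEM alert revokes all."""
    if ctx.siem_alert:
        return []
    return [s for s in INVENTORY if POLICY.get(s.app, lambda c: False)(ctx)]


def reevaluate(ctx: Context, **changed) -> List[Service]:
    """Dynamic policy: a mid-session context change recomputes the Segment of One."""
    return sdp_scan(replace(ctx, **changed))
```

Running `nac_scan("corp")` against `sdp_scan(Context("alice", True, "office", False))` shows four reachable services versus two, and `reevaluate(alice, siem_alert=True)` drops to none.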
Here’s why (we’ll need to get techie for a bit)
SDP Architecture
Components: Protected Applications, SDP Controller, SDP Gateway (Accepting Host), SDP Client (Initiating Host), PKI, Identity Management, Policy Model.
• The SDP controller is the authentication point, containing user access policies.
• Clients are securely onboarded.
• All connections are based on mutual TLS connectivity.
• Traffic is securely tunneled from Client through Gateway.
An SDP stops people like this from abusing your network:
Negligent Insiders, Malicious Insiders, Compromised Insiders, Cyber Criminals, Advanced Persistent Threat (APT) Agents, State Sponsored Actors, Compromised Third Party Users, Over-privileged / Super-privileged Users.
Helping to Prevent These Types of Attacks:
Server Exploitation, Credential Theft, Connection Hijacking, Compromised Devices, Phishing, DDoS, Insider Threats, Malware, Man in the Middle.
Software-Defined Perimeter sounds great… But what if a NAC is already in place?
NAC and SDP CAN Coexist
Enterprises with existing NACs
• Can deploy SDP without replacing NAC.
• Get the benefit of an SDP solution without a rip-and-replace program.
Enterprises without NACs
• Should consider SDP as a simpler alternative.
• There’s no compelling reason to deploy a new NAC solution, because SDP offers better security, removes complexity, enforces uniform compliance, and lowers cost of ownership.
A Software-Defined Perimeter delivers uncompromised network security and compliance across hybrid environments.
Industry experts agree
“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”
“Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter technology… by 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters, up from less than 1% in 2016”
“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems.”
Cryptzone delivers the market leading Software-Defined Perimeter: AppGate
Learn more about AppGate
• WEBINAR: Network Access Control vs. Software-Defined Perimeter – or both?
• WHITEPAPER: Forrester Report, No More Chewy Centers: The Zero Trust Model of Information Security
• VIDEO: Network Security is Changing – See How AppGate Works
FREE TRIAL | START NOW
Get access to a 15-day free trial on AWS marketplace.
GET IN TOUCH
Want to know more? www.cryptzone.com
Email: info@cryptzone.com
Twitter: @Cryptzone
LinkedIn: linkedin.com/company/cryptzone

How to Overcome Network Access Control Limitations for Better Network Security