Network Access Control, or NAC, is the frontline defense in an ever-present battle in network security. NAC has been around for many years in the form of securing wireless SSIDs, but what about the gaming floor or the back-of-house locations? There is usually so much commotion there that a malicious attempt to plug into the network could easily be missed. It is true that there have been methods of securing physical network ports in the past: restricting access physically, using port-security commands on the switch, or even leaving switch interfaces shut down until they are needed. All of these require manual intervention from the information systems team before a client can successfully gain access to the network, and they quickly become less feasible once scalability enters the picture. Floor moves come instantly to mind: wouldn’t you love for the Slots department to be able to move machines and “just have them work,” all while enhancing your security position on the floor? So how can we achieve every IT professional’s dream of automation in the ever-changing world of NAC? With a robust access control software platform.
Brief History Lesson
NAC software platforms have been around for years, and Remote Authentication Dial-In User Service (RADIUS), the protocol that NAC thrives on, has been around even longer, since 1991 to be exact. Windows NT 4.0 shipped with a component called Internet Authentication Server (IAS) in 1996; over subsequent versions this component evolved into the Windows Server role we now know as Network Policy Server (NPS).
Think about all the devices connected in public places: EGMs, digital signage, POS terminals, access points, ATMs and TRMs. The list is almost endless, so access control is a big deal. But why is it a big deal now? If the baseline for NAC has been around for decades, why have most gaming enterprises been ignoring NAC on their wired networks until recently? The most common answer is feasibility. Most IoT endpoint implementations didn’t play well with NAC methods until recent years. In addition, NAC software platforms were notoriously hard to manage and limited in their capabilities. Outside of using them for wireless networks, it was simply easier to manage the network manually by other methods, until now.
The Golden Age of NAC Software
In recent years, newer versions have given network administrators abilities that were never an option before. The amount of information that can be passed in a RADIUS packet is quite extensive, allowing control rules to be established based on a wide array of criteria. RADIUS attributes aren’t the only thing that can be used for access evaluation, either. Most software implementations integrate directly with directory services, allowing administrators to evaluate domain users and computers alike against something as simple as whether the user belongs to a certain security group.
Authentication Methods
There are two main methods of authenticating wired endpoints or users: MAC Authentication Bypass (MAB) and the IEEE 802.1X protocol. MAB authenticates endpoints based on their MAC address alone. Because a MAC address can be copied by anyone who observes it, this method is less secure than 802.1X and is generally reserved for endpoints that lack a supplicant capable of performing 802.1X. With 802.1X, on the other hand, the client (supplicant) passes its credentials in EAP frames that are carried over EAPOL between the supplicant and the switch and relayed by the switch to the authentication server, typically using EAP-TLS or PEAP. Both of those methods establish a TLS tunnel between the supplicant and the authentication server, so the credential exchange is encrypted end to end rather than exposed to the switch or to anyone else on the wire. 802.1X is the gold standard of NAC.
Authorization
After a client is successfully authenticated, access still needs to be granted; that’s where the fun part comes in. Administrators can dole out access based on any number of criteria, from security groups, as listed above, to the physical location the client has plugged into on the network, and much more. Even better, with supported devices and device versions, access can be changed dynamically, meaning ALL access switchports can be configured identically: once a client plugs in and authenticates successfully, its access is pushed down to the switchport. No more manual intervention! Some of my favorite capabilities of NAC software when it comes to authorizing access:
- Universal switchport configuration: access is changed dynamically based on the matching authentication rule.
- A bad actor obtained physical access to a switchport on the slot floor? You can change their access or blackhole them entirely, automatically or through manual intervention.
- Dynamic access lists can be granted or revoked.
- Voice domain permissions: the phone is authorized onto the voice VLAN and the workstation behind it onto a data VLAN.
- Total customization: most NAC software implementations come with predefined dictionaries of vendor-specific RADIUS attributes, such as Cisco’s cisco-av-pair for network device logins.
One of my go-to moves when implementing NAC on the casino floor is to give the slots department the permissions to manage their own EGMs. If they need to replace network modules on the floor, they can add the new modules themselves, ensuring that when a new module hits the floor it is granted appropriate access.
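To make the two steps above concrete, here is a small policy engine, added as an illustration and not code from the article or from any NAC product, that authenticates a wired endpoint by MAB or 802.1X and then builds the RADIUS Access-Accept that pushes a VLAN (and, for the voice domain, the cisco-av-pair) down to the switchport. Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID are the standard RFC 3580 VLAN-assignment attributes and Filter-Id is the standard RFC 2865 attribute for naming an access list. The MAB endpoint registry (the table the slots department would maintain), the directory groups, the port-to-location map, the VLAN numbers and the ACL name are all constructed sample data, and the rule that sends a known EGM plugged into the wrong location to a quarantine VLAN is my own illustration of the blackhole idea from the list above.

```python
"""Toy NAC policy engine for a wired switchport (added example, not code
from the article or any NAC product). Attribute names follow RFC 3580
(VLAN assignment) and RFC 2865 (Filter-Id); the cisco-av-pair value is
Cisco's voice-domain marker. All tables below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed MAB registry (MAC -> device class): the table the slots
# department would maintain when they swap an EGM network module.
MAB_ENDPOINTS: Dict[str, str] = {"00:11:22:33:44:55": "egm"}

# Constructed directory lookup: 802.1X identity -> security groups.
DIRECTORY_GROUPS: Dict[str, List[str]] = {
    "slots-tech01": ["Domain Users", "Slots-Techs"],
    "ip-phone-01": ["Voice-Devices"],
}

# Constructed map of NAS-Port-Id (the switchport) -> physical location.
PORT_LOCATION: Dict[str, str] = {
    "GigabitEthernet1/0/12": "slot-floor",
    "GigabitEthernet2/0/3": "cage",
}

QUARANTINE_VLAN = 999  # constructed: isolated VLAN with no routed gateway


@dataclass
class AccessRequest:
    """The fields of a RADIUS Access-Request this policy looks at."""
    mac: str                          # Calling-Station-Id
    nas_port_id: str                  # switchport the client plugged into
    service_type: str                 # "Call-Check" = MAB, "Framed" = 802.1X
    eap_identity: Optional[str] = None
    eap_method: Optional[str] = None  # "EAP-TLS" or "PEAP"
    eap_success: bool = False         # TLS handshake / credential check passed


@dataclass
class Decision:
    code: str                                   # Access-Accept / Access-Reject
    attributes: Dict[str, str] = field(default_factory=dict)


def vlan_attributes(vlan: int) -> Dict[str, str]:
    """RFC 3580 attributes that tell the switch which VLAN to put the port in."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


def authenticate(req: AccessRequest) -> Optional[Tuple[str, str]]:
    """Return (method, identity) on success, None on failure."""
    if req.service_type == "Call-Check":       # MAB: the MAC is the identity
        mac = req.mac.lower()
        return ("MAB", mac) if mac in MAB_ENDPOINTS else None
    # 802.1X: trust only identities that completed a supported EAP method
    if req.eap_success and req.eap_method in ("EAP-TLS", "PEAP"):
        if req.eap_identity in DIRECTORY_GROUPS:
            return ("802.1X", req.eap_identity)
    return None


def authorize(method: str, identity: str, req: AccessRequest) -> Decision:
    """Choose the VLAN and extra attributes to push down to the switchport."""
    location = PORT_LOCATION.get(req.nas_port_id, "unknown")
    if method == "MAB":
        if MAB_ENDPOINTS[identity] == "egm" and location == "slot-floor":
            return Decision("Access-Accept", vlan_attributes(210))
        # Known MAB device on an unexpected port (an EGM in the cage):
        # admit it into the quarantine VLAN so the move can be investigated.
        return Decision("Access-Accept", vlan_attributes(QUARANTINE_VLAN))
    groups = DIRECTORY_GROUPS[identity]
    if "Voice-Devices" in groups:               # voice domain behind the port
        attrs = vlan_attributes(300)
        attrs["cisco-av-pair"] = "device-traffic-class=voice"
        return Decision("Access-Accept", attrs)
    if "Slots-Techs" in groups:                 # data VLAN plus a dynamic ACL
        attrs = vlan_attributes(120)
        attrs["Filter-Id"] = "SLOTS-TECH-ACL"   # constructed ACL name
        return Decision("Access-Accept", attrs)
    return Decision("Access-Accept", vlan_attributes(QUARANTINE_VLAN))


def evaluate(req: AccessRequest) -> Decision:
    """Authenticate, then authorize; anything unknown gets Access-Reject."""
    result = authenticate(req)
    if result is None:
        return Decision("Access-Reject")
    method, identity = result
    return authorize(method, identity, req)


if __name__ == "__main__":
    egm = AccessRequest("00:11:22:33:44:55", "GigabitEthernet1/0/12", "Call-Check")
    print(evaluate(egm))  # Access-Accept with Tunnel-Private-Group-ID 210
```

The point of the split between `authenticate` and `authorize` is the one the article makes: every access port carries the same configuration, and the reply attributes, not the port, decide what the client can reach. Unknown MACs and failed EAP sessions get an Access-Reject, while an authenticated client that matches no rule lands in the quarantine VLAN rather than on the open network, so a misplaced or unexpected device is contained without anyone touching the switch.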
No matter the end goal, whether it be security, automation, accountability, or manageability, these new NAC software platforms are ready to do the hard work for you. Secure slot floor, back of house, BYOD, guest access, sponsor portal pages, wireless access, you name it: it can be done, and done better. In a fast-paced industry with security at the top of the priority list, NAC simply cannot be ignored any longer. I encourage you to try out a demo and see how easy securing the network can become.