Reading Room

Network Access Control

Featuring 15 Papers as of September 12, 2017

  • Challenges to Implementing Network Access Control STI Graduate Student Research
    by Joseph Matthews - September 12, 2017 

    Network Access Control had always offered the hope of solving so many network security problems but has proven quite difficult to implement. NAC was to solve the issues of visibility, control, and compliance enforcement. This paper seeks to demonstrate through research and implementation an effective and practical way for small to medium-sized businesses to move to NAC and take advantage of the security benefits of a 3-6 month implementation plan.


  • Identifying Vulnerable Network Protocols with PowerShell STI Graduate Student Research
    by David Fletcher - April 6, 2017 

    Microsoft Windows PowerShell has led to several exploit frameworks such as PowerSploit, PowerView, and PowerShell Empire. However, few of these frameworks investigate network traffic for exploitative potential. Analyzing a small amount of network traffic can lead to the discovery of possible network-based attack vectors such as Virtual Router Redundancy Protocol (VRRP), Dynamic Trunking Protocol (DTP), Link Local Multicast Name Resolution (LL-MNR) and PXE boot attacks, to name a few. How does one gather and analyze this traffic when Windows does not include an integrated packet analysis tool? Microsoft Windows PowerShell includes several network analysis and network traffic related capabilities. This paper will explore the use of these capabilities with the goal of building a PowerShell reconnaissance module which will capture, analyze, and identify commonly misconfigured protocols without the need to install a third-party tool within a Microsoft Windows environment.


  • Securing the Home IoT Network STI Graduate Student Research
    by Manuel Leos Rivas - April 5, 2017 

    The Internet of Things (IoT) has proven its ability to cause massive service disruption because of the lack of security in many devices. The vulnerabilities that allow those denial of service attacks are often caused by poor or no security practices when developing or installing the products. The common home network is not designed to protect against the design errors in IoT devices that expose the privacy of the users. The affordable price of single board computers (SBC) and their small power requirements and customization capabilities can help improve the protection of the home IoT network. SBC can also add powerful features such as auditing, inspection, authentication, and authorization to improve controls pertaining to who and what can have access. Implementing a home-control gateway, when properly configured, reduces some common risks associated with IoT such as vendor-embedded backdoors and default credentials. Having an open source trusted device with a configuration shared and audited by many experts can reduce many of the bugs and misconfigurations introduced by vendor security program deficiencies.


  • Simple Approach to Access Control: Port Control and MAC Filtering
    by Bill Knaffl - August 22, 2016

    Many times businesses will spend time and money on "Magic Bullet" security and focus on a single technology or threat. This focus can lend itself more towards placing a "check in the box" for compliance rather than on actual security and facing today's threats. Frequently, missing controls can have a cascading effect where, because one control was missing or inadequate, other failures occur, turning a minor problem into a breach. This paper approaches one such incident, calls out which control was identified as the primary failure and offers an evaluation of a specific tool that could have helped prevent this attack. It covers not only the cost of the tool and the time to implement but also discusses other costs such as training, monitoring, maintenance and user impact, and offers a guide for a successful implementation.


  • Protect the Network from the Endpoint with the Critical Security Controls Analyst Paper
    by G. W. Ray Davidson, PhD - August 22, 2016 

    The endpoint is rapidly evolving and often the first vector of attack into enterprises, according to the SANS 2016 State of Endpoint Security Survey. As such, all endpoints should be considered potentially hostile.


  • Don't Always Judge a Packet by Its Cover STI Graduate Student Research
    by Gabriel Sanchez - February 16, 2016 

    Distinguishing between friend and foe as millions of packets traverse a network at any given moment can be a very tedious and trying objective.


  • Securing Personal and Mobile Device Use with Next-Gen Network Access Controls Analyst Paper
    by Deb Radcliff, executive editor - November 24, 2014 

    An updated SANS Analyst Program whitepaper. It covers the essentials of applying NAC to secure guest networking, as well as leveraging NAC for BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) situations and ensuring endpoint compliance with network policy.


  • Implementing IEEE 802.1x for Wired Networks
    by Johan Loos - March 14, 2014

    Most companies do not have an extra security layer in place when client computers are connecting to a wired network.


  • Your Pad or Mine? Enabling Secure Personal and Mobile Device Use On Your Network Analyst Paper
    by Mark Kadrich - May 7, 2013 

    This paper discusses policies and approaches for using NAC to support guest networking and BYOD to complement and enable other mobile security controls such as Mobile Device Management (MDM).


  • The Critical Security Controls: What's NAC Got to Do with IT? Analyst Paper
    by Mark Hardy - May 3, 2013 

    This paper reveals what NAC can do today, how it stacks up to many of the CSCs and what strategies are needed for successfully leveraging NAC to reduce risk, improve compliance and meet the key automation and integration requisites cited in the controls.


  • Securing BYOD With Network Access Control, a Case Study
    by Lawrence Orans - April 11, 2013

    Security-conscious organizations need to proactively develop solutions to mitigate the inherent risks in the BYOD phenomenon.


  • A Survey of Wireless Mesh Networking Security Technology and Threats
    by Anthony Gerkis - October 18, 2006

    This paper will summarize the technologies and challenges related to wireless mesh networks.


  • Identity and Access Management Solution
    by Martine Linares - June 29, 2005

    Companies must be able to trust the identities of users requiring access and easily administer user identities in a cost-effective way.


  • Security Vulnerabilities and Wireless LAN Technology
    by Heather Lane - May 17, 2005

    Wireless local area network systems (LANs), also referred to as Wi-Fi, can be found everywhere. Since their introduction in the mid 1990s, they have proliferated among home users and have taken over organizations whether or not they are authorized.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.