The network should be the first line of protection against threats.
Most attacks and abuses carried out through the network and at the network level can be effectively detected and stopped. Yet most networks allow easy access to important servers and services to anyone who can plug into a network socket or connect to the organisation's wireless network, regardless of that person's identity or the status of the workstation.
To effectively prevent unauthorised access to the company's network, and potential abuse by users who have obtained authorised access to it, it is necessary to design and implement a network access control (NAC) system.
The control of access to the corporate network (NAC) should be performed in a uniform manner, regardless of how the user gets connected (LAN, WiFi). From the point of view of a person who uses the network, the method of obtaining access to the company's resources should be uniform and as transparent as possible, regardless of the type of medium used. If possible, the NAC system should also closely cooperate with other elements, thus increasing the security of the Client's IT system. These elements include, for instance:
By integrating the NAC system with firewalls, it is possible to create filtering rules based on the identity of a particular user or group of users (e.g. taken from Active Directory) and to track a person's activity very precisely, the so-called user awareness.
Once the NAC system is implemented, access control in wired (LAN) and wireless (WiFi) networks can be based on the 802.1X protocol at layer 2 (L2) and/or on layers 3/4 (L3/L4), the latter when the NAC system is integrated with firewall systems. Granting access on L2 and L3/L4 simultaneously yields a much simpler network architecture with much more granular access control. A user may, for example, be granted access to a specific VLAN assigned to his or her organisational unit and, at the same time, have specific authorisations to access resources (IP addresses and ports) resulting from the projects in which he or she participates or the role he or she performs in the organisation (e.g. a manager).
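The combined L2 and L3/L4 decision described above, sketched as an added example (not code from the original page or from any NAC product). The policy tables, VLAN IDs, addresses, the quarantine VLAN and all function names are assumptions made for illustration; the RADIUS attribute names are the standard ones used for 802.1X VLAN assignment (RFC 3580).

```python
from dataclasses import dataclass, field

# Constructed sample policy; every unit, VLAN ID and address is an assumption.
UNIT_VLAN = {"finance": 110, "engineering": 120}
QUARANTINE_VLAN = 999  # hypothetical isolation VLAN for anything unrecognised
PROJECT_RULES = {
    "erp-migration": {("10.20.0.15", 1521), ("10.20.0.16", 443)},
    "web-portal": {("10.30.0.8", 443)},
}
ROLE_RULES = {"manager": {("10.40.0.5", 443)}}


@dataclass
class User:
    name: str
    unit: str
    projects: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    authenticated: bool = True  # outcome of the 802.1X exchange


def l2_decision(user):
    """L2: VLAN for the port or SSID, expressed as RADIUS tunnel attributes."""
    vlan = UNIT_VLAN.get(user.unit) if user.authenticated else None
    if vlan is None:  # failed authentication or unknown unit: isolate, never default-allow
        vlan = QUARANTINE_VLAN
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


def l3_l4_rules(user):
    """L3/L4: identity-based allow list of (dst_ip, dst_port); all else is denied."""
    if not user.authenticated or user.unit not in UNIT_VLAN:
        return []
    allowed = set()
    for project in user.projects:  # authorisations that follow project membership
        allowed |= PROJECT_RULES.get(project, set())
    for role in user.roles:  # authorisations that follow the organisational role
        allowed |= ROLE_RULES.get(role, set())
    return sorted(allowed)


def access_decision(user):
    """Same decision whether the user arrives over LAN or WiFi."""
    return {"user": user.name, "radius": l2_decision(user), "allow": l3_l4_rules(user)}
```

The VLAN follows the organisational unit while the firewall allow list follows projects and roles, so two users in the same VLAN can still reach different resources.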
32% of surveyed employees use their personal devices for work without asking their employers for permission.
Gartner 2014