Typically, computer networks employ perimeter defenses such as network firewalls to secure the corporate network by blocking unauthorized inbound access attempts from the Internet. However, motivated adversaries will find ways to bypass perimeter defenses—perhaps by physical intrusion into office spaces—to access networks at their weakest point, behind the firewall. As the value of corporate information is on the rise, there is a need for a more secure means of protecting access to networks even in the face of physical security breaches.
In trying to protect the network from unauthorized access, a network administrator could try to identify the source of the unauthorized access despite an adversary's attempts at masking their network identity. One approach is TCP/IP traceback, which traces the path of an attack back toward its source, but such techniques cannot map an attack to a specific machine.
Some networks employ Network Access Control (NAC) systems to enforce security policy at the physical points of connection into the network. Present-day NAC solutions utilize special client software installed onto desktop and laptop computers to inspect and report configuration states to a Policy Enforcement Point (PEP), which in turn provides the data to a Policy Decision Point (PDP) to render a decision on whether to admit the device onto the network. Issues arise when certain types of networked devices cannot support such client software, for example storage devices, printers, Voice over IP (VoIP) telephones and other network-connected specialized devices. In these cases, conventional NAC systems follow a simple policy of searching for the device's link-layer Media Access Control (MAC) address in an approved list and, if found, admitting the device into the network. Such a policy is useless against a malicious device that can spoof, or impersonate, the MAC address of a legitimate device in order to gain access to the network.
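As an added illustration, not part of the original text, the following Python models the PEP-to-PDP admission flow described above, including the clientless MAC-allowlist path, together with a defender-side check that flags an allowlisted MAC appearing on more than one access port at the same time. All MAC addresses, switch port names and posture attributes are constructed sample values.

```python
"""Toy model of the NAC flow: a Policy Enforcement Point (PEP) forwards a
device's link-layer identity and any client-reported posture to a Policy
Decision Point (PDP). Clientless devices fall back to a MAC allowlist.
Every address, port and posture key below is a constructed sample value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed allowlist of clientless devices (e.g. a printer and a VoIP phone).
MAC_ALLOWLIST: Set[str] = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}


@dataclass
class ConnectRequest:
    switch_port: str                      # access port the PEP saw the device on
    mac: str                              # link-layer address presented by the device
    posture: Optional[Dict[str, bool]] = None  # None means no NAC client installed


def pdp_decide(req: ConnectRequest) -> str:
    """Render an admit/deny decision for a single PEP request."""
    if req.posture is not None:
        # Client present: every reported configuration check must pass.
        return "admit" if all(req.posture.values()) else "deny"
    # Clientless path: the MAC address is the only evidence available, so any
    # device presenting an allowlisted MAC is admitted. This is the weakness
    # the text describes: the check cannot tell the real device from a copy.
    return "admit" if req.mac.lower() in MAC_ALLOWLIST else "deny"


def duplicate_mac_ports(active: List[ConnectRequest]) -> Dict[str, Set[str]]:
    """Defender check: a MAC that is active on more than one access port at
    once cannot be a single physical device, so it is a signal that an
    allowlisted identity is being impersonated somewhere on the network."""
    seen: Dict[str, Set[str]] = {}
    for r in active:
        seen.setdefault(r.mac.lower(), set()).add(r.switch_port)
    return {mac: ports for mac, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    printer = ConnectRequest("Gi1/0/7", "00:1a:2b:3c:4d:5e")
    # Second device presenting the printer's MAC from a different port.
    copycat = ConnectRequest("Gi1/0/19", "00:1A:2B:3C:4D:5E")
    laptop = ConnectRequest("Gi1/0/3", "00:1a:2b:aa:bb:cc",
                            {"av_running": True, "patched": False})
    for r in (printer, copycat, laptop):
        print(r.switch_port, r.mac, pdp_decide(r))
    print(duplicate_mac_ports([printer, copycat, laptop]))
```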