Different elements or mechanisms are known in the state of the art for controlling access to communications networks. These elements incorporate security techniques so that interconnection between the devices of a network is available only to the users and devices authorized to access it, and only under allowed conditions.
However, until now, none of these elements/mechanisms managing network access provides global protection, i.e. it is currently impossible to confirm that there is an access control element or mechanism that completely covers the needs of the user and of the connected devices, since all the existing elements/mechanisms have serious limitations and vulnerabilities, some of which are described below.
Usually, the identification of authorized users is performed at layer 3 of the OSI model by means of IP addresses, or in higher layers. Therefore the elements responsible for controlling network access (and identifying the users) must include devices capable of interpreting data at least at layer 3 of the OSI model and above. Furthermore, identification based on IP addresses is insufficient for assuring the identification of a user, since any user, by means of any device, can configure its IP address without needing thorough knowledge of the network, so IP addresses can be easily stolen.
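As an added illustration of why an IP address alone cannot identify a device (this is example code written for this edit, not part of the original text or of any product it describes), the following Python snippet keeps a binding table recording which MAC address and physical port each IP address was learned on, and flags frames whose source IP arrives from a different MAC or port. The bindings, the frame records and the port names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """Where an IP address was legitimately learned (e.g. from a DHCP lease)."""
    mac: str
    ip: str
    port: str


class BindingTable:
    """Maps each IP address to the single (MAC, port) it is allowed to come from."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Binding] = {}

    def learn(self, mac: str, ip: str, port: str) -> None:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        self._by_ip[ip] = Binding(mac.lower(), ip, port)

    def check(self, mac: str, ip: str, port: str) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for a frame seen with these attributes."""
        bound = self._by_ip.get(ip)
        if bound is None:
            return "deny", "no binding for source IP"
        if bound.mac != mac.lower():
            return "deny", "source IP bound to a different MAC"
        if bound.port != port:
            return "deny", "source IP bound to a different physical port"
        return "allow", "binding matches"


def audit(table: BindingTable, frames: List[dict]) -> List[Tuple[str, str, str]]:
    """Evaluate each frame and return (ip, verdict, reason) tuples."""
    return [(f["ip"],) + table.check(f["mac"], f["ip"], f["port"]) for f in frames]


# Constructed bindings: what the network learned when these hosts joined.
TABLE = BindingTable()
TABLE.learn("00:11:22:33:44:aa", "192.0.2.10", "eth1")
TABLE.learn("00:11:22:33:44:bb", "192.0.2.11", "eth2")

# Constructed frames: the third and fourth reuse 192.0.2.10 from elsewhere.
FRAMES = [
    {"mac": "00:11:22:33:44:aa", "ip": "192.0.2.10", "port": "eth1"},
    {"mac": "00:11:22:33:44:bb", "ip": "192.0.2.11", "port": "eth2"},
    {"mac": "00:11:22:33:44:cc", "ip": "192.0.2.10", "port": "eth3"},  # other MAC and port
    {"mac": "00:11:22:33:44:aa", "ip": "192.0.2.10", "port": "eth3"},  # right MAC, wrong port
    {"mac": "00:11:22:33:44:dd", "ip": "192.0.2.99", "port": "eth4"},  # never learned
]

if __name__ == "__main__":
    for ip, verdict, reason in audit(TABLE, FRAMES):
        print(f"{ip:<12} {verdict:<5} {reason}")
```

The check is deliberately ordered from the cheapest to the most specific condition, and the verdict carries a reason so that a log consumer can tell an unknown address from a reused one.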
A main element for providing connectivity between devices of a communications network is the router. Routers today have hardware limitations (lack of resources such as memories, processors, interfaces/ports needed for performing the tasks of the router . . . ), integration limitations and particularly security limitations, since there is no integral security of the routers (covering the different services they house and the communications that pass through them). These limitations are to the detriment of the scalability, adaptability and reliability of the router in question.
Security limitations are the vulnerabilities currently detected in the different protocols or standards supported by a router device. These vulnerabilities exploit the weaknesses of the protocols and elements used for establishing trustworthy communication environments. The security layers established by the protocols are defeated by so-called network attacks, usually in order to obtain the following results: capturing packets in the data network (sniffers), identity theft (spoofing), Man-in-the-Middle or Denial-of-Service (DoS), for example.
Thus, for example, in WiFi networks the following attacks can occur, among others: FMS attacks (which attempt to break by force the RC4 cryptographic protocol on which the WEP protocol, Wired Equivalent Privacy, is based); Chop-Chop (in which a packet is injected with its last byte changed, attempting to decipher this value); fragmentation attacks; and attacks on WPS (WiFi Protected Setup, a function under the IEEE 802.11i standards used for accepting and linking new clients in wireless networks without having to enter the actual cryptographic passwords of the WiFi protection protocol, which exposes the router to identity theft attacks).
In Ethernet networks there are protection mechanisms based on the network identifier of the devices connected to the router. The router denies or allows communications between the communication endpoints based on rules which in turn are based on the network identifier. The decision to interrupt the connection is never taken based on the physical link, and therefore protection situations such as Denial-of-Service attacks or fraudulent use of the device are left uncovered.
In IPv6 networks, router advertisement attacks, DNSv6 spoofing or packet fragmentation attacks can occur, among others. In turn, in WAN networks some of the main problems that arise concern antimalware protection (routers are mainly software systems that can be affected by malware for the control and unlawful use of the device, and there are critical vulnerabilities that allow intruders to take control of many of the routers that give access to the Internet) and the flow label (the flow label serves for providing differentiated processing for data flows that pass through a network by means of IPv6; this can be used by competitors and malicious people for injecting packets with fake IPv6 addresses or falsified flow labels. This is possible because the headers of the packets that pass through the intermediate nodes are not verified, so there is no assurance that this data is trustworthy and the network simply assumes that it is).
The DHCP protocol (Dynamic Host Configuration Protocol) is widely used in the state of the art for configuring equipment connected by a communications network. Despite all the useful functions offered by the DHCP protocol, there are various very negative aspects when using this system, mainly security aspects. Some of these security problems are:
Malicious server: The automation of the DHCP protocol is a great security risk, allowing a malicious DHCP server to be introduced into a network, which can intercept the information sent by a user connected to that server.
Universalization of the DHCP protocol: Since most routers and switches have the DHCP protocol implemented, any user wishing to access the network can easily gain access to it using said protocol.
Multiple subnetworks or network segments: There are environments where each network segment may need its own DHCP server, or a DHCP relay agent (which requires additional configuration, entailing additional time and highly increased costs). If neither option is viable, all the network elements must be configured as emitters of the BOOTP protocol, which is an older and less advanced protocol than DHCP (with the resulting problems), and furthermore not all systems can support said protocol.
Control of information flows: The DHCP server usually uses UDP ports 67 and 68 for receiving and sending data to the clients. Said flows can be controlled by a firewall, but this does not rule out network intruders who can capture the packets carrying said sensitive information, which can be used for passing oneself off as a client. Currently, the only mechanism offering control against this type of intrusion would be the integration of an IDS or intrusion detector, with the resulting cost, which in some cases is not worthwhile due to the size and shape of the network.
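The malicious-server and information-flow problems listed above can be watched for on the wire. The following Python snippet is an added example written for this edit (not code from the original text or from any product it describes): it parses the fixed DHCP header and its TLV options as laid out in RFC 2131/2132, selects DHCPOFFER messages, and reports any offer whose Server Identifier (option 54) is not an authorised server. The sample packets, the client MAC and the server addresses are constructed here; a real deployment would feed it UDP port 67/68 payloads captured at the access switch.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
OPT_PAD = 0
DHCPOFFER = 2


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode the fixed BOOTP/DHCP header and the TLV option list."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(IPv4Address(payload[16:20])),
        "siaddr": str(IPv4Address(payload[20:24])),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr),
        "options": options,
    }


def find_rogue_offers(payloads: Iterable[bytes], authorised: Set[str]) -> List[str]:
    """Return server identifiers of DHCPOFFERs that did not come from an authorised server."""
    rogue: List[str] = []
    for payload in payloads:
        msg = parse_dhcp(payload)
        opts = msg["options"]
        if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
            continue
        server_id = opts.get(OPT_SERVER_ID)
        # An offer without option 54 is itself suspicious; fall back to siaddr.
        server = str(IPv4Address(server_id)) if server_id else msg["siaddr"]
        if server not in authorised:
            rogue.append(server)
    return rogue


def build_offer(xid: int, client_mac: bytes, offered_ip: str, server_ip: str) -> bytes:
    """Construct a minimal DHCPOFFER payload (test data for this example only)."""
    header = struct.pack("!BBBBIHH", 2, 1, len(client_mac), 0, xid, 0, 0)
    header += b"\x00" * 4                       # ciaddr
    header += IPv4Address(offered_ip).packed    # yiaddr
    header += IPv4Address(server_ip).packed     # siaddr
    header += b"\x00" * 4                       # giaddr
    header += client_mac.ljust(16, b"\x00")     # chaddr
    header += b"\x00" * (64 + 128)              # sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed sample: one offer from the legitimate server, one from an unknown host.
CLIENT_MAC = bytes.fromhex("001122334455")
AUTHORISED_SERVERS = {"192.0.2.1"}
SAMPLE_OFFERS = [
    build_offer(0x1234, CLIENT_MAC, "192.0.2.50", "192.0.2.1"),
    build_offer(0x1234, CLIENT_MAC, "192.0.2.200", "192.0.2.250"),
]

if __name__ == "__main__":
    for server in find_rogue_offers(SAMPLE_OFFERS, AUTHORISED_SERVERS):
        print(f"unexpected DHCPOFFER from {server}")
```

The parser stops at the End option and skips Pad bytes, which is what makes it robust to the variable-length option area that follows the 236-byte fixed header and the 4-byte magic cookie.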
Firewalls are the most widely used elements for establishing security. They are based on the fact that all the incoming or outgoing traffic of a network must pass through them, and they impose a series of security policy filters. However, these elements are far from being the final solution to the security problems, since they have various vulnerabilities.
The greatest limitation of a firewall is the security gaps it leaves and which an intruder can discover. Firewalls are not smart systems; they act according to parameters entered by the designer and the administrator, and if an information packet does not fall within these parameters as a risk threat, they simply let it pass through. It is even more dangerous when the intruder leaves back doors which open a different gap, and deletes the evidence or signs of the original attack.
Another limitation of the firewall is that if an intruder successfully enters the organization, finds out the password or the gaps of the firewall and spreads this information, the firewall will not be aware of it. Furthermore, firewalls only protect networks and devices; they do not protect users or physical people. Nor does the firewall provide tools against the infiltration of software or virus-infected files, although it is possible to provide the system where the firewall is housed with a suitable antivirus.
Furthermore, firewalls do not protect people inside the network and do not act suitably against techniques such as social engineering and insider attacks.
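One concrete form of the "simply let it pass through" limitation described above is a rule set whose default action is allow. The Python snippet below is an added example written for this edit (not code from the original text): a first-match rule engine evaluated twice over the same constructed traffic, once with the permissive default and once with an explicit default deny, so that a packet no rule anticipated is dropped instead of passed. The addresses, ports and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR the source address must fall in
    dst: str                      # CIDR the destination address must fall in
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Dict[str, object]) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


class Firewall:
    """First matching rule wins; the default applies when no rule matches."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        if default not in ("allow", "deny"):
            raise ValueError("default must be allow or deny")
        self.rules = rules
        self.default = default

    def decide(self, pkt: Dict[str, object]) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed policy: the administrator only thought about the web server.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    Rule("deny", "0.0.0.0/0", "192.0.2.10/32", "tcp", 23),
]

# Constructed traffic: the last packet targets a host and service no rule mentions.
PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 23},
    {"src": "203.0.113.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 3389},
]


def compare_defaults(rules: List[Rule], packets: List[dict]) -> Dict[str, List[str]]:
    """Decide every packet under both defaults so the difference is visible."""
    return {
        default: [Firewall(rules, default).decide(p) for p in packets]
        for default in ("allow", "deny")
    }


if __name__ == "__main__":
    for default, verdicts in compare_defaults(RULES, PACKETS).items():
        print(f"default {default}: {verdicts}")
```

Under the permissive default the third packet reaches a host the administrator never wrote a rule for; under default deny it is dropped, which is the usual remedy for the gap the text describes, although it does nothing for traffic that does match an allow rule.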
On the other hand, there are authentication servers or systems, or NAS (Network Access Servers), which are access network servers at the initial point of entry to a network for most users of network services. The NAS is the first device in the network providing services to the end user and acts as an entry door for all additional services, applying certain policies for authenticating the users who wish to access the network. Some of the authentication systems widely used today include KERBEROS, RADIUS or TACACS, for example. However, all the authentication systems existing today have serious limitations.
In summary, it can be said that all the elements and mechanisms forming part of network access security (for example, routers, switches, firewalls, authentication systems, antivirus) have serious security limitations and vulnerabilities. Furthermore, most of these elements/mechanisms have not evolved at all in the last decade (at least not from the viewpoint of managing and improving security). There is therefore a need to provide a global and effective solution completely covering the current needs of the user and of the devices of the network, without the limitations and vulnerabilities of the access elements/mechanisms existing today.