Wireless Networking

Network Access Control (NAC)

Network Access Control (NAC) – Keeping the Devices and Users Where They Belong

I work in a lot of network environments and I see a lot of different approaches to security and networking. One constant I have found is that all IT professionals struggle to adequately identify and secure the devices that may be on their network. Aside from having insane levels of security and prohibitive onboarding practices for devices, it is almost impossible to dynamically assign network access without the use of a network access control solution. I will dive into the basics with my mostly vendor-agnostic explanation.

What a NAC is

At the most fundamental level, network access control systems are designed to identify devices and users on your network and then do something with that identification. The solution typically integrates with most directory or identity providers and can be used for authentication, authorization, and access (AAA). The system can leverage hard-coded attributes of the user or device and enforce a security posture on them. The NAC can also leverage other components, such as how the device is connecting, where it is connecting from, and other more nuanced dynamic characteristics of the connection and identity.

What the system does with that information is the most important part. As an example, it is rare that every person in a business network should have the same access. However, it is not rare that many people in a department or division have very comparable access or restrictions. Similarly, devices that are generally doing the same job likely require identical network access. If the NAC can leverage user attributes like department or division, then it can use similar attributes for a device: it understands that an HVAC air handler requires the same access that was assigned to the other air handlers sharing the same device attributes.

Enforcement Policies

With what some vendors call roles with enforcement policies, one can automate the application of access based on identity. This allows for a scalable solution that delivers the same application of security without an administrator intervening for every network connection. This concept is called role-based access. I use the term application of security very loosely because each vendor accomplishes this task in a different way. Some tunnel the user traffic to a firewall or wireless controller and apply stateful firewall policies to it. Others change the network or VLAN the device is on so that access is restricted to that network segment. Some rely on client-side software to enforce the role assigned by the NAC.

Other helpful things a NAC can do

- Integrate with endpoint AV software to assess the vulnerability of a client and use that as an attribute for access.
- Apply the same security posture to both wired and wireless clients.
- Centralize the administration and logging for all AAA exchanges.
- Integrate with edge firewalls from Cisco, Palo Alto, Fortinet, and others.

What a NAC is not

A network access control solution is not the panacea that will make all your ailments cease. NACs by themselves hold a great deal of machine learning potential, but they do require some semblance of initial administration to create the logic by which they apply the enforcement of policies. They are not infallible. Like any computing system, they need some TLC when first deployed. Once they are up and running, you can sleep easier at night knowing that there is an intelligent application of security for anything connecting to your network. Here are a few other things they cannot do:

- NACs are not meant for IP address management. I see a lot of people trying to use them for this, and most are ill-suited for the task. Just because it has a record of the IP address does not mean it should be used as a database.
- They are not plug and play. No matter what the vendor tells you, it will be a very involved deployment.
- Not every NAC integrates with every other product. Each vendor has their own special sauce that makes using their NAC with their equipment more appealing. Cisco, HPE Aruba Networking, and Fortinet all have features that are only available when you are using their equipment with their NAC.

Use Cases

I would recommend a NAC to anyone who runs a network with more than 100 users. If we assume that each person will likely have three computing devices, that is 300 end-user devices. With not all of them being corporate-owned and managed, we would need to delineate access for each user group and device type. We would then need to ascertain whether we want to apply different security based on how the device/user connects, or whether the device presents a risk to the company. This sounds like a lot of work, and it can be. But the work would only need to be done one time if we were programming the logic into a NAC solution.

Best application of NACs

- Securing wired ports – We all know that users will bring in devices from home to use, so why not protect your environment from the inevitable.
- Wireless for everybody – Just because a device is connected to the same SSID as all the other devices does not mean it has the same security applied or is on the same logical network.
- Dynamic logins for your most sensitive devices – Securing your switches, routers, and firewalls with RADIUS or TACACS+ is how you protect against getting hacked from the inside.

This is not meant as a comprehensive analysis of each of the major players in the marketplace. In fact, there are some decent open source and free NAC-like products out there that are relatively capable. Most of those do not support machine learning and cannot identify devices very well. However, they can provide authentication and authorization functions. At the very least my hope was to impress upon anyone in the


HPE Aruba Networking’s Network Sensor

HPE Aruba Networking UXI Sensor

In early 2018, HPE Aruba Networking announced they were buying Cape Networks, the developers of the Cape sensor. Rebranded as the HPE Aruba Networking User Experience Insight (UXI), the sensor sits on your network and alerts you whenever your network is having problems. It may not seem like much, but it is an amazing little device that could help IT departments everywhere. When deployed, the HPE Aruba Networking UXI sensor acts like a user on your network, except much smarter. No more complaints that "the internet isn't working". Instead, you get personalized alerts telling you exactly what is going wrong, whether that means DNS is unresponsive or merely yahoo.com is having an outage.

The sensor is designed to work straight out of the box on any network. It just needs to be registered to a dashboard; then give it credentials for the wifi or plug it into the ethernet. It takes so little setup that it can be mailed to a remote site and set up by anyone. All configuration is done in the web portal, and all standard tests and alert thresholds come preconfigured. No setup is even needed, though you can definitely still customize it.

HPE Aruba Networking Dashboard

The dashboard is simple and easy to use, and it gives you access to a lot of information about your network. Hover over any piece on the home page to get alert info, then click to drill down further and see a trove of other information, such as signal strength, channel, response times for things like DNS or DHCP, and even websites if you set them up. The sensor can be configured to check both internal and external services. Whether you use internal websites and fileshares or Google Docs and Microsoft OneDrive, you can test them all to be sure they are up and running. If they aren't, the IT department is the first to know.

Proactive Alerts

Alerts are sent via email whenever certain customizable thresholds are met. This enables IT departments to know about a problem before a user has a chance to report it. They will also know exactly what went wrong without having to hunt around for the cause of the issue. The alert says which service is down, quickly letting IT know whether the entire internet is down or just the DNS service on a server. Website issues can also be shown through the alerts. Knowing exactly what's wrong quickly enables the IT department to address the issue faster, which results in less downtime and fewer unhappy users.

Cloud Accessibility

The dashboard and all data are hosted in the cloud. This allows you to access it anywhere, at any time. No need to be on site to diagnose an issue, and no worries about not being able to see data and alerts while a site is down. Diagnosing issues is half the battle in the helpdesk world. Eliminating this problem enables the IT department to be far more efficient and timely in resolving those issues.

Location, Location, Location

Aruba's UXI sensor should be placed in a spot where wifi is used most, or in problem areas that you would like more information on. It comes with a couple of different ways to mount it, and it can also be set on a desk or table just as easily. A secure mounting bracket can be deployed in public areas without the fear of it disappearing. All it needs is power, either provided by the included power adapter or by a PoE solution. The sensor also isn't just limited to wifi. It works over ethernet as well, so you can check all network connections at once.

A user experience sensor is a valuable tool for any company, small or large. The key feature is that it enhances the response time of any IT department. Faster response times mean less downtime, which means more time your company is running smoothly. The solution is constantly being updated, with more features being added every day to make the jobs of you and your IT department easier.

Contact ProCern for more information on this solution or other networking products for your organization.


Device Visibility, Network Access Control and Attack Response

Increased Vulnerability

Identifying what connects to the network is the first step to securing your enterprise. Control through the automated application of wired and wireless policy enforcement ensures that only authorized and authenticated users and devices are allowed to connect to your network. At the same time, real-time attack response and threat protection are required to secure the network and meet internal and external audit and compliance requirements. Laptops, smartphones, tablets and Internet of Things (IoT) devices are pouring into the workplace. The average employee now utilizes three devices. The addition of IoT increases the vulnerabilities inside the business, adding to the operational burden.

Wired and Wireless Devices

The use of IoT devices on wired and wireless networks is shifting IT's focus. Many organizations secure their wireless networks and devices, but some may have neglected the wired ports in conference rooms, behind IP phones and in printer areas. Wired devices like sensors, security cameras and medical devices force IT to think about securing the millions of wired ports that could be wide open to security threats. Because these devices may lack security attributes and require access from external administrative resources, apps or service providers, wired access now poses new risks. As IT valiantly fights the battle to maintain control, they need the right set of tools: tools that can quickly program the underlying infrastructure and control network access for any IoT and mobile device, known and unknown. Today's network access security solutions must deliver profiling, policy enforcement, guest access, BYOD onboarding and more. They should offer IT offload, enhanced threat protection and an improved user experience.

Mobility and IoT are Changing How We Think About Access Control

The boundaries of IT domains now extend beyond the four walls of the business, and the goal for organizations is to provide anytime, anywhere connectivity without sacrificing security. How does IT maintain visibility and control without impacting the business and user experience? It starts with a 3-step plan.

- Identify – what devices are being used, how many, where they're connecting from, and which operating systems are supported. This provides the foundation of visibility: continuous insight into the enterprise-wide device landscape and potential device security corruption. Knowing which elements come and go gives you the visibility required over time.
- Enforce – accurate policies that provide proper user and device access regardless of user, device type or location; this provides an expected user experience. Organizations must adapt to today's evolving devices and their use, whether the device is a smartphone or a surveillance camera.
- Protect – resources via dynamic policy controls and real-time threat remediation that extends to third-party systems. This is the last piece of the puzzle. Being prepared for unusual network behavior at 3 AM requires a unified approach that can block traffic and change the status of a device's connection.

Organizations must plan for existing and unforeseen challenges. With their existing operational burden, it's not realistic to rely on IT and help desk staff to manually intervene whenever a user decides to work remotely or buy a new smartphone. Network access control is no longer just for performing assessments on known devices before access.

HPE Aruba Networking ClearPass

The stakes are high. It's surprising that more companies have not embraced secure NAC to prevent malicious insiders from causing damage to the enterprise. The use cases are many (control device connectivity, simplify BYOD, secure guest access), and each leads to the same answer: HPE Aruba Networking ClearPass. Over 7,000 customers in 100 countries have secured their network and their business with HPE Aruba Networking ClearPass. They have achieved better visibility, control and response. Shouldn't you? Contact ProCern to find out how you can secure your network.

Fear of Compromised Networks

A Compromised Network Gives All IT Professionals Nightmares

Using Aruba Dynamic Segmentation will help keep the Boogeyman away

One reality terrifying most business owners is the thought of someone compromising their network and their data. Companies spend gratuitous amounts of money and time to protect themselves from cyber threats. They configure edge firewalls and multi-factor authentication mechanisms to protect their most sensitive data in the cloud. The thing that is often left untouched and overlooked is the data ports which are physically accessible to the public. If the business operates in a public or shared office space, the risk of intrusion from an unprotected or unmanaged port is astounding. Aruba Networks has developed a technology that can now extend the same role-based firewall policies that are applied to the enterprise wireless to the wired ports. By enforcing the same role-based policies, administrators can simplify deployment and management while also staying consistent across the network.

Is this a new threat?

In truth, the threat has always existed. The difference is that now more than ever, IoT devices require a hard-wired connection to function. This is because many of them do not support the same security and encryption standards we enforce on the wireless network. Some devices simply require the low-voltage power supplied from the switch port to function. These devices include security cameras, lighting controllers, intelligent HVAC devices and some printers or scanners. Another common scenario is when there is a need for a wired port for a special event. The port is configured for one purpose but then it is forgotten about. Then, anyone who plugs into that port has whatever access it was originally configured for. The reality is that these devices and circumstances are not going away any time soon. The best way to protect the network and the switch ports is to secure and isolate the clients and the devices from your sensitive networks and services.

What have engineers and administrators done about this attack vector?

From a management perspective, port security has always been the bane of network engineers and administrators. It has never been very practical or scalable to deploy. One must define clear attributes to distinguish each device from another. Then, you tell the switch port to change the network the connected device is on, or to simply block the port altogether. Often the unique attributes used to distinguish these devices are easy to counterfeit. Deploying the configuration on only the public-facing ports takes planning and insight, and this often falls through the cracks after the initial deployment. Furthermore, the deployment of these settings must be done on each switch in the environment that may be connected to from a public-facing port. HPE Aruba Networking's Dynamic Segmentation takes a different approach. It unifies policy enforcement and delivers the same seamless experience that people have come to expect of wireless connectivity.

How does it work?

The technology leverages many of the same security and profiling mechanisms that exist in the HPE Aruba Networking wireless world and applies them to the switch port, adding a scalable security solution without the complexities of deploying another costly security product. It works by treating an HPE Aruba Networking network switch like an access point. The switch tunnels the switch port traffic to the Aruba mobility controllers, which profile the connected devices in the same manner they would a wireless client. If the device passes certain authentication criteria, then it is granted the same access as if it were on the wireless network. If the device has certain attributes but does not pass specific authentication criteria, then it is treated differently: it is assigned the same role, and given the same privileges, that it would have received on the wireless network in that state. In isolating these devices or unknown users, we can better protect the environment at large while not limiting the connectivity some users may need.

What else can HPE Aruba Networking Dynamic Segmentation do?

By tunneling the traffic to the mobility controllers, Dynamic Segmentation provides greater visibility of the traffic from IoT devices and guest users on your network. You can enforce a captive portal with email registration for guest users. This can add some accountability to a visiting contractor or guest speaker. If an employee brings in a consumer device from home and plugs it in, you can distinguish what the device is, where it is plugged in and what it is communicating with. The most valuable use case for this technology lies in the constant struggle of BYOD and onboarding of employee devices. If an employee chooses to use their own computing device and company policy allows it, you can check the security posture of the device before granting it access to any resources on your network. Ideally those users would have a policy enforced that allows them to reach only the least sensitive resources and the internet.

Why should network/security engineers and administrators be excited about Dynamic Segmentation?

Unlike traditional port security, which normally relies on 802.1X and RADIUS authentication to authorize access on a single VLAN, Dynamic Segmentation does not require unique network segments to be defined to physically separate users. HPE Aruba Networking uses the term VLAN sprawl to describe the never-ending creation of new VLANs and subnets to create new layer 2 boundaries to physically segment user and device traffic. With this solution, all the unknown devices and users could reside on the same network segment. Because the traffic is tunneled, all of it is subject to deep packet inspection, stateful firewall policies, and layer 7 application visibility including web content filtering. Most IT professionals usually wouldn't believe that their wireless controllers are capable firewalls. They would be wrong where Aruba is concerned. Overall, the solution will simplify your efforts at securing the network edge and unifying security into one manageable platform. Why spend time configuring and deploying a solution that you would have to duplicate with the wireless infrastructure? Save yourself from that spooky nightmare. To learn more, contact ProCern.
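The role-based enforcement described in the NAC post above (attributes such as department, device profile, posture and connection method mapped to a role and an enforcement action) and the Dynamic Segmentation decision just described (an authenticated device gets its normal role, a profiled but unauthenticated IoT device gets a restricted role, an unknown client goes to a captive portal) can both be written down as one ordered policy. The following is an added example, not ProCern's, HPE Aruba Networking's or ClearPass's code; the request fields, role names, profile names and actions are constructed assumptions, and the medium is deliberately ignored so wired and wireless clients get identical treatment.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed request shape: what the NAC knows once authentication (if any)
# and device profiling have run. Field names are assumptions for this example.
@dataclass(frozen=True)
class AccessRequest:
    medium: str                            # "wired" or "wireless"
    authenticated: bool                    # passed the 802.1X/RADIUS credential check
    department: Optional[str] = None       # user attribute from the directory
    device_profile: Optional[str] = None   # profiler result, e.g. "hvac-controller"
    posture_ok: Optional[bool] = None      # endpoint posture/AV result, None = unknown

@dataclass(frozen=True)
class Enforcement:
    role: str
    action: str    # how the role is applied: tunnel, vlan, captive-portal, block
    detail: str

# Device classes the profiler recognises without credentials (constructed list).
KNOWN_IOT = {"hvac-controller", "ip-camera", "lighting-controller"}
# General-purpose endpoints that may self-register through a captive portal.
GUEST_CAPABLE = {None, "laptop", "smartphone"}

def _iot_rule(r: AccessRequest) -> Optional[Enforcement]:
    # Profiled but unauthenticated: a restricted role, never the employee role.
    if not r.authenticated and r.device_profile in KNOWN_IOT:
        return Enforcement(f"iot-{r.device_profile}", "tunnel",
                           "tunnel to controller; allow only the device's management destinations")
    return None

# Ordered enforcement policy: first matching rule wins; the last rule denies all.
POLICY: List[Callable[[AccessRequest], Optional[Enforcement]]] = [
    lambda r: Enforcement("quarantine", "vlan", "remediation VLAN: patch servers and internet only")
              if r.authenticated and r.posture_ok is False else None,
    lambda r: Enforcement("finance", "tunnel", "stateful firewall policy for finance applications")
              if r.authenticated and r.department == "finance" else None,
    lambda r: Enforcement("employee", "tunnel", "standard corporate policy")
              if r.authenticated else None,
    _iot_rule,
    lambda r: Enforcement("guest", "captive-portal", "email registration, internet only")
              if not r.authenticated and r.device_profile in GUEST_CAPABLE else None,
    lambda r: Enforcement("deny", "block", "no matching policy, fail closed"),
]

def decide(req: AccessRequest) -> Enforcement:
    """Evaluate the ordered policy. The medium is ignored on purpose: the same
    role-based enforcement applies whether the client is wired or wireless."""
    for rule in POLICY:
        result = rule(req)
        if result is not None:
            return result
    raise AssertionError("policy must end with a catch-all rule")

def accounting_record(req: AccessRequest, enf: Enforcement) -> str:
    """One centralised AAA log line per decision, for auditing and detection."""
    auth = "authenticated" if req.authenticated else "unauthenticated"
    return (f"medium={req.medium} {auth} dept={req.department} "
            f"profile={req.device_profile} posture={req.posture_ok} "
            f"-> role={enf.role} action={enf.action}")

if __name__ == "__main__":
    samples = [  # constructed connection attempts
        AccessRequest("wired", True, "finance", "laptop", True),
        AccessRequest("wireless", True, "finance", "laptop", True),
        AccessRequest("wired", True, "sales", "laptop", False),
        AccessRequest("wired", False, None, "hvac-controller"),
        AccessRequest("wired", False, None, None),
        AccessRequest("wired", False, None, "unknown-gadget"),
    ]
    for s in samples:
        print(accounting_record(s, decide(s)))
```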


What is Network Access Control and Why do you Need it?

In today’s digitally driven world, businesses are becoming increasingly reliant on network connectivity to operate effectively. But with increased connectivity also comes increased risk exposure. Cyberattacks are on the rise, and more businesses are succumbing to security breaches, data loss, and other security-related issues. In fact, cybercrime damages are expected to reach $10.5 trillion by 2025. Your ability to protect your network from cyberattacks and unauthorized access while maintaining network performance and compliance with regulatory requirements is not a nice-to-have; it’s essential. With a Network Access Control (NAC) system in place, you can safeguard your network infrastructure and your data while maintaining business continuity.

5 Reasons to Implement a Network Access Control System

NAC is a security solution that restricts access to network resources based on users’ identities, roles, and devices. Today, more businesses are turning to NAC solutions, and here’s why:

- Improve security: Cyberattacks are a significant threat to businesses of all sizes. Cyber hackers are always looking for new vulnerabilities that make it easy to install malware, access sensitive data, and disrupt business operations. By preventing unauthorized access to your network to protect sensitive data and prevent malicious attacks, network access control systems provide an added layer of security for greater peace of mind. NAC systems can also be used to enforce security policies that ensure only authorized users can access the network. Even if a cyber hacker gets through one layer of security, they will be faced with additional security measures that make it far more difficult to launch an attack.
- Comply with regulatory requirements: Many industries have strict data protection and privacy regulatory requirements, and failure to comply can result in lofty fines and a tarnished reputation. NAC systems enforce security policies that restrict access to the network based on predefined rules, ensuring only authorized users and devices can access the network. Plus, with the ability to deliver greater visibility and control over all devices that connect to the network, NAC makes it easy for you to monitor and manage the access of devices across the network, and to automatically remove a non-compliant or malicious device. NAC also simplifies auditing and reporting to support various regulations and standards.
- Improve performance: Offering a secure and efficient network environment, NAC solutions can help businesses optimize network performance and productivity. As network traffic increases, performance can take a hit, disrupting operations. By reducing the number of unauthorized devices that connect to the network and ensuring critical business traffic receives priority over non-critical traffic, NAC solutions help to reduce network congestion and boost performance. And with the ability to identify and address issues with connected devices before they create a problem, NAC also improves uptime.
- Simplify network management: NAC solutions offer a centralized approach to network security, making it easy for administrators to control and monitor access to the network and enforce security policies. By automating the process of identifying and authenticating users and devices, NAC eliminates the need for manual configuration and management of network devices, which minimizes the risk of human error, reduces the workload on IT teams, and improves overall network security.
- Boost productivity: NAC solutions ensure only authorized users can access the resources they need, which reduces the risk of data breaches and other security incidents that can lead to network downtime and lost productivity. By providing visibility into all devices that connect to the network, your IT team can quickly resolve issues and enforce security policies, which allows employees to work with confidence and without interruption.

By implementing a NAC system, your IT team can ensure the network is secure, reliable, and always available, while supporting regulatory compliance, network management, and network performance. At ProCern, we can help you protect your network infrastructure, safeguard sensitive data, and maintain business continuity with ClearPass from HPE Aruba Networking, a leading provider of NAC solutions that help businesses secure their network infrastructure while ensuring compliance with regulatory requirements. Providing robust network access control with granular role-based policies for authentication, authorization, continuous monitoring and enforcement, HPE Aruba Networking ClearPass gives you anywhere, anytime connectivity while supporting simplified network security operations and enforcing security policies.