Securing the enterprise is an evolving challenge today. In order to effectively manage today’s enterprise, you must be able to draw a complete picture of everything connected to your network. Enterprises are implementing a Network Access Control solution (NAC) to identify, assess, and enforce access control on any and all devices before they connect to the network. A NAC solution provides the basic necessity of knowing what devices IT is tasked with securing. A NAC solution can identify and profile each subsequent device wanting to connect, as well as:
- Perform health check assessments
- Enforce access control policies
- Conduct remediation tasks in many cases
NAC is most commonly perceived as a solution for bring your own device (BYOD) environments. While there are other applications for NAC, there are good reasons why it is used for BYOD. NAC solutions are usually associated today with BYOD environments because users regularly bring external devices into the enterprise, consider a higher educational institution. Aruba ClearPass is the leading NAC solution today that provides a self-service portal that guides users through the process of connecting personal or non-enterprise devices without IT involvement or intervention.
But the need for NAC solutions such as ClearPass exceed far beyond BYOD environments. It isn’t just mobile that is rapidly increasing the attack surfaces of enterprises today. It’s also those little black box like devices that are cropping up throughout companies and organizations, otherwise known as IoT devices. These non-standardized devices are difficult to identify because there are so many types of devices and they're manufactured by so many different vendors. And then there is the issue of security—of course! According to Peter Newton, senior director of product marketing at Fortinet, “Many IoT devices are inherently untrustworthy because they weren't designed with security in mind due to their low cost.” He goes on to refer to them as “headless,” meaning that these devices often lack any authentication or methodology to log on to the device. As a result of companies deploying so many IoT device types throughout their networks at an accelerating pace, companies such as Aruba, Fortinet and Cisco have introduced next generation NAC solutions that are designed to accommodate device conglomerations of all types, IoT being one of them.
There is no doubt that IoT devices are a different breed of device and concern about their inherent vulnerabilities is a legitimate concern in the IT community. According to a survey posted in CSO Magazine in September of 2018, only 10 percent of IT managers reported being fully confident that they knew all of the IoT devices on their networks. An alarming 64 percent responded that they either had no level of confidence or very little. In a recent Ponemon Institute’s report concerning the era of IoT and the security gap it contributes to, 66 percent of respondents say their organizations are unable to or have a low ability to secure their IoT devices and apps. Only 24 percent of respondents say their organization’s IoT devices are appropriately secured with a proper security strategy in place. More than half stated that visibility was essential for detecting attacks and 41 percent said that NAC is important for addressing IoT risks.
Both Fortinet and ClearPass each have NAC solutions that use “collectors” in order to discover all endpoints on your network rather than relying on a database or endpoint agents. These collectors or data sources include but are not limited to RADIUS, SNMP, DHCP and LDAP. An example of the many data sources that FortiNAC uses is shown below.
Both ClearPass and FortiNAC then create profiles for each device in order to identify, categorize it and even create separate security domains for them. This ability to segment IoT devices increases the security of the network and therefore the confidence in the enterprise. With a NAC solution, the issues of who, when, where and how IoT devices are connect to your network are no longer unanswered questions. NAC goes beyond adding clarity and visibility however. NAC also conducts pre and post connection assessments of all access controlled devices according to policies that enforce security measures in dynamic fashion according to slated criteria.
Although mobile and IoT devices get most of the focus when discussing NAC, solutions such as Aruba ClearPass are ideal for securing wired traditional networks as well. Rather than using the cumbersome process of MAC filtering in order to secure switch ports, ClearPass uses a single RADIUS 802.1x authentication solution to ensure that only authorized devices and users can connect to your network drops. Today’s NAC solutions can provide visibility into your VPN connections as well, identifying remote devices to better secure your network.
The concept of access control may seem overly simple and old fashioned, but keeping intruders and unauthorized parties out is at the core of any type of security strategy. The concept of NAC today is the same as it was more than a decade ago, yet the justification and rationalization for implementing a NAC solution is even more relevant today. You could say that NAC is back, a proven technology that is ideally suited for today’s mobile and IoT environments. Talking to a technology partner like WEI can help organizations get started with NAC.
Next Steps: Sign up for a wireless network assessment that covers RF coverage maps, RF analysis, capacity plans, channel plans, access point installation recommendations, and more!