Recently I was talking to the network manager of a school district in Georgia. The district had just experienced a large-scale malware attack. It started in the transportation department, which had refused to let go of some outdated machines that were susceptible to the EternalBlue Windows vulnerability, made famous by the WannaCry and NotPetya file-encrypting malware attacks last summer.
Several Trojans then took advantage of the web of shared files, spreading cryptocurrency-mining malware throughout the department. Banking Trojans were then introduced, and soon an administrator password was recorded and compromised. The malware began proliferating throughout the school system, taking advantage of devices that were behind on their endpoint protection updates. As the district has a successful one-to-one program with more than 13,000 laptops, the malware had plenty of potential targets. Slowly and methodically it grew, consuming the processing power of servers and client devices and capturing account credentials as users interacted with the machines. By the time the full ramifications had come to light, the only available option was to bring in additional resources to clean servers and reset or re-image workstations.
The district’s enterprise infrastructure consisted of hundreds of Aruba switches along with Aruba Instant Access Points. It’s just too bad they didn’t have ClearPass to complement and secure that infrastructure. Many people think of Aruba ClearPass as a system for onboarding and authorizing BYOD and guest devices. Others know it as a Network Access Control (NAC) solution. While those are important components of Aruba ClearPass, they sell this multifaceted solution well short. ClearPass is a policy management platform that gives you broad visibility throughout your enterprise and offers a suite of tools to protect your networks and the infrastructure that supports them.
Identifying what is on your network
One problem for the school district was that it could not know exactly what was on its network. While the IT staff was able to discern from SCCM logs where the virus started, oftentimes organizations simply have no idea. Was the malware introduced through a domain-joined device, a guest device, or a smartphone that someone brought in anonymously? Anonymity is a thing of the past with ClearPass, because every device is required to check in and identify itself, whether connected via wired, wireless, or VPN. Access control policies then state whether a device may join or not. All of this is performed in an automated fashion requiring little IT involvement. With Aruba ClearPass, you always know what and who is connected to your network, with very little time invested.
Creating profiles for all of your devices
Once connected, a profile is created within ClearPass for every device. In this case, the IT department would have been reminded every day about the outdated operating systems that were vulnerable to the EternalBlue exploit. They would have known the operating system, hostname and MAC address of each and every device on the network. A built-in certificate authority issues certificates that identify and keep track of devices while they are connected.
Health Checks and Posture Assessments
Malware only requires a minimal window of vulnerability to infect a network and spread. This is why it is so imperative that all connected devices are up to date on endpoint protection and operating system updates. In an organization with thousands of devices, how do you know whether they are all in compliance? With Aruba ClearPass, there is no more uncertainty about outdated systems. Every time a device attempts to connect, it is checked against all the security criteria set forth by your IT department, including minimum standards for endpoint protection, updates and firewall activation. This is done through persistent or dissolving agents that support both automatic and manual remediation. ClearPass then continues to perform health checks and posture assessments in order to identify weak and vulnerable devices, because it only takes one exploited device to bring down your entire network.
Although this malware attack infiltrated domain-joined devices from the start, it is your guest network that is the most vulnerable. But how do you segment your guest network without a complicated tangle of VLAN switch-port assignments and AP access control lists? With ClearPass, VLAN segmentation is done dynamically with little configuration. All devices in the guest category are automatically placed into a separate VLAN that is routed straight to the internet, without complicated manual configuration. With what are referred to as “colorless ports,” devices are assigned to VLANs according to enforced policies, not static port placement.
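To make the mechanism described in the two sections above concrete, here is an added illustrative model (my own Python, not ClearPass code or its API) of a posture check feeding a policy-based VLAN assignment. The device categories, the MS17-010 hotfix check, the three-day definition-age threshold and the VLAN names are assumptions chosen for the example.

```python
"""Illustrative NAC posture-to-enforcement model (constructed example, not ClearPass code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Operating systems out of vendor support; the "outdated machines" in the story
# that remained exposed to EternalBlue fall into this category (assumed list).
END_OF_LIFE_OS = {"Windows XP", "Windows Server 2003", "Windows Vista"}
MAX_AV_DEFINITION_AGE_DAYS = 3   # assumed IT-department threshold


@dataclass
class Endpoint:
    mac: str
    category: str                  # "domain", "guest", or "unknown"
    os: Optional[str] = None
    hotfixes: Set[str] = field(default_factory=set)
    av_definition_age_days: Optional[int] = None
    firewall_enabled: Optional[bool] = None


@dataclass
class Decision:
    vlan: str                      # "corp", "guest", "quarantine", or "deny"
    reasons: List[str]


def posture_failures(ep: Endpoint) -> List[str]:
    """Return the health-check criteria the endpoint fails (empty list = compliant)."""
    failures = []
    if ep.os in END_OF_LIFE_OS:
        failures.append("end-of-life operating system")
    if ep.os and ep.os.startswith("Windows") and "MS17-010" not in ep.hotfixes:
        failures.append("missing MS17-010 (EternalBlue) patch")
    if ep.av_definition_age_days is None or ep.av_definition_age_days > MAX_AV_DEFINITION_AGE_DAYS:
        failures.append("endpoint protection definitions out of date")
    if not ep.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def enforce(ep: Endpoint) -> Decision:
    """Assign a VLAN by policy ("colorless port"), not by the physical port the device used."""
    if ep.category == "unknown":
        return Decision("deny", ["device did not identify itself"])
    if ep.category == "guest":
        return Decision("guest", ["guest category: internet-only VLAN"])
    failures = posture_failures(ep)
    if failures:
        return Decision("quarantine", failures)   # remediation network only
    return Decision("corp", [])
```

A re-check on each reconnect, as the text describes, is just `enforce()` run again against the device's current posture, so a machine that falls behind on updates moves from the corporate VLAN to quarantine without anyone touching a switch port.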
Wired 802.1X Authentication
Although ClearPass is correctly associated with wireless device management, it provides important management and security features for wired workstations, servers, and IoT devices as well. ClearPass incorporates 802.1X authentication methods so that the only wired computers that can gain access to your network are the ones that have LDAP or similar accounts. Wired devices can then be assigned policies as well.
Protect your dynamic enterprise network of devices
ClearPass is the policy management platform you need to identify, enforce, and protect your network devices. There is nothing static about your network, so why would you continue to depend on static configuration tools and methods to manage it? We can never know whether ClearPass could have prevented the malware attack mentioned earlier, but it would have given IT the information and visibility into their devices to have at least contained it.
Next Steps: Talk to the Aruba experts at WEI to better understand how a solution like ClearPass can benefit your business. As an award-winning IT solutions provider, WEI can perform a wireless network assessment to detect how well your current wireless solution is performing and can help identify any gaps in coverage. Click below to learn more and get started with an assessment.