In search of network security and simplicity
- By Ofer Amitai
- Jan 03, 2019
We live today in the world of devices. In almost every enterprise, devices outnumber employees. Obviously, this includes more than just personal computers. Everything is connected these days -- IP phones, the conference room smart TV, the AC systems, the lighting infrastructure and coffee machines. IP addresses rule.
These connected assets have very basic security mechanisms that are easily hackable. In fact, from a security perspective, they are where Windows products were 20 years ago. Internet-of-things manufacturers are using default passwords, there are no lockout mechanisms on brute force and no central updates of firmware. In short: zero cybersecurity awareness.
Clearly, the people in charge of network security must now plan for a new set of threats. For each organization that plan looks a bit different, but it should always surround the “crown jewels” with the appropriate security techniques. For government agencies these jewels would include personally identifiable information on citizen and employees, national security-related information, financial data and mission-critical systems. IT managers must make sure that IoT, bring-your-own and managed devices are not posing a risk to the agency's assets.
The most natural approach is first to understand what assets are on the network and then to take the required measures to protect them. Both steps entail deploying a network-access control solution. NAC is not just about blocking or allowing access to the network; it has evolved far beyond that in recent years. Still, not all NAC solutions are born equal. Here are the seven the most important capabilities agencies should focus on when choosing an NAC solution.
1. Real-time network and endpoint visibility. This means endpoint visibility of all managed devices -- BYOD or IoT -- as well as discovery capabilities in real-time, in and outside the enterprise perimeter. There must be universal coverage for any endpoint on the network with in-depth information on the endpoints. This includes employee workstations, security cameras, printers, smart TVs, smart appliances, private employee devices or anything else. This visibility will show which endpoints are connecting to the network, from what location, the type of devices and OS, if they have the latest security patches and software updates, what processes are currently running, their installed applications, services, certificates, open ports, configuration and much more.
All these capabilities should be available within monitor mode -- without blocking the device.
2. Continuous risk monitoring -- on and off campus. Today’s enterprises have a virtual perimeter that includes all end users connecting to the network, whether they are on or off premises. Continuous device risk-monitoring is a crucial feature because it will provide a risk assessment for each device, at any given moment, as well as the track endpoints in real-time as they are connecting to the network.
3. Simplicity and centralized management. An agency that can’t easily deploy and manage an NAC solution with minimal training and setup cannot afford it, no matter how large the IT budget might be. Consider a solution that has all management features controlled via one simple web interface, without the use of external applications. That alone makes things easier and saves time.
Also look for features that help simplify NAC, such as the ability to deploy from a centralized location without the need to change anything in network architecture, without having to route the traffic through an appliance and without having to mirror the traffic to be able to analyze it.
4. Agentless solution. A cardinal aspect of simplicity can be achieved by using an agentless technology. Having an agent helps manage driver complexity, but many endpoints -- such as IoT devices -- do not support the use of an agent. Therefore, it is important to have a solution that can still provide full visibility and control but does not require the installation of an agent.
5. Flexible/granular enforcement and control. The efficacious NAC solution won’t just block or allow universal network access. IT security teams must have granular control options for a wide variety of situations that include the abilities to quarantine, segment and continuously profile endpoints. Ideally an NAC solution will also assist with remediating devices and bringing them back into a healthy security state. For example, an NAC should be able to restart endpoint detection and response software as well as other actions. At the same time, these actions should not hinder productivity.
Agencies should implement NAC gradually, starting with monitoring mode, continuing with enforcement mode on specified parts of the network and for particular security events, such as a rogue endpoint being discovered. Gradually, agencies can move into full enforcement and add a pre-connect option if required.
Once the IT security team has had a chance to set policies and automated responses for handling rogue and non-compliant devices, it can use automation to control risk before and after onboarding the endpoint. This will save considerable amount of labor and will help with one of the most common challenges in IT security -- not having enough skilled manpower on hand.
6. Vendor-agnostic. Agencies should be able to continue working with any vendor any version of firmware (new or old) as long as it has SNMP or SSH management included. The result: no vendor lock-in and the ability to use existing network infrastructure and third-party security solutions. Be sure the NAC provider works both with or without 802.1X authentication to cover any equipment and any scenario.
It is unrealistic to expect an enterprise to forklift core infrastructure to accommodate security, yet oftentimes trying to match a solution to current infrastructure can be challenging. Clearly, solutions that work with existing infrastructure will allow for easier implementations and a better user experience in the day-to-day usage.
7. Proof of concept. Some vendors promise all sorts of features but, once implementation is under way, the customer finds out that some of its endpoints and network segments are simply not supported. However, by then, the client is locked into a contract. The IT team should always aim to have a proof of concept to verify that the vendor can deliver what the organization requires.
All of these points will help agencies cope with the ever increasing network security complexities and the use of unmanaged connected endpoints on their networks. Having full and in-depth visibility into all endpoints on the network coupled with the ability to take actions will make the solution invaluable. These capabilities are the answer to the new and future threats that IT security teams must deal with. It is time to take back control over the network and all the “IP of things” that are on it.
Ofer Amitai is CEO and co-founder of Portnox.com.