Data has become an essential foundation and driver of new business models in almost every industry. Therefore, securing the corporate network where this data resides is a crucial aspect of the IT security strategy. The network serves as a first and important line of defense against attackers who want to gain access unnoticed, or for securing potential vulnerabilities. Due to the increased use of network-enabled devices and the use of Bring Your Own Device (BYOD), the potential for danger rises continuously.
Against this background, the use of a solution for Network Access Control (NAC) can be part of the IT security strategy. NAC acts as a kind of “doorman” of the network that closely monitors every access and device and prevents anything from going wrong or giving someone unauthorized access to sensitive areas of the network connections. However, there are some things to consider and consider when choosing and implementing a NAC solution.
The agony of choice
At the beginning is the choice of the fundamental solution approach. In principle, this raises the question of how far can be intervened in existing infrastructures. Hardware-based concepts demand either to convert the entire computer network to the components of a manufacturer or to distribute appliances throughout the network. This usually means costly, costly interventions in the existing infrastructure. In addition, the complete coverage of the network is not absolutely guaranteed. The latter also applies to the installation of software on all clients.
A veritable way is, therefore, to completely separate from the circumstances of the devices and to choose a hardware-independent approach. On the one hand, existing investments in the infrastructure are protected and on the other hand, the risk of gaps in protection is eliminated. Here, solutions based on SNMP (Simple Network Management Protocol) or SSH (Secure Shell) can be used to communicate with all switches and routers in the network – regardless of which manufacturer and how up-to-date the components are.
Any device connected to and communicating with a switch port is detected immediately. The basic identification of the devices is done originally via the MAC address. However, since it is now relatively easy to fake, modern solutions compare other criteria such as IP address, host name, operating system and open or closed IP ports in the background to completely prevent address manipulation and other attempts to attack.
At the same time, NAC solutions should meet the requirements for authenticating devices in networks over the IEEE 802.1X standard and, if possible, harness both technologies simultaneously to map infrastructures that themselves only partially meet the requirements. Here, a radius server is included, which makes the decision about granting access on the basis of various criteria such as MAC address, user name/password or certificate. The certificate is the highest level of authentication. Since the access to the network by the switch is made only after confirmation by the Radius server, there are no unused or unsecured ports, as recommended by the BSI.
Do not allow blind spots
In addition to the different approaches, attention should be paid in parallel to the functionalities that a NAC solution should bring. Here are some important selection criteria:
- Visibility: Since you can only protect what you see, both the seamless topological coverage of the network and the ongoing monitoring in real time are essential. The NAC solution should not allow blind spots and really detect any device, no matter where it accesses the network. For the necessary overview, care should be taken to ensure that the NAC solution offers a graphical representation in which all information important to the administrators can be seen at a glance.
- Segmentation: If you do not segment your network with Virtual Local Area Networks (VLANs), access from multiple departments or external parties to multiple internal networks, and thus to unrelated business processes, can occur. NAC can act as a parent that spans and keeps an eye on the entire network. It should be able to operate both static and dynamic VLAN concepts and to be able to map the IEEE 802.1X standard described above (also in mixed operation). Unused ports should be shut down or configured into an “Unassigned VLAN” and made productive only when needed to prevent unwanted access to sensitive network areas. Removals of entire departments,
- Mobility: Visitors, field staff, service providers, suppliers, and customers need different access to different resources in the corporate network. By administering via NAC, the necessary granular level of detail for the access rights can be achieved. Pre-staked VLANs or controls by means of access control lists allow dedicated access rights for each group of visitors, which preclude correspondingly sensitive areas.
- Mobile Device Management (MDM): In BYOD scenarios, NAC can also use the MDM coupled to represent different usage scenarios. The workforce can use the comfort and efficiency of their familiar devices in everyday work without posing a problem for the integrity of the network infrastructure. This ensures both employee satisfaction and the necessary security. And this is how it can be realized: If the devices are managed by an MDM solution, they can be recognized by the connection of the MDM system as an identity source to the NAC solution and authorized for the defined network area. If the employees do not want a management agent on their personal device, they can connect it to the network, whereupon they are connected to a guest portal. There you can log in, register the device and operate it in the dedicated area of the corporate network. By registering, a capable NAC solution can now grant access as long as the credentials are valid. If an employee leaves the company, his personal end devices will automatically no longer have access to the corporate network.
Pay attention to possible backdoors
Although regular patching, up-to-date virus scanners and additional technologies such as desktop firewall, host intrusion prevention or application control offer excellent protection, there are still situations in which the virus scanner can no longer adequately respond to threats. For example, if the antivirus program on terminal reports that malware could not be deleted, that system should be found, quarantined, and cleaned as quickly as possible.
By coupling the antivirus program to the NAC solution, the device automatically detects the situation and directly isolates the device in question. Such unsuitable terminals are then automatically moved by the NAC system to a quarantine or remediation VLAN to update their computer security status in this protected environment. After a successful upgrade or cure, the systems can be immediately reassigned to their original production environment on the network.
Furthermore, when choosing the NAC solution, one should be aware that it can work with other internet security solutions or maintain active technology partnerships to provide comprehensive protection.
Especially in the light of the General Data Protection Regulation (GDPR), not least the solution itself should meet certain standards with regard to its security. Businesses should ensure that they do not have a backdoor that allows third parties (such as foreign intelligence agencies) to potentially bypass the security measures unhindered. Solutions developed usually do not have such a “back door”.
Contact us today to learn about Bleuwire™ services and solutions in how we can help your business.