With security now sitting high on every organisation’s priority list, Kathleen Hedde, principal product marketing manager at Aerohive, outlines how the implementation of a Network Access Control (NAC) solution could be the key to defending your network.
In today’s mobile world, companies are seeing an increasing number of devices being added to their network, in the shape of smartphones, tablets and other Internet of Things (IoT) devices. This creates a trade-off between efficiency and security.
Every endpoint brings an opportunity for efficiency gains, but also an increased risk of a network attack. Each connected device presents vulnerabilities that could lead to network breaches, either from inside or outside the organisation.
IT teams face the challenge of securing a large number of device types and user groups. They need to ensure they’re maintaining a diverse network and security infrastructure, all while satisfying their organisation’s need for a leaner IT strategy.
To address this, more organisations are adopting Network Access Control (NAC) solutions, which can effectively tackle both the risk and the growing device population, by securely managing and controlling access to the network.
The traditional definition of a NAC solution is a method of computer network security that combines endpoint integrity checks with an access control mechanism such as 802.1X. However, NAC security has evolved to also encompass guest access management as well as bring your own device (BYOD) and IoT device security.
A standard NAC solution provides endpoint assessment checks to ensure that each device has the required operating system, software patches, and virus signatures. Moreover, access to an enterprise network is controlled using predefined role-based access policies together with an authentication, authorisation, and accounting (AAA) solution.
Authentication, authorisation, and accounting
Authentication, authorisation and accounting is a key computer security concept that defines the protection of network resources.
Authentication is the verification of identity and credentials. Users or devices must identify themselves and present credentials, such as usernames and passwords or digital certificates. More secure authentication systems use multifactor authentication, which requires at least two sets of differing types of credentials to be presented.
Authorisation determines whether the device or user has been authorised access to the network, based on the device type, time of day, or location.
Lastly, accounting refers to tracking the use of network resources by users and devices. This is used to keep a historical trail of who used what resource, where, and when.
Role-based access control
NAC also needs to restrict system access to authorised users. After successful authentication, endpoint devices can be assigned network policies defined by user role, device type, application, time of day, and network location. This ensures that users only have access to the resources they need, and not to potentially confidential or sensitive information.
IT teams should establish a set of rules to check the health and configuration of an endpoint and determine if it should be allowed access to the network.
Posture assessment can be used to ensure endpoint integrity by validating up-to-date versions of device OS, antivirus, antimalware signatures, and application patches. Noncompliant endpoint devices can then be quarantined until they are updated.
Most posture assessments check endpoint integrity with pre-admission checks, before the endpoint is allowed to connect to the network. However, some NAC solutions also offer the capability to perform periodic checks after an endpoint has already joined the network.
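The AAA and role-based access control flow described in the two sections above, as an added example that is not part of the original article or any vendor product: an access request is authenticated (password plus an optional second factor), the endpoint's posture is assessed against a baseline, a role policy decides the VLAN (quarantine for non-compliant devices, deny for out-of-policy requests), and every decision is recorded. The users, roles, VLAN numbers, patch name and baseline values are constructed for illustration.

```python
"""Added example (not from the article or any vendor product): a minimal NAC
admission engine that walks an access request through authentication,
posture assessment, role-based authorisation and accounting.
Users, roles, VLAN numbers and the posture baseline are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

# --- Authentication: constructed credential store with PBKDF2 password hashes ---
_SALT = b"constructed-demo-salt"   # a real store uses a random salt per user

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {  # identity -> (password hash, role, MFA required?)
    "alice": (_hash("correct horse"), "employee", True),
    "bob":   (_hash("contractor-pw"), "contractor", True),
    "guest": (_hash("welcome"),       "guest", False),
}

def authenticate(identity, password, mfa_ok):
    """Return the user's role if identity + credentials verify, else None."""
    rec = USERS.get(identity)
    if rec is None:
        return None
    pw_hash, role, mfa_required = rec
    if not hmac.compare_digest(pw_hash, _hash(password)):
        return None
    if mfa_required and not mfa_ok:   # second factor (e.g. OTP) not presented
        return None
    return role

# --- Posture assessment: constructed endpoint baseline ---
BASELINE = {"min_os": (10, 15), "max_sig_age_days": 3, "patches": {"PATCH-CONSTRUCTED-1"}}

@dataclass
class Endpoint:
    mac: str
    device_type: str            # "laptop", "phone", "tablet"
    os_version: tuple
    av_sig_age_days: int
    patches: set

def assess_posture(ep):
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if ep.os_version < BASELINE["min_os"]:
        failures.append("os-outdated")
    if ep.av_sig_age_days > BASELINE["max_sig_age_days"]:
        failures.append("av-signatures-stale")
    if not BASELINE["patches"] <= ep.patches:
        failures.append("missing-patches")
    return failures

# --- Authorisation: constructed role policies (VLAN, permitted hours, device types) ---
ROLE_POLICY = {
    "employee":   {"vlan": 100, "hours": (0, 24), "devices": {"laptop", "phone"}},
    "contractor": {"vlan": 200, "hours": (8, 18), "devices": {"laptop"}, "on_site_only": True},
    "guest":      {"vlan": 300, "hours": (0, 24), "devices": {"laptop", "phone", "tablet"}},
}
QUARANTINE_VLAN = 999   # remediation network: reach patch/AV servers only

def authorise(role, ep, failures, hour, location):
    """Map an authenticated, assessed request to a VLAN (None = deny)."""
    if failures:
        return QUARANTINE_VLAN, "quarantine: " + ",".join(failures)
    pol = ROLE_POLICY[role]
    if ep.device_type not in pol["devices"]:
        return None, "device type not permitted for role"
    start, end = pol["hours"]
    if not start <= hour < end:
        return None, "outside permitted hours"
    if pol.get("on_site_only") and location != "office":
        return None, "role permitted on-site only"
    return pol["vlan"], "permit"

# --- Accounting: every decision is recorded, permitted or not ---
ACCOUNTING_LOG = []

def admit(identity, password, mfa_ok, ep, when, location):
    role = authenticate(identity, password, mfa_ok)
    if role is None:
        vlan, reason = None, "authentication failed"
    else:
        vlan, reason = authorise(role, ep, assess_posture(ep), when.hour, location)
    ACCOUNTING_LOG.append({"time": when.isoformat(), "user": identity, "mac": ep.mac,
                           "location": location, "vlan": vlan, "reason": reason})
    return {"vlan": vlan, "reason": reason}

def run_demo():
    """Three constructed requests: compliant employee, stale guest tablet, contractor after hours."""
    laptop = Endpoint("aa:bb:cc:00:00:01", "laptop", (11, 2), 1, {"PATCH-CONSTRUCTED-1"})
    tablet = Endpoint("aa:bb:cc:00:00:02", "tablet", (11, 0), 10, set())
    t = datetime(2024, 1, 15, 10, 0)
    return [
        admit("alice", "correct horse", True, laptop, t, "office"),             # vlan 100
        admit("guest", "welcome", False, tablet, t, "lobby"),                  # vlan 999
        admit("bob", "contractor-pw", True, laptop, t.replace(hour=20), "office"),  # denied
    ]

if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
    for entry in ACCOUNTING_LOG:
        print(entry)
```

The order matters: posture is evaluated before the role policy so that a non-compliant device lands in the remediation VLAN regardless of who is logged in, and the accounting record is written even for failed authentications, since the "who tried what, where and when" trail is exactly what incident responders need later.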
Securing IoT and BYOD
Historically, NAC solutions were used to secure wireless devices like laptops, smartphones or tablets, owned by employees or guests. The switch to Wi-Fi as the dominant access method funnelled large numbers of devices onto the network, with a mix of makes, models and operating systems.
In order to effectively secure the network, NAC solutions need to support all wireless corporate, BYOD, guest and IoT devices alike.
Because of the proliferation of personal mobile devices, a BYOD policy is needed to define how employees’ personal devices may access the organisational network.
A modern-day NAC solution must be able to provide access based on predefined policies for BYOD endpoints in addition to company owned devices.
IT administrators need to manage the onboarding, access, and security policies of IoT devices connecting to the company network, most of which are difficult to secure. This is because of the sheer volume of devices, and because their capabilities, operating systems and security functions vary greatly.
At the same time, it is essential that they be provisioned with appropriately restricted network policies, be monitored for unexpected use, and be given periodic threat assessments.
Despite the fact that IoT devices are not user-controlled, modern NAC solutions offer features that can automatically profile and identify IoT and other device types, and then onboard and provision them with IoT-specific network policies. These features significantly increase IoT security and can do so at scale as no IT intervention is required.
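The automatic profiling, IoT-specific provisioning and monitoring for unexpected use described above, as an added example that is not part of the original article or any vendor product: a device is classified from its MAC OUI prefix and DHCP parameter request list (option 55), assigned the VLAN and allowed destinations for its class (or a restricted holding VLAN when no signature matches), and a flow log is then checked against that policy. The OUI prefixes, fingerprints, VLANs, addresses and flow records are all constructed for illustration; a real profiler combines many more signals.

```python
"""Added example (not from the article or any vendor product): automatic
profiling of headless IoT endpoints, provisioning of an IoT-specific policy,
and a check of observed flows against that policy to spot unexpected use.
OUI prefixes, DHCP fingerprints, VLANs, addresses and log lines are constructed."""

# Constructed fingerprint table: (MAC OUI prefix, DHCP option 55 parameter request list) -> class.
# Real profilers combine many signals (OUI, DHCP, mDNS, HTTP User-Agent, traffic patterns).
FINGERPRINTS = [
    ("00:11:22", (1, 3, 6, 42),         "ip-camera"),
    ("AA:BB:CC", (1, 3, 6, 15, 66, 67), "voip-phone"),
    ("DD:EE:FF", (1, 3, 6),             "smart-thermostat"),
]

# Constructed per-class policies: a dedicated VLAN and the only (destination, port) pairs allowed.
IOT_POLICY = {
    "ip-camera":        {"vlan": 410, "allowed": {("10.0.40.5", 554), ("10.0.40.9", 123)}},
    "voip-phone":       {"vlan": 420, "allowed": {("10.0.42.5", 5060)}},
    "smart-thermostat": {"vlan": 430, "allowed": {("10.0.43.5", 8883)}},
    "unknown":          {"vlan": 499, "allowed": set()},   # restricted holding VLAN pending review
}

def profile_device(mac, dhcp_params):
    """Classify a device from its OUI and DHCP fingerprint; 'unknown' if no signature matches."""
    oui = mac.upper()[:8]
    for prefix, params, cls in FINGERPRINTS:
        if oui == prefix and tuple(dhcp_params) == params:
            return cls
    return "unknown"

def provision(mac, dhcp_params):
    """Onboard a device without IT intervention: profile it and assign its class policy."""
    cls = profile_device(mac, dhcp_params)
    return {"mac": mac.lower(), "class": cls, "vlan": IOT_POLICY[cls]["vlan"]}

def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src_mac> <dst_ip> <dst_port>'."""
    ts, src_mac, dst_ip, dst_port = line.split()
    return {"ts": ts, "src_mac": src_mac.lower(), "dst_ip": dst_ip, "dst_port": int(dst_port)}

def audit_flows(assignments, flow_lines):
    """Return the flows that fall outside the provisioned policy of their source device."""
    by_mac = {a["mac"]: a for a in assignments}
    alerts = []
    for line in flow_lines:
        f = parse_flow(line)
        a = by_mac.get(f["src_mac"])
        if a is None:
            continue   # not an endpoint we profiled; out of scope for this check
        if (f["dst_ip"], f["dst_port"]) not in IOT_POLICY[a["class"]]["allowed"]:
            alerts.append({**f, "class": a["class"], "vlan": a["vlan"]})
    return alerts

FLOW_LOG = [  # constructed sample records
    "2024-01-15T10:00:01 00:11:22:33:44:55 10.0.40.5 554",   # camera -> video recorder, expected
    "2024-01-15T10:00:07 00:11:22:33:44:55 192.0.2.10 443",  # camera -> outside host, not expected
    "2024-01-15T10:00:09 AA:BB:CC:00:00:01 10.0.42.5 5060",  # phone -> SIP server, expected
    "2024-01-15T10:00:12 DD:EE:FF:00:00:02 10.0.43.5 8883",  # thermostat -> MQTT broker, expected
    "2024-01-15T10:00:20 12:34:56:00:00:03 10.0.40.5 554",   # unprofiled device in holding VLAN
]

def run_demo():
    """Provision four constructed devices and audit the constructed flow log against them."""
    devices = [
        provision("00:11:22:33:44:55", [1, 3, 6, 42]),
        provision("AA:BB:CC:00:00:01", [1, 3, 6, 15, 66, 67]),
        provision("DD:EE:FF:00:00:02", [1, 3, 6]),
        provision("12:34:56:00:00:03", [1, 3, 6, 42]),   # OUI not in table -> holding VLAN
    ]
    return devices, audit_flows(devices, FLOW_LOG)

if __name__ == "__main__":
    devices, alerts = run_demo()
    for d in devices:
        print(d)
    for a in alerts:
        print("ALERT", a)
```

Two design points carry over to real deployments: an unmatched device gets the most restrictive policy rather than the most permissive one, and the allowed-destination list per class is what turns "monitor for unexpected use" into a concrete check, since a camera that suddenly talks to anything other than its recorder and time server is an alert, not a judgement call.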
Key business network needs
Current networking technology isn’t designed to understand or secure IoT. IT teams need to find a way to onboard numerous devices to the network, monitor them and keep them safe.
It’s imperative businesses consider how they identify and secure every IoT device on their network, to minimise the chance of security breaches.
They should also have infrastructure capable of comprehending what devices should and should not be doing, based on their level of access. This is essential for the modern network.