The proliferation of mobile devices, from tablets to smartphones, means more and more employees are looking for access to the corporate network using non-corporate devices. How can the IT department keep control, while also keeping end-users happy?
There's no doubt that BYOD presents a significant networking challenge to an organisation. The IT Department is faced with securely serving access to non-corporate devices, in order to ensure end-users can safely use their device of choice.
In this blog I'm going to look at how the enterprise can roll out a rational network access control (NAC) policy. In our work with eircom customers, we often find that a NAC policy has been on the to-do list in the past, but has never been driven forward because of a number of challenges:
None of these elements is a deal-breaker, however. The technologies behind NAC are more mature, inline appliances are no longer needed, and the benefits in terms of control and risk management are too good to ignore. What's required is good planning, in order to avoid any potential pitfalls and deliver a comprehensive, robust, and secure NAC Architecture.
Divide out the two main elements: Access Control and Posture Assessment
From my experience the best approach is to divide the two main elements of NAC solutions: Access Control and Posture Assessment.
Starting with an Access Control deployment is important: it forces out many of the policies, processes and design decisions required for both phases of the NAC deployment.
Base the deployment on an 802.1X architecture. Most network-connected devices support 802.1X as an authentication mechanism; where they don't, the usual workaround is MAC Authentication Bypass (MAB), in which the switch submits the device's MAC address as its only credential. Because a MAC address can be set by any host, MAB exceptions should be kept to a minimum, tracked, and placed in restricted VLANs.
With most LAN deployments, the access control phase can be achieved with the existing LAN switching platforms acting as 802.1X authenticators and a centralised authentication (RADIUS) server, which may leverage Active Directory for user and machine credentials and a PKI for certificate-based authentication (EAP-TLS). In many organisations this architecture is already in place to secure the wireless network, and the task is to extend the solution to the wired LAN and VPN.
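The exchange between a switch and the centralised authentication server in this architecture is RADIUS (RFC 2865), and the MAB fallback mentioned above is simply an Access-Request whose User-Name and User-Password are both the MAC address. The following Python is an added example, not code from the original post or from any vendor product: it encodes and decodes that exchange for both sides, including the User-Password obfuscation, the Message-Authenticator (RFC 3579) that a server should require on every request, the Response Authenticator check the switch must perform, and the tunnel attributes that carry the VLAN assignment. The shared secret, NAS address, MAC allow-list and VLAN number are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, MESSAGE_AUTHENTICATOR = 64, 65, 81, 80


def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict[int, bytes]:
    """Attribute TLVs -> {type: value}; rejects malformed lengths instead of reading past the end."""
    out, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return out


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decrypt_user_password(enc: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        out += _xor(enc[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, station, req_auth=None):
    """Switch side. Message-Authenticator is HMAC-MD5(secret) over the packet with its own value zeroed."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, encrypt_user_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + attr(CALLING_STATION_ID, station)
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), req_auth


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side. Returns False when the attribute is absent: such requests should be rejected."""
    i = 20
    while i + 2 <= len(pkt):
        code, ln = pkt[i], pkt[i + 1]
        if ln < 2:
            return False
        if code == MESSAGE_AUTHENTICATOR and ln == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += ln
    return False


def build_response(code, ident, secret, req_auth, attrs=b""):
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(resp: bytes, secret: bytes, req_auth: bytes) -> bool:
    """Switch side: the reply must be bound to our Request Authenticator and the shared secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def mab_exchange(mac: str, secret: bytes, allowed: set[str], vlan: str = "300") -> dict:
    """Both halves of a MAB authentication. `allowed` stands in for the server's MAC allow-list (assumption)."""
    ident = 7
    req, req_auth = build_access_request(ident, secret, mac.encode(), mac.encode(), "10.0.0.2", mac.encode())
    # --- server ---
    attrs = parse_attrs(req[20:])
    ok = verify_message_authenticator(req, secret)
    pw = decrypt_user_password(attrs[USER_PASSWORD], secret, req[4:20]).decode()
    if ok and pw == attrs[USER_NAME].decode() and pw in allowed:
        vlan_attrs = (attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))          # tag 1, type VLAN
                      + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big"))  # tag 1, IEEE-802
                      + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode()))      # tag 1, VLAN id
        resp = build_response(ACCESS_ACCEPT, ident, secret, req[4:20], vlan_attrs)
    else:
        resp = build_response(ACCESS_REJECT, ident, secret, req[4:20])
    # --- switch ---
    if not verify_response(resp, secret, req_auth):
        return {"accepted": False, "vlan": None, "reason": "bad Response Authenticator"}
    if resp[0] != ACCESS_ACCEPT:
        return {"accepted": False, "vlan": None, "reason": "rejected"}
    return {"accepted": True, "vlan": parse_attrs(resp[20:])[TUNNEL_PRIVATE_GROUP_ID][1:].decode(), "reason": "mab"}
```

Two things worth noticing: the server has no way to tell a genuine printer from a laptop that has copied the printer's MAC address, which is why the text above says MAB should be minimised; and both authenticators are MD5-based, so a server that does not insist on Message-Authenticator (the 2024 Blast-RADIUS attack targeted exactly that gap) and a switch that does not verify the Response Authenticator are trusting the network path rather than the server.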
Now that you have control over what devices connect to your network and with what level of access, the next step is adding a level of intelligence about the device state and posture to the Access Control decision tree.
Posture assessment determines whether a device is clean of malware and suspicious applications, and is suitably patched, before it is admitted to the network. It has traditionally been achieved with an agent installed on the endpoint. This approach is generally acceptable for PCs, and is emerging for the major tablet operating systems, but it breaks down for IP phones, smartphones and utility devices (printers, CCTV, time clocks and so on) that cannot run an agent.
The latest solutions use device profiling and monitoring techniques to ascertain what a device is and how it is behaving. Profiling is based on the MAC address (vendor OUI), the content of DHCP requests, and traffic patterns; this means the reach of NAC and posture assessment now extends beyond the realm of PCs.
In some instances, device profiling is being implemented in the LAN Switching platforms, removing the need to back-haul traffic to the centralised server for analysis.
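The two ideas above, adding device state to the access control decision tree and profiling agentless devices from their MAC address and DHCP requests, fit together as follows. This Python is an added example written for this post, not code from the original or from any NAC product: it parses a raw DHCP message, profiles the sender by vendor class (option 60) and parameter request list (option 55), cross-checks that against what the MAC OUI claims, and then makes the VLAN decision. The OUI table, the fingerprint table (apart from the widely documented Windows "MSFT 5.0" pattern), the VLAN numbers and the DHCP packets it builds are constructed for the demo; a real deployment loads the IEEE OUI registry and a maintained fingerprint database.

```python
import struct
from typing import Optional

# Constructed sample tables (assumption). The aa:bb:xx prefixes are placeholders, not real OUI assignments.
OUI_CLASS = {
    "00:50:56": "vm-host",    # VMware (real OUI)
    "aa:bb:01": "ip-phone",   # placeholder
    "aa:bb:02": "printer",    # placeholder
}
# (Vendor Class Identifier prefix, Parameter Request List, device class). Constructed for the demo.
DHCP_FINGERPRINTS = [
    ("MSFT 5.0", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252), "windows-pc"),
    ("ExamplePhone", (1, 66, 6, 3, 15, 150, 35), "ip-phone"),
    ("ExamplePrinter", (1, 3, 6, 12, 15, 28, 42), "printer"),
]
DHCP_MAGIC = b"\x63\x82\x53\x63"
VLAN = {"corporate": 100, "remediation": 200, "voice": 300, "printers": 310, "quarantine": 999}


def parse_dhcp_options(pkt: bytes) -> dict[int, bytes]:
    """Options from a raw BOOTP/DHCP message: 236-byte fixed header, magic cookie, then TLVs."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:           # End option
            break
        if code == 0:             # Pad option
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[code] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return opts


def client_mac(pkt: bytes) -> str:
    return ":".join(f"{b:02x}" for b in pkt[28:34])   # first 6 bytes of chaddr


def profile_by_dhcp(opts: dict[int, bytes]) -> Optional[str]:
    vendor = opts.get(60, b"").decode("ascii", "replace")
    prl = tuple(opts.get(55, b""))
    for prefix, fingerprint, cls in DHCP_FINGERPRINTS:
        if vendor.startswith(prefix) and prl == fingerprint:
            return cls
    return None


def profile_by_oui(mac: str) -> Optional[str]:
    return OUI_CLASS.get(mac[:8].lower())


def build_discover(mac: str, vendor_class: str, prl: tuple[int, ...]) -> bytes:
    """Constructed DHCPDISCOVER, standing in for captured traffic."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
              + b"\x00" * 16 + chaddr + b"\x00" * 192)                     # ciaddr..giaddr, chaddr, sname, file
    options = (bytes([53, 1, 1])                                           # DHCP Message Type: DISCOVER
               + bytes([60, len(vendor_class)]) + vendor_class.encode()
               + bytes([55, len(prl)]) + bytes(prl) + b"\xff")
    return header + DHCP_MAGIC + options


def access_decision(auth_method: str, dhcp_pkt: bytes, posture: Optional[str]) -> dict:
    """auth_method is 'dot1x' (credential or certificate verified by the RADIUS server) or 'mab'."""
    mac = client_mac(dhcp_pkt)
    dhcp_class = profile_by_dhcp(parse_dhcp_options(dhcp_pkt))
    oui_class = profile_by_oui(mac)
    if auth_method == "dot1x":
        if posture == "compliant":
            return {"vlan": VLAN["corporate"], "reason": "802.1X ok, posture compliant"}
        return {"vlan": VLAN["remediation"], "reason": f"802.1X ok, posture {posture or 'unknown'}"}
    # MAB: the only 'credential' is a MAC address, which any host can set, so corroborate it.
    if dhcp_class is None or oui_class is None:
        return {"vlan": VLAN["quarantine"], "reason": "MAB device could not be profiled"}
    if dhcp_class != oui_class:
        return {"vlan": VLAN["quarantine"],
                "reason": f"MAC claims {oui_class} but DHCP looks like {dhcp_class}: possible spoof"}
    if dhcp_class == "ip-phone":
        return {"vlan": VLAN["voice"], "reason": "profiled IP phone"}
    if dhcp_class == "printer":
        return {"vlan": VLAN["printers"], "reason": "profiled printer"}
    return {"vlan": VLAN["quarantine"], "reason": f"no MAB policy for {dhcp_class}"}
```

The point of the cross-check is the failure mode the text hints at: a laptop that clones a phone's MAC address passes MAB, but its DHCP request still looks like a Windows machine, so the mismatch sends it to quarantine rather than the voice VLAN. Where profiling runs on the switch itself, as the paragraph above describes, the same comparison can be made without back-hauling the DHCP traffic.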
To minimise the impact on end users of enabling posture assessment:
Pilot the solution with a friendly control group to iron out the user-facing activities and processes before it is enforced more widely.
NAC: whatever you do, don't ignore it
NAC is an extremely strong security tool, especially now in the bring-your-own-device era. If your organisation hasn't progressed its NAC policy, it's probably time to revisit. Implementation is likely to be smoother than you think, given that the technology has progressed and the methodology for rollout is now well proven. What are you waiting for?
In my next blog, covering the benefits of Security Information and Event Management, I will explain why 802.1X also provides a rich seam of information for log correlation and the triage of security incidents.
Martin Carry is eircom's Security Solutions Principal.