Key Considerations for Network Access Control (NAC) Architecture in the IoT Era
2019-08-14T09:13:39-04:00

RADIUS-based NAC vs Sensor-based NAC

This article focuses on some of the Pros and Cons of central versus distributed architectures for Network Access Control (NAC) solutions. During the decision-making process when purchasing or implementing a NAC solution, the question of architecture is always at the forefront.

Many factors come into consideration when looking at central versus distributed architecture: cost, implementation complexity, ongoing management, redundancy, connectivity, routing, location of directory or other servers; the list goes on and on. To highlight some of the specific factors and how they translate into real-world considerations, we will compare and contrast a generic RADIUS-based central NAC architecture with the Genian NAC distributed Sensor architecture.

Central RADIUS Architecture

Pros

With a typical centralized RADIUS server architecture, a RADIUS server is deployed in the data center. Network devices such as switches, wireless controllers and/or wireless access points are integrated with the central RADIUS server. At first glance, it is relatively easy to highlight some of the more common Pros of this architecture. Below are a few examples:

  • Only one NAC device / RADIUS server to deploy
  • Only one NAC device / RADIUS server to manage over time
  • Less hardware cost if hardware is deployed
  • Potentially less ongoing maintenance cost depending on licensing

If we peel back the onion and dig deeper, however, this central architecture model introduces several Cons as well. Due to the nature of RADIUS and the centrally deployed architecture, there are requirements, caveats and limitations that must be taken into account.

Cons

A central RADIUS server introduces a Single Point of Failure for network access

  • HA typically then becomes a requirement
  • HA introduces additional cost
  • HA introduces additional complexity
  • Additional complexity means longer implementation

RADIUS requires integration with every network device

  • Every switch, controller or access point requires configuration
  • Every switch, controller or access point must be configured in the RADIUS server
  • Although there are fewer NAC/RADIUS servers to configure and manage, that is offset by the requirement to configure so many network devices

WAN connectivity creates additional configuration and challenges

  • Bi-directional communication for RADIUS traffic must be allowed
  • Firewalls/ACLs must permit authentications from every network device to the RADIUS server
  • Unsolicited RADIUS Change of Authorization (CoA) packets must be permitted through Firewalls/ACLs to all remote network devices
  • In the event of a WAN failure, network devices will not be able to reach the central RADIUS server
  • Some network devices support a critical VLAN or other RADIUS-failure options, but not all do. Either way, this means additional configuration and complexity
  • To overcome the WAN challenges, distributed RADIUS servers would need to be deployed, which negates the original central architecture design
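The firewall and WAN points above can be turned into a pre-deployment check. The following script is an added example, not code from the original article or from Genians: it enumerates the flows a central RADIUS design needs (every network access device to the server for authentication and accounting, and the server back to every device for unsolicited CoA), evaluates them against a firewall/ACL policy with first-match semantics and an implicit deny, and lists the remote sites that would lose access during a WAN failure because their device has no critical VLAN or other RADIUS-dead fallback. The inventory and ACL entries are constructed for illustration; the port numbers are the IANA defaults from RFC 2865, 2866 and 5176, and the CoA port in particular is an assumption, since many devices let it be changed.

```python
"""Pre-deployment check for the centralised RADIUS design described above.

Every network access device (NAD) must reach the central RADIUS server,
and the server must reach every NAD with unsolicited Change of
Authorization (CoA) packets. This script enumerates those flows for a
constructed inventory, reports which ones a constructed first-match
firewall/ACL policy does not permit, and lists which remote sites would
lose access during a WAN failure because their NAD has no RADIUS-dead
fallback. Example code, not part of the original article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed ports: IANA defaults from RFC 2865/2866/5176. The CoA port is
# configurable on many NADs, so 3799 is an assumption to verify per vendor.
RADIUS_AUTH = 1812
RADIUS_ACCT = 1813
RADIUS_COA = 3799
ANY_PORT = 0


@dataclass(frozen=True)
class Nad:
    site: str
    ip: str
    remote: bool         # reached over the WAN from the data center
    dead_fallback: bool  # supports a critical VLAN / RADIUS-dead option


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: int    # ANY_PORT matches every destination port
    action: str   # "permit" or "deny"


def required_flows(radius_server: str, nads: list[Nad]) -> list[Flow]:
    """Three UDP flows per NAD: auth and accounting to the server, CoA back."""
    flows = []
    for n in nads:
        flows.append(Flow(n.ip, radius_server, RADIUS_AUTH, f"{n.site}: authentication"))
        flows.append(Flow(n.ip, radius_server, RADIUS_ACCT, f"{n.site}: accounting"))
        flows.append(Flow(radius_server, n.ip, RADIUS_COA, f"{n.site}: unsolicited CoA"))
    return flows


def first_match(rules: list[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny, as most firewalls do."""
    for r in rules:
        if (ip_address(flow.src) in ip_network(r.src_net)
                and ip_address(flow.dst) in ip_network(r.dst_net)
                and r.dport in (ANY_PORT, flow.dport)):
            return r.action
    return "deny"


def blocked_flows(rules: list[Rule], flows: list[Flow]) -> list[Flow]:
    """Required flows the policy does not permit."""
    return [f for f in flows if first_match(rules, f) != "permit"]


def wan_failure_impact(nads: list[Nad]) -> list[str]:
    """Remote sites that lose network access when the WAN to the server fails."""
    return [n.site for n in nads if n.remote and not n.dead_fallback]


# Constructed sample inventory (not a real network).
RADIUS_SERVER = "10.0.0.10"
NADS = [
    Nad("HQ", "10.0.1.2", remote=False, dead_fallback=True),
    Nad("Branch-A", "10.20.0.2", remote=True, dead_fallback=True),
    Nad("Branch-B", "10.30.0.2", remote=True, dead_fallback=False),
]

# Constructed ACL: the CoA return path toward Branch-B was never added.
RULES = [
    Rule("10.0.0.0/16", "10.0.0.0/16", ANY_PORT, "permit"),   # HQ campus, any port
    Rule("10.20.0.0/16", "10.0.0.10/32", RADIUS_AUTH, "permit"),
    Rule("10.20.0.0/16", "10.0.0.10/32", RADIUS_ACCT, "permit"),
    Rule("10.0.0.10/32", "10.20.0.0/16", RADIUS_COA, "permit"),
    Rule("10.30.0.0/16", "10.0.0.10/32", RADIUS_AUTH, "permit"),
    Rule("10.30.0.0/16", "10.0.0.10/32", RADIUS_ACCT, "permit"),
]


if __name__ == "__main__":
    for f in blocked_flows(RULES, required_flows(RADIUS_SERVER, NADS)):
        print(f"BLOCKED  {f.purpose}: {f.src} -> {f.dst} udp/{f.dport}")
    for site in wan_failure_impact(NADS):
        print(f"WAN-DOWN {site}: no RADIUS-dead fallback, access lost")
```

Run against a real ACL export, the same two lists are the ones to review before cut-over: a missing return rule shows up as a blocked CoA flow for that site (the device will still authenticate, but the server can never revoke or re-authorize a session), and the WAN-failure list names the sites that need either a device with critical VLAN support or a local RADIUS server, which is the point at which the design stops being central.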

Genian NAC Distributed Sensor Architecture – An Alternative Approach

Since Genian NAC Sensors and Policy Servers are not part of the network infrastructure, many of the challenges involved in a RADIUS architecture and implementation are eliminated. Additionally, since the Sensors are centrally managed by a Policy Server, all of the benefits of a central architecture are present without the drawbacks.

Below is a list of some of the benefits provided by the Genian NAC architecture:

  • No Single Point of Failure for network access
    • Policy Servers and Sensors are not part of the network infrastructure
    • This negates the requirement for HA to ensure network availability
    • No HA reduces cost
    • No HA reduces complexity
    • Less complexity means faster implementation
  • Does not require any integration with network devices
    • No switch, controller or access point configuration required
    • Network access devices do not need to be aware of or point traffic to Sensors
    • Although multiple sensors may be present, no integration means easy installation
  • WAN connectivity does not create additional challenges
    • Sensors communicate to Cloud Policy Servers to download policies
    • For On-Prem Policy Servers, Sensors communicate via keepalives
    • No unsolicited RADIUS Change of Authorization (CoA) packets need to be permitted through Firewalls/ACLs
    • In the event of a WAN failure, Sensors operate in Fail Safe mode by default
    • No network access is blocked while in Fail Safe mode
    • A Fail Closed option is available if the desire is to block new devices from the network
  • Ease of Sensor Provisioning
    • Zero Touch Provisioning to Cloud Policy Server
    • Low Touch Provisioning to On-Prem Policy Server
  • Distributed Architecture = Low Cost? – Yes!
    • Sensors can be installed as Virtual Machines
    • Sensors can be installed on almost any Intel physical machine
    • Even an endpoint node with an Agent can act as a Sensor
    • Sensor deployment options offset cost of a typical distributed architecture
    • Licensing not tied to number of Sensors further offsetting cost

In conclusion, the Genian NAC architecture provides a solution that is centrally managed, yet can be deployed in a distributed fashion. With no requirement for HA, no requirement to integrate with network infrastructure, concerns regarding remote site WAN connectivity negated and the ability to deploy rapidly, Genian NAC’s architecture means low overhead for IT and Security teams. Less planning, less design, fewer caveats, ease of provisioning, faster implementation.

What’s New Device Platform Intelligence on Aug 13, 2019
2019-08-13T04:59:23-04:00

Updated Node Types (1 Node Type updated)

  • Old: Printer, New: Mobile Device

Added Platforms (21 Platforms added, by Node Type)

  • Network Appliance (1)
  • Wireless AP Device (4)
  • Switch (1)
  • Security Appliance (2)

Updated Detection Rules (157 Detection Rules updated, by Node Type)

  • Mobile Device (11)
  • Wireless AP Device (2)
  • Security Appliance (2)

Changed Platform Names (1 Platform Name changed)

What’s New Device Platform Intelligence on Aug 6, 2019
2019-08-06T05:06:31-04:00

Added Platforms (34 Platforms added, by Node Type)

  • Mobile Device (12)
  • Wireless AP Device (1)
  • Security Appliance (6)

Updated Detection Rules (361 Detection Rules updated, by Node Type)

  • Mobile Device (111)
  • Network Appliance (2)
  • Wireless AP Device (12)
  • Switch (60)
  • Security Appliance (8)
  • Other (54)

Changed Platform Names (46 Platform Names changed, by Node Type)

  • Mobile Device (12)
  • Security Appliance (8)

Genians Partner Update, July 2019
2019-07-31T15:29:02-04:00

We hope this finds you having an enjoyable and productive summer. For Genians, the last two months have been quite busy, as we’ve participated successfully in three major conference events:
Additionally, we were very pleased to see Genians’ CEO Dong-Bum Lee honored at the 2019 (ISC)² 13th Annual Information Security Leadership Awards (ISLA®) Asia-Pacific Program. All of Team Genians wants to thank you for your important support as we keep moving forward with news such as this.
While we continue to make advances in the global market, we have also made some changes internally:
  • New Genians Solution Architect: I am so glad to announce that Brett Hamill has joined us as our Genians Solution Architect. Brett has tremendous hands-on experience and has gained extensive knowledge of NAC over several decades. Brett will enrich our journey by assisting global partners as needed in responding to the solutions requirements of specific customers and prospects.
  • Genian NAC updates: Over the last two months, we have released two minor updates (5.0.20, 5.0.21) with the following enhancements:
    • Easily navigate details top to bottom by simple scroll in the node view
    • Active Directory user information synchronization improved
    • RADIUS Server improved to display certificate information and restart internal RADIUS server after registering EAP-TLS certificate
    • Control External Device plug-in improved
    • Required Software Check action plug-in improved
    • Mobile App for administrator improved by receiving notification when an (IP/Device) Request or Node change occurs.
    • API Guide for the enterprise edition and your MSSP business
As you know, minor updates are released every month, so please check out our release notes web page to learn more. Soon we will begin providing video content to highlight product updates. So stay tuned!
What’s New Device Platform Intelligence on Jul 30, 2019
2019-07-30T05:41:46-04:00

Updated Node Types (1 Node Type updated)

Added Platforms (55 Platforms added, by Node Type)

  • Mobile Device (9)
  • Network Appliance (2)
  • Wireless AP Device (9)
  • Switch (2)
  • Security Appliance (8)

Updated Detection Rules (403 Detection Rules updated, by Node Type)

  • Mobile Device (23)
  • Network Appliance (6)
  • Switch (18)
  • Security Appliance (18)

Changed Platform Names (65 Platform Names changed, by Node Type)

  • Wireless AP Device (3)
  • Security Appliance (1)
  • Printer (58)

What’s New Device Platform Intelligence on Jul 23, 2019
2019-07-23T05:12:01-04:00

Added Platforms (60 Platforms added, by Node Type)

  • Mobile Device (10)
  • Network Appliance (3)
  • Wireless AP Device (14)
  • Security Appliance (6)
  • Printer (12)

Updated Detection Rules (156 Detection Rules updated, by Node Type)

  • Mobile Device (60)
  • Server (3)
  • Network Appliance (4)
  • Wireless AP Device (14)
  • Switch (3)
  • Security Appliance (9)

Changed Platform Names (8 Platform Names changed, by Node Type)

  • Mobile Device (4)
  • Printer (1)

What’s New Device Platform Intelligence on Jul 16, 2019
2019-07-16T06:05:56-04:00

Updated Node Types (14 Node Types updated)

  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: VOIP
  • Old: Network Appliance, New: VOIP
  • Old: Network Appliance, New: VOIP
  • Old: Network Appliance, New: Wireless AP Device
  • Old: Switch, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router
  • Old: Network Appliance, New: Router

Added Platforms (57 Platforms added, by Node Type)

  • Mobile Device (9)
  • Wireless AP Device (11)
  • Security Appliance (3)

Updated Detection Rules (228 Detection Rules updated, by Node Type)

  • Mobile Device (28)
  • Network Appliance (63)
  • Wireless AP Device (10)
  • Security Appliance (4)

Changed Platform Names (23 Platform Names changed, by Node Type)

  • Server (1)
  • Network Appliance (6)
  • Wireless AP Device (1)
  • Router (10)

Genians Honored at 2019 (ISC)² 13th Annual Information Security Leadership Awards (ISLA®) Asia-Pacific Program
2019-07-10T08:59:36-04:00

North Andover, Mass. – July 10, 2019 – (ISC)² – the world’s largest nonprofit membership association of certified cybersecurity professionals – today announced it has recognized Dong-Bum Lee, Genians CEO, as a 2019 Showcased Honoree in the category of Managerial Professional for an Information Security Project.

As the founder and CEO of Genians since 2005, Dong-Bum has applied his energy and unparalleled experience to propel Genians, its customers, its partners, and even Korean society to the cutting edge of the cybersecurity field by leveraging the company’s flagship product, Genian Network Access Control (NAC). In the process, he has provided leadership to the global NAC market by introducing Genians Next-Gen NAC to help organizations of all sizes struggling to address the fundamental cybersecurity issues of the IoT era.

As Dong-Bum notes, “It is a great honor to be recognized with this (ISC)² ISLA award. As we all know, cybersecurity is a tough job. The field’s professionals are often highly compensated, but their work often remains hidden behind the scenes. Team Genians has done and continues to do a tremendous job helping its more than 1,300 customers around the world secure their network access.”

Dong-Bum also points out that “We all know cybersecurity is no longer a regional or industry-specific challenge but rather global in scope. In a world of ever-advancing cyber threats, we all need to work together to build a more secure world regardless of politics and culture. To achieve that, Team Genians is ready to share and discuss our proven technology and experience, which is exactly what we have been doing around the world.”

Dong-Bum expresses confidence in his company’s achievements as well as its new strategy. Recently, Genians announced its collaboration with both 128 Technology, the leader in Session Smart™ routing, and Seceon, which pioneered the first fully-automated, real-time cyber threat detection and remediation solution, as part of its next-generation network access control solution, helping to further secure the WAN and mitigate cyber-attacks from both inside and outside the enterprise. Also, Genians Device Platform Intelligence (DPI) has been requested by many organizations to provide enhanced, more intelligent and more economical network visibility.

About Genians

For over 14 years, Genians (KOSDAQ: 263860) has delivered the industry’s leading Next-Gen Network Access Control solution, which surveils all connected devices holistically and ensures they are operating at the highest levels of security and compliance. Genians secures millions of various endpoints in organizations of all sizes and industries, including global Fortune 500 companies, the government, the military, energy, finance, healthcare, education, and more. Genians keeps working to build a better security culture in the connected world by teaming up with community and industry leaders around the world.

About (ISC)²

Celebrating its 30th anniversary this year, (ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, more than 140,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation, The Center for Cyber Safety and Education™.


What’s New Device Platform Intelligence on Jul 9, 2019
2019-07-09T04:43:47-04:00

Updated Node Types (10 Node Types updated)

  • Old: Server, New: Security Appliance
  • Old: Network Appliance, New: Router
  • Old: Router, New: Network Appliance
  • Old: Router, New: Network Appliance
  • Old: Router, New: Network Appliance
  • Old: Server, New: Security Appliance

Added Platforms (69 Platforms added, by Node Type)

  • Mobile Device (9)
  • Wireless AP Device (6)
  • Router (1)

Updated Detection Rules (257 Detection Rules updated, by Node Type)

  • Mobile Device (37)
  • Server (12)
  • Network Appliance (1)
  • Wireless AP Device (10)
  • Router (98)
  • Security Appliance (7)
  • VOIP (7)
  • Other (2)

Changed Platform Names (37 Platform Names changed, by Node Type)

  • Network Appliance (1)
  • Router (1)

What’s New Device Platform Intelligence on Jul 2, 2019
2019-07-02T05:11:32-04:00

Added Platforms (84 Platforms added, by Node Type)

  • Mobile Device (5)
  • Server (1)
  • Wireless AP Device (20)
  • Security Appliance (23)
  • Printer (10)

Updated Detection Rules (197 Detection Rules updated, by Node Type)

  • Mobile Device (66)
  • Wireless AP Device (13)

Changed Platform Names (5 Platform Names changed)