We are well into an age of decentralization. Our offices are decentralized. We work all over the country and sometimes the world. Main offices, satellite offices, and the use of contractors are standard practice. Our workers are decentralized. They work in those offices or from their own homes. Sometimes they work from coffee shops. And the technology we use to power our businesses is most certainly decentralized.
What makes up our fleet of devices? It doesn’t seem like we can even paint a typical picture anymore due to the vastness of the Internet of Things (IoT). At any given moment these devices could be trying to access your network: laptops, smartphones, tablets, smartwatches, security cameras, thermostats, and the list goes on.
All of this ambiguity and complexity means it has never been more of a challenge for IT professionals to secure their networks. With the expectation being that employees and contractors can bring their own devices (BYOD) to work, it’s clear that the days of relative simplicity are over.
However, there is an answer to the challenge of the unsecured Internet of Things. The solution is Genians NAC, which is up to the task of securing your network through a multi-faceted approach. Here is how the Genians NAC solution can help:
1. Take an inventory of devices and personnel
This is an important first step for any IT manager or small business owner. It’s difficult to secure what you don’t see. Though accounting for every device is obviously critical, one must also keep an inventory of personnel, virtual systems, applications/software, and the anticipated usage patterns of each employee. Once every possible variable is accounted for, then true network security can be addressed.
2. Segment devices and users on your network
Establishing a classification system to better segment all of the devices on your network is a key function of the Genians NAC solution. This is accomplished in a variety of ways. A typical NAC solution will segment devices based on broad classifications. Generally that starts at the top level, which would segment company-managed devices (desktops, etc.) from IoT devices (which typically pose bigger risks). The categorization then narrows with increasing specificity. Take for example the BYOD scenario that nearly every business engages with. The employee-owned devices would be isolated into their own segment for authentication. Each segment is then fortified by authentication measures and control policies that are context-based.
Genians NAC solution takes this segmentation concept further by constructing Node groups.
Node: Anything with a MAC address corresponding to an IP address. For instance, a laptop loaded with 3 different virtual machines can be counted as 3 Nodes.
Identified devices and users are dynamically organized based on business requirements. This is done via 140+ individual classification conditions which quickly categorize devices and users for efficiency and convenience. There are two types of groups:
- Policy Group: Node related information such as device type, address (IP/MAC), user authentication, access logs, and more.
- Status Group: Node measured by policies and the associated conditions.
Grouping Nodes is the Genians NAC solution advantage. It provides significant administrative benefits by simplifying tasks, organizing resources, and applying policies dynamically across the network.
3. Monitor your network
IoT devices are most likely your main concern, so let’s keep focusing on them. This is an extension of the first step of creating an inventory. A log management system for your IoT devices will give you visibility into the normal day-to-day activity of the IoT devices running on your network. Why is this important? Because it’s only by recognizing what normal activity looks like that one can determine when a threat has occurred. Without a baseline, a malicious event can go undetected.
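The baseline idea above can be shown as a short added example (not Genians code): it learns which destinations each IoT device normally talks to, then flags traffic outside that baseline. The four-field log format, MAC addresses and hostnames are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow-log lines: "<day> <device MAC> <destination host> <dest port>"
BASELINE_LOG = """\
day1 00:11:22:aa:bb:01 ntp.example.net 123
day1 00:11:22:aa:bb:01 cloud.thermostat.example 443
day2 00:11:22:aa:bb:01 cloud.thermostat.example 443
day1 00:11:22:aa:bb:02 nvr.corp.example 554
day2 00:11:22:aa:bb:02 nvr.corp.example 554
"""

TODAY_LOG = """\
day3 00:11:22:aa:bb:01 cloud.thermostat.example 443
day3 00:11:22:aa:bb:02 nvr.corp.example 554
day3 00:11:22:aa:bb:02 203.0.113.50 23
day3 00:11:22:aa:bb:09 fileserver.corp.example 445
"""

def parse(log):
    """Yield (mac, destination, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _, mac, dest, port = parts
        yield mac.lower(), dest.lower(), int(port)

def build_baseline(log):
    """Map each device to the set of (destination, port) pairs seen as normal."""
    baseline = defaultdict(set)
    for mac, dest, port in parse(log):
        baseline[mac].add((dest, port))
    return dict(baseline)

def find_deviations(baseline, log):
    """Return findings for unknown devices and for never-before-seen flows."""
    findings = []
    for mac, dest, port in parse(log):
        if mac not in baseline:
            findings.append((mac, "unknown-device", dest, port))
        elif (dest, port) not in baseline[mac]:
            findings.append((mac, "new-destination", dest, port))
    return findings

if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(finding)
```

A device missing from the baseline is reported separately from a known device reaching a new destination, because the first points to an inventory gap and the second to a change in behavior.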
Genians NAC solution will also monitor your network. You’ll also want to update your security policies to take actions depending on sets of specific parameters. There are mainly two types of policies:
- Node Policy: Secure endpoints (authentication and system configuration management)
- Compliance Policy: Apply a Node group to multiple Node groups so you can easily identify the overall Node status of compliance defined by the Node groups. This kind of policy setup process can support various regulatory compliance requirements, such as PCI, HIPAA, and FERPA, more dynamically and effectively.
You can keep monitoring to get a better understanding of what issues can come up when introducing new devices that fall under the IoT umbrella to your network. Introduce these devices with different configurations and take actions you would describe as “hacking” to see where vulnerabilities lie.
4. Security-driven Network Access
Providing a consistent and reliable access experience to all authorized users is the top priority. Security-driven network access management does this while automatically holding non-compliant devices to the highest level of security compliance.
The Genians NAC solution is positioned to enforce compliance with your IT security policies. There are a variety of enforcement and control options available, such as Address Resolution Protocol (ARP) poisoning, port mirroring, or TCP/IP connection reset:
- Protocol Control: ARP, DHCP, TCP/IP, ACL, SNMP
- Switch Port Control: Port mirroring
- Endpoints Access Control: Captive Web Portal and Agent.
The Enforcement Policy can be integrated with third-party security solutions, such as a next-generation firewall or IDS/IPS, to receive Syslog messages about potential threat events. When an endpoint triggers such a critical security event, the integrated security device forwards the event message to the Genians NAC Policy Server, which marks the endpoint as out-of-compliance. What happens thereafter depends on the actions set up in the Node and Enforcement policies for that endpoint.
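The Syslog-driven flow described above, sketched as an added example (not Genians code or its API): a receiver parses an RFC 3164-style message, derives the severity from the PRI value, and marks the matching Node out-of-compliance. The `src=` field layout, the node inventory and the sample messages are assumptions constructed for illustration.

```python
import re

# RFC 3164-style line: "<PRI>timestamp host tag: message". PRI = facility*8 + severity.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^:]+): (.*)$")
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
CRITICAL_OR_WORSE = 2  # syslog severities: 0 emergency, 1 alert, 2 critical

# Constructed node inventory keyed by IP (one Node per MAC/IP pair).
NODES = {
    "10.0.5.21": {"mac": "00:11:22:aa:bb:02", "compliant": True, "reason": None},
    "10.0.5.30": {"mac": "00:11:22:aa:bb:07", "compliant": True, "reason": None},
}

# Constructed messages as a firewall or IDS might forward them.
EVENTS = [
    "<130>Mar  3 10:15:02 ids01 ids: src=10.0.5.21 dst=203.0.113.50 msg=malware-callback",
    "<134>Mar  3 10:15:09 fw01 fw: src=10.0.5.30 dst=198.51.100.7 msg=allowed",
    "<129>Mar  3 10:16:40 ids01 ids: src=10.0.9.99 dst=10.0.5.1 msg=scan",
    "not a syslog line",
]

def handle_event(line, nodes):
    """Mark the source Node out-of-compliance on a critical event.

    Returns 'marked', 'ignored' (low severity), 'unknown-node' or 'unparsed'.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return "unparsed"
    pri, _ts, sender, _tag, msg = m.groups()
    severity = int(pri) % 8
    if severity > CRITICAL_OR_WORSE:
        return "ignored"
    src = SRC_RE.search(msg)
    node = nodes.get(src.group(1)) if src else None
    if node is None:
        return "unknown-node"  # surface for inventory follow-up, do not drop
    node["compliant"] = False
    node["reason"] = f"{sender}: {msg}"
    return "marked"

if __name__ == "__main__":
    for event in EVENTS:
        print(handle_event(event, NODES))
```

Critical events from an address that is not in the inventory are returned as `unknown-node` rather than discarded, since they indicate a device the inventory step missed.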
Genians NAC solution continues throughout the day-to-day operation, monitoring device/user behavior and adapting to trends in the network security industry.