Attended by an animated group of Greater Boston area tech engineers and executives, the evening event began with Josh Trivilino of Omada and Andy Richter of Presidio, each an accomplished NAC technologist in his own right, and each offering up their individual perspectives on the NAC “journey” as it has evolved over the last decade. The presentations quickly moved from overviews of NAC fundamentals and current state to best practices and lessons learned from years of employing this technology in the field.
Josh Trivilino began by providing a number of real-world examples of successful NAC deployment strategies. The best practices he enumerated ranged from matters of design and architecture to the mechanics of operational delivery. In particular, Josh advised that NAC newcomers remember, first and foremost, to “design for failures” – thus ensuring a high availability design profile. Beyond that, he reminded us of the need to achieve a complete understanding of the total network environment, not simply of its endpoints, counseled the use of strong authentication approaches (for example, EAP-TLS), of adopting a “no piggybacking” approach (i.e. each device should possess its own individual access path), as well as the implementation of granular access controls – although not “too granular.” There’s no need, for instance, to create separate device ACL’s when you can more efficiently leverage AD group-based controls. On the deployment side, again with regard to new NAC environments, his advice was to begin with small pilot rollouts, test vigorously, and ensure proper performance and behavior before moving on to full enterprise delivery. As is the case with all technology projects, he advised ensuring that appropriate executive sponsorship was secured before proceeding.
Andy Richter also emphasized the need to take a phased, measured approach to initial NAC deployments. Rather than begin with a comprehensive network environment assessment, for example, he suggested that it was generally more useful to start by putting effective monitoring in place so that the proper data could be gathered and assimilated to inform follow-on network design decisions – as, for instance, with such key items as segmentation design. His advice was to take a “crawl, walk, run” approach. In short, begin by understanding business goals – for example, what level of security was needed to enable and support the business? With those goals in mind, one could then move on to develop the architectural framework needed to establish specific NAC functions and ensure that proper controls (detective, analytic, and preventative) were implemented.
Kyeyeon Kim extended upon these perspectives by presenting the case for moving NAC beyond its foundational beginnings as a relatively straightforward mechanism for assessing device state and either allowing or denying network access to providing a far more full-featured and powerful set of “Next-Gen” network management capabilities.
What exactly do we mean by the phrase “Next-Gen NAC” and why is it so important? Today’s networks, as operators know, are becoming increasingly complex, with many more device types (from wired to wireless to mobile to BYOD and IoT) requiring network access, and with a plethora of appliances and vendors now making up the typical enterprise data center stack. And of course, the increasing ubiquity of cloud-based functionalities, often from multiple vendors (whether IaaS, PaaS, and/or SaaS), adds to this complexity significantly. The result is that it has become harder and harder in recent years to know what is actually happening on your network overall and to be able to manage both network performance and risk effectively. This trend will only continue and grow in the years ahead.
As Kyeyeon explained, NAC technologies thus now have a much larger and broader set of challenges to master. As noted by the previous speakers, NAC deployments now need to be able to ensure comprehensive device visibility from every potential point of network access, across the entire range of wired and wireless devices in the marketplace today. But simple device or appliance visibility is just the beginning. Next-Gen NAC also needs to provide fully integrated, enhanced platform detection of individual endpoint profiles based on specific device signatures as well as enabling real-time device monitoring and management. Kyeyeon described Genian’s “Device Platform Intelligence (DPI)” technology as one approach for delivering on those needs, one that paints a more comprehensive network picture that includes such key information as device EOL and EOS data, manufacturer status, connection type, country of origin, and specific platform vulnerability status. Likewise, such information needs to be readily available to operators via cross-environment dashboards that offer not only a quick and convenient way to survey the entire network landscape but provide the tools for managing it as well.
To fully support today’s network environments, Next-Gen NAC also needs to provide flexible deployment options, from more traditional, on-premise NAC scenarios to fully cloud-hosted management environments and service-provider-based options for MSSP’s.
Finally, Next-Gen solutions need to allow for full integration via RESTful API with one’s existing cyber-defense technology platform. This will provide the flexibility needed for organizations to maintain their legacy security infrastructure while adding the benefits of a full-service NAC capability set. Importantly, such deployments should require no network downtime or business disruption.
This month’s BOSNOG thus offered a substantive and detailed set of perspectives on where NAC is today and what the Next-Gen universe looks like. The lively conversation that followed the evening’s presentations reflected just how much demand there is among network operators for both sophisticated, advanced NAC features and functionalities going forward, but for addressing the very real challenges of ensuring security in such use cases as home-to-corporate network connectivity situations, various VPN scenarios, and integration with legacy remote solutions that may no longer deliver the right value proposition at their price point.
Most importantly, the BOSNOG meeting emphasized how far beyond network access control, pure and simple, Next-Gen NAC is quickly moving. Increasing network complexity and endpoint proliferation, along with the ever-advancing cyber-threat landscape, means that more powerful defensive capabilities are now needed, such as comprehensive network surveillance of all devices and appliances, full network environment scanning, real-time monitoring and alerting, automated policy enforcement, and integration programmability – these are all now the order of the day.
As we all work to better defend and secure the entirety of our global network environment, Team Genians is happy to participate in and support any discussion to help achieve that end. Please feel free to contact us accordingly.
Thank you all!