This series of posts on wired security explores why most organizations lock down Wi-Fi access but rely on physical security and static segmentation as the primary defense for the wired network, leaving the door wide open. As the risk of insider threat rises, organizations need to implement stronger pre-connect controls and segmentation on the wired network – in a way that actually reduces the operational burden. This post explores how Aruba can solve this challenge for customers with an operationally efficient, user-friendly way to strengthen pre-connection security controls.
At Aruba, we have focused on solving these very concerns with ClearPass. Many of you reading this are likely using some of the user/operational experiences, automation, and integration capabilities of ClearPass on your wireless networks. You likely started on wireless first because you had to (ie., physical security concerns of mobility), wireless didn’t have as many users, and it wasn’t deemed as critical a connection as wired.
Those times have changed, however. In many organizations, wireless is now the primary means of connectivity and critical to business operations. Wi-Fi has to work, has to be usable, and has to be maintainable. So, if you are able to accomplish a usable, maintainable security model on wireless, what is stopping you from implementing it on wired?
Let’s explore some of the capabilities that have been built in and leveraged for wireless in ClearPass and how they may apply to your wired networks.
- The first step is visibility. You need to know what is connecting to the network before you can even think about applying policy. ClearPass fingerprints every device connecting to the network, without any impact or configuration change to the user-facing ports, and produces an inventory report that is constantly updated. This is only the first step on the visibility journey however. Next, it would be incredibly beneficial to consolidate all sources of identity context from all the different systems you have in your environment. Things like EMM/MDM, EDR, CMDB, SCCM, and the help desk ticketing system all contain information about your users and devices that is relevant to policy, yet siloed for use in specific use cases. ClearPass can tap into these systems and consolidate the context centrally. Where gaps exist, for example in the compliance of a device, ClearPass can interrogate the endpoint using a variety of different methods, like OnGuard. You can even expand this with the IntroSpect Behavioral Analytics solution to profile the conversations that each and every type of user and device exhibits to help with policy creation.
- Flexible Authentication.Not every device is 802.1X-capable, so you cannot rely on just 802.1X alone. In fact, not every switch is RADIUS-capable, so in some cases you can’t even leverage RADIUS. On each switch, and even on each port, you need the capability to authenticate and authorize each device on the port (even if more than one) utilizing the best option available, whether that’s SNMP, RADIUS, 802.1X, etc., or all at the same time! Turning on some level of authentication, even if not used for policy and access control, provides administrators and security teams with visibility into, at minimum, where each device is connected, and possibly what users are on which device and on which ports. It also provides a control mechanism to invoke dynamic policy and state changes as needed.
- User Experience. We all know that many NAC implementations failed because users couldn’t navigate the procedure, and help desks were overwhelmed with complaints that ultimately led to lost business productivity. What if you could help users navigate the policy through customized splash pages, self-service workflows, and customized notifications (voice/SMS)? By bringing a guest-like experience to enterprise users, this is possible. When users get stuck, ClearPass knows why and presents the options the users need to navigate their way out without help desk intervention.
- Operational Experience. We also know that no matter how great we make the solution, the unforeseen error will still happen. I’m not sure about you, but for me a call to a help desk is filled with much trepidation and angst – I’m never sure if I’ll get a competent person. I’m sure the help desk engineer on the other side of the phone has the same mindset, concerned about how they are going to get the information they need to effectively troubleshoot the issue, and wondering if I can follow directions. With ClearPass, you can alleviate that by automatically opening help desk tickets when a problem arises, and pre-populating it with the relevant information (username, IP, MAC address, issue description, etc.). Now, when the user calls in for support, the help desk doesn’t really need to ask any questions – they are on it.
- Policy Automation/Orchestration. It is crucial to have policies and identity coordinated throughout the network and security apparatus. ClearPass, strategically positioned as the gatekeeper to the network, will share the identity and policy information across the firewalls, IPS, proxies, IPAM systems, and other security elements to ensure everything is in sync and ready to enforce policy for a specific user/device. Implementing it on the wired network also ensures that you can have a unified policy, and experience across the wired, wireless, and remote access connections.
So far, much of this conversation has been around the risk wired ports expose to organizations. As mentioned though, one of the hurdles to implementing some level of dynamic policy control is based around the operational overhead of supporting it. Hopefully the above information explained how these capabilities can be implemented in a way that reduces the operational concerns around deploying and maintaining such a solution.
But let’s stop and consider the current state of things. Today, many organizations manage their wired “policies” manually, or through complex scripts. Moves, adds, and changes are a constant operational headache for a lot of organizations, and in most cases, they can’t keep up with what is actually connecting to those ports. Dynamic segmentation using an advanced policy engine like ClearPass not only greatly minimizes the risk in an organization, but also becomes the de-facto wired provisioning tool that is dynamically setting the appropriate VLAN, ACL, role, etc., to the port based on what is currently connected. That’s what I would call the proverbial “killing two birds with one stone”!
Ok, so there you have it. If the risk is real, and the technology is available and already proven on a large population of users (wireless), then what’s stopping you from locking those wired ports down? Or at the very least taking the first step, adding visibility to the wired network? That first step alone will greatly increase your security posture and help highlight the next steps you may want to take in adding in some control, experience, and automation.
For more information, see the other blogs in the series:
About the Author
Jon Green is VP and Chief Technologist for Security at Aruba, a Hewlett Packard Enterprise company. He is responsible for providing technology guidance and leadership for all security solutions including…