All Posts By

Juda Thitron

Securing VPN remote access with Portnox CLEAR

Category: Our Technology

Compromised and stolen credentials remain the main threat to corporate data, and remote access via VPN is the access method most exposed to them, precisely because of compromised employee credentials. Flexible, extremely easy-to-implement two-factor authentication (“2FA”) has therefore become crucial for organizations of all sizes. A second weak link in remote access, beyond user authentication, is the insecure and vulnerable endpoints that connect to the organization. When a personal device accesses the network over a VPN, any vulnerability on that device can quickly become a hole in the protection of the entire network. To address the hard challenges of securing remote access, organizations should look for solutions that are cost-effective and provide a cohesive approach to every aspect of access security: compromised credentials, lost or stolen devices, and access from insecure endpoints.

Meet Portnox CLEAR – cloud-based access control for VPN

Portnox CLEAR is a security Software-as-a-Service (SaaS) cloud platform that delivers continuous, on- and off-premises risk monitoring and access control for all organizational endpoints. It assigns each connecting device a risk score (similar to a credit score), dynamically assesses the threat it may pose to your network and enforces access control actions in real time. Portnox CLEAR can be used in many flexible ways to authenticate remote user access by VPN, providing a unique combination of access control by authentication (Active Directory or Open LDAP), strong-factor validation and endpoint cyber-risk assessment (“risk-based access”).

Portnox CLEAR™ Unique Two-Factor-Authentication Solutions

As part of its entire cloud-based NAC offering, Portnox CLEAR offers a unique approach to 2FA for VPN. 2FA is a method of computer access control in which access is granted only if two separate pieces of evidence are presented to the authentication mechanism – typically, knowledge (something the user knows, such as his username and password), and possession (something the user has, such as a security token).

Conventional 2FA solutions, however, completely ignore the device that is requesting remote access. Portnox CLEAR, on the other hand, can offer device authentication via its device enrollment mechanism. Devices that install the Portnox AgentP application and have been enrolled in the organization are uniquely recognized and are, therefore, continuously monitored and tracked.

The two elements in Portnox’s unique 2FA solution are the typical knowledge (user credentials) coupled with a unique possession (the enrolled device), ensuring that security is offered on two levels: authentication of the user himself and authentication of the device. Stealing a user’s credentials is useless if the device requesting access is not enrolled; and stealing an enrolled device is of no use if the credentials are not available.

Portnox device authentication is offered in two formats: One-Time-Password (OTP) 2FA and Portnox AgentP 2FA.

OTP 2FA

In this solution, the AgentP application on the enrolled device acts as a soft token by implementing the HMAC-Based OTP algorithm. It generates an OTP upon demand and, together with the user’s username and password, the app allows that specific device access to the organization’s remote network.

As Portnox knows which AgentP generated the OTP, the supplied OTP is the method of authenticating the device; while the supplied credentials are the method for authenticating the user.
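The HMAC-based OTP algorithm the soft token implements is HOTP (RFC 4226). The following Python is an added example, not Portnox or AgentP code: it shows the token side (generating a code from a shared secret and a counter) and the server side (checking the code against the enrolled device's counter with a small look-ahead window, and advancing the counter so a captured code cannot be replayed). The `EnrolledDevice` record, the `authenticate_vpn` flow and the device identifiers are assumptions made for the example; the secret used in the demo is the RFC 4226 test key, not a real enrollment key.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class EnrolledDevice:
    """Server-side enrollment record (constructed for this example).

    secret:  shared key provisioned into the device's soft token at enrollment time
    counter: next HOTP counter value the server expects from this device
    """
    device_id: str
    secret: bytes
    counter: int = 0


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as specified in RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction modulo 10^digits with zero padding."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(device: EnrolledDevice, candidate: str, look_ahead: int = 5) -> bool:
    """Validate a submitted code against the device's expected counter.

    A small look-ahead window tolerates codes the token generated but never submitted.
    On success the counter moves past the matched value, so a captured code cannot be
    replayed; on failure the counter is left untouched.
    """
    for step in range(look_ahead + 1):
        expected = hotp(device.secret, device.counter + step)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            device.counter += step + 1
            return True
    return False


def authenticate_vpn(devices: dict, credentials_valid: bool, device_id: str, otp: str) -> bool:
    """Combine the two factors: the user's credentials (knowledge; assumed here to have
    been checked against the directory already) and an OTP from an enrolled device
    (possession). Stolen credentials fail without an enrolled device, and a stolen
    device fails without the credentials."""
    device = devices.get(device_id)
    if device is None or not credentials_valid:
        return False
    return verify_hotp(device, otp)


if __name__ == "__main__":
    # Constructed demo: the secret is the RFC 4226 test key, not a real enrollment.
    registry = {"laptop-0042": EnrolledDevice("laptop-0042", b"12345678901234567890")}
    code = hotp(registry["laptop-0042"].secret, 0)  # what the soft token would display
    print("first login:", authenticate_vpn(registry, True, "laptop-0042", code))
    print("replay of the same code:", authenticate_vpn(registry, True, "laptop-0042", code))
```

The look-ahead window is the usual trade-off in HOTP deployments: too small and a user who pressed the token button a few times is locked out; too large and an attacker who captured a code gets more chances before it expires. Keeping the counter on the server side, per enrolled device, is what binds the code to that specific device.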

Portnox AgentP 2FA

In this solution, a callback mechanism is used, relying on the fact that each deployment of AgentP on a device is uniquely recognized. When a user tries to log in by VPN with his credentials, CLEAR calls back the specific AgentP on the device requesting access, to verify that the device is the one it claims to be.

Because Portnox knows that the requesting device is an enrolled device, callback is the method for authenticating the device; while the supplied credentials are the method for authenticating the user.

Portnox CLEAR end-point risk assessment and access policy

Portnox CLEAR offers pervasive and context-aware risk assessment for VPN clients to address attempts by unsecured, vulnerable devices to access the corporate network:

  • Real-time pervasive monitoring of any device, mobile and laptop, on and off the corporate network
  • Monitoring changes in hundreds of parameters, analyzing security posture and known-vulnerabilities of end-points
  • Analyzing and correlating to multiple context attributes
  • Taking historical observations into account
  • Calculating cyber risk score and making access decisions based on this score

CLEAR customers have flexible, granular control of risk assessments and risk actions through CLEAR Access Policies. An Access Policy lets an organization define the exact level of risk and the compliance standards that are acceptable for endpoint devices in its enterprise.


This blog was written by Portnox.

Portnox is the manufacturer of next-generation Network Access Control (NAC), which can assist you in protecting your network, including your VPN.

Portnox CLEAR offers many other capabilities for real-time access control and risk assessment as part of its entire SaaS offering, which is fully subscription based and does not require deployment of any on-premise software or appliances. With its Fall-2016 release, Portnox CLEAR demonstrates again its leadership and unparalleled innovation as already recognized by the latest award from Frost and Sullivan.

5 Reasons to Move your NAC to the Cloud

Category: Network Access Management

Have you ever thought about migrating your network access control (NAC) to the Cloud? Are you apprehensive about taking this step? Traditional NAC solutions were built to address a premise-based infrastructure. A new next generation NAC approach is required to protect companies in today’s BYOD, cloud-based, IoT world.

Enterprises will need to change their security procedures and postures to function in cloud-based IT environments. Classic, on-premises, infrastructure-based NAC is ineffective against modern applications and today’s security threats, which come from assets outside the IT infrastructure, such as mobile phones and cloud-based applications. Today’s enterprise users are not constrained by the enterprise network perimeter: they regularly use mobile devices and cloud-based applications, and they often sign up for cloud services for the HR or marketing department, for example, without even notifying IT.

The following five prevalent trends in the enterprise marketplace highlight why a cloud-based next generation NAC is essential to any organization.

    1. Disruption – The Corporate Network Goes Global
       Enterprises have been going through a process of de-perimeterization. Traditional perimeters have been torn down by employees’ adoption of BYOD, telecommuting and cloud computing. You can no longer look at the network as a defined infrastructure within a physical firewall. The network is a global network without boundaries. Most workers nowadays are road warriors who spend 50% or less of their time in an office. Companies need to distribute materials, goods, and services to these employees in their offices and on the road all over the world. According to a poll conducted by Gallup News Service in 2015, thirty-seven percent of U.S. workers have telecommuted for work. This is up slightly from the 30% of the last decade, but four times greater than the 9% found in 1995. The average worker telecommutes two days per month and is just as productive as other employees who work in the office.
       “Borderless” companies need the kind of continuous risk assessment and mitigation that is only possible through the Cloud. There is no reversing these trends.
    2. Flexibility – Supporting Any Business Size and Infrastructure
       Companies are constantly undergoing changes: reorganizations, M&As, opening branches globally, etc. Only the cloud can deliver the flexibility to support operations for the distributed enterprise. Traditional NAC is too rigid and inflexible and only works in small, rigid corporate environments. In larger environments, like a university with its multiple departments, NAC deployment becomes impractical.

    3. Speed – Rapid Service Delivery Required
       Enterprises of all sizes need rapid deployment of security measures, rapid adoption of NAC policies and procedures, and immediate expansion around the world. One of the key strengths of application delivery in the cloud is its ability to rapidly deploy and implement services on demand. A NAC implementation on the cloud can adjust and adapt along with the developing policies and requirements of the organization.

    4. Agility, Scalability and Affordability – Enabling Business Growth
       Enterprises need agility not only in their software programming but in all facets of their businesses. Scalability is important to support rapid growth. As we continue to recover from recent economic crises, affordability is more important than ever. Cloud computing excels at helping companies become more agile and scalable. It enables companies to pay only for the services that they use, when and where they use them. This “pay-as-you-go” model is much more affordable to businesses than standard software and hardware licenses.
       Cloud-based NAC is ideal for organizations with limited resources and limited in-house experts who need to provide convenient and secure network access for personal mobile devices. Cloud-based next generation NAC can be provided without having to worry about the time, costs, or resources associated with installing and maintaining hardware and software and keeping everything up to date.

    5. Machine Learning – Making the Most of NAC
       Machine learning takes NAC knowledge and experience from other organizations and applies that learning to your organization. This sharing of compliance and other valuable data and experience can be accomplished most efficiently and affordably in the cloud. Companies no longer have to reinvent the wheel themselves. Machine learning services make many advanced services much more accessible to SMBs at an affordable price.

Next Generation Cloud NAC

This blog was written by Portnox. Portnox is the manufacturer of Next Generation Network Access Control (NG-NAC), that can assist you in protecting your network in general and your IoT devices specifically.

Today, NAC solutions must go well beyond just permitting access to devices and individuals. The Portnox CLEAR cloud NAC solution provides both full control of access permissions to the network and full visibility of activities within the network and who conducts them. Furthermore, cloud NAC separates BYOD and mobile devices from the core servers of the company, ensuring network security in the world of IoT. It does so by enabling continuous risk assessment of all components of the network, no matter where they are located.

Today’s enterprises are clearly going through a period of de-perimeterization and they will suffer great losses if they are not prepared for this. With next generation NAC in the cloud from Portnox, network administrators in SMBs can be sure they are provided with all the levels of network security they require.

DDoS Attacks are a Loud IoT Wakeup Call for Enterprise Security

Category: IoT

The recent headline-grabbing DDoS attacks on OVH, Krebs on Security and Dyn were carried out and spread by taking control of the IoT devices found today in most homes and offices. These attacks reveal the true danger in our IoT devices: attacking them is child’s play. Surprisingly, most users do not bother to change factory-default usernames and passwords, making the hackers’ lives much easier.

Gartner estimates that the IoT market will grow to 20.8 billion connected devices by 2020 and IDC estimates that by 2020 there’ll be nearly 30 billion connected devices. More than half of major business processes will incorporate IoT.  As with all ‘good things’, this growth brings with it dangers from IoT that will go far beyond DDoS attacks. Unfortunately, this is not FUD; it is the equivalent of leaving the office doors unlocked and expecting nothing to get taken.

IoT devices are the weakest link in corporate cybersecurity

IoT devices are the perfect candidate for criminal takeover. The devices are everywhere, always online and largely unprotected. Hackers transform the devices into “command & control base stations”, where devices receive commands from their operator, usually to perform network reconnaissance in order to find information to steal, take down a system or extract valuable intelligence. Because they are always connected, there is no human to notice that the device is slow or sluggish, and they are generally not protected by security measures such as anti-malware software. Many device users are unaware of the danger and don’t take the time to change the default passwords (they are not always aware that multiple admin accounts might exist) or to upgrade to the latest version of the operating system software, all of which could stall or even stop a malware attack. Bringing these unprotected devices to the office makes this sloppy practice (or lack of practice) a problem for organizations large and small.

A layered approach for corporate IoT security

It is impractical to chase each IoT device vendor every time (yet another) zero-day vulnerability is exploited. Organizations typically have dozens of vendors, and most IoT devices are NOT centrally managed. This leaves the security team with only one option: a software solution that finds those devices ahead of time and moves them to a dedicated segment, away from the organization’s most mission-critical systems.

A layered approach that includes the following levels is most effective:

  1. Assessment – A network discovery process of all of the existing IoT devices including managed and partially managed devices. Then, understanding what each type of device is, what operating system it is running on, and which application and processes are installed on it.
  2. Segmentation – IoT devices should not be in the same network segment as other devices or within reach of the organization’s mission-critical systems and data. Firewalls must be deployed between these segments to prevent IoT devices from reaching the “crown jewel” section of your network. Proper segmentation also enhances the ROI on your existing detection technology by making it much more accurate and effective.
  3. Detection – The ability to immediately detect every IoT device which joins the network and carefully verify whether it behaves similarly to other typical devices. A compromised device or a fake device might look the same but will behave differently.
  4. Response – Once a breach is discovered, it is poor practice for an alert to be sent and then processed manually. Manual actions take time — hours or even days (a weekend breach for example). Not to mention the costs associated with manual responses. An automated breach response is required to block a specific device or limit its access within seconds. Network Access Control (NAC) tools are one way to achieve this.
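The detection and response steps above can be made concrete with a small peer-baseline check. The Python below is an added example written for this post, not Portnox code: known-good devices of each class contribute the (protocol, port) pairs they were seen using, a newly joined device is compared with its class baseline (Jaccard similarity plus the list of flows no peer has ever used), and the result is turned directly into a NAC action (IoT segment or quarantine segment) instead of a ticket. The flow records, device classes, policy thresholds and segment names are all constructed for the example; in a real deployment the observations would come from NetFlow, sFlow or switch telemetry.

```python
from typing import Dict, Set, Tuple

Flow = Tuple[str, int]  # (protocol, destination port)

# Constructed sample data: per known-good device, its class and the (proto, port) pairs it
# was observed using during an observation window. Hand-written for this example.
KNOWN_DEVICES: Dict[str, Tuple[str, Set[Flow]]] = {
    "cam-01": ("ip-camera", {("tcp", 443), ("tcp", 554), ("udp", 123)}),
    "cam-02": ("ip-camera", {("tcp", 443), ("tcp", 554), ("udp", 123), ("udp", 53)}),
    "prn-01": ("printer", {("tcp", 631), ("tcp", 9100), ("udp", 5353)}),
}

# Constructed policy (hypothetical names): similarity floor and the segments to assign.
POLICY = {
    "min_similarity": 0.5,
    "iot_segment": "vlan-iot",
    "quarantine_segment": "vlan-iot-quarantine",
}


def build_baselines(known: Dict[str, Tuple[str, Set[Flow]]]) -> Dict[str, Set[Flow]]:
    """Assessment step: per device class, the union of flows seen from known-good peers."""
    baselines: Dict[str, Set[Flow]] = {}
    for device_class, flows in known.values():
        baselines.setdefault(device_class, set()).update(flows)
    return baselines


def assess_new_device(device_class: str, observed: Set[Flow],
                      baselines: Dict[str, Set[Flow]]) -> dict:
    """Detection step: compare a newly joined device with its class baseline.

    Jaccard similarity says how much of the device's behaviour looks like its peers;
    'novel' lists the flows no peer of that class has ever used."""
    baseline = baselines.get(device_class)
    if baseline is None:
        return {"profiled": False, "similarity": 0.0, "novel": sorted(observed)}
    union = observed | baseline
    similarity = len(observed & baseline) / len(union) if union else 1.0
    return {
        "profiled": True,
        "similarity": round(similarity, 3),
        "novel": sorted(observed - baseline),
    }


def respond(device_id: str, assessment: dict, policy: dict = POLICY) -> dict:
    """Response step: map the assessment to an automatic NAC action, within seconds,
    rather than an alert someone processes by hand. Devices with no baseline and devices
    unlike their peers go to the quarantine segment; the rest go to the IoT segment."""
    if not assessment["profiled"]:
        return {"device": device_id, "action": "quarantine",
                "segment": policy["quarantine_segment"],
                "reason": "no baseline for device class"}
    if assessment["novel"] or assessment["similarity"] < policy["min_similarity"]:
        return {"device": device_id, "action": "quarantine",
                "segment": policy["quarantine_segment"],
                "reason": f"behaviour deviates from peers: novel flows {assessment['novel']}"}
    return {"device": device_id, "action": "allow", "segment": policy["iot_segment"],
            "reason": "matches class baseline"}


def triage(device_id: str, device_class: str, observed: Set[Flow],
           known: Dict[str, Tuple[str, Set[Flow]]] = KNOWN_DEVICES,
           policy: dict = POLICY) -> dict:
    """Run the pipeline for one newly joined device: baseline, assess, respond."""
    return respond(device_id, assess_new_device(device_class, observed, build_baselines(known)), policy)


if __name__ == "__main__":
    # Constructed: a camera that behaves like its peers, and one that talks to ports no
    # camera in the baseline ever used.
    print(triage("cam-03", "ip-camera", {("tcp", 443), ("tcp", 554), ("udp", 123)}))
    print(triage("cam-04", "ip-camera", {("tcp", 443), ("tcp", 445), ("tcp", 3389), ("tcp", 554)}))
```

The important design choice is that a device with no peers at all is quarantined rather than allowed by default: an unprofiled device is exactly the case the assessment layer has not yet covered.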

It’s far from all doom and gloom but organizations will suffer if appropriate cybersecurity measures are not a priority.

This blog was written by Portnox. Portnox helps organizations to see, control, react and manage the risks their networks face for any user, any device, anywhere. Using Next Generation Network Access Control (NAC), Portnox secures connected organizations with ease.

How does Portnox do this? By discovering 100% of an enterprise’s connected endpoints and profiling them, Portnox can point out which devices are IoT devices. Portnox can then force these devices into a defined segment of the business network. This creates network hygiene and ensures that the rest of the network remains out of reach of the IoT devices. Sensitive information and systems that are vital to the organization remain segregated and secure.

What Portnox CLEAR – Fall 2016 release has in store for cloud-based NAC

Category: Our Technology

The complexity and risks of corporate networks are increasing on a daily basis. The growing flood of new devices, new form factors, and rapid changes in network architecture, coupled with a constant shortage of well-trained specialists, requires organizations to choose an IT vendor and partner that is able to keep pace with continuous change. Furthermore, the vendor or partner must constantly deliver new critical capabilities required by organizations to address new security challenges. Portnox CLEAR definitely falls under this category, carefully listening to customer needs, ever innovating, and constantly delivering IT security products.

With its Fall-2016 release, Portnox CLEAR offers several innovative solutions in the areas of end-point risk assessment and secure network access:

Radical simplification of 802.1X deployment and management

It is no secret that implementing network access control based on the 802.1X protocol is a very complex task. That is why Portnox CLEAR is constantly innovating and delivering solutions for simplifying 802.1X usage, and in its latest release it takes a big leap forward by introducing the following new features:

    • Advanced on-boarding capabilities for employees, contractors and guests on 802.1X-protected networks, providing alternative methods of authorizing new device access: centralized onboarding by CLEAR administrators and self-onboarding by the end user.
    • Ability to on-board devices and access 802.1X networks without having to install an end-point agent (“agentless access”).
    • Flexible and granular management of MAC Authentication Bypass (“MAB”) for devices lacking 802.1X supplicants, especially IoT devices.
    • Ability to use Portnox CLEAR itself as an alternate user repository for managing and authenticating access to protected networks, without having to integrate with any on-premises user repository.

Full-blown integration with Open LDAP

Open LDAP has already earned recognition as a possible alternative for Active Directory in many organizations, and Portnox CLEAR now introduces full-blown integration with Open LDAP in various scenarios:

    • Ability to authenticate 802.1X and VPN access vis-à-vis Open LDAP repositories
    • Group management based on Open LDAP groups
    • Ability to on-board an end-point device and to manage the device life cycle based on Open LDAP accounts
Cloud-based, cost effective and unique 2FA approach

Compromised and stolen credentials remain the main threat to corporate data, and remote access by VPN is the most vulnerable method of access due to compromised employee credentials. The need for flexible and extremely easy-to-implement two-factor authentication (“2FA”) schemes has become crucial for organizations of any size. Portnox CLEAR is now offering a cloud-based, cost-effective and unique 2FA approach for remote access:

    • The ability to define the VPN authentication flow, both as regards the order and as regards the type of primary and strong factors being used
    • A unique strong factor based on device enrollment, and the ability to authorize device access along with identity authorization (“risk-based access”)
Portnox CLEAR offers those and many other capabilities for real-time access control and risk assessment as part of its entire SaaS offering, which is fully subscription based and does not require deployment of any on-premise software or appliances. With its Fall-2016 release, Portnox CLEAR demonstrates again its leadership and unparalleled innovation as already recognized by the latest award from Frost and Sullivan.


Continuous risk assessment of endpoints or a one-time audit?

Category: Network Security

Are you up to speed with your cybersecurity?

Do you really know, in real-time, who is hooked onto your network? Do you have full control of the entire network and all its components, as well as all the devices that need to connect to it? Are all the users keeping their devices secure and free of ransomware?

In a world of hyper-fast services, cloud computing, a geo-distributed mobile workforce, BYOD, and IoT, it is truly a daunting task to control the network and all its endpoints, with speed being a key element of success. The IT security officer’s only option, therefore, is to adopt a new approach: Continuous Risk Assessment (CRA), a real-time approach to network admission control that recognizes the need to assess endpoint risks to the network speedily and continually.

Your network is only as strong as its weakest security link – therefore CRA calls for constant monitoring of the endpoints. The traditional auditing approach of periodical scanning simply lacks the crucial element of speed, which enables network and security teams to stay ahead of cyber attackers by discovering new risks in real-time, acquiring decision supporting data, reacting to changes and anomalies and delivering protection on a continuous basis.


The benefits of Continuous Risk Assessment (CRA)

The National Institute of Standards and Technology (NIST) defines Information Security Continuous Monitoring (ISCM) as:
“Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

According to NIST, risk assessment is to be conducted in a frequency that supports a risk-based security decision system and enables adequate protection of the organization’s data.

Furthermore, NIST experts specify that ISCM should be:
“…sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, … in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions“.

The above recommendations are easier to understand when continuous monitoring is reviewed in light of the major benefits that a top-notch CRA solution should provide. These benefits are:

Proactivity – Real-time CRA must provide organizations with immediate visibility of the security state of the network and all the devices connected to it, reporting their potential vulnerabilities. This enables organizations to address potential issues before they become security breaches. Organizations using CRA are taking a proactive approach to avoiding breaches, instead of investing an ever growing effort in detecting breaches that have already occurred. This approach entails effective management of high-risk devices, proactively preventing future threats.

Updated context-awareness – The traditional audit approach uses pre-defined compliance parameters to determine the risk to the network at the time of the scan or audit. The new CRA approach depends on real-time and continuous updating of varied risk factors by:

  • Monitoring changes in hundreds of parameters
  • Analyzing and correlating to multiple context attributes
  • Taking historical records into account

Continuous monitoring brings an analytic and adaptive approach to risk determination. It does so by correlating hundreds of parameters and keeping the security policy updated at all times. Security status analysis is context-aware (time, network location, user identity, and scenario are all considered), identifying anomalies in the network security status and/or in device behavior.

Anywhere, anytime functionality – In a world with no boundaries and a high diversity of endpoint types, CRA must provide capabilities for monitoring devices in any location, no matter what type they are, what type of data is being transferred, or where they are connecting from.

Continuous monitoring must keep the network secure even if employees take their corporate laptops home or connect their phones from a hotel during a business trip. Alternatively, the network needs to remain secure even when staff connect their personal smartphones at the office. CRA must function on and off the corporate network and remain relevant for all current types of devices and OS’s.

Complete Integration – A silo solution cannot work in today’s complex IT scenarios. Stand-alone vulnerability scanners will be abandoned, simply because they are not an integrated part of the entire network operation.
Continuous monitoring procedures must be integrated into the organization’s network infrastructure.

One approach towards achieving this goal is a tight binding of risk assessment with access scenarios, in particular with the network admission (NAC) solution. In the ideal approach, CRA ultimately becomes a natural and deeply integrated part of admission, starting from device on-boarding and continuing with device authentication and re-validation before permitting access to the network.

Automated action – The desired solution must offer actionable, preferably fully automated, processes for the risk factors already determined. A report of problematic issues is only useful when it is also clear what protective actions need to be taken: for example, quarantine of a risky device, or an adaptive approach to VPN authentication tied to device risk levels. CRA helps assess potential risks, prioritize resolutions and initiate protective actions.
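Both the VPN risk-assessment bullets in the Portnox CLEAR remote-access post (monitoring posture parameters, correlating context, taking history into account, deriving a score and deciding access from it) and the CRA benefits listed here describe the same mechanism: posture plus context plus history become a score, and the score plus a policy becomes an action with a clear remediation attached. The Python below is an added illustration of that mechanism, written for this post; it is not Portnox's scoring algorithm, and the findings, weights, score bands and action names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class EndpointPosture:
    """Snapshot of one endpoint's posture plus context and history (constructed fields)."""
    device_id: str
    antivirus_enabled: bool
    disk_encrypted: bool
    firewall_enabled: bool
    os_patch_age_days: int
    rooted_or_jailbroken: bool
    location: str                 # "corporate", "home" or "unknown"
    quarantines_last_30d: int = 0  # historical observations feed the score too


# Constructed policy: each finding carries a check, a weight and the remediation it implies.
# The numbers are illustrative, not a product's tuned values.
Finding = Tuple[str, Callable[[EndpointPosture], bool], int, str]
FINDINGS: List[Finding] = [
    ("antivirus disabled", lambda p: not p.antivirus_enabled, 20, "enable endpoint protection"),
    ("disk not encrypted", lambda p: not p.disk_encrypted, 15, "turn on full-disk encryption"),
    ("host firewall off", lambda p: not p.firewall_enabled, 10, "enable the host firewall"),
    ("OS patches older than 30 days", lambda p: p.os_patch_age_days > 30, 25, "install pending OS updates"),
    ("rooted or jailbroken", lambda p: p.rooted_or_jailbroken, 70, "re-image the device"),
    ("connecting from unknown location", lambda p: p.location == "unknown", 10, "verify with the user"),
]
# Score bands (constructed): at or below allow_max -> full access; at or below
# restricted_max -> limited segment with step-up authentication; above -> quarantine.
POLICY = {"allow_max": 20, "restricted_max": 60}


def risk_score(p: EndpointPosture) -> Tuple[int, List[Tuple[str, str]]]:
    """Weighted sum of the current findings plus a history term (repeat offenders score
    higher), capped at 100. Returns the score and the triggered findings with remediations."""
    score, findings = 0, []
    for name, check, weight, fix in FINDINGS:
        if check(p):
            score += weight
            findings.append((name, fix))
    history = min(p.quarantines_last_30d, 2) * 10
    if history:
        score += history
        findings.append((f"quarantined {p.quarantines_last_30d} time(s) in last 30 days",
                         "review prior incidents"))
    return min(score, 100), findings


def access_decision(p: EndpointPosture, policy: dict = POLICY) -> dict:
    """Map the score to an automatic action and attach the remediation list, so the
    output says what to do rather than only that something is wrong."""
    score, findings = risk_score(p)
    if score <= policy["allow_max"]:
        action = "allow"
    elif score <= policy["restricted_max"]:
        action = "allow-restricted"
    else:
        action = "quarantine"
    return {
        "device": p.device_id,
        "score": score,
        "action": action,
        "findings": [name for name, _ in findings],
        "remediations": [fix for _, fix in findings],
    }


if __name__ == "__main__":
    # Constructed endpoints: a healthy corporate laptop and a stale, unprotected phone
    # connecting from somewhere unknown that was already quarantined once this month.
    print(access_decision(EndpointPosture("lt-1", True, True, True, 3, False, "corporate")))
    print(access_decision(EndpointPosture("ph-3", False, True, True, 45, False, "unknown", 1)))
```

Because the decision is recomputed from a fresh snapshot every time, this is the continuous form of assessment: a laptop that was "allow" at the office in the morning becomes "allow-restricted" or "quarantine" the moment its posture changes, with no periodic audit in between.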

Portnox CLEAR – on/off-premises continuous risk assessment solution

Portnox CLEAR is a cloud-based network access control (NAC) and endpoint security management solution, offering a cohesive approach to Continuous Risk Assessment. In contrast to stand-alone vulnerability scanning tools, or NAC solutions that take a naïve, stateless view of endpoint posture, Portnox CLEAR delivers full control over the users and devices that can access your network anywhere, anytime. It does this through various access layers, while continuously and pervasively monitoring and understanding endpoint risk in its real-time context.

Portnox CLEAR enables real-time risk assessment of devices, on and off customer-premises networks. We know how to take smart actions and make proactive access decisions based on the risk from devices attempting to access your network. Device profiling reports are continuously updated, for complete integration and automation.

With Portnox CLEAR, network and security teams enjoy the full benefits of the CRA approach to network access control. They really know, in real time, who is connected to the system; they have full control of the entire network and all its components, as well as all the devices that need to connect to it, knowing they are all compliant with NAC policy. The answer to the concerns that opened this post is a resounding YES with the Portnox CLEAR solution to CRA.