Cloud-Based NAC Security Secrets – Revealed

Portnox CLEAR is a cloud-based network security solution that provides role and risk-based network access control for corporate and BYOD endpoints across all access layers, including wired, wireless and VPN. CLEAR allows an IT administrator to discover and monitor unsecure, compromised and vulnerable devices, while being able to authorize and manage access to corporate networks based on device risk posture assessments.

In order to provide these capabilities, our cloud-based NAC solution collects and stores data in the cloud. With the understanding that organizational data includes sensitive and important assets for each company, CLEAR uses the most advanced and secure protocols to protect this data in accordance with best practices in data access control in cloud computing. To better understand these cloud security techniques, we will review the security of data at rest, data in transit, administration, management and additional cloud security measures.

Data at Rest

Portnox CLEAR uses Microsoft Azure as its IaaS (Infrastructure as-a-Service), PaaS (Platform as-a-Service) and in some instances, it uses Azure-specific SaaS elements. Azure infrastructure was selected because of its high security standards and global availability. In fact, Azure has the widest spread of data centers across the globe today.

CLEAR stores all data on different Azure storage services such as Azure Storage Service Encryption (SSE) where data is encrypted and decrypted using 256-bit AES encryption. For CLEAR administrators’ passwords and Radius-shared secret keys, CLEAR uses Azure Key Vault where keys are stored in hardware security modules (HSMs).

Data in Transit

With Portnox CLEAR we protect all data traveling to and from CLEAR cloud services, and the methods are constantly being upgraded to stay ahead.

Ethernet Switches & Wireless Controllers

Ethernet switches and wireless controllers send AAA Radius authentication requests to CLEAR’s cloud Radius in order to validate and allow access of devices to networks protected by CLEAR services. All traffic is encrypted with a shared key between the NAS and CLEAR Radius.

In addition to that, TLS encapsulates the encrypted Radius packet and provides an extra layer of encryption.

There is an option to use RADSEC (Radius over TLS) protocol. RADSEC uses TLS in combination with the TCP protocol. This provides stronger security and reliability than UDP which is commonly used for Radius communication.

Additionally, CLEAR admins could restrict access to the CLEAR Radius service by choosing to allow access only from specific IP addresses. All other IP addresses would be denied access.

VPN Concentrators

All traffic between the VPN and CLEAR’s Radius server is encrypted using a symmetric key – a long and random key, generated by cloud-based NAC solution that is manually copied to the VPN device. Furthermore, the authentication details for users usually include only hashes, but those capabilities vary between VPN GWs. CLEAR secures the VPN client’s connection by verifying that connected devices are complying with the organization’s risk-assessment policies and by using two factor authentication capabilities.

Portnox CLEAR Cloud Broker

The cloud broker is an application component that runs on-premises and is used as a bridge between CLEAR cloud services and the corporate on-premises Active Directory. The broker is deployed when there is a requirement for 802.1X credentials authentication with on-premises Active Directories and/or for AgentP enrollment by using on-prem AD.

AD users and groups include sensitive and important information for any organization and thus the following security measures are taken:

      1. The Broker application is installed on a domain-joined machine, while the LDAP queries user ID is a read-only user, and the LDAP communication can be LDAP or LDAPS (LDAP over SSL).
      2. The service user that connects to the LDAP is saved locally on the domain machine.
      3. The communication with CLEAR cloud services is always over TLS. All traffic is encrypted.
      4. CLEAR services are updated with group names and user IDs only, whereas passwords never travel to the cloud and the verification is done by using the MSCHAPv2 challenge response authentication protocol.

Portnox CLEAR’s AgentP

AgentP is a lightweight application that can be installed on most platforms, including Windows, MAC OS X, iOS, Android and Linux. Using AgentP offers many security advantages such as risk assessment capabilities, SSID configuration, 2FA for VPN / OKTA and CLEAR certificates deployment. Data collected by AgentP is sent via the Transport Layer Security (TLS) protocol. The data is never stored locally on the endpoint, but processed only via the device RAM and is sent periodically to CLEAR services.

Administration and Management

The available administrators’ repositories are: CLEAR (based on email domains), Azure AD, Google G Suite and OKTA.

For administrators on our cloud-based network security platform, password complexities and expiration policies are built-in and cannot be turned off. Two factor authentication is also available for CLEAR admins and authorization codes are sent via text message. Captcha verification processes are also included as part of the sign-up process.

For Azure AD, G Suite and OKTA, the authentication is determined by the authentication repository, including multi-factor authentication.

Role-based access control is supported and administrators can be added with full admin permissions, read only or guest management only permissions.

Additional Security Measures

Portnox’s DevOps team uses automated code and scripts to identify security issues in the code. In addition, Portnox uses third party technologies that specialize in conducting complex penetration tests for cloud products.

Our cloud-based network security solution is a SOC 2 Type 2 compliant technology. Regular audits are conducted to ensure that the requirements of SOC 2 Type 2 security principles are complied with:

  • Security – The system resources are protected against unauthorized access.
  • Availability – The system is available as committed.
  • Processing Integrity– System processing is complete, accurate, timely and authorized.
  • Confidentiality– Information that is designated as confidential is protected.
  • Privacy – The privacy of the information that the service collects, retains, uses, discloses and disposes.

For more detailed information on CLEAR’s cloud-based network security measures, please contact your customer success representative, or visit the CLEAR support site.

See a Demo of CLEAR – Please fill out this form: