NAC solutions for business can now offer simplified 802.1X industry standard security without all the complications. The goal is to keep NAC simple.
Network Access Control adoption is making a comeback, and one of the causes is the rapid adoption of IoT (Internet of Things). Past waves of NAC adoption were driven by the increase in guest, contractor and BYOD access requirements, resulting in the understanding that the network is no longer composed only of securely managed devices and that the traditional perimeter of a business has been replaced with a virtual one.
Network Access Control is quickly becoming a must-have technology for organizations of all sizes. NAC isn’t used just as an authentication mechanism for endpoints and users, but as a method to gain visibility of all connected network components and where they connect. Whether viewing the wired or the wireless network, it is the only available prevention technology that can handle the many risks associated with bringing IoT (Internet of Things) devices onto the network.
There are currently two prevalent NAC approaches: the first is based on the 802.1X protocol, and the second is a commercially available SNMP-based Next-Generation NAC solution. Both are sound approaches that can be implemented with simplicity, but first, let’s clear up some of the confusion between the two methods, point out the challenges of implementing 802.1X and help you decide which solution is the best fit for your business.
Challenges with the Implementation of IEEE 802.1X Solutions
In September 2003 the 802.1X usage guidelines were introduced by IEEE in RFC 3580 and later became the leading standard for authenticating endpoints on a network. These guidelines also define the required components of an 802.1X implementation, which include not only the network switch (the authenticator) but also a supplicant on the endpoint and, at minimum, an authentication (RADIUS) server. The standard therefore relies on a lot of moving parts.
- MAC Address Managers
For most 802.1X-based NAC solutions to work well, you need a supplicant on the endpoint, i.e. an agent that implements the client side of the protocol. Unfortunately, most vendors of digital equipment do not embed such software in their offering. You will find multiple endpoints on your network that are non-managed devices, such as IoT devices, including time attendance controllers, IP security cameras, temperature controllers, or IP phones that do not support 802.1X at all. In fact, it is estimated that in many organizations more than 50% of endpoints are IoT devices.
The solution for connecting these devices is one of two: either exclude that specific port at the switch level, or authorize the device by its MAC address. However, managing MAC addresses is often cumbersome and not secure. They are easily forged and are printed on the bottom of each physical device, effectively making your network password public and available to all.
- BYOD Trend
The ‘Bring Your Own Device’ (BYOD) trend is making the life of network and security admins a nightmare. How can you control or secure a device that is not under your control? The easiest solution is to create a clear separation between your managed devices and unmanaged BYOD. With on-prem 802.1X NAC solutions this is typically problematic as users can connect devices to the network by using their username and password. So if you do not roll out certificates to all of your managed devices, you cannot use 802.1X NAC solutions without the risk that your network will become an IT jungle.
- Health State – Risk Score
In order to comply with both regulations and security best practices, you should have security posture assessments carried out on the device and grant network access not only on the basis of a “password” but on the posture assessment as well. For that you need to deploy a commercial product, usually another agent on each device, and integrate all of these together.
- Level of Expertise
For an on-premises 802.1X implementation, the level of expertise required from a network engineer is very high. They would be required to know about RADIUS, 802.1X, EAP, different switch configurations and endpoint configurations (Windows / Mac OS X), and be able to pinpoint the root of an issue when a problem arises. This includes any endpoint, network equipment, configuration or hardware issue. The number one problem in IT in general, and in security specifically, is the shortage of skilled professionals. Without a skilled professional, an 802.1X implementation would fail and the maintenance would be a nightmare, unless you are using a simplified 802.1X solution (see below).
On-prem 802.1X NAC solutions include a lot of other issues that must be taken care of, such as connecting two devices behind the same port, bypassing 802.1X with a hub, high availability and how to implement “monitor mode” in existing networks. All of these items and more need to be taken into consideration when implementing on-prem 802.1X NAC. But using this industry standard protocol does not have to be so complicated any more. Simplified solutions are now available.
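As an added illustration (not code from the original post or from Portnox), the following Python check shows the kind of port-level audit an agentless, SNMP-style NAC can run over a switch's forwarding table to catch the cases discussed above: a second device behind the same port (a hub or daisy-chained device), an allowlisted IoT MAC showing up on an unexpected port, and one MAC present on two ports at once. All port names, MAC addresses and the allowlist are constructed sample data.

```python
"""Port-level checks over a switch's MAC forwarding table (constructed sample)."""
from collections import defaultdict

# Constructed allowlist: MAC -> the access port that IoT device should be on.
ALLOWLIST = {
    "00:11:22:33:44:01": "Gi1/0/5",   # IP camera (assumed)
    "00:11:22:33:44:02": "Gi1/0/6",   # time attendance controller (assumed)
}

# Constructed forwarding-table snapshot, as an SNMP poll of one switch would return it.
FDB = [
    ("Gi1/0/5", "00:11:22:33:44:01"),
    ("Gi1/0/6", "00:11:22:33:44:02"),
    ("Gi1/0/6", "aa:bb:cc:dd:ee:ff"),   # second device behind the same port
    ("Gi1/0/7", "00:11:22:33:44:01"),   # camera's MAC appearing on another port
    ("Gi1/0/8", "de:ad:be:ef:00:01"),   # device nobody registered
]


def audit_fdb(fdb, allowlist):
    """Return (port, finding) tuples that a NAC operator would want alerted on."""
    macs_by_port = defaultdict(set)
    ports_by_mac = defaultdict(set)
    for port, mac in fdb:
        macs_by_port[port].add(mac.lower())
        ports_by_mac[mac.lower()].add(port)

    findings = []
    for port, macs in sorted(macs_by_port.items()):
        if len(macs) > 1:
            # More than one MAC on an access port: hub or daisy-chained device.
            findings.append((port, "multiple_macs"))
        for mac in sorted(macs):
            if mac not in allowlist:
                findings.append((port, f"unknown_mac:{mac}"))
            elif allowlist[mac] != port:
                # Known MAC, wrong port: moved device or a cloned address.
                findings.append((port, f"allowlisted_mac_on_wrong_port:{mac}"))
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            # Same MAC learned on two ports at once cannot be one legitimate device.
            findings.append((",".join(sorted(ports)), f"mac_on_multiple_ports:{mac}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_fdb(FDB, ALLOWLIST):
        print(f"{port}: {finding}")
```

A real deployment would feed this from a periodic poll of the switch's bridge forwarding table and act on the findings (alert, restrict the port's VLAN, or block), which is what the "flexible enforcement" feature below refers to.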
Read the details on some of the issues that come up when implementing the 802.1X standard, and how the whole process can be simplified, in the following whitepaper.
Next-Gen SNMP-based NAC and SaaS (Cloud-Delivered) NAC
There are two routes to solve, or rather to simplify, the 802.1X NAC issues. The first is to go for a cloud-delivered 802.1X NAC solution that can simplify the entire deployment into a few minutes of work. The second option is to use a next-gen SNMP-based NAC solution that is agentless, centralized and vendor agnostic. SNMP-based solutions operate differently yet achieve the same desired results.
Cloud-Delivered 802.1X Security
With a cloud-delivered 802.1X NAC solution you can solve many of the hurdles mentioned above. There is no need for expertise since all the heavy lifting is already done for you; no need to take care of high availability and no need to worry about the many moving parts. Additionally, this solution supports flexible on-boarding options, so that you can delegate access management and still have workflow-based authorization for devices, thereby making the management of non-802.1X devices possible.
On-Premises Next-Gen SNMP-based NAC
Next-Gen SNMP-based NAC technology is a flexible approach to NAC which takes into account three types of system users: the network team, the security team and the systems team. Each of these groups benefits from different values that are offered.
Important Features to Look for in On-Premises Next-Gen SNMP-based NAC
- Agentless capabilities – the ability to identify and authenticate both managed and unmanaged BYOD and IoT devices.
- Flexible enforcement – from monitoring and limiting access all the way down to blocking devices.
- Centralized control – maintain a central view of the whole network on a single pane of glass.
- Vendor agnostic – your NAC solution must be able to work with any pre-installed equipment you have to keep deployment and management simple and within budget.
These characteristics will make deployment simple, meaning that high levels of technical expertise are not required to be able to use the solution.
Click here for a demo of the Portnox CORE solution [On-Premises Next-Gen SNMP-based NAC]
Click here for a demo of the Portnox CLEAR solution [Cloud-Delivered 802.1X NAC]
*This post is an updated version of a post previously posted. Some changes were made to clarify a number of points raised.