Network World Highlights Portnox


Linda Musthaler discusses Portnox’s capabilities and relevance to today’s BYOD and cloud initiatives.

“A few years ago, industry pundits were declaring NAC dead—done in by complexity and rigidity. Today, however, BYOD and mobile computing in general are breathing new life into NAC. With a range of people and devices coming and going on the average enterprise network, NAC is (still) the best way to control who and what is on your network.

According to the 2014 Cyberthreat Defense Report for North America and Europe, 77% of survey respondents intend to use NAC as part of their mobile security strategy. Along with Next Generation Firewalls, NAC solutions are perceived as having the greatest potential to defend against today’s cyberthreats. Survey respondents say they most commonly use NAC to identify vulnerabilities and security misconfigurations on endpoint devices in between full-network vulnerability scans.

Those same questions are just as important, if not more important, today than they were in 2010. Since then, BYOD has exploded, and various government and industry regulations have tightened the penalties for not being able to answer the question of “who is on the network?” But there are a few questions Snyder didn’t ask four years ago and they are critical today: What about the cloud? How can we control who accesses our cloud-based data and applications?

In short, companies need control over who and what is accessing their complete computing environment, no matter where the computing resources reside. That control is hard to come by, but the security company Portnox is out to change that.

Portnox claims to be different from other NAC solutions because it requires no appliances, no agents on devices, and no infrastructure changes. The company says its solution will work with all existing network infrastructure and equipment, regardless of how old or heterogeneous it is. In addition to working with wired and wireless networks, Portnox says it considers virtual networks, VPNs and cloud to be first-class citizens of your network as well, since they are within the IT department’s scope of responsibility. The super lightweight solution is said to scale to reach all corners of your computing environment.

Portnox is a software solution that sits on a physical or virtual Windows server. The hardware footprint needed to run the Portnox solution is significantly less than what other NAC solutions typically require. A single server is capable of handling up to 10,000 connected devices or monitoring 20,000 ports.

Portnox gains insight to the network by communicating natively with the switches, wireless access controllers, firewalls, routers and VPNs to get an inventory of what is on the network. There are no IP scans, no port mirroring or span ports or looking for duplicate packets. Portnox uses straightforward SNMP read plus traps sent back from the Ethernet switches, the wireless devices and the routers to the actual Portnox system. For non-Windows devices, Portnox uses telnet, SSH and other technologies to bring them into the fold. Portnox gets a live read of every single device currently connected and drawing power somewhere on the network.

By communicating with the networking infrastructure, Portnox resolves the connected device’s MAC and then IP address. It then uses various methods to provide verification of identity and device health check. It can probe any number of characteristics to match your company’s policies. For example, Portnox can ask questions such as: Are you a member of the domain? Are you in good health? Does the user have local admin rights on the device? Are there any databases or massive storage devices installed on the machine? You can use Windows Management Instrumentation (WMI) to query for virtually anything and start to factor that into your NAC decision.

In the BYOD realm, Portnox can work with an existing Mobile Device Management (MDM) solution to check device characteristics and its worthiness of network access. In the absence of true MDM, Portnox provides light MDM functionality to challenge the device.

Knoxer can quarantine a device and run the quarantine traffic across its own VPN to the Portnox server so that when you are doing remediation all the way down to the branch, you don’t need to set up separate infrastructure to do that. Knoxer creates its own VLAN for the quarantine purposes, allowing you not just to see what’s happening in the branch but really adding control of what is happening in the branch.

Portnox doesn’t charge for Knoxer licenses. Instead, the vendor looks at the totality of the infrastructure you want to protect, whether it is all in one place or segmented to hundreds of branches. This makes it cost effective to run the Portnox solution.

I mentioned that Portnox considers the cloud as an extension of your enterprise computing environment. This is true for SaaS applications as well as for IaaS/PaaS virtual segments in the cloud. For SaaS applications, Portnox uses federated authentication to identify users and their devices to ensure they meet corporate policies. For IaaS/PaaS, you can put an instance of Knoxer in the cloud in order to illuminate this virtual environment as you would a local switch.

In the near term, Portnox plans to offer the ability to deliver NAC as a service through the cloud, removing the need to have a Portnox server on premise. The company expects this will lower the barrier of entry for NAC. Some of the first applications for this cloud-based service will be for guest networking and BYOD.”
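The two-stage flow the article describes for an agentless NAC (learn endpoints from switch SNMP traps and read-only table reads, resolve MAC then IP, ask WMI-style posture questions, and park anything that fails on a quarantine VLAN) as an added Python example. This is not Portnox's code and is not from the article: the trap log lines, the forwarding-table, ARP and posture snapshots are constructed, the VLAN ids and policy thresholds are assumed, and the default-deny choice (unknown or unanswering devices are quarantined) is a design decision of this example. A real deployment would fetch the tables with an SNMP library and the posture facts from WMI.

```python
"""Added example (not Portnox's code): a minimal agentless NAC decision
pipeline.  Stage 1 turns switch linkUp traps into MAC/IP identities using
snapshots of the bridge forwarding table and the router ARP table; stage 2
gates access on posture facts of the kind the article says WMI can answer.
All inputs are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed snapshot of a switch bridge forwarding table (dot1dTpFdbTable):
# ifIndex -> MAC learned on that port.  Normally read via SNMP GET/WALK of
# 1.3.6.1.2.1.17.4.3.1.2 (dot1dTpFdbPort); no port mirroring involved.
FDB = {7: "00:1a:2b:3c:4d:5e", 8: "00:1a:2b:3c:4d:5f", 9: "aa:bb:cc:dd:ee:ff"}

# Constructed ARP snapshot from the router (ipNetToMediaTable): MAC -> IP.
ARP = {"00:1a:2b:3c:4d:5e": "10.20.30.41", "00:1a:2b:3c:4d:5f": "10.20.30.42"}

# Constructed trap log lines as a trap receiver might record them.  The trap
# OID 1.3.6.1.6.3.1.1.5.4 is IF-MIB::linkUp, 1.3.6.1.6.3.1.1.5.3 is linkDown.
TRAPS = [
    "switch=10.20.30.2 trap=1.3.6.1.6.3.1.1.5.4 ifIndex=7",
    "switch=10.20.30.2 trap=1.3.6.1.6.3.1.1.5.4 ifIndex=8",
    "switch=10.20.30.2 trap=1.3.6.1.6.3.1.1.5.3 ifIndex=9",   # linkDown: ignore
    "switch=10.20.30.2 trap=1.3.6.1.6.3.1.1.5.4 ifIndex=12",  # no MAC learned yet
]

# Constructed posture facts standing in for WMI answers (domain membership,
# local admin rights, largest attached disk).  Keyed by MAC.
POSTURE = {
    "00:1a:2b:3c:4d:5e": {"domain_member": True, "local_admin": False, "largest_disk_gb": 512},
    "00:1a:2b:3c:4d:5f": {"domain_member": True, "local_admin": True, "largest_disk_gb": 8000},
}

LINKUP = "1.3.6.1.6.3.1.1.5.4"
QUARANTINE_VLAN = 999   # assumed quarantine VLAN id
ALLOW_VLAN = 10         # assumed production VLAN id
MAX_DISK_GB = 4000      # illustrative "massive storage" threshold


@dataclass
class Endpoint:
    switch: str
    port: int
    mac: str | None = None
    ip: str | None = None
    reasons: list[str] = field(default_factory=list)
    vlan: int = QUARANTINE_VLAN   # default deny until policy is met


def parse_trap(line: str) -> dict[str, str]:
    """Split a 'key=value key=value' trap log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def discover(traps: list[str], fdb=FDB, arp=ARP) -> list[Endpoint]:
    """Stage 1: linkUp trap -> port -> MAC (forwarding table) -> IP (ARP)."""
    found: list[Endpoint] = []
    for line in traps:
        t = parse_trap(line)
        if t.get("trap") != LINKUP:
            continue
        ep = Endpoint(switch=t["switch"], port=int(t["ifIndex"]))
        ep.mac = fdb.get(ep.port)
        if ep.mac is None:
            ep.reasons.append("no MAC learned on port yet")
        else:
            ep.ip = arp.get(ep.mac)
        found.append(ep)
    return found


def decide(ep: Endpoint, posture=POSTURE) -> Endpoint:
    """Stage 2: evaluate posture facts; any failed check keeps the quarantine VLAN."""
    if ep.mac is None:
        return ep
    facts = posture.get(ep.mac)
    if facts is None:
        ep.reasons.append("posture unknown (device did not answer)")
        return ep
    if not facts["domain_member"]:
        ep.reasons.append("not a domain member")
    if facts["local_admin"]:
        ep.reasons.append("user has local admin rights")
    if facts["largest_disk_gb"] > MAX_DISK_GB:
        ep.reasons.append("oversized storage attached")
    if not ep.reasons:
        ep.vlan = ALLOW_VLAN
    return ep


def run(traps: list[str] = TRAPS) -> dict[int, tuple[int, list[str]]]:
    """Return port -> (assigned VLAN, reasons) for every linkUp event."""
    return {ep.port: (ep.vlan, ep.reasons) for ep in (decide(e) for e in discover(traps))}


if __name__ == "__main__":
    for port, (vlan, why) in run().items():
        print(f"port {port}: vlan {vlan} ({'; '.join(why) or 'policy met'})")
```

The point of splitting discovery from decision is that the first stage needs only read access to the network gear (SNMP reads plus traps, exactly the footprint the article credits Portnox with), while the second stage is where the policy lives; a device that never produces a MAC, or never answers a posture query, stays in quarantine rather than being silently allowed.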

