NAC FOR BYOD WHITEPAPER



Similar documents
BLACK BOX. Do you know who s on your network? Network Access Control. Get the facts. Then get the protection you can t live without.

BYOD and Your Business

PCI DSS Compliance White Paper

Whitepaper. Securing Visitor Access through Network Access Control Technology

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2

Building A Secure Microsoft Exchange Continuity Appliance

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

How To Secure Your Store Data With Fortinet

Endpoint Security More secure. Less complex. Less costs... More control.

Best Practices for Outdoor Wireless Security

ForeScout CounterACT. Continuous Monitoring and Mitigation

Mobile Device Strategy

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Network Access Control (NAC)

Sygate Secure Enterprise and Alcatel

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

SANS Top 20 Critical Controls for Effective Cyber Defense

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

Enabling Secure BYOD How Fortinet Provides a Secure Environment for BYOD

Providing a work-your-way solution for diverse users with multiple devices, anytime, anywhere

The 9 Best Practices for Network Security for Banks in Sponsored by April 14, 2009 Gary S. Miliefsky, President NetClarity, Inc.

Bring Your Own Device:

The User is Evolving. July 12, 2011

10 BEST PRACTICES FOR MOBILE DEVICE MANAGEMENT (MDM)

Addressing BYOD Challenges with ForeScout and Motorola Solutions

Security Without Compromise: Context-Aware and Adaptive Next-Generation Firewalls

SECURING TODAY S MOBILE WORKFORCE

End-user Security Analytics Strengthens Protection with ArcSight

How to Prevent a Data Breach and Protect Your Business

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Endpoint Security Management

IQware's Approach to Software and IT security Issues

QRadar SIEM 6.3 Datasheet

Enterprise Computing Solutions

BYOD Policy & Management Part I

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

Virtualization Beyond the Data Center: Increase Network Infrastructure Utilization and Efficiency to Reduce Operational Costs

Trust Digital Best Practices

How To Buy Nitro Security

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been

Did you know your security solution can help with PCI compliance too?

Delivering Control with Context Across the Extended Network

SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD

SonicWALL Makes Wireless Networking Secure

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

10 best practice suggestions for common smartphone threats

PCI Data Security Standards (DSS)

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Towards End-to-End Security

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Devising a Server Protection Strategy with Trend Micro

White Paper. Unify Endpoint and Network Security with McAfee Network Access Control (NAC)

Total Protection for Compliance: Unified IT Policy Auditing

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

The Leading Provider of Endpoint Security Solutions

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Securing OS Legacy Systems Alexander Rau

Seven for 7: Best practices for implementing Windows 7

Network Access Control in Virtual Environments. Technical Note

Network Virtualization Network Admission Control Deployment Guide

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Trusted Network Connect (TNC)

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Enabling Staff with Secure Mobile Technology in an Increasingly Risky World

Uncover security risks on your enterprise network

24/7 Visibility into Advanced Malware on Networks and Endpoints

8 Ways to Better Monitor Network Security Threats in the Age of BYOD January 2014

Critical Security Controls

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

5 Best Practices to Protect Your Virtual Environment

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network strategy to meet new threats and achieve expanded business imperatives

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Devising a Server Protection Strategy with Trend Micro

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

The Value of Automated Penetration Testing White Paper

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Windows XP End-of-Life Handbook for Upgrade Latecomers

Clean VPN Approach to Secure Remote Access

DOBUS And SBL Cloud Services Brochure

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Closing Wireless Loopholes for PCI Compliance and Security

AVeS Cloud Security powered by SYMANTEC TM

Choose Your Own - Fighting the Battle Against Zero Day Virus Threats

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

Maintaining Strong Security and PCI DSS Compliance in a Distributed Retail Environment

Zone Labs Integrity Smarter Enterprise Security

The Clock is Ticking on Windows Server 2003 Support

Security Considerations for DirectAccess Deployments. Whitepaper

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

All You Wanted to Know About WiFi Rogue Access Points

Defending Against Data Beaches: Internal Controls for Cybersecurity

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

Technical Note. ForeScout CounterACT Rogue Device Detection

Transcription:

Network Access Control (NAC) Bring Your Own Device (BYOD) NAC FOR BYOD WHITEPAPER Leverage Next Generation Network Access Control to Manage the Bring Your Own Device (BYOD) Scenario January 2012 Copyright 2012, NetClarity, Inc. All rights reserved worldwide. NetClarity, Inc. Crosby Corporate Center, 34 Crosby Drive, Bedford, MA USA 01730 USA/Toll Free: 1-800-874-2133 International: +1-781-791-9497 Email: sales@netclarity.net Web: www.netclarity.net

Contents What is Bring Your Own Device (BYOD)?... 3 What Kind of Security Exposure Do You Face from BYOD?... 4 It s All About Risk... 5 Two Risky BYOD Scenarios... 6 Best Practices for these BYOD Scenarios... 7 The Right Solution for BYOD is Next Generation NACwalls... 9 BYOD Requires Agentless NAC... 10 Only Next Generation NACwalls Are Designed to Manage BYOD... 11 What is Next Generation NAC and Why is it Better... 11 Goals of Next Generation NACwalls... 11 Mitigation of Zero-day Attacks and Vulnerabilities... 12 Policy enforcement of BYOD over Wireless and using 802.1q VLANs... 12 Identity and access management... 12 Next Generation NACwalls provide the BYOD Convergence You Need... 12 Contacting NetClarity... 14 2 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

What is Bring Your Own Device (BYOD)? It is the consumerization trend, which appears to grow exponentially and is unstoppable, as we see a plethora of new device types being released on a monthly basis from new Tablet devices running the Android operating system (a derivative of the open source Linux OS) to new phones, laptops, netbooks, ebook Readers to the latest Apple itouch, ipad and iphone devices. All of these devices can be enabled with Internet access using either or both wired and wireless access and some with cellular technologies that enable external public internet access over telephone carrier networks, also wirelessly. Some of these devices also have infrared and Bluetooth networking features which can be enabled to eavesdrop or to be hacked and eavesdropped upon by peers. Corporations need to create and implement policies around network access for these personally owned devices as they physically enter the internal corporate structure limits to access under guest or DMZ networks have become a requirement. The ability to detect and quarantine these devices needs to be done efficiently and automatically. Corporations will want to be alerted when these devices come and go on their networks, block or control access granularly, even down to the VLAN level and inspect them as untrustworthy endpoints that may be bringing in new forms of viruses even zero-day malware, behind the corporate firewall, where this malware may propagate and cause data loss and data integrity issues. The advantages of BYOD, especially for the mobile workers sales and marketing teams for example, who travel frequently, are well recognized. However, there needs to be a balance, decided upon and managed by the corporation, to ensure secure network access as well as compliance with numerous regulations. 3 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

What Kind of Security Exposure Do You Face from BYOD? Most managed devices cause enough network trouble. Allowing employees to come and go with personal equipment may appear to be beneficial for productivity gains, however, there is serious risk in their bringing equipment into the corporate network that have holes, known as CVEs, which are susceptible to malware. According to US-CERT (United States Computer Emergency Readiness Team), 95% of downtime and IT related compliance issues are a direct result of an exploit against a Common Vulnerability and Exposure. A firewall, IDS, IPS, anti-virus software and other countermeasures don t look for or show how to remove CVEs. So most companies are really only 5% secure. Figure 1: With a WIFI enabled network for employees, you have security, compliance and productivity risks. Most IT managers are not familiar with the term CVE, but the majority are aware of Blaster, Msblast, LovSAN and the Nachi and Welchia; worms which have caused massive downtime and financial losses. They all exploited one CVE one minor hole. It was a software flaw running in most Microsoft Windows operating systems. This allowed hackers to send these exploits out and take advantage of the many Windows systems that had the fatal flaw. On the U.S. National Vulnerability Database powered by CVE at http://nvd.nist.gov, it is possible to search for CVEs that may lurk in a network. If an organization has just purchased a new 4 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

router or switch, or anything else that plugs into a network, it is a simple matter of typing the name of the system into the NVD and seeing how many CVEs (vulnerabilities) can be found. The top 20 exploited vulnerabilities are available on http://www.sans.org/top20/ which lists ten vulnerabilities in Windows and ten in Unix/Linux systems. If any computer user has one of these holes, it needs to be closed as soon as possible to ensure the installation isn t attacked when least expected. In addition, more than 80% of these security breaches happen behind the firewall and on systems running the latest anti-virus software. There is a catastrophic impact upon business operations resulting from these attacks that occur behind firewalls. In addition, these types of attacks is growing exponentially from guest and unmanageable devices stealing inside information and identities to internal propagation of zero-day malware, some of which, such as Stuxnet, are also designed to cause physical damage. It s All About Risk Ultimately, you need to manage your risk posture. First, let s understand the risk formula: Risk = Threats x Vulnerabilities x Assets (R = T x V x A) You will never be 100% secure but if you can manage risk, you ll be one step ahead of the problem. Now, let s breakdown the formula: Threats - Zero-day malware, Untrusted and Rogue Access, Malicious Insiders. Vulnerabilities - Known as Common Vulnerabilities and Exposures (CVEs) are all the exploitable holes in your network. Assets - All dynamic, moving targets - people and their desktops, laptops, VoIP phones, PDAs found throughout your network. Hackers, viruses and worms cause Billions in damages by exploiting CVEs against business and the damages are growing annually (Source: CSO Magazine). How many CVEs are in a company s network? Is the risk of an internal breach, downtime and data theft taking you out of 5 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

compliance? Take a look at PrivacyRights.org and see for yourself data breaches are accelerating at an incredible pace, yet billions of dollars have been spent on Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Anti-virus Software (AVS). It s been argued in CIO magazine that we ve placed our largest investments and trust for network security in products that solve yesterday s problems. What about today and tomorrow? Two Risky BYOD Scenarios The top two BYOD scenarios we re seeing across the industry are: 1. Employee, student, contractor or guest-owned devices accessing corporate WIFI resources: a. Most of these devices do not run the Microsoft Windows operating system; b. Installing a NAC agent is nearly impossible for technical reasons as well as political and possibly legal/privacy rights; c. These devices are highly vulnerable through CVEs holes and most likely are infected with eavesdropping software; d. In addition to WIFI connectivity, they may be operating on cellular networks, at the same time, thereby leaving a gaping hole of risk in the area of data theft and leakage; 2. Employee, student, contractor or guest-owned devices accessing corporate wired (local area network) resources: a. These are typically Netbooks or Laptops which may be running Linux or Windows; b. Although they might be more technically able to handle a NAC agent, installing one is nearly impossible for political reasons and possibly legal/privacy rights; c. They may contain corporate resources in-transit such as customer records, contact lists, spreadsheets, documents, presentations, etc. which could be at risk of theft by malware eavesdropping and data theft or if the equipment is lost or stolen. 6 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

Best Practices for these BYOD Scenarios Companies and government organizations including libraries and schools often support guest networks as part of their overall computer networking setup. A guest network is a small section of an organization's computer network designed for use by temporary visitors. This subnet or virtual local area network (VLAN) often provides full Internet connectivity, but it also strictly limits access to any internal (intranet) Web sites or files. Besides helping to keep an organization's internal information private, guest networks help avoid spreading any computer worms that visitors may have on their systems. Until NACwalls, setting up and securing a guest network was difficult and cost-prohibitive. To properly configure a guest network, NetClarity recommends the following network configuration and deployment of a Next Generation NACwall appliance: 1. Place a low cost managed switch that supports 802.1q (VLAN tagging) on the DMZ port of the corporate or branch office firewall. 2. Take one of the freely available Ethernet ports of the NACwall appliance and plug it into this managed switch. 3. Configure a VLAN called GUEST in the NACwall s 802.1q VLAN Tag Configuration screen and map it to the TAG ID of that VLAN on that managed switch. 7 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

Turn on the Asset Detection System to BLOCK rogue access to the corporate network but EXCLUDE the GUEST VLAN from the BLOCK RANGE. Make sure a valid email is setup to receive alerts. Anytime a guest arrives on that VLAN (which could also be the local SUBNET of a WIRELESS ROUTER plugged into the DMZ port of the firewall instead of a managed switch), they will show up as YELLOW (untrusted but not blocked) in the NACwall Manage Assets user interface and an alert will be sent. As long as they stay on the GUEST VLAN (or the wireless subnet) they will not be quarantined. If they attempt to gain rogue, malicious, internal access to your corporate network they will automatically be BLOCKED and their device will show up on the Manage Assets page on the other VLAN or other subnet marked in RED (untrusted and being blocked). 8 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

BYOD Made Easy. The Right Solution for BYOD is Next Generation NACwalls Here is what customers around the globe are saying they want their NAC solution to do: 1. Know who is on my network; 2. Do they belong on my network; 3. When are they on my network; 4. If I don t trust them, I want an alert and I want them off my network instantly; 5. If I do trust them but they are exploitable or have running malware, I want to quarantine them immediately; 6. I want to remediate problems by hardening systems I trust and block those I don t; 7. I want to document and demonstrate regulatory compliance (for GLBA, HIPAA, SOX, FISMA, EO13231, PCI, NERC/FERC, etc.). These needs cannot be solved by 9 out of 10 NAC solutions. Customers want a solution that manages risk on what most NAC vendors call unmanageable devices such as Blackberry devices, iphones, itouches, Androids, VoIP phones, Wireless barcode scanners, wireless routers and so much more. Most networks are alive they are very dynamic in nature. NAC needs to 9 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

intelligently fingerprint every device that comes and goes on networks and helps IT staff manage these devices as well as user access and user behavior. In addition, at the brick and mortar retail outlets, by spoofing the MAC address of a trusted device one of the many wireless barcode scanners, one can continue to gain inside access into their network without ever stepping foot into the building. Any system (Desktop, Server, Laptop) that fails these posture checks goes into the quarantine via a NAC proxy server and 802.1x protocol controls. Try this on one of your executives run one of these solutions on their laptop and watch them sit there unproductive for an hour or two while these useless client software tools help you feel like you ve done the right thing for Network Access Control (NAC). Over 30% of all computers in the world are infected with unknown malware, despite having passed these three checks. BYOD Requires Agentless NAC How will you install a NAC agent on your VoIP phones, Wireless Routers, Hubs, iphones and other devices? NAC agents are designed for only ½ of your network your weak, already infected Windows systems. If you truly want to control access, you need to solve all of these problems and ensure that rogue assets are not on your network today and are never allowed to gain access to your network in the future (see: www.netclarity.net). Just take a look at the chart below and you ll see that conventional antivirus checks are absolutely NOT effective against threats that exploit common vulnerabilities and exposures (CVEs), known as Zero-day malware. Figure 2: Anti-virus is totally ineffective against moderately to high modern threats 1 1 Source: ModernMalwareExposed.org. 10 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

Only Next Generation NACwalls Are Designed to Manage BYOD The first generation (1G) NAC solutions were not aware of, nor could they manage and control access, to the dozens of new devices from VoIP phones to Blackberry, ipod, itouch, iphone, Droid and other devices. As a result, with the dynamic nature of networks, more and more of these devices have been able to gain access as internally trusted and unmanageable devices, behind firewalls and wireless routers. There s a strong, growing need to detect, alert, block and control these devices without software clients or agents and it must be done in real-time. The only answer is NEXT GENERATION NACWALLS. What is Next Generation NAC and Why is it Better Next Generation (NG) NAC...It's more than another NAC solution, it's a NAC revolution. Similar to the advances in Cellular Telephone technology, 1G Cell phones were bulky, expensive, rarely deployed until the advent of NG Cell phones. The same holds true for Network Access Control. At 1/4th the price of first generation (1G) NAC solutions with deployment speeds up to 100x faster than 1G, you should be looking for a NG solution in 2012. The first NG solution in the NAC market is the NetClarity NACwall NG - providing real-time internal network access control (NAC) and intrusion defense without clients, without software agents. It is now available, worldwide, from trusted NetClarity channel partners. NetClarity intends to continue to push the innovation envelope on what a NAC solution should do to secure networks internally and help customers document their best practices for regulatory compliance. Goals of Next Generation NACwalls Because NAC represents an emerging category of security products, its definition is both evolving and controversial. The overarching goals of the concept can be distilled to the following three key issues: 11 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

Mitigation of Zero-day Attacks and Vulnerabilities The key value proposition of Next Generation NACwalls is the ability to prevent weak or infected trusted devices from accessing the network and placing other computers at risk of cross-contamination of network worms. NEXT GENERATION NACWALLS enables automated, real-time quarantine of trusted assets that become weak and infected. You can find and fix your Common Vulnerabilities and Exposures (CVEs), hardening your network assets and preempting successful exploitation of holes. Policy enforcement of BYOD over Wireless and using 802.1q VLANs Next Generation NACwalls allow IT staff to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them automatically in all old and new unmanaged and managed switches that support the safer, more stable protocol of 802.1q as opposed to the easily hacked and circumvented 802.1x. Identity and access management Where conventional IP networks enforce access policies in terms of IP addresses, Next Generation NACwalls support authenticated user identities, agentlessly communicating with Active Directory services, but don t place the trust and reliance upon client/agent-based services, like 1G NAC solutions. Criminals don t install trust agents and don t authenticate when they choose. Next Generation NACwalls provide the BYOD Convergence You Need Imagine three key areas: Identity Management, Device Security and Network Security. This is where NEXT GENERATION NACWALLS takes us. By focusing on the convergence of these three unique and distinct areas of corporate security, a NEXT GENERATION NACWALLS solution handles internal intrusion defense where most IT Security and Regulatory Compliance issues arise, nearly automatically and in real-time. Take a look at the Venn diagram, below, for a visual understanding of where NEXT GENERATION NACWALLS fits: 12 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

Figure 3: NEXT GENERATION NACWALLS the Convergence of Internal Intrusion Defense As network attackers have moved on to new threats constituting the majority of today's risk - and requiring new protection technologies (i.e. Network Asset Cops ) or NAC solutions that converge device security, network security and identity management. NetClarity, Inc. offers these appliances into the marketplace as the only NEXT GENERATION NACWALLS solution that is both non-inline and agent less and does not require 802.1x. With the right NEXT GENERATION solution, such as NACwalls from NetClarity, you ll be able to defend your organization from unexpected threats, untrusted network access, known vulnerabilities and their exploits. NACwall NG appliances function while you are at work and even while you are sleeping. It is completely automatic and easy to use; the same way a NG cell phone was adopted by everyone. No need for complex training to perform these key functions and defeat rogue access, malicious insiders and new malware. We've been watching NetClarity for some time. In our view, this company is among the most innovative we've seen. SC Magazine 13 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

With the NACwall, managing BYOD is an easy, simple process. Agent-less detection, alerting and controlling features are implemented through simplified LAN management or even more complex Active Directory and VLAN management, without the need for additional client software, or new switches or new firewalls or new wireless routers. This can be demonstrated in only a few minutes, with proper NACwall appliance configuration. Figure 4: NACwall Next Generation NAC Appliances Family Nano, Branch Pro and Enterprise Contacting NetClarity Send us an email to sales@netclarity.net or Find us online at http://www.netclarity.net or worldwide: Corporate Headquarters Crosby Corporate Center 34 Crosby Drive Bedford, MA 01730 United States of America (781) 791-9497 14 P a g e N E T C L A R I T Y, I N C. W H I T E P A P E R N A C W A L L N G

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information