By Toby Makepeace, Technical Director, Netutils
This post contains original thoughts posted by Toby Makepeace, Technical Director, Network (Utilities) Systems Ltd. These views are his own.
More and more enterprises, faced with pressure from guests to supply secure network access, are deploying network access control (NAC) solutions. In today’s digital society there is an increasing expectation from your guests, contractors and staff that they will be able to quickly, easily and securely connect to the internet wherever they are on your premises. This places pressure on your IT department and brings challenges in deploying solutions that are easily scalable, fast to install and compatible with your existing IT infrastructure. Juniper’s recent White Paper on Network Access Control shares some interesting findings:
‘According to Gartner, Inc., 80 percent of NAC deployments are installed initially to address guest access control. Some enterprises have already installed gear from different vendors to meet individual use cases; for example, deploying one NAC solution for the visitor waiting in the lobby, and another for contractors, partners, or other non-employees who may need broader access.
…Gartner recommends that enterprises plan for the long term and deploy NAC solutions that not only meet their immediate needs, but also take into consideration their future access control needs and plans.’*
In my experience a good network access control policy and solution mean that things like BYOD should not be a challenge for a business. Your BYOD Strategy should simply start with the fundamentals about who you want to grant access to and what they should be allowed to access based on a number of factors.
- User classification (staff, contractor, guest)
- Device type (PC, Mac, PDA, tablet, mobile)
- Device health (Anti-Virus, Patches, Restricted applications)
So once you have a robust BYOD policy in place, a “Network Access Control” solution becomes your tool of enforcement. If you do not deploy a NAC solution you will have to consider deploying many different networks and trusting people to connect only to the network they should be on. Consider, though: can you really trust people to connect to the network they should be on rather than the network they want to be on?
By employing a robust BYOD strategy you remove the element of uncertainty and implement an assured method of control. So, in my opinion, an 802.1X-based network access control solution that supports multiple, different EAP protocols is a must. You should implement a solution that not only caters for the devices you have the ability to control (via the “Access Control Client”) but also one that can still support any 802.1X supplicant a user might have on their own personal device.
This way you make user access from trusted devices and untrusted devices the same, and allow the solution to determine which network the connection should be terminated on. If the user is on a trusted device and has a trusted identity (username and password), then they should be allowed onto the corporate network. If the user is on an untrusted device (a machine that is not owned by the organisation or fails to meet a security policy requirement), then they should be placed on a separate network with limited access to resources. And finally, if it’s the user themselves who is untrusted, then the question is – do you actually want them on the network at all?
If there are users you do not want on the network (contractors, vendors or guests), they should be on a separate network from your trusted users, irrespective of the device they are on, trusted or untrusted. A trusted device can fall into one of two categories:
- A corporate machine that meets a required security policy
- A personal device that meets a required security policy.
In my view, despite the fact that both devices are ‘trusted’, they should be granted different levels of access, and therefore you may want to consider directing them to different networks. For example, a full corporate device should be granted full access to the network as if it were on a wired connection, whereas a BYOD (PC) device would gain access only to resources like the internet, email and intranet (all those web-based services users want access to that made you consider BYOD in the first place!).
Now we get into the detail regarding levels of access and control. What I like most about the Juniper UAC solution is its ability to integrate with a firewall, acting as a dynamic user-based firewall. Most firewalls have policies based on source IP / destination IP; with the Juniper UAC the firewall rules are based on user / destination IP. This allows you to grant an untrusted device network access to only the resources you consider permissible and safe. In addition, because the solution is focused on the user, the access rules continue to apply as that user moves throughout the building and their IP address changes.
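The policy described above (user class, device ownership and device health deciding which network a session terminates on) and the user-based firewall rules that follow a user across IP changes, as an added illustration that is not code from the post or from Juniper UAC; the network names, destination sets and endpoint attribute names are constructed for the example:

```python
from dataclasses import dataclass

# Network each session lands on and the destinations reachable from it (constructed values)
NETWORKS = {
    "corporate":  {"file-servers", "intranet", "email", "internet"},
    "byod":       {"intranet", "email", "internet"},
    "restricted": {"internet"},
    "guest":      {"internet"},
}

@dataclass(frozen=True)
class Endpoint:
    """Facts learned at 802.1X authentication (hypothetical attribute names)."""
    user: str
    user_class: str               # "staff", "contractor" or "guest"
    corporate_owned: bool         # managed device running the access control client
    av_running: bool
    patched: bool
    restricted_app_found: bool

    def meets_security_policy(self) -> bool:
        return self.av_running and self.patched and not self.restricted_app_found

def assign_network(ep: Endpoint) -> str:
    """Decide where the connection terminates, checked in the order the post argues."""
    if ep.user_class != "staff":
        return "guest"           # untrusted user: separate network whatever the device
    if not ep.meets_security_policy():
        return "restricted"      # trusted user, device fails the health policy
    return "corporate" if ep.corporate_owned else "byod"   # both trusted, different access

class UserFirewall:
    """Rules keyed on user/destination; the user's current IP comes from the session table."""
    def __init__(self) -> None:
        self.user_ip: dict[str, str] = {}
        self.by_ip: dict[str, tuple[str, str]] = {}

    def authenticate(self, ep: Endpoint, ip: str) -> str:
        old_ip = self.user_ip.get(ep.user)
        if old_ip is not None:
            self.by_ip.pop(old_ip, None)   # roaming: the rule follows the user, not the old IP
        network = assign_network(ep)
        self.user_ip[ep.user] = ip
        self.by_ip[ip] = (ep.user, network)
        return network

    def permits(self, src_ip: str, destination: str) -> bool:
        session = self.by_ip.get(src_ip)   # unknown IP means no authenticated user: deny
        return session is not None and destination in NETWORKS[session[1]]
```

Re-authenticating a user from a new address moves their rules to that address and revokes them from the old one, which is the behaviour the user-centric rule model gives you that a source-IP rule base does not.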
The levels of flexibility you have with a good NAC solution should allow you to safely consider BYOD as a benefit to your business. Juniper Unified Access Control (UAC) solutions solve a wide variety of business and technology issues, addressing authentication, endpoint security and access control capabilities.
‘Enterprises benefit from a single, comprehensive NAC solution that can accommodate onetime guests, repeat visitors such as contractors and partners, employees, and future use cases as they emerge. Juniper Networks Unified Access Control is an integrated, easy-to-use solution that enables enterprises to cost-effectively turn on the right level of access control for their guests today and be well positioned to meet tomorrow’s access control challenges.’
Suggested further reading: Juniper Networks, White Paper ‘Guest Access Made Easy’
* Source: Juniper Networks, White Paper ‘GUEST ACCESS MADE EASY, Juniper Networks Unified Access Control and EX Series Ethernet Switches Solve Today’s NAC Problems’