Your BYOD Strategy – Where is the trust? – Juniper has the NAC

By Toby Makepeace, Technical Director, Netutils

This post contains original thoughts posted by Toby Makepeace, Technical Director, Network (Utilities) Systems Ltd. These views are his own.

More and more enterprises faced with pressure from guests to supply secure network access are deploying network access control (NAC) solutions. In today’s digital society there is an increasing expectation from your guests, contractors and staff that they will be able to quickly, easily and securely connect to the internet wherever they are on your premises. Again, this places pressure on your IT department and brings challenges with regard to deploying solutions that are easily scalable, fast to install and compatible with your existing IT infrastructure. Juniper’s recent White Paper on Network Access Control shares some interesting findings:

‘According to Gartner, Inc., 80 percent of NAC deployments are installed initially to address guest access control. Some enterprises have already installed gear from different vendors to meet individual use cases; for example, deploying one NAC solution for the visitor waiting in the lobby, and another for contractors, partners, or other non-employees who may need broader access.

…Gartner recommends that enterprises plan for the long term and deploy NAC solutions that not only meet their immediate needs, but also take into consideration their future access control needs and plans.’*

In my experience a good network access control policy and solution mean that things like BYOD should not be a challenge for a business. Your BYOD Strategy should simply start with the fundamentals about who you want to grant access to and what they should be allowed to access based on a number of factors.

  • User classification (staff, contractor, guest)
  • Device type (PC, Mac, PDA, Tablet, Mobile)
  • Device health (Anti-Virus, Patches, Restricted applications)

So once you have a robust BYOD policy in place, a “Network Access Control” solution becomes your tool of enforcement. If you do not deploy a NAC solution you will have to consider deploying lots of different networks and trust people to only connect to the network they should be on. Consider, though: can you really trust people to connect to the network they should be on rather than the network they want to be on?

By employing a robust BYOD strategy you remove the element of uncertainty and implement an assured method of control. So in my opinion an 802.1X-based network access control solution that supports multiple and different EAP protocols is a must. You should implement a solution that not only caters for the devices you have the ability to control, the “Access Control Client”, but also a solution that can still support any 802.1X supplicant a user might have on their own personal device.

This way you make the user access from trusted devices and untrusted devices the same, and allow the solution to determine which network the connection should be terminated on. If the user is on a trusted device, and has a trusted identity (Username and Password), then they should be allowed onto the corporate network. If the user is on an untrusted device (a machine that is not owned by the organisation or fails to meet a security policy requirement) then they should be placed on a separate network with limited access to resources. And finally, if it’s the user themselves who is untrusted, then the question is – do you actually want them on the network at all?

If there are users you do not want on the network (contractors, vendors or guests), they should be on a separate network from your trusted users, irrespective of the device they are on, trusted or untrusted. A trusted device can fall into one of two categories:

  • A corporate machine that meets a required security policy
  • A personal device that meets a required security policy.

In my view, despite the fact that both devices are ‘trusted’, they should be granted different levels of access, and therefore you may want to consider directing them to different networks. For example, a full corporate device should be granted full access to the network as if it were on a wired connection, whereas a BYOD (PC) device would only gain access to resources like the internet, email and intranet (all those web based services users want access to that made you consider BYOD in the first place!).

Now we get into the detail regarding levels of access and control. What I like most about the Juniper UAC solution is its ability to integrate with a firewall; to act as a dynamic “user” based firewall. Most firewalls have policies based on Source IP / Destination IP; with the Juniper UAC the firewall rules are based on the User / Destination IP. This allows you to grant network access to an untrusted device to only the resources you consider to be permissible / safe. In addition, as the solution is focused on the user, as that user moves throughout the building and the IP address changes, the rules of access are still granted.
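The placement logic and the user-keyed firewall rules described above, as an added sketch that is not code from the original post or from Juniper's product. The role names, resource labels and the `Endpoint` and `UserFirewall` classes are constructed for illustration; treating a failed identity check as the untrusted user, and the contents of the limited-access set, are assumptions.

```python
from dataclasses import dataclass

# Constructed role names and resource labels; not Juniper UAC configuration.
ROLE_RESOURCES = {
    "corporate": {"internet", "email", "intranet", "file-server"},
    "byod": {"internet", "email", "intranet"},
    "restricted": {"internet"},   # assumed contents of the limited network
    "guest": {"internet"},
}

@dataclass(frozen=True)
class Endpoint:
    user: str
    user_class: str        # "staff", "contractor" or "guest"
    authenticated: bool    # 802.1X/EAP identity check succeeded
    corporate_owned: bool
    healthy: bool          # anti-virus, patches, restricted applications

def assign_role(ep):
    """Pick the network for a connection; None means no access at all."""
    if not ep.authenticated:
        return None              # untrusted user: not on the network
    if ep.user_class != "staff":
        return "guest"           # separate network whatever the device
    if not ep.healthy:
        return "restricted"      # device fails the security policy
    return "corporate" if ep.corporate_owned else "byod"

class UserFirewall:
    """Rules keyed on the user's role; the IP only points at the session."""
    def __init__(self):
        self.sessions = {}       # current source IP -> (user, role)

    def login(self, ep, ip):
        role = assign_role(ep)
        # One session per user: drop the old IP binding when the user moves.
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] != ep.user}
        if role is not None:
            self.sessions[ip] = (ep.user, role)
        return role

    def permits(self, src_ip, resource):
        session = self.sessions.get(src_ip)
        return session is not None and resource in ROLE_RESOURCES[session[1]]
```

A source-IP rule would have to be rewritten when the address changes; here the second `login` rebinds the same role to the new address and the old address loses access.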

The levels of flexibility you have with a good NAC solution should allow you to safely consider BYOD as a benefit to your business. Juniper Unified Access Control (UAC) solutions solve a wide variety of business and technology issues, addressing authentication, end point security and access control capabilities.

‘Enterprises benefit from a single, comprehensive NAC solution that can accommodate onetime guests, repeat visitors such as contractors and partners, employees, and future use cases as they emerge. Juniper Networks Unified Access Control is an integrated, easy-to-use solution that enables enterprises to cost-effectively turn on the right level of access control for their guests today and be well positioned to meet tomorrow’s access control challenges.’

Suggested further reading: Juniper Networks, White Paper ‘Guest Access Made Easy’

* Source: Juniper Networks, White Paper ‘GUEST ACCESS MADE EASY, Juniper Networks Unified Access Control and EX Series Ethernet Switches Solve Today’s NAC Problems’
