
The Best Ways to Secure Device Onboarding in The Enterprise

Digital transformation in the enterprise forces a balance between IoT and BYOD security measures, which must keep suspicious or malicious devices away from enterprise assets and data centers, and the productivity that depends on devices being onboarded quickly and easily. Employees, guests and contractors bring all kinds of Wi-Fi enabled devices into the enterprise environment and expect fast, painless network connectivity.

Onboarding is the process by which a new device gains access to the enterprise network for the first time. IT departments often take on extra work to get every device onto the network so that business productivity is not held up, and if they do not handle the process with strong security standards in mind they can put users, devices, enterprise data and the network itself at risk. The question is how IT security teams can let BYOD, IoT, contractor and guest devices connect quickly and securely without exposing any part of the network to a breach or ransomware attack. The answer is automation.

By automating the entire onboarding process enterprises can achieve the following benefits:

  • Reducing the costs that are typically associated with manual work (including configuration and support activities).
  • Enhancing productivity – getting team members, contractors and guests connected to work faster.
  • Increasing end-user satisfaction – instead of hassling end-users with onboarding procedures, the whole process can and should be seamless.
  • Decreasing risk – unmanaged, unpatched or otherwise high-risk devices are blocked, or are placed from their first connection on a network segment that has no path to the key corporate assets (the company's "crown jewels").

Easy Device Onboarding

Employees, students, contractors, partners and guests should onboard their devices once and then re-authenticate automatically, inside an environment that continuously monitors every device on the network and assigns each one a risk score. Continuous scoring lets security teams see the posture of each device, and of the network as a whole, at any moment. End users do not have to re-enter credentials on later connections unless their device's risk score crosses the high-risk threshold; in practice this typically means binding a per-device credential, such as a client certificate, to the device at enrollment so that re-authentication needs no user interaction. This way the enterprise can easily onboard the BYOD devices of employees who travel, work remotely or sit in a satellite office. It also allows onboarding of business IoT and smart devices such as flat screens and printers, as well as gaming consoles, smart refrigerators and the like. These devices must, of course, sit on a separate segment from the one holding company assets.

Reducing Risks on the Network

A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes to onboarding and guest access policies could reduce risk and improve network visibility and control. The principles for securing the enterprise require these steps and more. A clear set of onboarding policies lets IT teams apply automated actions (see the examples in the next section).

After the company's initial network security audit has collected the security posture of every device, make sure the enterprise authorization policies include automated, continuous security assessment of the network, so that every device meets baseline security requirements before it is allowed to connect. The IT security team should also use granular policies to govern each device's level of access, while keeping full visibility and control over connected devices and the ability to revoke access at any time.

Automated Device Onboarding & Network Authentication

Having an automated onboarding set of policies can allow for automated actions such as:

  • Immediately allowing Internet access
  • Blocking or disconnecting the device
  • Segmenting the device onto a separate section of the network
  • Remediation actions

For example, IoT devices are widely considered easy to compromise, so once connected to the enterprise network they should be kept away from the segments where core assets live; separate network segments, with no routing between them beyond what policy explicitly allows, are the usual answer. Likewise, a visitor should receive Internet access and nothing more, and that must hold even when the visitor plugs a computer into a wired port rather than joining the guest Wi-Fi.
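The following is an added example, not Portnox code and not part of the original post, showing how the posture data collected during onboarding can be turned into the risk score and the automated action described above, and how the "onboard once, re-prompt only on high risk" rule falls out of it. The attribute names, scoring weights, thresholds, VLAN numbers and the five outcomes are assumptions made for this illustration; a real NAC exposes its own policy language.

```python
"""Added example: scoring device posture at onboarding and mapping the score
to an automated NAC action.  Attribute names, weights, thresholds and VLAN
numbers are assumptions made for this illustration, not a product's policy."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW_CORPORATE = "corporate VLAN, full access"
    INTERNET_ONLY = "guest VLAN, Internet only"
    IOT_SEGMENT = "IoT VLAN, no route to corporate assets"
    QUARANTINE = "remediation VLAN, patch portal only"
    BLOCK = "reject authentication / shut the port"


# Assumed VLAN plan for this example
VLAN_FOR_ACTION = {Action.ALLOW_CORPORATE: 10, Action.INTERNET_ONLY: 20,
                   Action.IOT_SEGMENT: 30, Action.QUARANTINE: 40, Action.BLOCK: None}

# Services that an onboarding client device should never expose
RISKY_PORTS = {23, 445, 3389, 5900}   # telnet, SMB, RDP, VNC


@dataclass
class Device:
    mac: str
    identity: str                      # authenticated user/cert identity, "" if none
    role: str                          # "employee", "contractor", "guest" or "iot"
    managed: bool                      # enrolled in MDM / running the endpoint agent
    os_patch_age_days: Optional[int]   # None when the device is agentless and unknown
    av_running: Optional[bool]
    disk_encrypted: Optional[bool]
    open_ports: List[int] = field(default_factory=list)   # from a discovery scan


def risk_score(d: Device) -> int:
    """0 (clean) .. 100 (hostile).  Unknown posture (None) is scored as if it
    were bad, so an agentless device cannot pass simply by reporting nothing."""
    score = 0
    if not d.managed:
        score += 25
    if d.os_patch_age_days is None:
        score += 20
    elif d.os_patch_age_days > 30:
        score += min(40, d.os_patch_age_days // 10 * 5)   # 35 days -> 15, 90 days -> 40
    if not d.av_running:            # False or None
        score += 15
    if not d.disk_encrypted:        # False or None
        score += 10
    score += 10 * len(set(d.open_ports) & RISKY_PORTS)
    return min(score, 100)


def decide(d: Device) -> Tuple[Action, str]:
    """Map role and posture to the action the NAC applies at connect time and on
    every re-evaluation; the reason string is what goes into the audit log."""
    if d.role == "guest":
        return Action.INTERNET_ONLY, "guests get Internet only, on wired ports too"
    if d.role == "iot":
        if set(d.open_ports) & RISKY_PORTS:
            return Action.BLOCK, "IoT device exposes a management service"
        return Action.IOT_SEGMENT, "no posture agent possible, isolate by profile"
    if not d.identity:
        return Action.BLOCK, "corporate role claimed without an authenticated identity"
    score = risk_score(d)
    if score >= 75:
        return Action.BLOCK, f"risk {score}"
    if score >= 40:
        return Action.QUARANTINE, f"risk {score}, remediate before corporate access"
    return Action.ALLOW_CORPORATE, f"risk {score}"


def needs_reprompt(previous: Action, current: Action) -> bool:
    """Onboard once, re-authenticate silently: only ask the user again when the
    device drops from an allowed state into quarantine or block."""
    allowed = (Action.ALLOW_CORPORATE, Action.INTERNET_ONLY, Action.IOT_SEGMENT)
    return previous in allowed and current in (Action.QUARANTINE, Action.BLOCK)


if __name__ == "__main__":
    # Constructed sample devices
    fleet = [
        Device("aa:bb:cc:00:00:01", "alice@corp.example", "employee", True, 5, True, True),
        Device("aa:bb:cc:00:00:02", "bob@corp.example", "employee", False, None, None, None),
        Device("aa:bb:cc:00:00:03", "carol@corp.example", "employee", False, 90, False, False, [445, 3389]),
        Device("aa:bb:cc:00:00:04", "", "guest", False, None, None, None),
        Device("aa:bb:cc:00:00:05", "", "iot", False, None, None, None),
        Device("aa:bb:cc:00:00:06", "", "iot", False, None, None, None, [23]),
    ]
    for dev in fleet:
        action, why = decide(dev)
        print(f"{dev.mac} {dev.role:9} -> VLAN {VLAN_FOR_ACTION[action]!s:5} {action.name:16} ({why})")
```

Two design choices are worth noting: an attribute the device cannot or will not report counts against it rather than for it, and IoT devices are never scored on posture they cannot have but are isolated by profile and blocked only when they expose a management service.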

Two important advanced guest network onboarding features are recommended to be included:

  • Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
  • Agentless access – once the IT administrators have set up the onboarding policy – contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.

Acquiring Advanced Onboarding Capabilities

One technology that helps with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; today, wireless networks and mobile technology have brought personal devices (via BYOD policies) and the Internet of Things (IoT) into the workplace. In addition, increasingly stringent compliance standards such as PCI DSS, SOX and the ISO standards require companies to demonstrate their security controls to external auditors. NAC solutions support all of these needs, and network access security should be a priority for every company moving forward.

Every enterprise today must support a rapidly proliferating set of devices and platforms. From an operational viewpoint this should not obstruct workflows or productivity. Ideally the enterprise IT team automates and secures network onboarding and authentication so that the helpdesk does not have to intervene when guests, contractors and IoT devices need to connect. An effective plan for secure network onboarding improves the end-user experience for BYOD, IoT, users and guests on one hand, and strengthens IT security as part of a layered protection strategy on the other.

Looking to set IT security policies and automate your device onboarding? Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Cybersecurity Essential #1: The Firewall

The Firewall is Here to Stay

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for decades. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. 

Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies now deploy next-generation firewalls to block modern threats such as advanced malware and application-layer attacks. Next-generation firewalls (NGFWs) are more sophisticated than packet-filtering and stateful inspection firewalls. Why? They add more levels of security, going beyond standard packet filtering to inspect a packet in its entirety: not just the header, but also the payload and its source. That lets an NGFW block more sophisticated and evolving threats such as advanced malware.

Necessary Capabilities

Advanced Threat Protection

Most traditional firewalls rely on a separate intrusion prevention system (IPS) for additional protection. Next-generation firewalls have IPS capabilities built in, matching traffic against signatures for exploit attempts, malware and spyware command-and-control traffic, and some forms of denial-of-service attack. Integration with a SIEM and with threat-intelligence feeds adds further layers of protection against the modern threat landscape.

SSL Inspection

Malicious content can hide inside encrypted web traffic. To filter it, the NGFW intercepts encrypted sessions using a "man in the middle" approach: it terminates the client's TLS session with a certificate it issues itself, decrypts the traffic, scans it for threats such as malware, and then re-encrypts it and forwards it so the user receives the data as intended. This only works when the firewall's issuing CA certificate is trusted on every endpoint, and it breaks applications that pin their certificates; inspection policies should also exclude categories such as banking and health traffic where privacy or regulation demands it.

Application Control

Users on your network rely on many applications and services, such as email, social media and third-party vendor tools. Some of these can be malicious, or carry vulnerabilities that open a path into your network. Application control lets organizations create policies that allow, deny or restrict access to specific applications. This protects the organization by blocking risky applications and also helps manage application traffic so that business-critical resources stay available.

User Identity Awareness

User identity awareness lets organizations enforce policies that govern access to applications and other resources for specific groups or individuals. The NGFW integrates with your identity directory (for example Active Directory, queried over LDAP) so that access is governed by user identity rather than by IP address alone. This not only helps control the types of traffic allowed in and out of the network but also simplifies managing users.

Deep Packet Inspection

Deep packet inspection examines packet payloads, not just headers, to identify and filter out malware and unwanted traffic. By looking at the content of a packet the NGFW can determine which application is in use or what kind of data is being transmitted, even when the application runs on a non-standard port. This allows the firewall to block threats that hide in application data (such as trojans, spyware and SQL injection attempts against web applications), some denial-of-service patterns, and the encoding and fragmentation tricks threat actors use to evade simpler filters.
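As an added example (not code from the original page or from any firewall vendor), the snippet below does the two things deep packet inspection is described as doing: it identifies the application from the payload rather than the port, parsing the server name (SNI) out of a TLS ClientHello without decrypting anything, and it matches the decoded request line of plain HTTP against a few SQL-injection signatures, unwinding URL encoding first so that a double-encoded payload cannot slip past. The ClientHello builder and the sample requests are constructed test inputs, and the signature list is deliberately small.

```python
"""Added example: payload-based application identification and a small
signature check, the two jobs deep packet inspection does.  The ClientHello
builder and the sample requests are constructed test data for this page."""
import re
import struct
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Deliberately small signature set; real engines carry thousands and still miss things.
SQLI_SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli-stacked", re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I)),
    ("sqli-comment", re.compile(r"'\s*(--|#|/\*)")),
]
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def parse_tls_client_hello(payload: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Walk a TLS record carrying a ClientHello (RFC 5246/8446 framing) and pull
    out the server_name extension.  Returns None if this is not a ClientHello."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                  # 5 record + 4 handshake + 2 version + 32 random
        pos += 1 + payload[pos]                   # session id
        pos += 2 + struct.unpack(">H", payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]                   # compression methods
        if pos + 2 > len(payload):
            return {"sni": None}                  # ClientHello without extensions
        end = pos + 2 + struct.unpack(">H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:                        # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", payload[pos + 3:pos + 5])[0]
                return {"sni": payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")}
            pos += elen
        return {"sni": None}
    except (IndexError, struct.error):
        return None                               # truncated, or not TLS at all


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Request line and Host header of a plain-text HTTP/1.x request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "host": headers.get("host", "")}


def find_threats(target: str) -> List[str]:
    """Match signatures against the request target after undoing URL encoding,
    repeatedly, because double encoding is a standard filter-evasion trick."""
    decoded = target
    for _ in range(3):
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return [name for name, pattern in SQLI_SIGNATURES if pattern.search(decoded)]


def classify(payload: bytes) -> Dict[str, object]:
    """Identify the application from content, not port, and attach any threat hits."""
    tls = parse_tls_client_hello(payload)
    if tls is not None:
        return {"app": "tls", "server": tls["sni"] or "", "threats": []}
    http = parse_http_request(payload)
    if http is not None:
        return {"app": "http", "server": http["host"], "threats": find_threats(http["target"])}
    return {"app": "unknown", "server": "", "threats": []}


def build_client_hello(host: str) -> bytes:
    """Constructed input: a minimal TLS 1.2 ClientHello with one cipher suite and an SNI."""
    name = host.encode("ascii")
    sni_list = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)              # client_version + random
            + b"\x00"                             # empty session id
            + struct.pack(">H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [   # constructed packets
        build_client_hello("vpn.example.net"),
        b"GET /items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        b"GET /items?id=1%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        b"GET /docs/union-station?page=2 HTTP/1.1\r\nHost: docs.example\r\n\r\n",
        b"\x00\x01\x02\x03",
    ]
    for pkt in samples:
        print(classify(pkt))
```

Note what the SNI parser cannot see: with TLS 1.3 Encrypted Client Hello the server name is no longer in the clear, and a firewall that wants to inspect the request body inside the session has to fall back to the SSL inspection described earlier.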

Centralized Management

Firewalls need proper management to keep meeting the security needs of the organizations they protect: firewall software must be kept updated, and rules must be reviewed to confirm they are still correct and actually enforced. Centralized management of your firewall(s) is crucial for an overall view of their configurations, and the firewall platform must scale with the organization's growth so that protection keeps pace.

Reporting & Insights

Firewalls generate logs that detail information about security and network traffic that security administrators review to understand the overall activity. This information provides organizations with useful insights to help them prioritize application traffic and understand their network security and monitor user activity.

5 Best Practices To Protect Your Network

As with everything else in life: so many network security options, so little budget. How do you know which one will best protect your network, users and devices? No need to agonize over endless hours of research, we’ve shortlisted the five critical elements of cyber security: firewalls, NAC, anti-virus software, proxy servers, and endpoint security.

Firewalls

Filtering out malware that might otherwise bury itself so deeply in the network that it cannot be removed is a pure gain for your network security, and that is what a firewall is for. How can you be sure you have a firewall suited to your network? Test it for stability under tough traffic conditions. According to NSS Labs, you should subject your firewall to traffic from several protocol randomizers and mutation tools, at up to 350 Mbps and 60,000 packets per second. Another test is whether the firewall blocks a constant stream of attacks over time while still allowing most legitimate traffic through and alerting the administrator to the attack.

On the downside, employees under pressure to get their jobs done may turn a host firewall off if they believe it slows down their computers. Regular employee training and awareness of why the firewall matters help here, and so does not giving ordinary users the local privileges needed to disable it.

Network Access Control

Network Access Control (NAC) provides visibility and control over every user and every device on the corporate network. Using agentless technology, it can detect and profile any device on the corporate network in real time across all network layers: wired and wireless networks, VPN, virtual and cloud.

It also employs an access-control policy that matches users and permissions. This policy also defines endpoint security via wired or wireless networks. NAC enables you to set a policy for every user or group of users. This means that once a NAC solution is deployed, your cyber security team have a much easier time controlling access to the network (denying access if necessary), thus protecting it. Some of the NAC solutions are deployed in a central location (on premise / cloud) and can see all of the network locations – whether headquarter or a remote branch.

The IEEE 802.1X port-based access control standard that classic NAC is built on is not always the most viable option, since many IoT devices have no 802.1X supplicant. Next-generation NAC sets out to resolve the issues that have made NAC deployment complex. With NG-NAC you control who accesses the network and what they can do once they are on it. NG-NAC also handles smartphones and IoT devices by separating them from the core components and layers of the network. Cloud-based solutions such as Portnox CLEAR make deployment even simpler, as they integrate easily with existing security solutions and offer pre-built infrastructure. Portnox CLEAR also delivers continuous risk monitoring as well as Risk-Adaptive Access over the VPN using a two-factor approach: access depends not only on the user's strong identity but also on the device's risk score when connecting through the VPN.
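To make the 802.1X/NAC mechanism above concrete, here is an added example (written for this page, not Portnox code) of the RADIUS exchange by which a NAC server tells a switch or access point which VLAN to put a port on once the policy decision is made: an Access-Accept carrying the RFC 2868 tunnel attributes that network devices use for dynamic VLAN assignment, with the RFC 2865 Response Authenticator that the network device recomputes before it honours the answer. The shared secret, the request authenticator, the VLAN IDs and the `nac_answer` helper are constructed for the example.

```python
"""Added example: the RADIUS Access-Accept a NAC server returns to a switch or
access point to place an 802.1X- or MAC-authenticated port on a VLAN, and the
check the network device (the NAS) performs on it.  Secret, identifiers and
VLAN numbers are constructed for this page."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def attribute(atype: int, value: bytes) -> bytes:
    """RFC 2865 TLV: Type(1) Length(1, counts the two header bytes) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack(">BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Dynamic VLAN assignment: tagged integers are tag(1) + 3-byte value,
    the tagged string is tag(1) + the VLAN ID as ASCII text."""
    t = bytes([tag])
    return (attribute(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attribute(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side.  Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def nac_answer(ident: int, request_auth: bytes, secret: bytes, vlan_id: Optional[int]) -> bytes:
    """Turn the policy decision into a packet: a VLAN means Accept, None means Reject."""
    if vlan_id is None:
        return build_response(ACCESS_REJECT, ident, request_auth,
                              attribute(REPLY_MESSAGE, b"device failed posture policy"), secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth, vlan_attributes(vlan_id), secret)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with the shared secret and the
    authenticator of the request it sent; refuse the packet on any mismatch."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    out: Dict[int, bytes] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        out[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return out


def assigned_vlan(packet: bytes) -> Optional[int]:
    """What the NAS applies to the port after verification; None for a Reject."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    raw = parse_attributes(packet).get(TUNNEL_PRIVATE_GROUP_ID)
    if raw is None:
        return None
    if raw[0] <= 0x1F:           # RFC 2868: a first byte above 0x1F is data, not a tag
        raw = raw[1:]
    return int(raw.decode("ascii"))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))   # in real traffic: the 16 random bytes of the Access-Request
    for ident, vlan in ((7, 30), (8, None)):
        pkt = nac_answer(ident, request_auth, secret, vlan)
        print(ident, pkt[0], verify_response(pkt, request_auth, secret), assigned_vlan(pkt))
```

The Response Authenticator is an MD5 construction from 2000, which is why RADIUS between NAC server and network devices should run inside a TLS tunnel (RadSec) or at least require the Message-Authenticator attribute on every packet. The verification step is shown deliberately: a NAS that skips it will apply a VLAN assignment from anyone able to spoof the server's address.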


Anti-Virus

The best "anti-virus program" is to make network users aware of how easily viruses can reach their computers, laptops and smartphones every day. Employees tend to remove anti-virus applications from their devices because scans often consume a lot of resources. After the firewall, anti-virus software is the second level of protection, detecting malware on the local disk. Good anti-virus software should also protect your network from viruses, spam, spyware, trojans, worms and identity theft. Automated updates are essential for optimal protection.

Proxy Servers

Deciding what you want to use a proxy server for is the first step. Will it be used solely to forward requests for Internet access, or also to hide internal addresses behind its own, so that clients do not need routable addresses of their own? In the second mode proxy servers save the expense of giving many systems routable addresses and also obscure the client's location, but a firewall is still advised.

Proxy servers can also improve performance by acting as caching servers. But beware: a cache that good also means your sensitive data may be visible to the proxy service provider. You can place filters and anti-virus scanning on the proxy, but this is not foolproof, because not all data is scanned. A proxy server can simplify access to blocked websites, which is not always good news: attackers also run proxies of their own to route repeated attacks against networks while hiding their origin.

Endpoint Device Security

Endpoint devices come in all shapes and sizes and are probably today's biggest security loophole. For example, device-control policies can block USB mass-storage devices, but they are rarely deployed everywhere, and no security application by itself completely stops someone from attaching a USB drive to an unrestricted computer and copying confidential data in bulk. Endpoint devices are also where malware attacks are launched from.

Securing endpoint devices directly is usually limited to specific devices, and sometimes to specific versions (with no updates available for newer devices). Unfortunately, network administrators cannot ensure that every network user is using permitted and secured endpoint devices. The biggest culprit is the USB stick. According to Hendon Publishing, the vast majority of sloppy endpoint practices come from employees trying to get things done quickly. Once again, training and awareness play a key role in your ability to run a successful network security program.

The Optimal Solution for Enterprise Network Security

Of all of these methods, next-generation NAC is the best all-around type of protection. It is more comprehensive than anti-virus, endpoint security, firewalls or proxy servers alone. NG-NAC controls access to the network and provides full visibility into activity within it. It thus stops one of today's most prevalent network threats, namely illegitimate mobile devices used to access corporate information.

Training and awareness are important, but you do not want to depend on others when securing your network. Only NAC is dynamic enough to provide you with peace of mind.

The 3 Key Areas in Cyber Security Today

Cyber security is a market plagued by acronyms, especially on the networking side. This doesn’t simplify matters. The real problem is that the security technology landscape, like its lingo, is too complex. How can anyone with their back against the wall make sense of the options presented to them in the Cyberscape? The reality is that we need to get back to basics. What businesses large and small need to be asking is: what’s essential to maintain business continuity safely and securely? 

Don’t let the Cyberscape fool you. When it all boils down, cyber security can be fundamentally bucketed into three areas:

  1. Network Security
  2. Endpoint Security
  3. Application Security

While security software vendors have made the subcategorization of these areas into a cottage industry, this overarching security trilogy is pretty straightforward. In essence, companies should seek to secure their networks, the devices in use across those networks, and the business applications in use across those devices.

Network Security

Simply put, network security is the set of rules and configurations, implemented in software and hardware, designed to protect computer networks and the data in transit across them. Organizations large and small need a degree of network security to protect themselves from the proliferation of cyber threats.

Network security typically consists of three different controls: physical, technical and administrative. Physical security controls are designed to prevent unauthorized personnel from gaining physical access to network components such as routers, wiring closets and so on. 

Technical security controls protect data that is stored on the network or which is in transit across, into or out of the network. Protection is twofold: it needs to protect data and systems from unauthorized personnel, and it also needs to protect against malicious activities from employees, contractors and guests on the network. 

Administrative security controls consist of security policies and processes that control user behavior, including how users are authenticated, their level of access and also how the IT department can implement changes to the infrastructure.

Endpoint Security

Endpoint security is the practice of protecting enterprise networks against threats originating from on-premises or remote devices. An endpoint is any device that provides an entry point to corporate assets and applications and represents a potential cyber security vulnerability. Examples include desktops, laptops, servers, workstations, smartphones and tablets.

Historically, most organizations have relied on tools such as firewalls, VPNs, and antivirus programs to safeguard sensitive information, prevent unauthorized access to critical applications and IT systems, and protect against malicious software and other vulnerabilities. 

As we’ve touched on, however, companies are increasingly adopting mobile applications and cloud services that erode the once well-defined enterprise network perimeter. Many enterprises are now taking a defense-in-depth approach to endpoint protection, instituting a wider range of security controls to protect against a broader array of threats.

Application Security

Application security is the discipline of processes, tools and practices aiming to protect applications from threats – both internal and external to an organization. Cyber threat actors exploit vulnerabilities in enterprise applications to capture data, intellectual property, and more – often with impunity. Application security can help organizations protect all kinds of applications (such as legacy, desktop, web, mobile, etc.) used by corporate stakeholders including customers, business partners and employees.

Many successful breaches target vulnerabilities that reside in the application layer, such as the recent Log4j (Log4Shell) vulnerability. As a result, IT teams must be extra vigilant about application security. Compounding the problem, the number and complexity of applications is growing, as is the number of devices and device types running them.

What Can Lean IT Teams Do to Strengthen Network Security?

Even a decade ago, the operations, systems and digital footprints of most medium to large companies had become overwhelmingly complex. Over the last ten years, these digital corporate footprints have expanded to reach and capture growth from previously untapped corners of the world. More recently, the business imperatives of the COVID-19 pandemic spurred faster adoption of enterprise software solutions – particularly Software-as-a-Service (SaaS) – that pushed data beyond the organization’s physical perimeter. This has all added significant pressure to already lean IT teams.

The truth is that lean IT teams have to reassess and realign their priorities. That means leveraging technical security essentials in a way that eases the burden on them. In practice, the first step is to adopt network security solutions that accommodate today's most common networking hardware; provide out-of-the-box integrations with critical security tools such as Intune, MFA and popular SIEM solutions; and work alongside firewalls and endpoint security solutions.

Securing Networks is Only Getting Harder

Events like the recently exploited Log4j vulnerability keep IT security teams on their toes. Such wide-reaching software flaws cannot be prevented by the organizations that use the affected software, and preparing for them comes down to knowing exactly what is deployed: hundreds of Cisco, VMware, IBM and Oracle products were affected in this instance, including more than 120 different configurations of Cisco Identity Services Engine (ISE). The unfortunate reality is that these events mean lost weekends patching systems and assessing the damage done to the network and its devices. In many cases it means bringing in more skilled professionals to investigate, diagnose and remediate, a costly endeavour you likely did not budget for, while other ongoing IT priorities are inevitably pushed aside during mitigation.

Such exploits, and the critical fixes that follow them, are felt particularly keenly by the mid-market. This segment is often called the backbone of the economy, yet it is underserved when it comes to purpose-built network security essentials, including network access control technologies.

Lean IT Should Maximize Value

For resource-strapped IT teams, these unpredictable security incidents can seem insurmountable, especially when the onus is on the customer to patch their own software. Constant fire drills lead to stress, burnout and turnover, something many organizations simply cannot afford. Instead of helping relieve the stress on lean IT teams, traditional on-premises network security vendors make the problem worse: their solutions require extensive, ongoing integration and maintenance. Complicating matters further, specialized point solutions do not mesh easily to provide a holistic view of the network.

This then brings us to the question of value. Wouldn’t it be more valuable to bring in IT security essentials that can reduce this stress and anxiety by eliminating the need for heavy systems maintenance? Wouldn’t it be valuable to free up that time spent putting out fires and use it to modernize your IT security stack? In practice, this means adopting and deploying network security solutions that deliver the essential functionality and capabilities we laid out earlier. It also means turning to SaaS for security. And for network security, it means choosing the right cloud-native NAC.
