Securing the IoT with Modern NAC

October 25, 2018 Derek Holmes

By this point, it’s almost impossible not to have heard about the Internet of Things (IoT) but what does that mean for IT and security professionals? IoT has become a popular buzzword in the IT industry, bringing with it all kinds of exciting possibilities and a load of new headaches for IT administrators. Everywhere you look, there are new devices, control systems, and sensors popping up, connecting to our networks, and bringing new and innovative capabilities to our lives.

Unfortunately, they are also bringing a multitude of new vulnerabilities and attack vectors for those looking to exploit them. Oftentimes, IoT devices lack adequate security mechanisms and don’t integrate easily, or at all, with our existing security solutions. For many of us, securing those endpoints is a matter of regulatory compliance. Some security experts say to just keep those devices off the network, but I like to take a different approach and plan for a plethora of devices on the network.

We don’t invest in all of these IT services to restrict our capabilities. We want to deliver a breadth of services to our customers, to treat IT as an enabler, and to quickly provide support and new capabilities to our users. If we too often tell our customers that we can’t support their new projects or initiatives, they’ll stop coming to us and, instead, look for ways to work around us. This creates a counterintuitive approach to security, leading to shadow IT and an organizational culture of us versus them. So how can we secure our ever-expanding IoT?

The Shortcomings of Traditional NAC

Traditional Network Access Control (NAC) solutions and methodologies just don’t scale well for the IoT. IEEE 802.1X implementations are often difficult to manage or nearly impossible to integrate with IoT devices. And MAC Authentication Bypass (MAB) is vulnerable to spoofing and lacks the sophistication required to provide adequate security in today’s landscape.

But modern NAC solutions, such as Cisco’s Identity Services Engine (ISE), ForeScout CounterACT, and Bradford Networks’ Network Sentry (recently acquired by Fortinet), have evolved significantly to offer a much more robust set of features. They perform configuration and security assessments, policy enforcement, and traffic analysis. These solutions no longer just provide secure authentication for corporate managed assets, but allow for fingerprinting of both known and unknown devices, and are able to enforce differentiated services. They also provide a deep visibility into what types of devices are connecting to the network, where they’re connecting at, and who is using the device.

The Advantages of Modern NAC

Modern NAC provides centralized inventory of devices on the network and how they’re connecting. From here, we can enforce different security policies based on type of device, user role, location, time of day, and almost any other variable that an administrator can imagine. For our corporate-managed devices, we can restrict access to printers or medical devices differently than we would our workstations and restrict BYOD endpoints to only our guest network. And using these same methods, we can lock down our IoT devices, helping to enforce a policy of least privilege.

Many new solutions are also offering a deeper traffic analytics component, either as a standalone, separate-but-augmentative solution, or integrated as part of a more holistic NAC solution (such as Cloudpost in the Medical market, which integrates via API with Cisco ISE). These tools offer that sophistication that MAB alone lacks, ensuring a connected device is what it appears to be, and can even offer continuous post-authentication monitoring of an endpoint. By analyzing traffic flows from IoT devices and establishing a baseline of normal activity, these additional tools can monitor for deviations and alerting on suspicious activity. Configured properly, these systems can also integrate into the NAC solution to trigger a response, such as quarantine or restricted access, as well as alerting to the appropriate staff.

With all these different offerings and capabilities, there’s a modern NAC solution out there for every enterprise. So, don’t let IoT be a bad word in your organization. Look at some of the different NAC offerings Connection has, request a demo, and consider performing a Proof of Concept (PoC) to evaluate a solution.

Previous White Paper
Samsung Solid State Drive
Samsung Solid State Drive

Next White Paper
Top 10 Reasons to Use Kingston Encrypted SSD with TCG OPAL
Top 10 Reasons to Use Kingston Encrypted SSD with TCG OPAL