Network Access Control
Managing what and who is connected to the network was once a fairly straightforward task. It is far less simple today, with highly distributed LANs, dispersed offices, remote workers, home working, travelling staff, Wi-Fi access, devices such as smartphones and tablets that bridge networks, and even the humble workstation that harbours undetected threats.
Network complexity and the sheer number of devices are creating blind spots in the endpoint defence strategy. Whether it is a legitimate access harbouring dangerous content or an unsanctioned network admission, the effect is the same: if left unaddressed, the network will be impacted and productivity compromised. Below are a few examples where NAC can augment endpoint security and protect the network:
- An authorised staff member connecting remotely from an unsafe hotel PC or via a public Wi-Fi node.
- A laptop connected to the corporate LAN by Ethernet cable while also connected over Wi-Fi to, for instance, a local Starbucks, thereby bypassing the corporate firewall.
- A staff member swapping their smartphone for a higher-risk model, such as replacing an ageing iPhone with a new Android device, and using it to access corporate email.
- A contractor or visitor connecting their own tablet or laptop to your LAN.
- A recently commissioned or seldom-seen device connecting to the LAN without an anti-virus agent, or with one so out of date that it has lost its protective effectiveness.
What and who is connected to the network?
NAC, Network Access Control, by definition means having the ability to understand instantly what, when and where a network connection has been attempted, and whether it poses a risk.
Forescout NAC is an easy-to-set-up solution that analyses every device and user connection, permitting access if they are authorised and do not pose a threat. It is agentless and does not require cumbersome protocols such as 802.1X, nor the specific hardware often associated with earlier NAC alternatives.
But the real benefit is that, as well as blocking unauthorised devices, it can also analyse the security risk of an endpoint. For instance, an approved device, legitimately used by an authorised user, will still be denied access if the connection poses a risk to the network: if anti-virus is disabled, a key security patch is missing, the device is deduced to be simultaneously connected to another unknown network, or it is trying to connect via an untrusted Wi-Fi access node. Control over when and where a connection should be permitted is granular, powerful, and flexible.
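To make the admission logic described above concrete, here is an added example of a small posture-evaluation policy. It is not Forescout's code or policy language and is not part of the original page; it simply models the checks the text lists (user and device authorisation, anti-virus state, required patches, an endpoint bridging the corporate LAN to an unknown network, and a connection arriving only over an untrusted Wi-Fi node) and adds one refinement the text does not mention, a quarantine tier for posture failures the user can fix. The network names, patch identifiers and device records are constructed sample data, not real segment names or patch IDs.

```python
"""Illustrative NAC admission policy (added example; not Forescout's code or
policy language).  Network names, patch identifiers and device records below
are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full access
    QUARANTINE = "quarantine"  # remediation network only; posture is fixable
    DENY = "deny"              # refused: identity failure, untrusted-only or bridging


@dataclass
class Interface:
    name: str
    network: str          # wired segment or SSID the interface is attached to
    is_up: bool = True


@dataclass
class Device:
    device_id: str
    user_authorised: bool
    device_authorised: bool
    av_enabled: bool
    installed_patches: set = field(default_factory=set)
    interfaces: list = field(default_factory=list)


# Constructed policy inputs (placeholders, not real segment names or patch IDs).
TRUSTED_NETWORKS = {"corp-lan", "corp-wifi"}
REQUIRED_PATCHES = {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}


def active_networks(device):
    """Networks reachable through interfaces that are currently up."""
    return {i.network for i in device.interfaces if i.is_up}


def detect_bridging(device):
    """Unknown networks the device is attached to *while* on a trusted one.
    A laptop on the corporate LAN that is also on a cafe SSID is a path
    around the corporate firewall; a downed Wi-Fi adapter is not."""
    nets = active_networks(device)
    if not nets & TRUSTED_NETWORKS:
        return set()
    return nets - TRUSTED_NETWORKS


def evaluate(device):
    """Return (Decision, reasons).  Identity failures, untrusted-only
    connections and bridging deny outright; fixable posture failures go to
    quarantine so the user can remediate."""
    reasons = [msg for ok, msg in (
        (device.user_authorised, "user not authorised"),
        (device.device_authorised, "device not authorised"),
    ) if not ok]
    if reasons:
        return Decision.DENY, reasons

    nets = active_networks(device)
    if nets and not nets & TRUSTED_NETWORKS:
        # e.g. an authorised user on a hotel or public Wi-Fi node
        return Decision.DENY, ["connection only via untrusted network(s): "
                               + ", ".join(sorted(nets))]

    bridged = detect_bridging(device)
    if bridged:
        return Decision.DENY, ["bridging corporate network to unknown network(s): "
                               + ", ".join(sorted(bridged))]

    if not device.av_enabled:
        reasons.append("anti-virus disabled")
    missing = REQUIRED_PATCHES - device.installed_patches
    if missing:
        reasons.append("missing required patches: " + ", ".join(sorted(missing)))
    if reasons:
        return Decision.QUARANTINE, reasons
    return Decision.ALLOW, []


def make_sample_devices():
    """Constructed endpoints covering the scenarios listed on the page."""
    full = set(REQUIRED_PATCHES)
    return {
        "clean":    Device("ws-01", True, True, True, full,
                           [Interface("eth0", "corp-lan")]),
        "bridged":  Device("lt-02", True, True, True, full,
                           [Interface("eth0", "corp-lan"),
                            Interface("wlan0", "Cafe-Guest")]),
        "wifi_off": Device("lt-03", True, True, True, full,
                           [Interface("eth0", "corp-lan"),
                            Interface("wlan0", "Cafe-Guest", is_up=False)]),
        "hotel":    Device("lt-04", True, True, True, full,
                           [Interface("wlan0", "Hotel-Free-WiFi")]),
        "stale":    Device("ws-05", True, True, False, {"PATCH-EXAMPLE-001"},
                           [Interface("eth0", "corp-lan")]),
        "visitor":  Device("tab-06", True, False, True, set(),
                           [Interface("wlan0", "corp-wifi")]),
    }


if __name__ == "__main__":
    for name, dev in make_sample_devices().items():
        decision, why = evaluate(dev)
        print(f"{name:9} {decision.value:11} {'; '.join(why)}")
```

The order of the checks is the design point: identity is settled before posture, and an active bridge to an unknown network is treated as a hard deny rather than a remediable fault, because while the bridge is up the corporate firewall is already being bypassed. The `wifi_off` record shows why the evaluation looks at interface state rather than the mere presence of a Wi-Fi adapter.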
As the majority of attacks are aimed at the endpoint, the strategy behind the science is to reduce the attack surface, thereby reducing both the likelihood and the success of an attack.
CST can provide consultancy services, technical education, and support services to guide your organisation through the migration, deployment, and management of Network Access Control.