Daniel is a young man who started learning hacking as a hobby on the Internet. He has learned how to launch a few attacks and would like to try them out in the real world to see the results, to confirm that his training works and that he can actually hack.
He has a friend who works at a bank, and he regularly waits for him at the reception until the end of his shift so they can head home together. While sitting at the reception unattended, he quickly connects his Kali Linux laptop to the network with a cable and immediately receives an IP address through DHCP. He then scans the network, runs some exploits, and manages to bring one of the bank's internal servers down. The on-call IT team starts running all over the place and Daniel feels a rush of accomplishment, knowing he is the cause of the issue. He disconnects his cable, packs his laptop, and waits for his friend. They go home and Daniel sleeps well that night, assured that he is getting better at hacking.
Here is what is most likely going to happen on the bank's IT side after this event. The server will resume responding to traffic on its own or after a simple reboot, the team will attribute the issue to a bug in the system, and they will not look any further. Because Daniel was not really trying to cause damage, the "glitch" might not happen again, but they may never learn what really happened. Now pause for a moment and imagine what would have happened if Daniel had been ill-intentioned and had planned an attack on the bank's IT environment. Just take two minutes and think about it.
Pretty wild, right? They could have suffered a major incident that day and spent hours finding the cause of the problem. And that is not all: the brand damage and the cost of having senior staff stay late, or of bringing in a consultant to help resolve the issue, would have been just the tip of the iceberg. If they realized they had been hacked, they would have to clean up the systems, and they might never know whether some malicious program had been left behind that could activate at any time in the future.
What could they have done to prevent something like this? Is it possible to securely control access to your network on wired, wireless, and VPN connections? Is there a way to record every network access, identify who was behind that connection and from what device, and ensure they were given access only to the portion of the network they were authorized to reach? Is there a way to check various components on the endpoint, to ensure it meets some level of compliance before allowing it onto the network? These are the questions we will attempt to answer in this article.
Network Access in General
A typical access network is made of various access switches segmented using VLANs. There may also be wireless access points and remote-access VPN available to the organization's users. To make access seamless and simple, organizations provide a DHCP service so users automatically get onto the network. Some level of security is provided at the network gateway for inter-VLAN traffic, but nothing checks who is plugging into the access port in the first place. The problem is that, more often than not, organizations are not able to secure access to their physical network appropriately. The ideal is to be able to individually authenticate every user and device before permitting them onto the network. That is easier said than done. Let's look at how NAC does it.
What is NAC?
Network Admission Control, or Network Access Control (NAC), is a way to protect your network from unauthorized access. It requires users and/or endpoints to authenticate before the endpoint is even given an IP address. With 802.1X the switch port forwards nothing but the authentication frames (EAPOL) until authentication succeeds, and because authentication and authorization happen before the endpoint is given access, a user or endpoint that has not authenticated cannot easily compromise the network: it does not yet belong to any network.
From Wikipedia: “AAA refers to Authentication, Authorization, and Accounting. It is used to refer to a family of protocols that mediate network access. Two network protocols providing this functionality are particularly popular: the RADIUS protocol and its newer Diameter counterpart.”
How does this work?
NAC products provide visibility into what is connected at the access network by collecting the metadata devices give away when they come onto the network, a process usually called profiling. It is achieved by enabling probes on the network access devices (switches, access points, etc.) and on the NAC server itself, which pick up DHCP requests, RADIUS attributes, HTTP User-Agent strings, SNMP data and similar sources. So you can see how many iPhones, Windows PCs, or tablets are connected to your network. This lets you create rules based on the type of device connecting, or block an entire category outright, depending on your organization's policies.
Using the visibility provided by profiling, you can create rules that automatically apply a given authorization to certain types of devices. This is great for printers, IP phones, biometric devices, IP cameras, and everything else that does not really have the capability to actively authenticate on the network. This way of admitting devices is called MAC Authentication Bypass (MAB): the switch sends the endpoint's MAC address to the NAC server as its username and password. The "authentication" is therefore weak, since a MAC address is easily spoofed by anyone who can read it off a label or sniff it, and the real security comes at the authorization level, where those devices are assigned a restricted VLAN or ACL that allows only what a printer or phone needs.
Using a technology called 802.1X, NAC solutions authenticate endpoints against an established identity store such as Active Directory. The endpoint runs a supplicant, the switch or access point acts as the authenticator, and the NAC server acts as the RADIUS authentication server; the EAP method in use decides what is actually proven. You can authenticate not only the device (for example with a machine certificate using EAP-TLS) but also the user (for example with domain credentials). When you combine this with MFA (Multi-Factor Authentication), typically on VPN and portal-based access, you can be far more confident that the right person is accessing the network.
Once you know the right devices are connecting with the right people using them, you may have additional requirements. You may want to ensure the endpoint is running antimalware or antivirus, disk encryption, and so on, or check that such software is at the minimum authorized version before admitting the endpoint; otherwise you quarantine it and let it remediate before granting full access. This is usually called posture assessment or compliance checking.
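To make the MAB and 802.1X flow described above concrete, here is an added example, not from the original article and not any vendor's code, that models in Python the RADIUS exchange between a switch and a NAC server for a MAB request. The endpoint table, the shared secret and the MAC addresses are constructed for the demonstration; the packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865, and the VLAN attributes follow RFC 2868, which is the same wire format a RADIUS server uses to push a VLAN after a successful 802.1X exchange.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants from RFC 2865 (base protocol) and RFC 2868 (tunnel/VLAN attributes).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 6, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_ETHERNET = 10, 15   # how a switch marks a MAB request
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed endpoint table standing in for the NAC server's profiling database:
# MAC as the switch formats it for MAB -> the only VLAN that device type is allowed onto.
MAB_ENDPOINTS = {"001a2b3c4d5e": "20"}   # profiled as a printer -> printer VLAN

def encode_attrs(attrs):
    """Attribute = Type(1) Length(1) Value; Length includes the two header bytes."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def tagged(value):
    """RFC 2868 tunnel attributes carry a leading tag byte; 0 means untagged."""
    return b"\x00" + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def switch_mab_request(mac, secret, ident):
    """Authenticator (switch) side. The port is still unauthorized; all it can offer is the
    MAC it learned, sent as both User-Name and User-Password."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, hide_password(mac.encode(), secret, request_auth)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (CALLING_STATION_ID, mac.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def nac_server_respond(request, secret):
    """NAC server side: 'authenticate' the MAC, then authorize by returning a VLAN."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = decode_attrs(request[20:length])
    mac = attrs.get(USER_NAME, b"").decode()
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    vlan = MAB_ENDPOINTS.get(mac)
    if vlan is None or password != mac.encode():
        code, reply_attrs = ACCESS_REJECT, b""
    else:
        code, reply_attrs = ACCESS_ACCEPT, encode_attrs([
            (TUNNEL_TYPE, tagged(struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])),
            (TUNNEL_MEDIUM_TYPE, tagged(struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])),
            (TUNNEL_PRIVATE_GROUP_ID, tagged(vlan.encode())),
        ])
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # The Response Authenticator ties the reply to this request and to the shared secret.
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs

def switch_apply_reply(reply, request, secret):
    """Switch side: accept the reply only if the Response Authenticator checks out, then open
    the port into the assigned VLAN. Returns the VLAN, or None if the port stays closed."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("bad Response Authenticator: discard reply")
    if header[1] != request[1] or header[0] != ACCESS_ACCEPT:
        return None
    value = decode_attrs(attrs).get(TUNNEL_PRIVATE_GROUP_ID)
    if value is None:
        return None
    return (value[1:] if value[0] <= 0x1F else value).decode()

def mab_roundtrip(mac, secret, ident=1):
    request = switch_mab_request(mac, secret, ident)
    return switch_apply_reply(nac_server_respond(request, secret), request, secret)
```

Two things are worth noticing. The switch trusts the reply only after recomputing the Response Authenticator, so an Access-Accept forged by someone who does not hold the shared secret is dropped and the port stays closed. And the only thing the server has to go on is the MAC address, which is exactly why a MAB policy should hand out a narrow VLAN or ACL rather than full access, and why production deployments protect the RADIUS traffic itself (RadSec, RADIUS over TLS per RFC 6614, or IPsec) rather than relying on MD5 and a shared secret alone.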
- Guest Access
Because you have this level of granular control over your network, you can now provide access to guests without compromising your users' security. The NAC solution provides an easy and simple way to ensure guests and contractors have access only to the things you want them to reach, typically through a captive portal that lands them on an isolated guest VLAN.
As your users, guests, and consultants go about their work on the network, the NAC system records everything: every authentication, successful or failed, every authorization that was granted and when, and how long each session lasted, through RADIUS accounting. With this you can tick that compliance box that has been sitting on your desk for so long; yes, I am talking about the sentence "All devices and users must be securely allowed access onto the network". Not only that, you have records that come in handy during audits and forensic analysis: when a laptop like Daniel's appears on a reception port, the accounting log shows which switch port, which MAC address, and when.
There are many NAC solutions on the market that work in different ways, and it can be difficult to choose the one that fits your organization. One important feature to look for is CoA (Change of Authorization, standardized in RFC 5176). CoA lets the NAC server dynamically change the authorization of a user or device after it has authenticated, without waiting for the session to end. It comes in particularly handy when a quarantined device has remediated itself, or when a user logs out and another user with a different authorization policy logs in on the same port. Two solutions that I recommend right out of the box are Aruba ClearPass and Cisco ISE; both would easily meet all the requirements above and provide additional features as well.
Complete security may be unattainable, but you can do your best by providing multiple layers of security so that if one fails there is a high probability another layer will protect your infrastructure and your users. NAC is an important component of your security strategy, and the earlier you set it up the earlier you protect your organization from our fictitious friend Daniel.
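As an added illustration of CoA (again example code, not from the article or from either vendor), this Python model follows RFC 5176: the NAC server sends a CoA-Request that identifies the session by Calling-Station-Id and carries a new VLAN, and the switch (the NAS) verifies the packet's authenticator, moves the session, and replies with CoA-ACK, or with CoA-NAK and an Error-Cause when it cannot. The session table, MAC addresses and shared secret are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RFC 5176 dynamic authorization codes and the attributes this example uses.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID, ERROR_CAUSE = 31, 101
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
ERR_MISSING_ATTRIBUTE, ERR_SESSION_CONTEXT_NOT_FOUND = 402, 503

def encode_attrs(attrs):
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def tagged(value):
    return b"\x00" + value   # RFC 2868 tag byte, 0 = untagged

def dynauth_packet(code, ident, attrs, secret, request_auth=None):
    """RFC 5176 authenticator: MD5(Code+ID+Length+Authenticator+Attributes+Secret), where the
    Authenticator field is 16 zero bytes in a request and the request's own authenticator in
    the ACK/NAK that answers it."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    seed = request_auth if request_auth is not None else bytes(16)
    auth = hashlib.md5(header + seed + attrs + secret).digest()
    return header + auth + attrs

def dynauth_valid(packet, secret, request_auth=None):
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    seed = request_auth if request_auth is not None else bytes(16)
    expected = hashlib.md5(header + seed + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)

class Switch:
    """Constructed model of the NAS side: a table of authenticated sessions, MAC -> VLAN."""

    def __init__(self, secret, sessions):
        self.secret = secret
        self.sessions = dict(sessions)

    def handle_coa(self, packet):
        if len(packet) < 20 or packet[0] != COA_REQUEST or not dynauth_valid(packet, self.secret):
            return None   # RFC 5176: silently discard anything that fails the authenticator check
        ident, request_auth = packet[1], packet[4:20]
        attrs = decode_attrs(packet[20:])
        mac = attrs.get(CALLING_STATION_ID, b"").decode()
        vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
        if mac not in self.sessions or vlan is None:
            cause = ERR_MISSING_ATTRIBUTE if vlan is None else ERR_SESSION_CONTEXT_NOT_FOUND
            nak = encode_attrs([(ERROR_CAUSE, struct.pack("!I", cause))])
            return dynauth_packet(COA_NAK, ident, nak, self.secret, request_auth)
        self.sessions[mac] = (vlan[1:] if vlan[0] <= 0x1F else vlan).decode()
        return dynauth_packet(COA_ACK, ident, b"", self.secret, request_auth)

def nac_server_coa_request(mac, new_vlan, secret, ident):
    """NAC server side: ask the switch to move an existing session to another VLAN."""
    attrs = encode_attrs([
        (CALLING_STATION_ID, mac.encode()),
        (TUNNEL_TYPE, tagged(struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])),
        (TUNNEL_MEDIUM_TYPE, tagged(struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])),
        (TUNNEL_PRIVATE_GROUP_ID, tagged(new_vlan.encode())),
    ])
    return dynauth_packet(COA_REQUEST, ident, attrs, secret)

def change_authorization(switch, mac, new_vlan, secret, ident=7):
    """Full exchange. Returns COA_ACK, COA_NAK, or None if either side discarded the packet."""
    request = nac_server_coa_request(mac, new_vlan, secret, ident)
    reply = switch.handle_coa(request)
    if reply is None or reply[1] != ident or not dynauth_valid(reply, secret, request[4:20]):
        return None
    return reply[0]

if __name__ == "__main__":
    sw = Switch(b"constructed-secret", {"001a2b3c4d5e": "999"})   # 999 = quarantine VLAN
    print(change_authorization(sw, "001a2b3c4d5e", "10", b"constructed-secret"), sw.sessions)
```

The switch only honours a CoA-Request it can authenticate with the shared secret it has configured for that NAC server, which is the same protection the switch relies on for Access-Accept; an attacker on the LAN cannot simply ask the switch to move a quarantined machine into the production VLAN. The quarantine-then-release case from the text is exactly this exchange: the endpoint first lands in the quarantine VLAN at authentication time, and once posture remediation completes the NAC server pushes the production VLAN without forcing a re-authentication.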
Apotica deploys a large portfolio of Next-Generation technologies and is uniquely positioned to advise on the next steps to help with your security strategy. You can request a free consultation here. To enquire about any equipment or software, call us on +233.54.431.5710 or write to firstname.lastname@example.org.
Apotica, headquartered in Accra, Ghana, brings together the best information and communications technologies to help clients grow, compete and serve their customers better. Apotica is an ISO 27001 and 9001 Certified Organization.