Laptops, smartphones, tablets, and Internet of Things (IoT) devices are pouring into the workplace. With every employee now utilizing an average of three devices, the addition of IoT increases the vulnerabilities inside the business – adding to the operational burden.
Identifying who and what connects to the network is the first step to securing your enterprise. Control through the automated application of wired and wireless policy enforcement ensures that only authorized and authenticated users and devices are allowed to connect to your network. At the same time, real-time attack response and threat protection is required to secure and meet internal and external audit and compliance requirements.
The use of IoT devices on wired and wireless networks is shifting IT’s focus. Many organizations secure their wireless networks and devices but may have neglected the wired ports in conference rooms, behind IP phones, and in printer areas. Wired devices – like sensors, security cameras, and medical devices – force IT to think about securing the millions of wired ports that could be wide open to security threats. Because these devices may lack security attributes and require access from external administrative resources, apps, or service providers, wired access now poses new risks.
As IT valiantly fights the battle to maintain control, they need the right set of tools to quickly program the underlying infrastructure and control network access for any IoT and mobile device – known and unknown. Today’s network access security solutions must deliver profiling, policy enforcement, guest access, BYOD onboarding, and more to offer IT offload, enhanced threat protection, and an improved user experience.
Mobility And IoT Are Changing How We Think About Access Control
The boundaries of ITs domain now extend beyond the four walls of a business. And the goal for organizations is to provide anytime, anywhere connectivity without sacrificing security. How does IT maintain visibility and control without impacting the business and user experience? It starts with a 3-step plan.
- Identify - what devices are being used, how many, where they’re connecting from, and which operating systems are supported – this provides the foundation of visibility. Continuous insight into the enterprise-wide device landscape and potential device security corruption, as well as, which elements come and go gives you the visibility required over time.
- Enforce - accurate policies that provide proper user and device access, regardless of user, device type, or location; this provides an expected user experience. Organizations must adapt to today’s evolving devices and their use – whether the device is a smartphone or surveillance camera.
- Protect - resources via dynamic policy controls and real-time threat remediation that extends to third-party systems. This is the last piece of the puzzle. Being prepared for unusual network behavior at 3 AM requires a unified approach that can block traffic and change the status of a device’s connection.
Organizations must plan for existing and unforeseen challenges. With their existing operational burden, it’s not realistic to rely on IT and help desk staff to manually intervene whenever a user decides to work remotely or buy a new smartphone. Network access control is no longer just for performing assessments on known devices before access.
Full-spectrum Visibility Across The Network
Security starts with visibility of all devices – you can’t secure what you can’t see. ClearPass provides built-in discovery and profiling to ensure that users and devices are granted appropriate access privileges – regardless of access method or device ownership. ClearPass Device Insight greatly enhances core discovery and profiling capabilities to identify the wide range of IoT devices in many environments. This is accomplished through a combination of Deep Packet Inspection (DPI), advanced machine learning, and crowdsourcing device fingerprints.
True security only occurs when there is overarching visibility and control – ensuring that only authenticated or authorized devices connect to the network. This stems from a multi-vendor, wired, and wireless per device policy.
Template-based policy enforcement lets IT build wired and wireless policies that leverage intelligent context elements: user roles, device types, MDM/EMM data, certificate status, location, day-of-week, and more. No matter how devices connect, Aruba Dynamic Segmentation automatically enforces consistent policies across the wired or wireless network – keeping traffic secure and separate. It’s now easy for guests, IoT, and business operations to coexist at any network location.
Wired is now the new threat
ClearPass OnConnect is a built-in feature that enables organizations to lock down those thousands of wired ports using non-AAA enforcement. No device configuration is needed and one command line entry in the switch is all it takes. Standard AAA/802.1X methods are also supported for wired and wireless. This allows for consistent policy enforcement and an end-to-end approach that siloed AAA, NAC, and policy solutions can’t deliver.
The ability to utilize multiple identity stores within one policy service, including Microsoft Active Directory, LDAP compliant directories, ODBC-compliant SQL databases, token servers, and internal databases sets ClearPass apart from legacy solutions.
Device provisioning without IT involvement
Managing the onboarding of personal devices for BYOD deployments can put a strain on IT and help desk resources and can create security concerns.
ClearPass Onboard lets users safely configure devices for use on secure networks all on their own. Device-specific certificates even eliminate the need for users to repeatedly enter login credentials throughout the day. That convenience alone is a win for simplified security. The additional security gained by using certificates is an operational bonus.
Using ClearPass Onboard, the IT team defines who can onboard devices, the type of devices they can onboard, and how many devices per person. A built-in certificate authority lets IT support personal devices more quickly as an internal PKI, and subsequent IT resources are not required.
Guest access that’s simple and fast - Automate device provisioning for secure BYOD with ClearPass Onboard
BYOD isn’t just about employee devices. It’s about any visitor whose device requires network access – wired or wireless. IT requires a simple model that pushes the device to a branded portal, automates the provisioning of access credentials, and also provides security features that keep enterprise traffic separate.
ClearPass Guest makes it easy and efficient for employees, receptionists, event coordinators, and other non-IT staff to create temporary network access accounts for any number of guests per day. MAC caching also ensures that guests can easily connect throughout the day without repeatedly entering credentials on the guest portal.
Guest self-registration takes the task away from employees and lets visitors create their own credentials. Login credentials are delivered via printed badges, SMS text, or email. Credentials can be stored in ClearPass for pre-determined set amounts of time and can be set to expire automatically after a specific number of hours or days.
When device health determines access
During the authorization process, it may be necessary to perform health assessments on specific devices to ensure that they adhere to corporate anti-virus, anti-spyware, and firewall policies. Automation motivates users to perform an anti-virus scan before connecting to the enterprise network.
ClearPass OnGuard features built-in capabilities that perform posture-based health checks to eliminate vulnerabilities across a wide range of computer operating systems and versions. Whether agentless or using persistent or dissolvable clients, ClearPass can centrally identify compliant endpoints on wireless, wired, and VPN infrastructures.
Examples of advanced health checks that provide extra security:
- Handling of peer-to-peer applications, services, and registry keys
- Determination of whether USB storage devices or virtual machine instances are allowed
- Managing the use of bridged network interfaces and disk encryption
Getting more from third-party solutions
The final element of a secure infrastructure is Response. The ability to respond to attack event data presented by other security vendors. Aruba 360 Security Exchange, our “Best of Breed” ecosystem, lets you automate security threat remediation or enhance a service using popular third-party solutions like firewalls, MDM/EMM, MFA, visitor registration, and SIEM tools. Leveraging the context intelligence included in ClearPass allows organizations to ensure that security and visibility are provided at a device, network access, traffic inspection, and threat protection level.
Using a common-language (REST) API, syslog messaging, and a built-in repository called ClearPass Exchange, automated workflows and decisions help simplify tasks and secure the enterprise – no more complex scripting languages and tedious manual configuration. And for faster integration, ClearPass Extensions allows partners to upload an extension, for real-time delivery of new services to joint customers.
With ClearPass Exchange, networks can automatically take action:
- MDM/EMM data like jailbreak status of a device can determine if it can connect to a network
- Firewalls can accurately enforce policies based on user, group, and specific device attributes and leverage ClearPass to remediate a device exhibiting poor behavior
- SIEM tools can be set up to store authentication data for all connected devices
- Users can be asked to use multi-factor authentication to verify their identity when connecting to networks and resources
Network events can also prompt firewalls, SIEM, and other tools to inform ClearPass to take action on a device by triggering actions in a bidirectional manner. For example, if a user fails network authentication multiple times, ClearPass can trigger a notification message directly to the device or denylist the device from accessing the network.
Securely access work apps from anywhere
Logging in to work apps throughout the day needs to be fast and effortless. ClearPass supports Single Sign-On and the ClearPass Auto Sign-On capability for that reason. Instead of a single sign-on, which requires everyone to login once to apps, Auto Sign-On uses a valid network login to automatically provide users with access to enterprise mobile apps. Users only need their network login or a valid certificate on their devices.
ClearPass can also be used as your identity provider (IdP) or service provider (SP) where Single Sign-On is used.
Bonjour, DLNA and UPnP services
Projectors, TVs, printers, and other media appliances that use DLNA/UPnP or Apple AirPlay and AirPrint, can be shared between users across your Aruba Wi-Fi infrastructure. ClearPass makes finding these devices and sharing between them simple.
For example, a teacher who wants to display a presentation from a tablet will only see an available display in their classroom. They will not see devices on the other side of the campus. They can also use the portal to choose who else can use the display – this keeps students from taking over the display.
Another example is in healthcare – doctors can easily project digital images, x-rays, and MRIs from their iPads to a larger screen anywhere within a hospital. Patient collaboration just got simpler. User and location context is both a security and enablement tool.
Clearpass Delivers Both Protection And Efficiency For Aruba Sd-branch
With dozens, hundreds or even thousands of individual branch locations to set up, secure, and maintain, security and efficiency are both required for success. Because ClearPass centrally establishes role-based access control that follows a user or device across any type of network connection, labor-intensive VLAN and ACL setup and sprawl are eliminated. Within minutes, organizations can set standard permissions for typical branch users such as customers, associates, and managers, as well as devices which include: point-of-sale systems, building controls, and peripherals. Once the policies are defined, ClearPass automatically pushes them to every location and dynamically adapts access based on device and user status.
Through embedded next-generation firewalls, deep packet inspection, and content filtering, Aruba branch gateways interpret and apply the permissions assigned to each role without requiring manual changes to the network. Unlike other branch solutions, ClearPass works with the Aruba branch gateway to define and enforce policies up to and including the application layer – access control that is not available with simple VLAN segmentation. In addition, ClearPass operates not just with Aruba, but with over 140 security and IT solutions, including cloud-based security solutions from ZScaler, Palo Alto Networks and Checkpoint, thus ensuring an optimized security strategy
Adaptive Foundation For Security And Services
Providing a seamless experience for today’s mobile users and the fast adoption of IoT technologies have created a host of new IT challenges. It takes planning, the right tools and a strong foundation to secure anytime, anywhere access to the wired and wireless enterprise infrastructure.
ClearPass solves these challenges by delivering device identity, policy control, workflow automation, and automated threat protection from a single cohesive solution. By capturing and correlating real-time contextual data, ClearPass enables you to define policies that work in any environment – the office, on campus, or at the ballpark.
ClearPass enhancements also handle emerging network security challenges surrounding the adoption of IoT, stronger mobile device and app authentication, and deeper visibility into security incidents. Automated threat protection and intelligent service features ensure that each device is accurately given network access privileges with minimal hands-on IT interaction.
Detecting Threats Before They Can Do Damage
New threats now evolve from inside the organization – attacks involving malicious, compromised, or negligent users, systems, and devices. Organizations can no longer look at security in the same way. Machine learning and behavior analysis are the next steps to solving the dual crisis of better-resourced threat actors and undervalued security operations. User and Entity Behavior Analytics, or UEBA plugs the gap between device visibility and control, and the secondary threat of malicious behavior.
Aruba’s IntroSpect UEBA spots small changes in behavior – when put into context over a period of time – that are indicative of attacks that have evaded traditional security defenses. Attacks involving compromised users and hosts are notoriously difficult to detect because cybercriminals can evade perimeter defenses by using legitimate credentials to access corporate resources. Phishing scams, social engineering, and malware are just a few of the popular techniques by which these criminals acquire employee corporate credentials. IntroSpect automates the detection of these attacks with analytics-driven visibility. Advanced techniques, including supervised and unsupervised machine learning, are applied to data from the network and security infrastructure.
With the integration of IntroSpect and ClearPass, the precision alerts that IntroSpect provides mean that ClearPass can respond with pre-determined policy-based actions – thus cutting off the threat before it can do damage.
The stakes are high and it’s surprising that more companies have not embraced secure NAC to prevent malicious insiders from causing damage to the enterprise. The uses cases are many – control device connectivity, simplify BYOD, secure guest access – but the answer is always the same. Over 7,000 customers in 100 countries have secured their network and their business with Aruba ClearPass for better visibility, control, and response.
Learn more about Aruba ClearPass at https://www.vlcm.com/aruba-clearpass.
Blog Repurposed from Aruba ClearPass Solution Overview