As the challenges identified above manifest themselves increasingly, NAC platforms will need to be highly responsive to marketplace dynamics and the overall threat landscape – and accordingly innovative as well. The essential characteristic required of NAC technology going forward is that it gives enterprises the flexibility they need to carry out their business and organizational imperatives in highly dynamic client endpoint connectivity scenarios, while also providing immediately responsive, robust defensive mechanisms in the presence of potential vulnerabilities.
More specifically, as IoT device types multiply and as foreknowledge of them cannot be taken for granted, the next generation of NAC will need to possess an even greater degree of “intelligence” than is currently the case. In particular, beyond ensuring comprehensive visibility of all devices, next-gen NAC will need to possess:
- Comprehensive, granular information about all IoT devices of the sort required of today’s standard computing platforms (e.g. function, EOL/EOS status, vendor specifics, connectivity, app dependencies)
- Integration with authentication and identity management platforms
- A master database of known vulnerabilities, patches, and updates for all devices
- Full lifecycle device tracking and monitoring
- Remote management
- Policy-based node group management that allows for micro-segmentation so that all devices and users can be organized dynamically
Introducing Genian NAC
Genian NAC provides holistic device visibility without requiring an agent, together with dynamic policy management. It allows enterprises to control, in a highly granular manner, both the users and the devices that will be allowed to access a given network environment and its resources. It provides the ability to interrogate, review, and modify specific desktop and device configurations dynamically and on demand.
Network Surveillance
- Device Platform Intelligence
  - Identity-related information
    - Device platform name, consisting of manufacturer, device name and model number (integrated with the Common Platform Enumeration (CPE) dictionary)
    - A picture of the device platform
    - The list of device fingerprinting sources
    - Network connection type (wired, wireless)
    - Release date
  - Business-related information
    - Product end of life (EOL)
    - Product end of support (EOS)
    - Manufacturer business status
    - Manufacturer location (country)
    - Manufacturer homepage
  - Risk-related information
    - Detection of abnormal network traffic (e.g. ARP spoofing/bombing, MAC/IP cloning, port scanning, invalid gateway)
    - Integration with Common Vulnerabilities and Exposures (CVE)
    - Real-time reporting of device platforms exposed to known vulnerabilities
    - Reporting of manufacturers/vendors going out of business or being acquired, which can leave systems that cannot be upgraded or patched
- Identity-related information
- Contextual Access Information (What, Who, When, Where, How)
- Dynamic Node Grouping (classification on over 500 conditions)
- Compliance Status Change Detection
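The platform-intelligence items above (a CPE-style platform name, a CVE feed, EOL/EOS status and condition-based node grouping) can be tied together in a few lines. The following is an added example, not Genian code: it builds CPE 2.3 formatted strings from fingerprinted vendor/product/version fields, matches them against a constructed vulnerability list (the identifiers are placeholders, not real CVE numbers), flags platforms past their EOL/EOS dates, and classifies each node into dynamic groups defined as condition predicates. The inventory, feed, group names and reference date are all constructed for the example.

```python
"""Device platform intelligence over a constructed inventory (added example, not product code)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Device:
    ip: str
    mac: str
    vendor: str
    product: str
    version: str
    connection: str                 # "wired" or "wireless"
    eol: Optional[date] = None      # product end of life, None if not announced
    eos: Optional[date] = None      # product end of support
    agent: bool = False             # NAC agent installed?


def cpe_component(value: str) -> str:
    """Lower-case a field and backslash-quote characters that are special in a CPE 2.3 formatted string."""
    return re.sub(r"[^a-z0-9._-]", lambda m: "\\" + m.group(0), value.lower())


def cpe23(d: Device) -> str:
    """CPE 2.3 formatted string for a hardware platform (part 'h'); unknown trailing fields are '*'."""
    return "cpe:2.3:h:%s:%s:%s:*:*:*:*:*:*:*" % (
        cpe_component(d.vendor), cpe_component(d.product), cpe_component(d.version))


def version_key(v: str):
    """Dotted version string -> comparable tuple; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


# Constructed vulnerability feed. The ids are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "CVE-0000-0001", "vendor": "acme", "product": "ipcam", "fixed_in": "2.2.0"},
    {"id": "CVE-0000-0002", "vendor": "acme", "product": "thermostat", "fixed_in": "1.5.0"},
]

TODAY = date(2024, 1, 1)  # fixed reference date so the report is deterministic


def matching_vulns(d: Device):
    """Feed entries for this vendor/product whose fix version is newer than the running version."""
    return [v["id"] for v in VULN_FEED
            if v["vendor"] == d.vendor.lower() and v["product"] == d.product.lower()
            and version_key(d.version) < version_key(v["fixed_in"])]


def risk_flags(d: Device):
    flags = []
    if matching_vulns(d):
        flags.append("vulnerable")
    if d.eol and d.eol <= TODAY:
        flags.append("eol")
    if d.eos and d.eos <= TODAY:
        flags.append("eos")
    return flags


# Dynamic node groups: a name plus a condition evaluated against every device.
NODE_GROUPS = {
    "wireless-iot": lambda d: d.connection == "wireless" and not d.agent,
    "unsupported": lambda d: "eos" in risk_flags(d),
    "needs-patch": lambda d: "vulnerable" in risk_flags(d),
    "managed": lambda d: d.agent,
}


def classify(d: Device):
    return sorted(name for name, cond in NODE_GROUPS.items() if cond(d))


def platform_report(devices):
    """Per-device platform name, matched vulnerabilities, risk flags and group membership."""
    return {d.ip: {"cpe": cpe23(d), "vulns": matching_vulns(d),
                   "flags": risk_flags(d), "groups": classify(d)} for d in devices}


# Constructed inventory.
INVENTORY = [
    Device("10.0.0.11", "00:11:22:33:44:55", "Acme", "IPCam", "2.1.3", "wireless",
           eol=date(2022, 6, 30), eos=date(2023, 6, 30)),
    Device("10.0.0.12", "00:11:22:33:44:66", "Acme", "Thermostat", "1.6.0", "wireless"),
    Device("10.0.0.20", "00:11:22:33:44:77", "Contoso", "Laptop Pro", "11", "wired", agent=True),
]

if __name__ == "__main__":
    for ip, info in platform_report(INVENTORY).items():
        print(ip, info)
```

Group membership is recomputed from the predicates on every call, so a device that is patched (or whose EOS date passes) changes groups without anyone editing a static list, which is the point of condition-based grouping.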
Network Access Control
- Dynamic policy management: policies can be established to address a wide array of network access conditions and requirements, from device type to operating system to patch and update version levels – just for starters – in both wired and wireless environments. Even more granular access conditions can be created to meet the needs of a specific business or enterprise
- On-demand access management (BYOD, guest, peripheral devices such as USB, IP usage)
- Multi-layered enforcement methods
  - Layer 2: ARP Poisoning (using Network Sensor)
  - Layer 3: TCP reset (using Mirror Sensor)
  - Layer 3: Inline enforcer (Dual-homed Gateway)
  - Agent: NIC/Power Control, Alert Popup
  - 802.1x: Built-in RADIUS server
  - DHCP: Built-in DHCP server
  - Integration: Firewall, Switch port shutdown (SNMP)
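To show how policy rules and the enforcement options above fit together in practice, here is an added example (not Genian code) of a small policy engine. Each rule names the endpoints it applies to, the condition they must meet, and the remediation to start when they do not. When an endpoint fails a rule, the engine picks the strongest enforcement method the endpoint's situation supports, in the order 802.1X, agent, switch port control, Layer 2 sensor, mirror sensor; that ordering, the rules, the field names and the sample endpoints are all constructed for the example.

```python
"""Policy-based access decision and enforcement selection (added example, not product code)."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Endpoint:
    ip: str
    device_type: str        # "workstation", "iot" or "guest"
    connection: str         # "wired" or "wireless"
    os_patch_level: int     # constructed monotonic patch counter
    agent: bool             # NAC agent installed?
    dot1x_capable: bool     # supplicant present and the port runs 802.1X
    switch_port: str = ""   # e.g. "sw1:Gi1/0/7"; empty if unknown (constructed format)
    registered: bool = False  # guest completed the self-service portal?


@dataclass
class Rule:
    name: str
    applies_to: Callable[[Endpoint], bool]   # which endpoints the rule targets
    compliant: Callable[[Endpoint], bool]    # condition the endpoint must satisfy
    remediation: str                         # action when the condition fails


# Constructed policy: patch level and agent for workstations, wireless-only for IoT, portal for guests.
POLICY = [
    Rule("workstation-patch", lambda e: e.device_type == "workstation",
         lambda e: e.os_patch_level >= 42, "push-update"),
    Rule("workstation-agent", lambda e: e.device_type == "workstation",
         lambda e: e.agent, "install-agent"),
    Rule("iot-wireless-only", lambda e: e.device_type == "iot",
         lambda e: e.connection == "wireless", "quarantine"),
    Rule("guest-portal", lambda e: e.device_type == "guest",
         lambda e: e.registered, "captive-portal"),
]

# Enforcement methods in order of preference, each with the precondition that makes it usable.
ENFORCEMENT_ORDER = [
    ("802.1x", lambda e: e.dot1x_capable),                 # built-in RADIUS rejects the session
    ("agent", lambda e: e.agent),                          # NIC control / alert popup on the host
    ("switch-port", lambda e: bool(e.switch_port)),        # port shutdown via SNMP
    ("layer2-sensor", lambda e: e.connection == "wired"),  # network sensor on the segment
    ("mirror-sensor", lambda e: True),                     # TCP reset from mirrored traffic, last resort
]


def evaluate(e: Endpoint) -> dict:
    """Return the access decision, the violated rules, the remediation to start and the enforcement method."""
    violations = [r for r in POLICY if r.applies_to(e) and not r.compliant(e)]
    if not violations:
        return {"decision": "allow", "violations": [], "remediation": [], "enforcement": None}
    remediation = [r.remediation for r in violations]
    # Quarantine wins over remediation: a quarantined node is isolated rather than fixed in place.
    decision = "quarantine" if "quarantine" in remediation else "remediate"
    method = next(name for name, usable in ENFORCEMENT_ORDER if usable(e))
    return {"decision": decision, "violations": [r.name for r in violations],
            "remediation": remediation, "enforcement": method}


# Constructed endpoints.
SAMPLE = [
    Endpoint("10.0.1.10", "workstation", "wired", 40, agent=True, dot1x_capable=True),
    Endpoint("10.0.1.20", "iot", "wired", 0, agent=False, dot1x_capable=False, switch_port="sw1:Gi1/0/7"),
    Endpoint("10.0.1.30", "guest", "wireless", 0, agent=False, dot1x_capable=False, registered=True),
    Endpoint("10.0.1.40", "workstation", "wireless", 45, agent=True, dot1x_capable=False),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.ip, evaluate(ep))
```

Keeping the rules as data rather than code paths is what makes the policy "dynamic": an operator with the right credentials changes a threshold or adds a rule and every later evaluation reflects it, and the enforcement chosen degrades gracefully for endpoints that have no agent or no 802.1X support.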
IT Security Automation
- The result is full visibility at all times of all users and devices on the network, with full and immediate (including automated) management of their state, thus providing assurance of full compliance with established policies and standards across the entire network environment
- Network access can be denied to devices not meeting the established conditions, and automated remediation initiated as appropriate to either bring the device into compliance or place it in quarantine automatically
- Automated environment security management: e.g. a self-service portal for BYOD access provisioning
- Integration with other security solutions through REST/SOAP APIs, exchanging and sharing data automatically to identify and mitigate risk
- Further, full visibility, control, and compliance assurance translate into full, on-demand, real-time reporting
In short: “Network Surveillance” and “Network Access Control” together provide a fundamental, foundational cybersecurity defense capability for the enterprise. Access to the network environment is only granted under conditions of demonstrated security compliance. Those conditions are centrally managed and can be changed dynamically by those with the appropriate network management credentials. Taken together, these features deliver fundamental security by design, not by chance.