Federal IT: Do You Know What’s Connected to Your Wired Networks?

By Dolan Sullivan, Vice President of Federal at Aruba, a Hewlett Packard Enterprise company

During the last two decades, federal agencies have stockpiled an arsenal of wireless security solutions and defined comprehensive security strategies. Excellent work has gone into securing devices, apps, the network and agency assets to keep pace with our incredible appetite to be mobile anywhere and everywhere.

In an unexpected twist, even with all the careful groundwork, many agencies have left a troubling hole in a surprising place—the wired network. Turns out that devices are strolling through the front doors with staff or visitors and easily plugging into the network. Reports note that 70 percent to 80 percent of the time nothing prevents cameras, tablets and even PlayStation consoles from easily joining the network once they pass beyond the stationed security guards.

To get answers on how to identify these devices, tune into the webcast “Overcoming the Challenges of Wired Network Security for the Federal Government.”

While the network has post-connection and firewall policies to restrict what the devices can do, there’s nothing preventing them from plugging in to the Wi-Fi through a wired port. So much of the security depends on segmenting VLANs with, for example, printer traffic allocated to one port, voice traffic to another port, and guest traffic to yet another port—and each port having its own policies.

These are proven security best practices, but they don’t prevent the network from being vulnerable to rogue devices that appear to be behaving. While a lone PlayStation may not create a network alert, you can expect a tsunami of IoT devices to start joining networks. These devices can—and will—be exploited by hackers. Successful attacks stand a good chance of having an even larger impact if mission operations are disrupted or confidential information is stolen.

Preventing attacks calls for quickly identifying the rogue devices and making sure they behave appropriately. A recently added iPad that is used for reserving a meeting room or a visiting colonel’s laptop presents little danger, but other devices could be there to make trouble.

4 Steps to Creating Safe Zones
What we’re seeing is that these tainted devices are lurking in the network for as many as 100 days. Once identified, mitigating the threat takes up to 30 days. That timeline is much too long and dangerous for federal agencies.

Aruba has assembled a set of certified solutions that will keep potentially dangerous devices in quarantine until they are deemed safe and allow harmless ones to check-in safely and be acknowledged. Working together, agencies can create a safe zone by taking these four steps:

  • Identify what is on your network
  • Apply “best fit” dynamic control at the edge
  • Orchestrate security and experience
  • Analyze behaviors and react to threats

Aruba 360 Secure Fabric, which meets FIPS and Common Criteria standards, addresses these wired challenges to create an integrated wired and wireless secure environment. For this blog, I’ll concentrate on Aruba ClearPass network access control. Smarter and more powerful than an asset manager, ClearPass has built-in discovery and profiling to ensure that users and devices are granted appropriate access privileges. It applies a unique combination of deep packet inspection (DPI), advanced machine learning and crowdsourced device fingerprints to make smart decisions about what a device is doing and whether it poses a threat to the network.

You can count on ClearPass for:

  • Visibility throughout the network that discovers devices and profiles them with custom fingerprinting
  • Authorization that validates network access privileges based on identity and context
  • Enforcement of security guidelines with timely attack responses after event-triggered actions
  • Authentication of users for one role and one network resulting from AAA and non-AAA options

Security with More Smarts and Less Effort
What I find especially compelling is how ClearPass can improve the security experience for both agency staff and IT. Outside of the IT team, most staff see security as an irritating hassle. With ClearPass, the security team can set up processes that help people navigate their network problems. ClearPass has lots of nifty self-help tools that provide exactly what IT needs to help a frustrated user who believes the Internet is down when, in fact, his laptop may be out of compliance.

All in all, ClearPass and the Aruba Secure Fabric strengthen your already sound network and support compliance. Together, they lower the overall risk that rogue devices introduce to federal agencies while improving operations with fewer helpdesk calls and requests for security changes.

Realistically, the network will always have some level of vulnerability. Attackers get smarter every day, and new projects spinning up leave holes in dynamic environments. ClearPass helps you stay ahead and close the gaps.

Related Content
Wired network challenges create real and dangerous problems for federal agencies. For more in-depth information about closing the gaps with Aruba ClearPass, watch the webcast Overcoming the Challenges of Wired Network Security for the Federal Government. 
