Is Your Wireless More Secure Than Your Wired Network?

By Dolan Sullivan, Vice President of Federal at Aruba, a Hewlett Packard Enterprise company

This guest blog is the second of a series written by Ken Rich, a Consulting Systems Engineer at Aruba, a Hewlett Packard Enterprise company. Ken leads secure mobility, VPN, and classified networking discussions with the DoD and Civilian Federal government. Thanks Ken!

Conventional wisdom dictates that wireless networks are less secure than wired. Federal agencies adopted mobility with an abundance of caution, carefully weighing productivity gains and cybersecurity risk. But in practice, many wired networks have fewer security mechanisms in place than an equivalent wireless network.

For wired networks, the crutch of physical access restriction to the wired port is often the primary security mechanism. Ironically, ease of physical access ends up being the primary issue.

With the rise of insider threats, it’s not enough to rely on the physical security of a room, building or campus. Often Ethernet ports are left open by accident, inadvertently allowing someone to simply plug a device into that port, maybe in a conference room or open area, and get connected. In addition, wired IoT devices, such as surveillance cameras, have a dismal track record of security.

At other times, shortcuts are taken where security is enabled, but insufficient. Maybe the switch is checking the wired device’s MAC address, but there are no real authentication checks, as with wireless networks. There’s little to keep an even moderately risk-aware user off the network.

The way to make wired networks more secure is to use the same network access controls that are deployed for secure wireless LANs. Users and devices must be authenticated before they can pass data through a wired or wireless network, and the traffic must be encrypted from the client into the network. Clear visibility into who—and what—is connected to an agency’s network is critical, as well as policy-based controls over mobile and IoT devices.

Deploying wired switches that support 802.1X authentication is far easier and more comprehensive than when network access control technology was introduced more than a decade ago. Further, just as with the wireless network, wired devices can be fingerprinted, profiled, authenticated and have the appropriate network and security policies applied. If someone tries to log in with valid credentials but the device fingerprint is wrong, access can be denied—anywhere across the wired and wireless network. Wired device behavior can be monitored, analyzed, and acted upon in the event of an alert.

Deploying a mobility first network architecture isn’t just about wireless LAN. A mobility first network embraces the concept of ubiquitous access, regardless of the access mechanism, with a centralized and consistent access and security policy and the ability to identify and respond to threats in real time.
