HPE Aruba Networking Blogs

Rethinking network access control for wired and IoT networks

It's no secret that cyber attacks are getting worse.

Mobile devices and users continue to succumb to new attacks. IT managers continue to try to protect against threats that are coming in from all directions and are never 100% sure their networks are fully protected. This, unfortunately, is the new normal.

Enter the Internet of Things (IoT)

We know that sensors and other connected devices promise to transform industries from retail to healthcare to manufacturing. The IoT promise of operational efficiency and data monetization is truly compelling.

There's been a lot of attention to wireless IoT devices, but in the enterprise and industrial space, a lot of IoT devices are wired. Motion detectors for physical security, medical equipment in operating theaters, process controllers on the factory floor, and many other industrial IoT devices are wired.

Now consider that IoT devices have been designed for a specific function, and not necessarily with security first and foremost. When HP Enterprise security researchers took a close look at the most popular IoT devices last year, they found an alarmingly high average number of vulnerabilities per device. A year later, it hasn't gotten any better. Sadly, this is also likely to be the new normal for the foreseeable future.

Getting to the NAC of things

Historically, NAC has been closely associated with 802.1X and with wireless, as the way to enable secure employee and visitor access to your Wi-Fi network. Because 802.1X has not been pervasively provisioned on all switches across the entire network, the use of NAC solutions has likewise been largely restricted to Wi-Fi networks.

Times have changed. NAC has matured. It can be deployed easily and scaled to support many tens of thousands of devices in a large enterprise. Many organizations have 802.1X-capable switches. And for those switches or endpoints that don't support 802.1X, there are other ways to secure network access without having to upgrade your entire infrastructure or install software agents on endpoints. The ClearPass solution can function equally well in a non-802.1X and non-AAA environment.

More devices, and more types of devices, are connecting to your network than ever before. Note that the adoption of IoT in the enterprise is shifting the focus from wireless to wired. IT leaders must now step up their use of NAC for wired networks to complement their current use of it on wireless networks.

Because we understand that configuring NAC for a wired network is not the same as configuring it for wireless access, we provide two methods of enforcement that make it easy for IT to start locking down wired ports. The first approach works with any type of switch, with no dependence on 802.1X: simple SNMP enforcement works very well. The second approach uses 802.1X and may require more configuration on the switches themselves.

Aruba, a Hewlett Packard Enterprise company, recently enhanced the ClearPass solution with a new capability called OnConnect that makes it easier than ever before to secure access to any kind of device without the need for additional software or hardware refreshes. With OnConnect, ClearPass still provides granular profiling capabilities, but enforcement and device assessments are accomplished without using 802.1X or MAC authentication. Switches use standards-based SNMP to notify ClearPass when a new device connects, and ClearPass applies a pre-defined enforcement policy using SNMP as well.
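To make the SNMP-driven flow concrete, here is an added simulation of it (example code written for this post, not ClearPass or Aruba code). It assumes the switch raises a standard SNMPv2 linkUp trap carrying the port's ifIndex, that the NAC server can look up the MAC learned on that port, and that enforcement is an SNMP set of the port's PVID from Q-BRIDGE-MIB; the switch, the OUI table and the policy table are constructed stand-ins, and an unrecognised device is parked in a quarantine VLAN rather than left on the port's default VLAN.

```python
# Standard OIDs (SNMPv2-MIB linkUp trap, IF-MIB ifIndex, Q-BRIDGE-MIB dot1qPvid).
LINKUP_TRAP = "1.3.6.1.6.3.1.1.5.4"
IF_INDEX = "1.3.6.1.2.1.2.2.1.1"
DOT1Q_PVID = "1.3.6.1.2.1.17.7.1.4.5.1.1"

# Constructed sample data: MAC OUI -> device profile, profile -> VLAN.
OUI_PROFILES = {"00:11:22": "camera", "aa:bb:cc": "medical-device"}
POLICY = {"camera": 30, "medical-device": 40}
QUARANTINE_VLAN = 999  # unknown devices get an isolated VLAN, never the default


class FakeSwitch:
    """Stand-in for an SNMP agent: MACs learned per port plus a writable MIB."""

    def __init__(self, port_macs):
        self.port_macs = port_macs  # ifIndex -> MAC seen on that port
        self.mib = {}               # OID -> value written by snmp_set

    def get_mac(self, if_index):
        return self.port_macs.get(if_index)

    def snmp_set(self, oid, value):
        self.mib[oid] = value


def profile(mac):
    """Classify a device by the OUI (first three octets) of its MAC."""
    return OUI_PROFILES.get(mac.lower()[:8], "unknown")


def handle_trap(switch, trap_oid, varbinds):
    """Process one trap; return (profile, vlan) applied, or None if ignored."""
    if trap_oid != LINKUP_TRAP:
        return None  # e.g. linkDown: nothing to enforce
    if_index = None
    for oid, value in varbinds:  # the ifIndex varbind is instance-suffixed
        if oid.startswith(IF_INDEX + "."):
            if_index = int(value)
    if if_index is None:
        return None  # malformed trap: no port to act on
    mac = switch.get_mac(if_index)
    if mac is None:
        return None  # port is up but no MAC learned yet; re-check later
    prof = profile(mac)
    vlan = POLICY.get(prof, QUARANTINE_VLAN)
    switch.snmp_set(f"{DOT1Q_PVID}.{if_index}", vlan)  # enforce via SNMP set
    return prof, vlan
```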

As you contend with the approaching tsunami of IoT devices in your networks, make sure to adopt a solution architecture that is built around secure access and policy enforcement from the ground up.

Learn more about ClearPass.