In theory, securing wired should be no different from securing wireless. Wired connectivity should be covered by the same consistent access policies afforded to mobility projects. Mobility, after all, is simply “me, getting my stuff,”it’s just that this time I’m getting that stuff via the wire rather than wireless. So…that’s that solved, let’s move on, shall we!
Actually, no, not so fast! The trouble is that the wire has always worked, instantly – and we don’t like to mess with that. In fact, if at all possible we would rather not touch it, let it fall apart dramatically – or worse we have the CLI jockeys riding roughshod over our switch configurations for the next few months. Not only that but 802.1x is really complicated, and I’ve heard it requires separate supplicants for LAN adaptors. Maybe ignore the last part, I clearly conveniently forgot the last 13 years of pain since Win2K SP4 was released. Regardless, you probably get the point… We will, however, do anything to avoid actively securing access to the wired network – even though it’s vital that we do as it has been left wide open for far too long.
Those that know me, well professionally at least, will know that I often persist in boring them about the importance of remembering that AAA isn’t just Authentication, but also, more importantly, Authorization and Accounting for everything at the end. Well, for all my fanaticism about the latter two A’s, it’s important to remember that most people are currently skipping all of the A’s entirely – so it’s the best break up the journey into separate A roads for everyone’s comfort!
Whilst in the distance we can see active authorization rules composed of dynamic VLANs and downloadable ACLs, with event-driven rules changes and the sharing of security context with third-party solutions – we’re just dreamers in many people’s eyes, so let’s focus on what first steps we need to address. What do we need to know? Gather evidence of what’s trying to connect and connected, classify the unknowns and verify the knowns. We also need to define a process for what happens when devices are unknown but actually need to connect – do we have a break-glass procedure? While we’re talking of failure – what’s our back-up in case the AAA service fails entirely?
Only after these become clear can we even begin to take the first “A” road to Control…and at least Authenticate all devices to the network. Taking small steps to secure the currently open network is still a far better option than being overwhelmed by the total journey and doing nothing at all…
For more information, check out this VRD.
As well, follow our webinar
