Imagine a contractor or employee comes into your office and plugs in a printer or security camera into an open port on a switch. If the port is unsecured – as most still are – they are immediately connected. If their device is compromised, they may inadvertently spread malware that could wreak havoc across your organization's entire network. Now imagine a disgruntled employee or unscrupulous visitor who plugs into an unsecured wired port and starts sniffing around your network to find high-value assets or launch attacks.
Unsecured switch ports are a big hole in many organizations' cybersecurity playbook. Switch ports are visible and accessible in open offices, and even if a switch is physically locked away in a wiring closet, unsecured ports are still risky. It's a risk that too many IT managers have underestimated.
The rise of IoT is also driving the need for better controls over access to the wired network. Smart connected devices like security cameras, smart TVs, and building management systems are creating new value, but many IoT devices are rife with security flaws. Whilst many IoT devices are wireless, we are starting to see many more take advantage of Power over Ethernet (PoE) and hence plug into the wired network.
Network Access Control for Wired, Too
In the early days of the wireless LAN industry, security was a major concern of customers. Aruba is a leader in building secure wireless network solutions, and in fact, we have said for a long time that wireless is more secure than wired. This is because, since the implementation of WPA2 Enterprise, every wireless device not only encrypts its data, but also needs to authenticate to the network, and most enterprise wireless networks today use certificate-based authentication. Traditionally wired devices are allowed to "just plug in" with no form of authentication. Once the port is up, the device can access whatever VLAN the port is configured on.
Many customers already use Aruba ClearPass to control how mobile and other wireless devices connect to their networks. With ClearPass for secure network access control, they can be confident that only authorized users and devices can access their wired or wireless networks and they are free to build whatever access policy meets the needs of the business.
We're seeing more customers adopt ClearPass for wired network access control. Here in Australia, we've been working with several banks to use ClearPass to control access across their campus networks – both wired and wireless. Many industries, especially banking and finance, have regulations that mandate organizations to create effective controls to mitigate security risks. That includes ensuring only authorized users to have access to the appropriate resources, and that rogue or compromised devices are kept off the network. There is also a greater awareness of the need to take wired access control much more seriously with the rise of IoT.
See, Control and Respond with ClearPass
ClearPass gives you visibility into what devices are on your network, regardless of wired, wireless or VPN, and then allows you to control network access for those devices and respond when a potential situation arises.
The reality is that most IT managers simply are unaware of all of the devices that are connected to their network at any moment. ClearPass gives you that visibility with profiling. It is very common for a new ClearPass customer to discover many more devices on the network than they had ever anticipated simply because they had no way of "looking" previously. Visibility is the key to control. Once you have visibility, you can create the right access policies.
ClearPass supports multiple authentication methods, including 802.1X and MAC authentication, to support a broad variety of device types. These days, many wired and wireless devices can use 802.1X, but there is still a large selection that cannot – especially low-cost IoT wired connected devices. Whilst MAC authentication is one way to secure these devices, it has its limitations. ClearPass also support OnConnect, a non-802.1X mechanism to validate the device type and usage. OnConnect is a very useful tool as part of your wired access control framework.
ClearPass enables you to enforce your corporate policies for proper user and device access, for all users, device types or locations. Authorized users and devices get connected quickly and easily, whilst everything else is prevented from connecting. And of course, you are made fully aware of all of the unauthorized connection attempts.
ClearPass can protect your information resources with dynamic policy controls and remediate threats in partnership with third-party systems. ClearPass works with an ecosystem of more than 100 third-party products, so IT can automate threat remediation or enhance services with leading firewalls, mobile device management, multifactor authentication, and visitor registration systems. With the context provided by ClearPass, your organization can ensure security and visibility at a device, network, traffic inspection, and threat protection levels.
Go Deeper
Take our Enterprise Security Risk Assessment.
Learn more about ClearPass for secure network access control.
