I recently attended a great webinar presented by Pulse Secure Principal Solutions Architect Lisa Lorenzin and wanted to share my thoughts on key learnings. The webinar can be accessed via this link: https://www.pulsesecure.net/news-events/customer-webinars/NAC4
For years, security professionals have debated whether the bigger risk for cyberattacks comes from inside or outside the enterprise. Today, this argument is moot: With today’s mobile workforce using a mix of BYODs and corporate assets, the threat is all around us because the network demarcation line has blurred.
Pulse Policy Secure provides the tools for overcoming these security risks by moving beyond traditional defenses and providing comprehensive visibility for faster detection of malicious activity.
What is Visibility?
Visibility is the foundation on which network-security policies are laid. Visibility enables you to:
- See who’s on your network, the roles they play, and the association that ties them to those roles.
- Obtain views into traffic flows and user behaviors.
- Align with regulatory compliance audits and demonstrate that the controls in place are working.
Without visibility, there is no way for you to understand who is in your environment, what is in your environment, and the resources they are trying to access. This makes it impossible to develop the appropriate secure-access mechanisms and access-control policies.
Moving Beyond Traditional Defenses
Pulse Policy Secure affords comprehensive visibility by empowering you to see who and what are on your network, including:
- Remote and local users
- Wired and wireless devices
- Personal (BYOD) and corporate devices
This enhanced visibility empowers you to render prudent access-control decisions to ensure that user, endpoint, and device behavior comply with your organization’s roles, policies, and access restrictions.
The primary benefit of visibility is the ability to provide better context. Contextual awareness enhances an organization’s ability to identify the level of threat and effectively pinpoint the source of threats.
For organizations with compliance requirements, contextual awareness allows you to ascertain whether devices seeking network access are:
- Personal or corporate devices.
- Allowed within a particular segment of the network.
- Configured properly, current with the latest software and OS patches/service packs, and up to date with their installed security software.
For organizations that have sensitive areas accessible to authorized users only, contextual awareness allows you to discern location, such as whether users are:
- Local or remote.
- Located in an area that is off limits to them.
Contextual awareness can also be used to assess suspicious behavior on the network, such as:
- Why a device is suddenly sending a large number of packets.
- Why a device is accessing applications that it had not accessed previously.
- Why an unauthorized user is trying to access sensitive resources available to authorized users only.
- Whether an endpoint device is accessing the network regularly in a non-compliant state.
Pulse Policy Secure provides visibility into the contextual information described above in two ways: Local visibility, by offering on-device dashboard and basic reporting; and Global visibility, by providing centralized enterprise-level visibility for compliance, security alerts, and appliance health, with the ability to drill down for granular visibility into appliances, endpoints, and end-users.
Real-Life Use Cases
Here are some examples that describe the role that visibility plays in various scenarios.
Basic Access Control Enforcement
In this scenario, a user connects to the network, possibly from an unpatched device.
For example, Jane has returned from vacation and connects his notebook to the network after using it at a resort. Pulse Policy Secure is able to identify that the device is noncompliant and directs the network switch to place the device into a “quarantine” VLAN. Walter can then remediate the compliance state of his endpoint device. With full network access, Pulse Policy Secure can instruct the switch to place the user device into a production VLAN with the appropriate properties (filters, QoS, etc.).
Pulse Policy Secure can also provision role-based access to the firewall, so Jane can access appropriate resources while being blocked from accessing resources that are not authorized by his role, the state of his endpoint device, etc.
This visibility identifies:
- Who is connecting to the network.
- What type of device is connecting.
- The compliance state of the endpoint.
- Where the device is connecting into the network.
All of this information is associated with the active user session. As a result, you can:
- Identify users who are trying to access unauthorized resources.
- See whether an end device is accessing the network regularly in a noncompliant state.
Gain visibility into the identity associated with traffic pathing through the network.
- Normally, using a firewall to see access to protected resources will show only a source IP address and the destination of the resource. Because Pulse Policy Secure associates an identity to an IP address, the firewall can provide information about the user accessing the resource instead of just the source IP address. This data can be fed into a security information management (SIM) system to provide detailed information about the behavior of a particular user or demonstrate in a compliance audit that only authorized users are accessing a particular resource.
Unmanaged Device Access Control
In this scenario, an unmanaged device wants to enter the network. An unmanaged device is a device that does not have an owner, such as a printer, fax machine, VoIP phone, or IP-based camera. This scenario requires a database of all endpoints on the network. This can be generated manually by an administrator or automatically using a profiling solution.
- When the unmanaged device connects to the network, the switch queries Pulse Policy Secure based on the device’s media access control (MAC) address since there is no user identity.
- Pulse Policy Secure looks up the MAC address in the backend database and identifies the appropriate role.
Although every networked device has a unique MAC address assigned at the factory, the MAC address can be changed (or “spoofed”) to fool the network into thinking that a nefarious device is benign. A device that claims to be a printer, for example, might perform activities that a printer would not do, such as sending traffic to profile a network or trying to access resources it is not permitted to access.
Pulse Policy Secure can identify inappropriate device behavior and take appropriate action. In this way, visibility identifies the devices on the network, the types of devices they are, and the types of access they ought to have — all of which allow the appropriate access-control policies and then provide information about MAC spoofing or any type of unexpected behavior.
It also enables organizations to corral their devices for closer scrutiny. For example, a legitimate printer might go to the Internet for firmware upgrades automatically, but the organization prefers to block the printer from the outside world and upgrade the printer firmware themselves.
Enterprise-Wide Access Control
In this scenario, remote users log in to Connect Secure using an unpatched device. The device is quarantined for automatic patch remediation. After the remediation succeeds, the device is granted full network access via a Pulse VPN tunnel.
At this point, the user would normally need to re-authenticate through Pulse Policy Secure because she has authenticated to the VPN only and not to the NAC. To obviate this repetition, Pulse Policy Secure uses session federation to authenticate the user to the NAC.
Normally, it can be difficult to ascertain the data being transferred through an encrypted VPN tunnel. Having an identity associated with the user session, the IP address, and the tunnel means you can correlate a user’s remote access with a user’s local access to see all of the user’s behavior on the network.
Coordinated Threat Control
This scenario is similar to unmanaged device access control, but extends behavior monitoring to normal users, piloted endpoints, and unmanaged endpoints. In this scenario, an authorized and compliant endpoint tries to access protected resources. A network sensor detects the unauthorized behavior and signals the change in behavior to Pulse Policy Secure. Pulse Policy Secure correlates the anomalous behavior and network threat to the specific device, and then updates the user role information on enforcement points, which take the necessary actions against the offending device.
In this scenario, Pulse Policy Secure’s visibility allows you to see remote-access Trojans and behavior that might not be authorized, but is originating from an expected endpoint and authorized user that indicates some kind of threat beyond a virus or a user who is trying to access resources that they should be accessing
Pulse Policy Secure provides a great answer to the real-world scenario that threats are no longer hard coded as internal or external. With today’s rapidly expanding mobile workforce, enterprise network managers need to be able to solve for the threat that surrounds us, given the lines of demarcation between internal and external threats are so blurred. Pulse Policy Secure offers the right tools to address this evolving security risk for faster detection and remediation of malicious activity.
For More Information About This Topic
Please click here: https://www.pulsesecure.net/news-events/customer-webinars/NAC4