How to Overcome Network Access Control Limitations for Better Network Security

Post on 12-Apr-2017


TRANSCRIPT

How to Overcome NAC Limitations

Why a Software-Defined Perimeter delivers better network security for today’s enterprises

Enterprise technology has changed.

From static to dynamic
From network centric to identity centric
From hardware to software
From isolated to interconnected

Work habits have changed.

Home, mobile, contractors, third-party partners.

The network perimeter has dissolved.

Enterprise resources – applications, databases, and infrastructure – are increasingly outside the perimeter. And people are constantly working outside the perimeter.

Network security must change to keep up with enterprise technology and work habits.

There’s a fundamental shift in network security happening right now.

The philosophical difference is centered around trust:

Network Access Control (NAC) trusts users inherently.

Software-Defined Perimeter (SDP) trusts no one.

Do you trust users completely?

NAC solutions are designed to work inside the perimeter, a trust-based model...
(Forrester, No More Chewy Centers: The Zero Trust Model Of Information Security)

…a model that Forrester says is broken for these reasons:

1. It's impossible to identify trusted interfaces.
2. The mantra "trust but verify" is inadequate.
3. Malicious insiders are often in positions of trust.
4. Trust doesn't apply to packets.

Or are no users trusted?

Abolishing the idea of a trusted network inside (or outside) the corporate perimeter. Instead opting for a Software-Defined Perimeter where… there is zero trust.

NAC was designed to work inside the perimeter. Build a perimeter around the internal network, verify who users say they are, and once in the door users gain full access to the network or at least a large portion of the network.

In this changing world, NAC falls short for seven reasons:

1. NAC doesn't extend to cloud

So enterprises need another security solution for the cloud. And that adds another layer of network security.

2. NAC relies on VLANs, which are complicated to manage

Defining VLAN segments – creating them can be easy… keeping them relevant and accurate as your environment changes is the real challenge. So most enterprises only have a limited number of VLAN segments defined.

4. NAC isn’t fine-grained

It can’t provide fine-grained control of the network resources users can access. Instead, NAC relies on existing (and separately managed) network segments, firewalls and VLANs – requiring yet another set of policies to manage.

5. NAC’s remote user support is non-existent

Remote users need yet another solution – like a VPN.

6. NAC struggles to support the agile enterprise

NAC causes management issues because it’s not agile or dynamic – it’s static. It’s complex for the security team to add firewall rules for thousands of workers and their many devices.

7. NAC doesn’t provide deep, multi-faceted, context-aware access control

It doesn’t check specific attributes such as location, anti-virus or device posture, or broader system attributes such as an alert status within a SIEM.

A Software-Defined Perimeter eliminates these limitations

A Software-Defined Perimeter is a new network security model that dynamically creates 1:1 network connections between users and the data they access.

A Software-Defined Perimeter has 7 main benefits

The Zero-Trust model

1. An “Authenticate first - Connect second” approach

Everything on the network is invisible, until authorization is granted and access is then only allowed to a specific application.

for policy compliance.

2. Identity-centric (not IP-based) access control

Know exactly who accessed what, for how long, and the context of the device when they connected.

3. Encrypted Segment of One

Individualized perimeters for each user and each user-session – a Segment of One. All the other services that exist on the network are invisible to the user. Once a user obtains their entitlements, all network traffic to the protected network is encrypted.

4. Dynamic policy management

As new server instances are created, users are granted or denied access appropriately and automatically. As context changes (time, location, device hygiene, etc.) dynamic access policies provide continuous and immediate security.

5. Simplicity

Much simpler – and dramatically fewer – firewall and security group rules to maintain.

Consider the people and time spent collecting, consolidating, and making sense of access logs. Organizations have reduced this by up to 90% when using a Software-Defined Perimeter.

6. Compliance

A Software-Defined Perimeter offers:
• Auditable, uniform policy enforcement across hybrid systems.
• Dramatically reduced audit-preparation time: no need to correlate IP addresses to users.

7. Consistency

Consistent access policies across on-premises, cloud and hybrid environments.

Let’s put NAC vs. SDP to the test…

Consider port scanning.

Port-scan test with NAC

A tester uses credentials to connect to the network, then does a simple port scan to see how many services it finds:
• On the internal network?
• On Wi-Fi?
• On other organization’s services?*

*If using a hosting provider.

The tester would see every single network port and service available for every server that’s in that VLAN. That could be thousands and thousands of resources.

Port-scan test with a Software-Defined Perimeter

The tester would authenticate first, connect second. The only ports the tester would see are the ones he has explicit rights to through his digital identity. Everything else would be completely invisible.

Here’s why (we’ll need to get techie for a bit)

SDP Architecture

Components:
• Protected Applications
• SDP Controller
• SDP Gateway (Accepting Host)
• SDP Client (Initiating Host)
• PKI
• Identity Management
• Policy Model

How it fits together:
• The Controller is the authentication point, containing user access policies.
• Clients are securely onboarded.
• All connections are based on mutual TLS connectivity.
• Traffic is securely tunneled from Client through Gateway.
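The following Python model is an added illustration, not code from the deck or from Cryptzone's product. It contrasts the two port-scan tests above using the architecture just described: a controller that checks identity and device posture before issuing a signed, short-lived entitlement, and a gateway that only answers for services named in a valid entitlement. The service names, policy and HMAC key are constructed for the example; a real SDP binds clients with mutual TLS and PKI rather than a shared key.

```python
import hashlib
import hmac
import json
import time

# Constructed inventory of services behind the SDP gateway; in the NAC model all of them sit on the VLAN the tester joined.
SERVICES = {"crm": ("10.0.1.10", 443), "db": ("10.0.2.20", 5432), "hr": ("10.0.3.30", 8443)}

# Hypothetical policy model: per-identity entitlements plus a device-posture requirement.
POLICY = {
    "alice": {"services": {"crm", "db"}, "require_av": True},
    "bob": {"services": {"hr"}, "require_av": True},
}
CONTROLLER_KEY = b"constructed-demo-key-not-for-production"  # stands in for the PKI

def sign(body: str) -> str:
    return hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).hexdigest()

def controller_authorize(user: str, device: dict, now: float):
    """Authenticate first: verify identity and device context, then issue a short-lived,
    signed entitlement naming only this user's services (the Segment of One)."""
    pol = POLICY.get(user)
    if pol is None or (pol["require_av"] and not device.get("av_running", False)):
        return None  # unknown identity or failed posture check: no entitlement at all
    body = json.dumps({"user": user, "services": sorted(pol["services"]), "exp": now + 300}, sort_keys=True)
    return body, sign(body)

def gateway_visible_services(entitlement, now: float) -> set:
    """Connect second: the gateway responds only for services named in a valid, unexpired
    entitlement; everything else stays dark, so a scanner learns nothing."""
    if entitlement is None:
        return set()
    body, mac = entitlement
    if not hmac.compare_digest(mac, sign(body)):
        return set()  # forged or tampered entitlement is treated like no entitlement
    claims = json.loads(body)
    if claims["exp"] <= now:
        return set()  # expired: context must be re-evaluated by the controller
    return {s for s in claims["services"] if s in SERVICES}

def nac_port_scan() -> set:
    """NAC model: once on the VLAN, every service in it is visible to a port scan."""
    return set(SERVICES)

def sdp_port_scan(user: str, device: dict, now=None) -> set:
    """SDP model: a scan only reveals what this identity is entitled to right now."""
    now = time.time() if now is None else now
    return gateway_visible_services(controller_authorize(user, device, now), now)
```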

An SDP stops people like this from abusing your network:
• Negligent Insiders
• Malicious Insiders
• Compromised Insiders
• Cyber Criminals
• Advanced Persistent Threat (APT) Agents
• State Sponsored Actors
• Compromised Third Party Users
• Over-privileged / Super-privileged Users

Helping to prevent these types of attacks:
• Server Exploitation
• Credential Theft
• Connection Hijacking
• Compromised Devices
• Phishing
• DDoS
• Insider Threats
• Malware
• Man in the Middle

Software-Defined Perimeter sounds great… But what if a NAC is already in place?

NAC and SDP CAN Coexist

Enterprises with existing NACs
• Can deploy SDP without replacing NAC.
• Get the benefit of an SDP solution without a rip and replace program.

Enterprises without NACs
• Should consider SDP as a simpler alternative.
• There’s no compelling reason to deploy a new NAC solution because SDP offers better security, removes complexity, enforces uniform compliance and lowers cost of ownership.

A Software-Defined Perimeter delivers uncompromised network security and compliance across hybrid environments.

Industry experts agree

“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”

“Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter technology… by 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters, up from less than 1% in 2016”

“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems.”

Cryptzone delivers the market leading Software-Defined Perimeter: AppGate

FREE TRIAL | START NOW

Email: info@cryptzone.com

Twitter: @Cryptzone

LinkedIn: linkedin.com/company/cryptzone

GET IN TOUCH

Get access to a 15-day free trial on AWS marketplace.

Want to know more?

www.cryptzone.com
