how to overcome network access control limitations for better network security
TRANSCRIPT
How to Overcome NAC Limitations Why a Software-Defined Perimeter delivers better network security for today’s enterprises
Enterprise technology has changed.
Static to dynamic. Network-centric to identity-centric. Hardware to software. Isolated to interconnected.
Work habits have changed.
Home, mobile, contractors, third-party partners.
The network perimeter has dissolved.
Enterprise resources – applications, databases, and infrastructure – are increasingly outside the perimeter.
And people are constantly working outside the perimeter.
Network security must change to keep up with enterprise technology and work habits.
There's a fundamental shift in network security happening right now.
The philosophical difference is centered around trust:
Network Access Control (NAC) trusts users inherently.
Software-Defined Perimeter (SDP) trusts no one.
Do you trust users completely?
"NAC solutions are designed to work inside the perimeter, a trust-based model..."
...a model that Forrester says is broken for these reasons:
1 It's impossible to identify trusted interfaces
2 The mantra "trust but verify" is inadequate
3 Malicious insiders are often in positions of trust
4 Trust doesn't apply to packets
Forrester, No More Chewy Centers: The Zero Trust Model Of Information Security
Or are no users trusted?
Abolishing the idea of a trusted network inside (or outside) the corporate perimeter, and instead opting for a Software-Defined Perimeter where... there is zero trust.
NAC was designed to work inside the perimeter.
Build a perimeter around the internal network, verify who users say they are, and once in the door users gain full access to the network, or at least a large portion of it.
In this changing world, NAC falls short for SEVEN reasons.
1 NAC doesn't extend to the cloud
So enterprises need another security solution for the cloud, and that adds another layer of network security to manage.
2 NAC relies on VLANs, which are complicated to manage
Defining VLAN segments: creating them can be easy, but keeping them relevant and accurate as your environment changes is the real challenge.
So most enterprises only have a limited number of VLAN segments defined.
3 NAC doesn't encrypt traffic
NAC decides whether a device is admitted to the network; it does nothing to protect the traffic that follows. If consumer messaging apps (WhatsApp, Snapchat, Facebook Messenger, Telegram) can encrypt traffic, why not corporate networks?
4 NAC isn't fine-grained
It can't provide fine-grained control of the network resources users can access. Instead, NAC relies on existing (and separately managed) network segments, firewalls and VLANs, requiring yet another set of policies to manage.
5 NAC's remote user support is non-existent
Remote users need yet another solution, like a VPN.
6 NAC struggles to support the agile enterprise
NAC causes management issues because it's not agile or dynamic, it's static. It's complex for the security team to add firewall rules for thousands of workers and their many devices.
7 NAC doesn't provide deep, multi-faceted, context-aware access control
It doesn't check specific attributes such as location, anti-virus or device posture, or broader system attributes such as an alert status within a SIEM.
A Software-Defined Perimeter eliminates these limitations.
A Software-Defined Perimeter is a new network security model that dynamically creates 1:1 network connections between users and the data they access.
A Software-Defined Perimeter has 7 MAIN BENEFITS
1 The Zero-Trust model: an "Authenticate first - Connect second" approach
Everything on the network is invisible until authorization is granted, and access is then only allowed to a specific application.
2 Identity-centric (not IP-based) access control
Know exactly who accessed what, for how long, and the context of the device when they connected, for policy compliance.
3 Encrypted Segment of One
Individualized perimeters for each user and each user session – a Segment of One. All the other services that exist on the network are invisible to the user. Once a user obtains their entitlements, all network traffic to the protected network is encrypted.
4 Dynamic policy management
As new server instances are created, users are granted or denied access appropriately and automatically. As context changes (time, location, device hygiene, etc.), dynamic access policies provide continuous and immediate security.
5 Simplicity
Much simpler – and dramatically fewer – firewall and security group rules to maintain.
6 Compliance
Consider the people and time spent collecting, consolidating, and making sense of access logs. Organizations have reduced this by up to 90% when using a Software-Defined Perimeter.
A Software-Defined Perimeter offers:
• Auditable, uniform policy enforcement across hybrid systems.
• Dramatically reduced audit-preparation time: no need to correlate IP addresses to users.
7 Consistency
Consistent access policies across on-premises, cloud and hybrid environments.
Let's put NAC vs. SDP to the test...
Consider port scanning.
A tester uses credentials to connect to the network, then does a simple port scan to see how many services it finds:
• On the internal network?
• On Wi-Fi?
• On other organizations' services? (If using a hosting provider.)
Port-scan test with NAC
The tester would see every single network port and service available for every server in that VLAN. That could be thousands and thousands of resources.
Port-scan test with a Software-Defined Perimeter
The tester would authenticate first, connect second.
The only ports the tester would see are the ones he has explicit rights to through his digital identity.
Everything else would be completely invisible.
Here's why (we'll need to get techie for a bit).
SDP Architecture
Components: Protected Applications, SDP Controller, SDP Gateway (Accepting Host), SDP Client (Initiating Host), PKI, Identity Management, Policy Model.
The SDP Controller is the authentication point, containing user access policies.
Clients are securely onboarded.
All connections are based on mutual TLS connectivity.
Traffic is securely tunneled from Client through Gateway.
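To make the architecture concrete, here is a small model of the control plane just described: a controller that evaluates identity and context against a policy model and hands entitlements to a gateway, and a default-drop gateway that only answers flows the controller has authorized. It also runs the port-scan test from the previous slides (flat VLAN after NAC admission vs. SDP entitlements) and the dynamic-policy case where a SIEM alert revokes access mid-session. This is an added illustration written for this page, not AppGate code; the service inventory, the policy rule format, the hostnames, the "SE" home-country check and the use of an onboarded-certificate set as a stand-in for mutual TLS are all assumptions.

```python
"""Toy model of the SDP controller / gateway split (added example, not AppGate code).
Service names, addresses and the policy rule format are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str


# Constructed inventory of every listener on the flat internal VLAN.
SERVICES = [
    Service("10.0.1.10", 443, "hr-portal"),
    Service("10.0.1.20", 5432, "payroll-db"),
    Service("10.0.2.30", 22, "build-server"),
    Service("10.0.2.40", 3389, "win-jumpbox"),
]


@dataclass
class Context:
    """Identity plus the device/system context the controller evaluates."""
    user: str
    groups: frozenset
    device_av_ok: bool   # device posture: anti-virus present and current
    country: str         # location
    hour: int            # local hour of day, 0-23
    siem_alert: bool = False  # broader system attribute: alert raised in the SIEM


# Policy model (assumed format): who may reach which service, under which conditions.
POLICY = [
    {"service": "hr-portal", "group": "staff", "needs": ["av"]},
    {"service": "payroll-db", "group": "finance", "needs": ["av", "office-hours", "home-country"]},
    {"service": "build-server", "group": "engineering", "needs": ["av"]},
    {"service": "win-jumpbox", "group": "it-admins", "needs": ["av", "office-hours"]},
]


def _conditions_met(ctx: Context, needs) -> bool:
    checks = {
        "av": ctx.device_av_ok,
        "office-hours": 8 <= ctx.hour < 18,
        "home-country": ctx.country == "SE",   # assumed home country
    }
    return all(checks[n] for n in needs)


class Controller:
    """Authentication point: holds the policies and turns identity + context into entitlements."""

    def __init__(self, onboarded_clients):
        # Certificates issued at onboarding; presenting one stands in for the mutual TLS handshake.
        self.onboarded = set(onboarded_clients)

    def entitlements(self, client_cert: str, ctx: Context) -> frozenset:
        if client_cert not in self.onboarded or ctx.siem_alert:
            return frozenset()          # unknown device or active alert: no entitlements at all
        granted = set()
        for rule in POLICY:
            if rule["group"] in ctx.groups and _conditions_met(ctx, rule["needs"]):
                svc = next(s for s in SERVICES if s.name == rule["service"])
                granted.add((svc.host, svc.port))
        return frozenset(granted)


class Gateway:
    """Accepting host: forwards only flows covered by a current entitlement, drops everything else."""

    def __init__(self):
        self.sessions = {}

    def install(self, client_cert: str, entitlements: frozenset) -> None:
        self.sessions[client_cert] = entitlements   # replaces the previous set: revocation is immediate

    def accept(self, client_cert: str, host: str, port: int) -> bool:
        # Default drop: a non-entitled probe gets neither SYN-ACK nor RST, so the port looks like nothing is there.
        return (host, port) in self.sessions.get(client_cert, frozenset())


def port_scan_nac(services):
    """After NAC admission the client sits on the VLAN, so every listener answers the scan."""
    return sorted((s.host, s.port) for s in services)


def port_scan_sdp(gateway: Gateway, client_cert: str, services):
    """Behind the gateway only entitled (host, port) pairs respond."""
    return sorted((s.host, s.port) for s in services if gateway.accept(client_cert, s.host, s.port))


def demo():
    """Runs the port-scan test, then revokes access when the SIEM raises an alert."""
    ctrl = Controller(onboarded_clients={"cert:alice-laptop"})
    gw = Gateway()
    alice = Context("alice", frozenset({"staff", "finance"}), device_av_ok=True, country="SE", hour=10)
    gw.install("cert:alice-laptop", ctrl.entitlements("cert:alice-laptop", alice))
    before = port_scan_sdp(gw, "cert:alice-laptop", SERVICES)
    alice.siem_alert = True                          # context changes mid-session
    gw.install("cert:alice-laptop", ctrl.entitlements("cert:alice-laptop", alice))
    after = port_scan_sdp(gw, "cert:alice-laptop", SERVICES)
    return port_scan_nac(SERVICES), before, after


if __name__ == "__main__":
    nac, sdp_before, sdp_after = demo()
    print("NAC scan sees:", nac)
    print("SDP scan sees:", sdp_before)
    print("SDP scan after SIEM alert:", sdp_after)
```

The two things worth noticing are in `Gateway.accept` and `Gateway.install`: the gateway never consults the policy itself, it only enforces the entitlement set the controller handed it, and replacing that set is how a context change (here a SIEM alert, but equally a failed posture check or a move outside office hours) takes effect without touching any firewall or VLAN configuration.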
An SDP stops people like this from abusing your network:
Negligent insiders, malicious insiders, compromised insiders, cyber criminals, Advanced Persistent Threat (APT) agents, state-sponsored actors, compromised third-party users, over-privileged / super-privileged users.
Helping to prevent these types of attacks:
Server exploitation, credential theft, connection hijacking, compromised devices, phishing, DDoS, insider threats, malware, man-in-the-middle.
Software-Defined Perimeter sounds great... but what if a NAC is already in place?
NAC and SDP CAN coexist.
Enterprises with existing NACs:
• Can deploy SDP without replacing NAC.
• Get the benefit of an SDP solution without a rip-and-replace program.
Enterprises without NACs:
• Should consider SDP as a simpler alternative.
• There's no compelling reason to deploy a new NAC solution, because SDP offers better security, removes complexity, enforces uniform compliance, and lowers cost of ownership.
A Software-Defined Perimeter delivers uncompromised network security and compliance across hybrid environments.
Industry experts agree
"Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem."
"Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter technology... by 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters, up from less than 1% in 2016."
"SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems."
Cryptzone delivers the market-leading Software-Defined Perimeter: AppGate
Learn more about AppGate
WEBINAR: Network Access Control vs. Software-Defined Perimeter – or both?
WHITEPAPER: Forrester Report, No More Chewy Centers: The Zero Trust Model of Information Security
VIDEO: AppGate – Network Security is Changing
See How AppGate Works
FREE TRIAL | START NOW
Email: [email protected]
Twitter: @Cryptzone
LinkedIn: linkedin.com/company/cryptzone
GET IN TOUCH
Get access to a 15-day free trial on AWS marketplace.
Want to know more?
www.cryptzone.com