In my last blog, I described what main features to look for in a NAC solution. In this blog, I’ll discuss NAC’s graduation from a simple 802.1X solution, and what access controls mean today with the advent of the Internet of Things (IoT).
I think we all understand that IoT devices are here, and here to stay. More and more things are becoming network-addressable, and there are lots of predictions out there that describe what the future will be for IoT, which is clearly only trending upward. The issue with securing IoT devices is that they are “headless.” By that I mean there is no user interface, and there typically isn’t a way to load any software packages or certificates on them. This defies the very basis on which NAC is commonly thought to be built on: 802.1X pre-authentication.
802.1X is an effective but dated protocol. While easy to set up on wireless networks, on wired networks, it can be cumbersome to implement and maintain, and many organizations give up on it months after starting to deploy. 802.1X’s solution to the problem of headless devices that cannot install a supplicant, such as printers, has been to allow them to bypass authentication based on their MAC address. This is called MAC Authentication Bypass (MAB), and is similar to the even older concept of port security, except that it is managed at the RADIUS level rather than on the switch port itself, allowing the device to move around the network without needing port reconfiguration each time. Traditionally, this has been an effective solution, as the vast majority of endpoints were user-operated, and there were very few headless systems to manage. But now, with the increasing number of headless devices, it cannot be considered a complete solution.
If you use 802.1X on your wired networks now, there is no reason to move away from it. It does its job well on traditional devices. But we need to cover the gaps left by MAB. What appears to be a printer could actually be a Windows laptop with a spoofed MAC address. Anyone can do this natively in Windows, and it does not require any special skills. We need tools with advanced profiling capabilities, so we can use MAB with confidence knowing that when that printer bypasses authentication, it is in fact a printer. And once we have these tools, what we end up with is less a NAC solution and more a dynamic segmentation solution that can make complex decisions on hundreds of different variables, most of which would never be visible to an 802.1X-only solution.
If you don’t use 802.1X on your wired network now, consider another approach. In my next blog, I’ll write about post-connect—a modern, dynamic segmentation methodology that validates devices after they connect.
