Post-Connect Access Controls
In my last blog, I discussed how the concepts of 802.1X and access controls are not necessarily married together. Today, we’ll talk about an increasingly more common alternative: post-connect controls.
“Post-connect” is described as treating endpoints as innocent until they are proven guilty. They can connect to the network, during and after which they are assessed for acceptance criteria. These criteria can be just about anything, but usually always involves a check to ensure the endpoint is a company asset, as well as some assurance of security compliance. Though the list is exhaustive, common compliance examples include running an up-to-date antivirus, patch levels, disk encryption status, and functioning software/agents from other security tools.
Acceptance Criteria – Corporate Asset:
This stage of acceptance is the most critical when your goal is to prevent rogue systems from connecting to your networks, and is impossible without having full visibility of endpoints on your network. Specifically, you need to know what devices are connected and whether they belong to you or not. If they do, they pass these criteria and may move on to the next one. Devices that don’t pass are a potential threat to the assets you are trying to protect, and should have their access restricted. Commonly, the approach is to completely deny access to the network for these devices. I like to refer to this as a “block.”
Acceptance Criteria – Compliance:
This stage of acceptance assumes that the endpoint is a corporate asset. When a device is determined to be non-compliant, your security tools may have the ability to resolve the problem using the device’s existing access without user intervention. If auto-remediation isn’t possible, we may not want to block the device as we do with non-corporate systems, but instead treat it like it has the black plague, and put it into what I like to call “quarantine,” to prevent it from affecting other endpoints on your network. Ideally, this quarantine provides access to whatever services they need to fix their specific compliance issue, but nothing else.
The greatest benefit to the post-connect approach is a positive user experience. Unless a system is out of compliance and ends up in a quarantine, your company’s users have no idea access controls are even taking place on the network. And even in the case of quarantine, because the systems are corporate-owned and manageable, you likely can directly message users, describing what is happening and what steps they may need to take. This is a very soft way to deploy access control, but does have the side effect of allowing potential threats on your network for a limited amount of time. However, with the right tools, some good planning and good design, you should easily be able to get this time frame under two minutes; even well under in the right circumstances.
If a post-connect approach allows too much risk for your organization, stay tuned for my next blog. I’ll talk about non-802.1X pre-connect methods that trade user experience for greater security.
Are you looking for an agentless visibility and control solution? Maybe you already use Forescout CounterACT®? Either way, check out the best practices guide for post-connect for a closer look at the technical details.