How to Overcome Network Access Control Limitations for Better Network Security
Uploaded by: cryptzone. Category: Technology.
Transcript of How to Overcome Network Access Control Limitations for Better Network Security
![Page 1: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/1.jpg)
How to Overcome NAC Limitations
Why a Software-Defined Perimeter delivers better network security for today’s enterprises
![Page 2: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/2.jpg)
Enterprise technology has changed:
from static to dynamic;
from network-centric to identity-centric;
from hardware to software;
from isolated to interconnected.
![Page 3: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/3.jpg)
Work habits have changed: people work from home, on mobile devices, as contractors, and as third-party partners.
![Page 4: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/4.jpg)
The network perimeter has dissolved.
Enterprise resources – applications, databases, and infrastructure – are increasingly outside the perimeter. And people are constantly working outside the perimeter.
![Page 5: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/5.jpg)
Network security must change to keep up with enterprise technology and work habits.
![Page 6: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/6.jpg)
There’s a fundamental shift in network security happening right now.
![Page 7: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/7.jpg)
The philosophical difference is centered around trust:
Network Access Control (NAC) trusts users inherently.
Software-Defined Perimeter (SDP) trusts no one.
![Page 8: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/8.jpg)
Do you trust users completely? NAC solutions are designed to work inside the perimeter, a trust-based model...
![Page 9: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/9.jpg)
…a model that Forrester says is broken for these reasons (Forrester, No More Chewy Centers: The Zero Trust Model Of Information Security):
1. It's impossible to identify trusted interfaces.
2. The mantra "trust but verify" is inadequate.
3. Malicious insiders are often in positions of trust.
4. Trust doesn't apply to packets.
![Page 10: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/10.jpg)
Or are no users trusted? Abolishing the idea of a trusted network inside (or outside) the corporate perimeter, and instead opting for a Software-Defined Perimeter where…
![Page 11: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/11.jpg)
…there is zero trust.
![Page 12: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/12.jpg)
NAC was designed to work inside the perimeter.
Build a perimeter around the internal network, verify who users say they are, and once in the door users
gain full access to the network or at least a large portion of the network.
![Page 13: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/13.jpg)
In this changing world, NAC falls short for seven reasons.
![Page 14: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/14.jpg)
1. NAC doesn't extend to the cloud
So enterprises need another security solution for the cloud. And that adds another layer of network security.
![Page 15: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/15.jpg)
2. NAC relies on VLANs, which are complicated to manage
Defining VLAN segments: creating them can be easy… keeping them relevant and accurate as your environment changes is the real challenge. So most enterprises only have a limited number of VLAN segments defined.
![Page 16: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/16.jpg)
3. NAC doesn’t encrypt traffic
If social networks can encrypt traffic, why not corporate networks? (WhatsApp, Snapchat, Facebook Messenger, Telegram all do.)
![Page 17: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/17.jpg)
4. NAC isn’t fine-grained
It can’t provide fine-grained control of the network resources users can access. Instead, NAC relies on existing (and separately managed) network segments, firewalls and VLANs – requiring yet another set of policies to manage.
![Page 18: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/18.jpg)
5. NAC’s remote user support is non-existent
Remote users need yet another solution – like a VPN.
![Page 19: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/19.jpg)
6. NAC struggles to support the agile enterprise
NAC causes management issues because it’s not agile or dynamic – it’s static. It’s complex for the security team to add firewall rules for thousands of workers and their many devices.
![Page 20: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/20.jpg)
7. NAC doesn’t provide deep, multi-faceted, context-aware access control
It doesn’t check specific attributes such as location, anti-virus or device posture, or broader system attributes such as an alert status within a SIEM.
![Page 21: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/21.jpg)
A Software-Defined Perimeter eliminates these limitations.
![Page 22: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/22.jpg)
A Software-Defined Perimeter is a new network security model that dynamically creates 1:1 network connections between users and the data they access.
![Page 23: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/23.jpg)
A Software-Defined Perimeter has 7 main benefits.
![Page 24: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/24.jpg)
1. The Zero-Trust model: an “Authenticate first – Connect second” approach
Everything on the network is invisible until authorization is granted, and access is then only allowed to a specific application.
![Page 25: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/25.jpg)
2. Identity-centric (not IP-based) access control
Know exactly who accessed what, for how long, and the context of the device when they connected, for policy compliance.
![Page 26: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/26.jpg)
3. Encrypted Segment of One
Individualized perimeters for each user and each user session – a Segment of One. All the other services that exist on the network are invisible to the user. Once a user obtains their entitlements, all network traffic to the protected network is encrypted.
![Page 27: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/27.jpg)
4. Dynamic policy management
As new server instances are created, users are granted or denied access appropriately and automatically. As context changes (time, location, device hygiene, etc.), dynamic access policies provide continuous and immediate security.
![Page 28: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/28.jpg)
5. Simplicity
Much simpler – and dramatically fewer – firewall and security group rules to maintain.
![Page 29: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/29.jpg)
6. Compliance
Consider the people and time spent collecting, consolidating, and making sense of access logs. Organizations have reduced this by up to 90% when using a Software-Defined Perimeter.
A Software-Defined Perimeter offers:
• Auditable, uniform policy enforcement across hybrid systems.
• Dramatically reduced audit-preparation time: no need to correlate IP addresses to users.
![Page 30: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/30.jpg)
7. Consistency
Consistent access policies across on-premises, cloud and hybrid environments.
![Page 31: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/31.jpg)
Let’s put NAC vs. SDP to the test…
Consider port scanning.
![Page 32: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/32.jpg)
A tester uses credentials to connect to the network, then does a simple port scan to see how many services it finds:
• On the internal network?
• On Wi-Fi?
• On other organizations’ services? (If using a hosting provider.)
![Page 33: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/33.jpg)
Port-scan test with NAC
The tester would see every single network port and service available for every server that’s in that VLAN. That could be thousands and thousands of resources.
![Page 34: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/34.jpg)
Port-scan test with a Software-Defined Perimeter
The tester would authenticate first, connect second. The only ports the tester would see are the ones he has explicit rights to through his digital identity. Everything else would be completely invisible.
![Page 35: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/35.jpg)
Here’s why (we’ll need to get techie for a bit).
![Page 36: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/36.jpg)
SDP Architecture
Components: Protected Applications; SDP Controller; SDP Gateway (Accepting Host); SDP Client (Initiating Host); PKI; Identity Management; Policy Model.
• The SDP Controller is the authentication point, containing user access policies.
• Clients are securely onboarded.
• All connections are based on mutual TLS connectivity.
• Traffic is securely tunneled from Client through Gateway.
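To make the port-scan test and the context-aware, “authenticate first – connect second” policy above concrete, here is an added model that is not Cryptzone’s or AppGate’s code. The services, users, groups and policy rules in it are constructed for illustration; it shows how the same identity sees the whole VLAN under the NAC model but only its entitled services under the SDP model, and how those entitlements change as device hygiene, location or a SIEM alert changes.

```python
"""Model of the NAC-vs-SDP port-scan test and of SDP's context-aware,
"authenticate first, connect second" policy. Users, services and rules are constructed."""
from dataclasses import dataclass
# Constructed inventory: every service reachable once on the "corporate" VLAN.
VLAN_SERVICES = {
    "hr-db:5432", "erp-app:443", "file-share:445",
    "jenkins:8080", "printer-07:9100", "backup-srv:22",
}

@dataclass
class Context:
    """Attributes an SDP controller checks that a VLAN-based NAC does not."""
    user: str
    groups: set
    location: str             # e.g. "office" or "home"
    av_up_to_date: bool       # device hygiene / posture
    siem_alert: bool = False  # broader system attribute: alert status in a SIEM
    hour: int = 12            # time of day, 0-23

# Constructed entitlement policy: group -> {service: predicate over the context}.
POLICY = {
    "finance": {"erp-app:443": lambda c: c.location == "office" or c.av_up_to_date},
    "hr":      {"hr-db:5432": lambda c: c.location == "office" and 8 <= c.hour < 18},
    "devops":  {"jenkins:8080": lambda c: c.av_up_to_date},
}

def nac_port_scan(authenticated: bool) -> set:
    """NAC model: once past the door, every service in the VLAN is visible."""
    return set(VLAN_SERVICES) if authenticated else set()

def sdp_port_scan(ctx) -> set:
    """SDP model: with no authorized identity nothing answers, and an
    entitled user sees only the services granted for the current context."""
    if ctx is None or ctx.siem_alert:   # unauthenticated or flagged: nothing visible
        return set()
    visible = set()
    for group in ctx.groups:
        for service, allowed in POLICY.get(group, {}).items():
            if allowed(ctx):            # each entitlement re-checked against context
                visible.add(service)
    return visible

def reevaluate(ctx: Context, **changes) -> set:
    """Dynamic policy: apply a context change (location, device hygiene,
    SIEM alert, time) and recompute what the same identity can reach."""
    for attr, value in changes.items():
        setattr(ctx, attr, value)
    return sdp_port_scan(ctx)

if __name__ == "__main__":
    alice = Context("alice", {"finance", "devops"}, "office", av_up_to_date=True)
    print("NAC, authenticated:", sorted(nac_port_scan(True)))
    print("SDP, alice        :", sorted(sdp_port_scan(alice)))
    print("SDP, after alert  :", sorted(reevaluate(alice, siem_alert=True)))
```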
![Page 40: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/40.jpg)
An SDP stops people like this from abusing your network:
Negligent Insiders
Malicious Insiders
Compromised Insiders
Cyber Criminals
Advanced Persistent Threat (APT) Agents
State Sponsored Actors
Compromised Third Party Users
Over-privileged / Super-privileged Users
![Page 41: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/41.jpg)
Helping to prevent these types of attacks:
Server Exploitation
Credential Theft
Connection Hijacking
Compromised Devices
Phishing
DDoS
Insider Threats
Malware
Man in the Middle
![Page 42: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/42.jpg)
Software-Defined Perimeter sounds great… but what if a NAC is already in place?
![Page 43: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/43.jpg)
NAC and SDP CAN coexist
Enterprises with existing NACs:
• Can deploy SDP without replacing NAC.
• Get the benefit of an SDP solution without a rip-and-replace program.
Enterprises without NACs:
• Should consider SDP as a simpler alternative.
• There’s no compelling reason to deploy a new NAC solution, because SDP offers better security, removes complexity, enforces uniform compliance, and lowers cost of ownership.
![Page 44: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/44.jpg)
A Software-Defined Perimeter delivers uncompromised network security and compliance across hybrid environments.
![Page 45: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/45.jpg)
Industry experts agree
“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”
“Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter technology… by 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters, up from less than 1% in 2016.”
“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems.”
![Page 46: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/46.jpg)
Cryptzone delivers the market-leading Software-Defined Perimeter: AppGate
![Page 47: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/47.jpg)
Learn more about AppGate
WEBINAR: Network Access Control vs. Software-Defined Perimeter – or both?
WHITEPAPER: Forrester Report, No More Chewy Centers: The Zero Trust Model of Information Security
VIDEO: AppGate – Network Security is Changing. See How AppGate Works.
![Page 48: How to Overcome Network Access Control Limitations for Better Network Security](https://reader033.fdocuments.net/reader033/viewer/2022050803/58ed31e61a28ab7a1d8b45d3/html5/thumbnails/48.jpg)
Want to know more? GET IN TOUCH
FREE TRIAL | START NOW: Get access to a 15-day free trial on AWS Marketplace.
Email: [email protected]
Twitter: @Cryptzone
LinkedIn: linkedin.com/company/cryptzone
www.cryptzone.com