Network Visibility: How Can You Protect What You Don’t Know Exists?
This is the third post in the series about Network Access Control (NAC) is and why it is a central element to keeping enterprise environments protected.
Network visibility or endpoint visibility, is the essence of cybersecurity. How can you protect something that you don’t know exists? How can you identify the weakest links in your network when you don’t know what they are?
I’m borrowing a cliché from San Tzu’s the Art of War to emphasize the importance of network visibility: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Clearly San Tzu believed in “knowing” yourself.
Regardless of whether you relate to war anecdotes old and new, knowledge, as always, is key.
In a recent lecture, Rob Joyce, NSA TAO Chief (NSA attack team), explained the first step to prevent the NSA from infiltrating your network: “…if you really want to protect your network, you really have to know your network[1]”.Knowing your network means you need to know the following information, at least:
- Which endpoints are connected or exist in your network (including those you don’t manage – BYOD, A/C controllers, etc.)
- The connected endpoint operating system and version.
- Where each endpoint is connected (physical port / access point / VPN) and in which segment (VLAN / SSID).
Download: The 802.1x Sting Whitepaper Now!
Once you have this basic information, firstly you’ll you’ll be surprised by your findings. Importantly, you’ll be able to map your weakest link and come up with a plan for mitigation.
Tip: The most common mitigation for older non-supported endpoints (such as the old non-supported Windows XP), is to upgrade the endpoints and replace them with a newer version. When this is not feasible, use segmentation, enhanced monitoring and auditing for changes.
Network visibility is even more important in the age of IoT. In order to be in control of your enterprise network, you need to know who connected, what is connected and where. Then you can come up with a plan – a new SSID for all mobile phones for example, or another SSID for printers that support only a WPA shared key.
Tip: Segmentation of wireless devices is usually conducted on two levels. The first level is spanning a new SSID with its own authentication and encryption level based on the type of devices that it will connect to. The second level is the wired network level, limiting the access of the SSID to only certain network segments / servers.
And another Tip (because sharing is caring ;): Some wireless access points allow you to span a number of VLANs on the same SSID. This is not a standard feature and varies between vendors.
SAN adopted the CIS 20 Critical Security Controls as best practice for the industry in order to build an effective security plan.
The following two controls combined enable network visibility:
Critical Security Control #1: Inventory of authorized and unauthorized devices
Critical Security Control #2: Inventory of authorized and unauthorized software
There is a good reason why they are the first and should form the basis for every security plan.
Download: The 802.1x Sting Whitepaper Now!
You can easily find products that cover either network endpoint or endpoint discovery, but there are also products e such as Portnox NAC which can do both for you. Portnox NAC also provides real time (event based) security posture assessment rather than time based scanners. Scanners will leave you with black spots in your visibility and real time products will give you 100% visibility of all that really exist in your network.
Related Reading
Try Portnox Cloud for Free Today
Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!