Security Tip of the Month: Network Access Control – Securing Your Front Door
In the current global situation, the main focus has been on supporting remote workers connecting to corporate networks to “keep the wheels turning”. This effort has not only meant expanding the infrastructure to support a very large number of remote connections, but has also encompassed, out of necessity, either the rushed acquisition of new workstations for collaborators or reliance on personal ones.
Neither scenario is ideal from a security standpoint. For all intents and purposes those “remote offices” are an extension of your own corporate network, and the endpoints should be secured the same way they would be if they were physically connected inside your office space.
For any host connecting to our network, whether local or remote, we have two main concerns when it comes to access control:
Authentication – Guarantees the subject’s identity by comparing one or more factors against a database of valid identities. Most often this is done with a memorized secret (password or PIN); the National Institute of Standards and Technology (NIST) covers the requirements for memorized secrets and other authenticators in its Special Publication 800-63B on Digital Identity Guidelines.
As the steady stream of news about stolen credentials shows, a strong password policy is not enough to prevent unwanted access to the network. The human component in this authentication factor undermines its security through practices such as reusing passwords across multiple sites and services, or clustering the special characters at the end of the password, both of which make a potential attacker’s work easier.
A best practice to mitigate this is to require a second authentication factor such as a TOTP (Time-based One-Time Password, as defined in RFC 6238), which has been made easier to deploy by solutions such as Cisco Duo without the need for additional hardware. Note that a TOTP code protects against a stolen password but not against a real-time phishing proxy that relays the code while it is still valid; where that threat matters, phishing-resistant authenticators such as FIDO2/WebAuthn security keys close the gap.
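To make the TOTP mechanism concrete, here is an added example (not code from Cisco Duo or any product named in this article) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python, together with the verification logic a server needs: a small clock-skew window, constant-time comparison, and a record of consumed codes so a code cannot be replayed inside its window. The secret and timestamps are the RFC test vectors, so the output can be checked against the standards; the one-step window and the replay set are common deployment choices, not requirements of the RFC.

```python
"""TOTP (RFC 6238) generation and verification, built on HOTP (RFC 4226).

Added example for this article, not code from Cisco Duo or any product
named above.  The shared secret and timestamps are taken from the RFC
4226 / RFC 6238 test vectors so the outputs can be checked against the
standards.  The skew window and replay tracking are deployment choices
(assumptions), not RFC requirements.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# 20-byte ASCII secret used by the RFC 4226 and RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                used_counters: Optional[Set[int]] = None) -> bool:
    """Verify a submitted code, tolerating +/- `window` time steps of clock skew.

    `used_counters` (optional, caller-owned set) records the counter of every
    accepted code so the same code cannot be replayed while still in the window.
    The comparison is constant-time so digit-by-digit matches do not leak.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if used_counters is not None and counter in used_counters:
            continue                               # already consumed: treat as invalid
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the secret Base32-encoded, usually unpadded."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 Appendix B: SHA-1, 8 digits, T=59 -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    # A live 6-digit code for the same secret
    print(totp(RFC_TEST_SECRET, int(time.time())))
```

Two points worth noticing when reading the code: the window is what makes clock drift between phone and server tolerable, and every extra step you allow is one more code an attacker can guess at, so keep it small; and without the `used_counters` bookkeeping, a code intercepted from the user is valid for the whole window even after the user has used it.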
Additionally, a zero-trust approach should be employed to further strengthen the access controls. NIST describes a Zero Trust Architecture, with general guidelines and use cases, in its Special Publication 800-207, currently in draft.
Authorization – Determines what access the subject will have within the network. This usually relies on the subject’s identity (group membership or clearance level) and on the sensitivity of the data to be accessed. Nowadays we not only want to restrict access to authorized identities, but also need to make sure that the host itself is not compromised before allowing it onto the corporate network. This poses an additional challenge in the current remote work paradigm, as the same computer may be used for both professional and personal tasks.
The two approaches below can be used to mitigate this; both are supported by Cisco ISE (Identity Services Engine).
Posture Assessment – Checks the state of an endpoint connecting to the corporate network for compliance with corporate security policy. This can include OS updates, antivirus definitions, running processes, etc.
Depending on the result, the endpoint can be granted full access to the network, placed in quarantine to address the problems found, or rejected completely.
Threat-Centric Network Access Control (TC-NAC) – Enables the administrator to write authorization policies based on a threat assessment of the endpoint. Cisco ISE can receive Indicators of Compromise (IoC) and vulnerability data from threat and vulnerability adapters such as Cisco AMP.
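The two approaches above are easier to reason about as one decision: the posture report and any threat indicator for the endpoint are evaluated against policy, and the result is one of full access, quarantine, or rejection. The Python below is an added example of that decision logic; it is not Cisco ISE code and does not use ISE attribute names or its agent. The policy thresholds, the posture report fields, the sample reports and the severity labels are all assumptions constructed for the example. It also shows the ordering a practitioner cares about: a compromise indicator overrides a clean posture, conditions that cannot be fixed from a quarantine network reject the host, and only remediable findings lead to quarantine.

```python
"""Posture- and threat-aware network authorization decision.

Added example for this article; not Cisco ISE code and not its attribute
names.  It models the decision described above: an endpoint's posture
report, plus any indicator of compromise (IoC) reported for it by a threat
adapter, is checked against policy and mapped to FULL_ACCESS, QUARANTINE
or REJECT.  Policy values, report fields, sample data and severity labels
are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

FULL_ACCESS, QUARANTINE, REJECT = "FULL_ACCESS", "QUARANTINE", "REJECT"

# Constructed policy (assumption, not a vendor default).
POLICY = {
    "supported_os": {"Windows 10", "Windows 11", "macOS 13"},
    "max_patch_age_days": 30,
    "max_av_definition_age_days": 7,
    "forbidden_processes": {"torrent.exe", "keygen.exe"},
    # IoC severities (as labelled by the assumed adapter) that block regardless of posture.
    "block_on_threat_severity": {"high", "critical"},
}


@dataclass
class Decision:
    outcome: str
    reasons: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)   # what the quarantine network must fix


def _age_days(iso_date: str, today: date) -> int:
    return (today - date.fromisoformat(iso_date)).days


def evaluate(report: dict, today: date, threat_severity: Optional[str] = None,
             policy: dict = POLICY) -> Decision:
    """Return the authorization decision for one endpoint.

    Order matters: an IoC overrides posture (a fully patched but compromised
    host must not get in); then a missing/garbled report or an unsupported OS
    rejects the host, because nothing in quarantine can fix that; only then
    do remediable findings lead to quarantine with a remediation list.
    """
    # 1. Threat-centric input from the adapter.
    if threat_severity in policy["block_on_threat_severity"]:
        return Decision(REJECT, [f"threat adapter reported {threat_severity} severity IoC"])

    # 2. Hard failures.
    required = ("os", "last_patch_date", "av_definition_date", "running_processes")
    missing = [k for k in required if k not in report]
    if missing:
        return Decision(REJECT, ["posture report missing fields: " + ", ".join(missing)])
    if report["os"] not in policy["supported_os"]:
        return Decision(REJECT, [f"unsupported OS: {report['os']}"])

    # 3. Remediable findings.
    reasons, remediation = [], []
    patch_age = _age_days(report["last_patch_date"], today)
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"OS patches {patch_age} days old")
        remediation.append("install pending OS updates")
    av_age = _age_days(report["av_definition_date"], today)
    if av_age > policy["max_av_definition_age_days"]:
        reasons.append(f"AV definitions {av_age} days old")
        remediation.append("update antivirus definitions")
    bad = sorted({p.lower() for p in report["running_processes"]} & policy["forbidden_processes"])
    if bad:
        reasons.append("forbidden processes running: " + ", ".join(bad))
        remediation.append("terminate and remove: " + ", ".join(bad))
    if reasons:
        return Decision(QUARANTINE, reasons, remediation)
    return Decision(FULL_ACCESS)


# Constructed sample data (assumptions) for a stand-alone run.
SAMPLE_TODAY = date(2024, 6, 1)
COMPLIANT = {"os": "Windows 11", "last_patch_date": "2024-05-20",
             "av_definition_date": "2024-05-29", "running_processes": ["explorer.exe"]}
STALE = dict(COMPLIANT, last_patch_date="2024-03-01",
             running_processes=["explorer.exe", "Torrent.exe"])

if __name__ == "__main__":
    print("compliant  ", evaluate(COMPLIANT, SAMPLE_TODAY))
    print("stale      ", evaluate(STALE, SAMPLE_TODAY))
    print("compromised", evaluate(COMPLIANT, SAMPLE_TODAY, threat_severity="critical"))
    print("no report  ", evaluate({}, SAMPLE_TODAY))
```

The quarantine outcome carries a remediation list on purpose: in a real deployment that list is what the restricted network must let the endpoint reach (update servers, the AV vendor, a remediation portal) and nothing else, otherwise quarantine is just full access with a different label.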
Managing network access control through strong Authentication and Authorization policies is the first step towards securing a network. It will not only help you restrict access to sensitive resources but also provide strong auditing capabilities.
Securing a network is a journey, we may as well start with the door.