Rethink Network Access Control (NAC) in the era of IoT
Network access control (NAC) is the process of controlling users’ and devices’ access to a corporate or private network. NAC ensures that only authenticated and authorized devices can get connected and communicate with the network in a secure and compliant manner.
Today, the increasing prevalence of IoT devices poses large security risks to the corporate network. IT teams are tasked with onboarding those unmanaged devices securely, determining the level of access allowed, and monitoring devices’ behavior on the network.
Traditional NAC solutions are built on three fundamental capabilities - authentication, authorization, and accounting (AAA). Below, we discuss how each of these can evolve to meet the needs of IoT security.
Authentication is the process of identifying a user or device. An endpoint must identify itself and present credentials to gain network access; requiring users to enter a username and password is the most common form.
Typically a Remote Authentication Dial-In User Service (RADIUS) server, also called the AAA server, compares the presented credentials against a set of credentials stored in a native or external database. In most deployments the RADIUS server does not maintain its own user store but queries an external directory, most commonly Active Directory, to validate user or device credentials. If the credentials match, the user is granted network access; otherwise the request is rejected.
While password-based authentication works for most on-premises PCs and BYOD devices, it does not fit IoT devices, which are usually headless and agentless: there is no user to type a password and no client software to run a supplicant. Instead of verifying something the device knows or possesses, such as a password or certificate, an evolved NAC solution must infer what the device is from its observable behaviour, the "something you are" of the device world. This process is called device fingerprinting. Note that fingerprinting identifies rather than authenticates: the attributes it relies on, MAC addresses and DHCP options, are chosen by the client and can be spoofed, so a fingerprint-derived identity should be corroborated (for example against the switch port it appears on and its continued traffic behaviour) rather than trusted on its own.
Device fingerprinting gives network administrators visibility into what types of devices are connecting to the corporate network and lets them control access per device type. Two fingerprinting methods commonly used for IoT identification are described here. Organizationally unique identifier (OUI) matching is usually the first level of fingerprinting. The OUI is the first three octets (six hexadecimal digits, 24 bits) of a device's MAC address; it is assigned by the IEEE to a manufacturer, so it identifies who made the network interface. For example, OUI matching lets an administrator easily distinguish Samsung devices from other brands, though it says nothing about the model or function of the device, and a MAC address is trivial for an attacker to change.
DHCP fingerprinting identifies endpoint devices from their DHCP requests. Each operating system or vendor DHCP client has its own way of requesting a lease, so the goal is to capture the distinguishing elements of the DHCP exchange. For example, along with the address request, the client asks the server for a set of configuration options such as subnet mask and domain name; the list and ordering of those requested options (DHCP option 55, the parameter request list), together with the vendor class identifier (option 60) and the hostname (option 12), can be matched against a signature database to infer the vendor, device type, and OS. The match is probabilistic: several products can share a signature, and a client can send whatever options it likes.
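The following is an added example, not code from the original article or from any NAC product, showing the two fingerprinting methods above working together: OUI matching on the client MAC address and DHCP fingerprinting on options 55, 60 and 12 of a DHCPDISCOVER. The OUI table and signature database are constructed for illustration (AC:DE:48 stands in for a hypothetical camera vendor; a real deployment loads the IEEE MA-L registry and a maintained signature set), and the DHCP packets are built in the block itself as sample input. It also handles the caveat raised above: when the MAC vendor and the DHCP behaviour point at different kinds of device, the device is classified as unknown rather than given the role either clue suggests.

```python
"""Added example (not the page's own code): OUI matching plus DHCP
fingerprinting over constructed DHCPDISCOVER packets. The OUI table and
signatures are illustrative; a real NAC loads the IEEE MA-L registry and a
maintained signature database."""
import struct
from typing import Dict, Optional, Tuple

BOOTP_HEADER_LEN = 236                # fixed BOOTP header, RFC 2131
DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that precedes the options

# Constructed OUI table: prefix -> (vendor, role hint). AC:DE:48 is a hypothetical camera vendor.
OUI_TABLE: Dict[str, Tuple[str, str]] = {
    "AC:DE:48": ("ExampleCam (hypothetical)", "camera"),
    "B8:27:EB": ("Raspberry Pi Foundation", "generic-linux"),
}

# Constructed DHCP signatures: vendor class prefix (option 60) and the exact
# parameter request list (option 55, order included).
SIGNATURES = [
    {"name": "ExampleCam IP camera", "vendor_class": "ExampleCam",
     "prl": (1, 3, 6, 12, 15, 42), "role": "camera"},
    {"name": "Linux host using dhcpcd", "vendor_class": "dhcpcd",
     "prl": (1, 121, 3, 6, 12, 15, 26, 28, 42, 51, 53, 54, 119), "role": "generic-linux"},
]


def oui_lookup(mac: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (vendor, role hint) for the first three octets of a MAC address."""
    prefix = mac.upper().replace("-", ":")[:8]
    return OUI_TABLE.get(prefix, (None, None))


def build_dhcp_discover(mac: str, hostname: str, vendor_class: str, prl: Tuple[int, ...]) -> bytes:
    """Construct a minimal DHCPDISCOVER; this is the sample input for the parser below."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,   # BOOTREQUEST, Ethernet, hlen 6, broadcast flag
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([53, 1, 1])                                        # message type: DISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()          # host name
    opts += bytes([60, len(vendor_class)]) + vendor_class.encode()  # vendor class identifier
    opts += bytes([55, len(prl)]) + bytes(prl)                      # parameter request list
    return header + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area, validating lengths so a malformed packet cannot desync the parser."""
    if len(packet) < BOOTP_HEADER_LEN + 4 or packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options: Dict[int, bytes] = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value    # long options split per RFC 3396 are not reassembled here
        i += 2 + length
    return options


def client_mac(packet: bytes) -> str:
    """Read the hardware address from the chaddr field (offset 28, hlen bytes)."""
    hlen = packet[2]
    return ":".join(f"{b:02X}" for b in packet[28:28 + hlen])


def fingerprint(packet: bytes) -> dict:
    """Combine OUI and DHCP evidence; fail closed when the two disagree."""
    opts = parse_dhcp_options(packet)
    mac = client_mac(packet)
    vendor, oui_role = oui_lookup(mac)
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    prl = tuple(opts.get(55, b""))
    dhcp_match = dhcp_role = None
    for sig in SIGNATURES:
        if vendor_class.startswith(sig["vendor_class"]) and prl == sig["prl"]:
            dhcp_match, dhcp_role = sig["name"], sig["role"]
            break
    # MAC addresses are trivially cloned: a known OUI whose DHCP behaviour
    # matches a different kind of device is a conflict, not a confident identity.
    conflict = bool(oui_role and dhcp_role and oui_role != dhcp_role)
    role = "unknown" if conflict else (dhcp_role or oui_role or "unknown")
    return {"mac": mac, "oui_vendor": vendor, "hostname": opts.get(12, b"").decode("ascii", "replace"),
            "vendor_class": vendor_class, "prl": prl, "dhcp_match": dhcp_match,
            "role": role, "conflict": conflict}


if __name__ == "__main__":
    cam = build_dhcp_discover("AC:DE:48:00:11:22", "cam-lobby", "ExampleCam/2.1", (1, 3, 6, 12, 15, 42))
    print(fingerprint(cam))
    spoof = build_dhcp_discover("AC:DE:48:00:11:23", "pi", "dhcpcd-9.4.1",
                                (1, 121, 3, 6, 12, 15, 26, 28, 42, 51, 53, 54, 119))
    print(fingerprint(spoof))
```

The second packet in the usage section carries a camera vendor's OUI but the DHCP behaviour of a Linux host, the pattern of a laptop that has cloned a camera's MAC address; it comes out with `conflict` set and the role `unknown`, so the policy layer can apply its default-deny treatment instead of the camera's allowlist.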
Many enterprises already have physical DHCP servers in place, but integrating them with their cloud infrastructure, so that lease and option data are available to a cloud-hosted NAC, remains a challenge.
Once authentication is done, the NAC solution enforces a set of policies that determine which resources, activities, and services a user or device is permitted, based on its role and fingerprint.
Given the complexity of IoT appliances, a next-generation NAC solution should enforce granular policy control and ensure least-privilege access, meaning each IoT device is given only the minimum access or permissions necessary to do its job. For example, a security camera should only be allowed to send video traffic to its storage server, and a sound system should only talk to its audio streaming service.
To implement the principle of least privilege, the solution must first identify IoT devices and understand what they need. By analysing the logs and traffic generated by the wide variety of IoT devices, machine learning can be used to infer each device's business function, assess its vulnerability level, and thereby support security policy automation and threat discovery, provided the baseline is learned while the devices are known to be behaving normally.
For instance, once a security camera is discovered, a firewall policy is automatically applied that blocks traffic between the camera and anything other than the services mentioned above. If the system then detects prohibited communication, say between the camera and the CRM database, it should raise a real-time alert so administrators can investigate and stop a possible attack.
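As an added example (not code from the original article or from any product), the policy side of the camera scenario above: each fingerprinted role gets an explicit allowlist of destinations, ports and purposes; the allowlist is compiled into an ordered, default-deny rule set for a discovered device; and flow records are checked against it so that traffic no rule permits, such as the camera talking to the CRM database, becomes an alert. The roles, addresses and flow records are constructed for illustration, and the compiled rules are plain dictionaries rather than any particular firewall's syntax.

```python
"""Added example (not the page's own code): least-privilege allowlists per
fingerprinted device role, compiled into a default-deny rule set and checked
against constructed flow records to raise alerts for prohibited traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    dst: str           # destination network the device may reach
    proto: str         # "tcp" or "udp"
    ports: frozenset   # allowed destination ports
    purpose: str       # the business need that justifies the rule


# Constructed role policies: each role gets only what its job requires.
POLICY: Dict[str, List[Rule]] = {
    "camera": [
        Rule("10.20.0.0/24", "tcp", frozenset({554}), "RTSP video to the storage server"),
        Rule("10.0.0.53/32", "udp", frozenset({53}), "DNS"),
    ],
    "sound-system": [
        Rule("10.30.0.10/32", "tcp", frozenset({8000}), "audio streaming service"),
    ],
    "unknown": [],   # unfingerprinted or conflicting devices: deny everything until onboarded
}


def evaluate_flow(role: str, dst_ip: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Allow a flow only if some rule for the role explicitly permits it."""
    for rule in POLICY.get(role, []):
        if (ip_address(dst_ip) in ip_network(rule.dst)
                and proto == rule.proto and dport in rule.ports):
            return True, rule.purpose
    return False, f"no rule permits {role} -> {dst_ip} {proto}/{dport}"


def compile_rules(role: str, src_ip: str) -> List[dict]:
    """Turn a role's allowlist into an ordered, default-deny rule set for one device,
    the kind of object a NAC pushes to a firewall or switch ACL on discovery."""
    rules = [{"action": "allow", "src": src_ip, "dst": r.dst, "proto": r.proto,
              "dports": sorted(r.ports), "comment": r.purpose} for r in POLICY.get(role, [])]
    rules.append({"action": "deny", "src": src_ip, "dst": "0.0.0.0/0", "proto": "any",
                  "dports": [], "comment": f"default deny for role {role}"})
    return rules


# Constructed flow records: timestamp, src, dst, proto, dport, role assigned by fingerprinting.
FLOWS = """\
2024-05-01T10:00:01Z 10.1.1.5 10.20.0.7 tcp 554 camera
2024-05-01T10:00:02Z 10.1.1.5 10.0.0.53 udp 53 camera
2024-05-01T10:00:05Z 10.1.1.5 10.50.0.10 tcp 1433 camera
2024-05-01T10:00:09Z 10.1.1.9 10.30.0.10 tcp 8000 sound-system
2024-05-01T10:00:11Z 10.1.1.42 10.20.0.7 tcp 554 unknown
"""


def detect_violations(flow_text: str) -> List[dict]:
    """Post-admission check: every flow that no rule permits becomes an alert."""
    alerts = []
    for line in flow_text.splitlines():
        ts, src, dst, proto, dport, role = line.split()
        allowed, reason = evaluate_flow(role, dst, proto, int(dport))
        if not allowed:
            alerts.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                           "dport": int(dport), "role": role, "reason": reason})
    return alerts


if __name__ == "__main__":
    for rule in compile_rules("camera", "10.1.1.5"):
        print(rule)
    for alert in detect_violations(FLOWS):
        print("ALERT", alert)
```

Two of the five constructed flows produce alerts: the camera reaching the CRM database on 10.50.0.10:1433, and an unfingerprinted device attempting the same RTSP path that is legitimate for the camera. The second case is the reason the unknown role carries an empty allowlist: a destination being acceptable for one role says nothing about whether a device that has not been identified should reach it.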
Accounting is the act of monitoring how users and devices use network resources. It keeps track of information such as how long they were connected, which resources they reached, what data they accessed, and the like. Accounting is critical for both security and compliance.
Next-generation solutions should also perform continuous post-admission checks after devices connect. Non-compliant devices can be removed from the corporate network and placed in quarantine, typically by moving them to a restricted VLAN or applying a dynamic ACL, until the problem is resolved; this keeps the devices on the network secure over time and prevents them from spreading malware. Remediation should be automated where possible: either the software fixes the problem itself, for example by pulling the latest OS or firmware version, or the administrator can choose to guide the end user through it.
To conclude, legacy NAC solutions fail to identify IoT devices and fall back on a single, permissive one-size-fits-all policy. To secure IoT devices properly, a next-generation solution should be able to:
- Identify and evaluate a full array of IoT endpoints
- Automate device onboarding
- Enforce granular control policies based on each device's needs and vulnerabilities
- Facilitate real-time threat discovery
- Integrate with the cloud environment