Identifying The Need For MDM & Access/Policy Control
Mobile devices aren’t just something you carry in your pocket to make calls anymore. Being mobile is a way of life. For organizations that need to keep productivity levels high, a lack of wireless access can put a dent in the way you do business. And it’s not just access to the Internet that is important – having the proper privileges is just as crucial. Imagine the implications of a neurosurgeon’s iPad not being able to access a patient’s medical records while walking in the hallway 15 minutes before surgery. Then layer on the task of keeping that patient’s medical records safeguarded from outsiders who should not have access. The management of seemingly endless combinations of diverse devices and applications in an enterprise network is enough to make any IT admin’s head spin.
Enter: Network Access Control Solutions (NACs)
Business-critical organizations like hospitals, financial institutions, and government agencies need the ability to not only grant access to networks but also identify each device and delegate control based on the organization’s unique preferences. Situations like these are where next-generation identity and access control policy platforms like Cisco Identity Services Engine (ISE) offer value to IT administrators.
Identity-based access and control policy platforms allow IT admins to take control of who can access their network by relating identities to access switches, WLCs, VPN gateways, and data center switches. In addition, platforms like Cisco ISE can enable organizations to gather real-time information about who is accessing their networks and what devices they are using. From there, IT admins can make proactive governance decisions to optimize the performance and safety of their network and endpoints.
In short, IT admins can perform the following things (not all-inclusive) with identity-based access and control policy platform:
- Figure out whether users are using an approved devices to access the network
- Create a record of that device’s identity, access history, and location
- Assign access to services based on things job role, location, device type, etc.
- Granularize access to only specific parts of the network or even select applications/services
- Manage guest access to networks and create specific internal control policies
- Enforce endpoint compliance so that all devices that are accessing the network are up to standards by checking for OS patches, antivirus software, etc.
- Create and deliver reports for increased transparency
Is an NAC The Right Choice For My IT Infrastructure?
Network access control platforms can be implemented in networks of any size, both large and small. However, the cost and learning curve for implementation can be somewhat sizeable and therefore overkill for smaller networks. Therefore, identity-based access and control policy platforms make the most sense for larger networks, like those found in enterprise organizations.
Organizations with the following characteristics would save the most time and benefit the most from the streamlined nature of identity-based access and control policy platforms:
- A mixture of secure wired, wireless, and VPN network that need reliable identity enforcement and security compliance
- A mixture of roles where not only employees but guests and subcontractors need to access the network with their personal devices (with granular control)
- A mixture of network equipment and endpoints that comprise your active IT infrastructure
- Business nature where worker productivity relies on dependable and specific access
- Organizations that need to take identification a step further toward device profiling by specific device types, software, and other variables attributed to each unique endpoint
- IT management workflow that is cumbersome when it comes to mobile device management
- Organizational dependence on malware, threat, and endpoint security
The Top Network Access Control (NAC) Players
If any of the previously listed situations have struck a nerve, you’re probably overdue for a solution. Based on input from a variety of IT professionals, we’ve found the following solutions to offer the most value:
Cisco Identity Services (ISE)
Cisco hardware is relatively popular within the enterprise network realm, making Cisco’s solution is one of the leaders in the NAC space. Cisco ISE offers comprehensive access and control configuration based on not only a device’s identity, but more specific variables like the role of the device’s owner, the location, the device vendor, and even the OS that the device is running.
Cisco ISE can also be used with non-Cisco hardware through an agentless solution or by using AnyConnect, which is a more complete solution. Cisco’s TrustSec takes ISE to the next level by creating even more granular access policies by using Security Group Tags (SGT) which allow access based on things like the physical location of the device within a network.
Cisco’s ISE also integrates with Active Directory, RADIUS RFC 2865 compliant token servers, and other authentication providers and protocols. SIEM, DMD, and other security integrations are also available for Cisco ISE. For a full list of available integrations, visit Cisco’s website at http://www.cisco.com/c/m/en_us/products/security/technical-alliance-partners.html.
Aruba ClearPass is another widely-chosen NAC option on the market. At its base, Aruba ClearPass is a RADIUS and TACACS server that is supplemented with a web user interface. Aruba ClearPass is known for its ease-of-use in helping IT admins create wireless access policies based on individual device identities.
Aruba ClearPass’s built-in profiling engine has similar capabilities to Cisco ISE’s device posture identification and allows compliance to be based on device categories, vendors, and OS versions. ClearPass’s Universal Profiler is also available for less complex networks that don’t have the need for full policy enforcement.
Aruba’s ClearPass Policy Manager and ClearPass Exchange ecosystem work hand-in-hand to integrate a variety of solutions into Aruba ClearPass, allowing IT admins to have a full end-to-end security solution
ForeScout CounterACT is an agentless solution, like Aruba ClearPass, which makes authentical and network access control more streamlined for the end user. ForeScout CounterACT also works with a variety of popular switches, routers, VPNs, firewalls, endpoint operating systems, antiviruses, etc.
Like Aruba ClearPass and Cisco ISE, ForeScout CounterACT also allows for policy-based access and security with 802.1X authentication and is compatible with authentication technologies like Active Directory, RADIUS, and LDAP. ForeScout CounterACT can also be set to hybrid mode if your IT infrastructure uses multiple technologies at once.
Which NAC is Right For My Network?
In the end, we’ve found that between the three solutions, Cisco ISE is best suited for organizations that need a completely customizable and robust NAC solution or have mostly Cisco hardware in their networks. Aruba ClearPass and ForeScout CounterACT are both popular choices because of the ease of onboarding through their agentless solutions, however, if granular control and security is top of mind, Cisco ISE comes out on top.
Aruba ClearPass and ForeScout CounterACT, on the other hand, beat out Cisco ISE based on the user interface, as some IT professionals have complained that in order versions, Cisco ISE’s UI is heavy and clunky. In the recent months, Cisco has been working hard to improve the user experience on their NAC solution, and we believe that they have the potential to come out on top in this arena as well.
Need Help Engineering The Right NAC Solution?
At CTC Technologies, our IT infrastructure engineers have extensive experience in implementing complex NAC solutions for organizations in industries like finance, healthcare, and government. Successfully solving time-consuming IT issues is our specialty, so if NAC is something you need, but it’s been on the backburner for X months, reach out to one of our engineers today for any questions around implementing an NAC solution into your network.