A global manufacturer of power semiconductors implemented network access control (NAC) technology to enable wireless guest network access while still being able to lock down unauthorized connections to network
International Rectifier, based in El Segundo, Calif., recently deployed ForeScout NAC CounterACT appliances in 35 offices across 20 countries to control access to both its wireless LAN and its wired LAN, according to James Tu, director of information security. The technology is managing network access and enforcing security posture policies for 8,500 endpoint devices.
ForeScout NAC is also simplifying operations for guest access. Until recently, guest access for visitors and contractors was limited to a dedicated Internet-only VLAN on the wireless LAN, which was deployed strictly in conference rooms.
More on network access control
Network Evolution Ezine: Coping with BYOD
Vendor comparison for mobile network access control
Using NAC endpoint fingerprinting to inventory dumb devices
"People would come into the conference room and we would tell them to call a number to get a guest password so people could get to the Internet," Tu said.
Tu had piecemeal control over the small wireless footprint in his enterprise, but wired ports were another story.
"We didn't have any way to secure a wired network jack. People could plug into a data jack. We had no security for that. We wanted to close all these holes so we could prevent people from plugging in."
Many large enterprises struggle with locking down individual network ports because of their sheer volume. Mapping out exposed ports is an inexact science, but a network access control system can blanket an entire enterprise, across wired ports and wireless access points.
ForeScout NAC: Easy to install, light footprint
ForeScout's approach to NAC was particularly appealing to Tu because he wanted a solution that was easy to install and required few changes to his network.
"Many [NAC vendors] say my appliance will take over as the DHCP server in your company and give you IP addresses, put you into a secure VLAN, check you against policy, and then if you have compliance, allow you into a different VLAN inside the network," Tu said. "It sounds pretty simple on paper, but it's intrusive. Replacing my current DHCP server to me is very risky."
Other NAC solutions that Tu tested required the installation of multiple components, the use of agents for an 802.1x solution, and upgrades to core routers. Tu said ForeScout was ready to go with the infrastructure he had in place and required no agents.
"Personally, I don't like to have an agent to maintain. It's difficult to maintain agents on 10,000 endpoints," he said.
The ForeScout NAC product also has minimal impact on user experience. When a new device connects to International Rectifier's network, it is immediately isolated on an Internet-only VLAN while CounterACT checks the device for compliance with the company's security policies. If a device is unknown or out of compliance, the user can still access the Internet to remain productive while remediation is taking place.
Faster response to network access alarms
ForeScout's ability to map switches and IP addresses to individual hosts has simplified Tu's response to access problems and alerts.
"Before [ForeScout] we would get an alert [from a McAfee vulnerability scanner] that a machine has a virus," Tu said. "The IT team would have a difficult time tracing that alert to a particular machine. Now with ForeScout you can do a search for a particular IP address and it will give you more information for that host and also tell you which switch port it is connected to."
Network access control is no gateway to BYOD
Although the access control offered by ForeScout could enable a bring-your-own-device (BYOD) environment at International Rectifier, Tu has no plans to pursue one.
"I've talked to a lot of big companies [about BYOD] and there are no savings. They think they have savings, but there is really no justification," Tu said.
Employees will seek reimbursement from employers for using their personal mobile devices on the job, Tu said, erasing any savings from a BYOD plan. And mobile costs for individual data plans are much higher than for a corporate plan covering hundreds or thousands of users. Tu said his company has responded to employee demands by standardizing on iPhones as a company-owned device.
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.