Managing network access control has become a multi-dimensional problem, thanks to the security risks that multiple wireless networks and the influx of mobile devices pose to the enterprise.
Not only do network administrators need to control who and what get access to the enterprise network, but they also must ensure the secure movement of corporate data across the devices users bring onto the network. Vendors are increasingly integrating mobile device management (MDM) and network access control (NAC) products to provide IT organizations with a one-stop management offering that can enable secure and flexible enterprise mobility.
ForeScout CounterACT: Network access, mobile device management in one place
MDM doesn't identify the user and device on its own. But combining NAC with MDM can provide better awareness of what devices are coming on the network, said Chris Hazelton, research director for mobile and wireless at London-based 451 Research.
ForeScout, a Cupertino, Calif.-based network security vendor, recently announced partnerships with MDM vendors AirWatch and MobileIron, and extended enterprise mobile device visibility and security of both corporate-sanctioned and employee-owned devices. ForeScout will integrate both companies' products into ForeScout Mobile, an add-on module to its NAC product, CounterACT.
ForeScout Mobile will give enterprises visibility, control and compliance reporting for all mobile endpoint devices -- including smartphones, tablets and laptops -- through one unified ForeScout CounterACT platform, said Gil Freidrich, vice president of technology for ForeScout.
Enterprise employees will be able to easily install MobileIron and AirWatch's MDM agents on unmanaged devices through an automated self-enrollment process, which will allow IT to instantly provision access to corporate email, wireless and virtual private networks (VPN) and applications. IT will also have the capability to blacklist mobile applications, and remotely locate, lock and fully or selectively wipe lost or stolen devices, he said.
The Hadassah Medical Center had provisioned a wireless guest network for patients and visitors, but the Israeli hospital's IT organization had prohibited personal mobile devices from connecting to its administration network due to security concerns, said Barak Shrefler, chief information security officer for Hadassah Medical Center.
Doctors and researchers were bringing in their personal smartphones and tablets last year in earnest, and their only option with those devices was to connect to the guest Wi-Fi network. Shrefler's team realized that timely data access for doctors and researchers could ultimately lead to better care for the hospital's patients, so it explored options for giving them access to the administrative network. "IT began to search for a solution that offered a balance between security and mobility, and one that improved overall network security oversight."
Shrefler wanted one system that was effective for both mobile and network security, and he chose ForeScout CounterACT with the AirWatch-based ForeScout Mobile add-on. It gives his team real-time visibility -- including to whom the device belongs and the activity in which each individual device is engaged – as well as control over all connected endpoints on the network to enforce policies, he said.
More on ForeScout CounterACT
Product of the year: ForeScout CounterACT
Case Study: Revamping network access control with ForeScout
College secures campus network with CounterACT
The same CounterACT system monitoring employee-owned devices also controls all device access for the hospital's computers, laptops, portable medical kiosks and connected medical devices, including patient monitoring systems, drug dispensers and CT Scanners -- a managerial benefit for IT.
ForeScout's CounterACT Mobile was the only offering that allowed the medical center to implement a bring-your-own-device (BYOD) policy that was restrictive enough that non-complaint devices could be blocked, but effective enough to secure compliant mobile devices without the cost and limitations of having to offer hospital-sanctioned mobile devices, Shrefler said.
"If a doctor wants to use a personal device for an activity such as downloading music or accessing Dropbox, which isn't allowed on the internal wireless network, [they] would often disconnect [and reconnect] to any available public or unsecured Wi-Fi to complete the task," Shrefler said. "Today, if a wireless hop occurs, CounterACT immediately blocks the device's access to all networks and then alerts the IT team to the issue."
Mobile device management and network access control combating BYOD
While many traditional networking vendors -- like Citrix, Juniper and Fiberlink -- offer mobile device or application management, many do not offer NAC. Joint MDM and NAC offerings will be most likely made available through vendor partnerships -- similar to ForeScout and AirWatch, 451's Hazelton said.
Separately, MDM and NAC are not new technologies. But as large numbers of mobile devices access the enterprise Wi-Fi networks, IT needs an easier way to determine if the user device belongs to an employee, and what kinds of access and control should be immediately imposed on the device, he said.
"Without MDM, it would only be a question of, 'Can the user be on the network, or can they not?' MDM is really an ideal partnering tool for NAC to provide in-depth control of a device, as it runs on a corporate network with the policies and control in place for that specific person or device," he said.
MDM and NAC technologies -- like ForeScout CounterACT Mobile -- allow for easy identification and monitoring of personal devices without a call to the IT department, Hazelton said. "All those steps are done in the background, and it can be done hundreds of times, without any impact to IT. If a business or organization of several thousand people are bringing in new devices every day, this technology can really help IT deal with the bring-your-own-device phenomenon."