Using NAC endpoint fingerprinting to inventory dumb devices

By Shamus McGillicuddy, News Editor
12 Jan 2010 | SearchNetworking.com


The number and variety of nontraditional IP devices, so-called dumb devices, on corporate networks is exploding. From HVAC systems and IP-enabled door locks to IP cameras and printers, these devices are plugged into the network everywhere, presenting numerous challenges to network managers. New network access control (NAC) endpoint fingerprinting features may be able to address the problem.

Dumb devices on the network present a perfect opportunity for a hacker to perpetrate a man-in-the-middle attack, according to Usman Sindhu, an analyst at Forrester Research.

"If you are able to spoof the IP address of a device, you're essentially getting into the network environment," Sindhu said.

Dumb devices, complex problems

Unmanaged and non-computing IP endpoints are nothing new on corporate networks. After all, printers have been sitting on most networks for a long time. But the issue has become more acute in recent years as traditional methods of securing these devices have broken down.

"This issue has been here for a long time," said Alok Agrawal, technical marketing manager for Cisco Systems. "Companies thought as long as they provided physical security, that was good enough. Anyone inside the company was a trusted user and a trusted device. But now you have IP phones, you have guest users and contractors coming into controlled environments. It's much bigger, and physical security is no longer enough. You can't assume any device within a physical boundary is trusted."

Many enterprises lack a complete inventory of all the non-computing devices on their networks, to say nothing of basic monitoring and authentication of these devices. Others inventory their dumb devices manually, a time-consuming process that provides only a static inventory.

"Just about every medical device you can imagine has networking capability built in these days," said Don Lester, senior engineer with Wenatchee Valley Medical Center. "But for the past several years, vendors have been kludging network connectivity together with interfaces that are really nothing more than a PC with custom software to translate traffic on the device's serial port into network frames."

"So, even though it isn't something new for us, we don't have any innovative solution," Lester continued. "We keep an inventory of IP addresses, and most of these devices are statically assigned and have their own entries in the IP database. We know what they are, where they are, and what kind of traffic they generate, but that is about the extent of it."

Enter NAC endpoint fingerprinting

Forrester clients have complained recently that they have failed security audits because of a lack of comprehensive inventory and monitoring controls over many of these devices, Sindhu said. So Forrester recommends that enterprises start using endpoint fingerprinting, an add-on feature that many NAC vendors are offering. Endpoint fingerprinting is the discovery, classification and monitoring of endpoints on the network.

"Many of these devices, such as printers, are recorded and inventoried in various places, but there is not one central place where the system could go out and make a list of all of them," Sindhu said.

With endpoint fingerprinting, a NAC product can discover and inventory all devices on the network. It can collect IP and MAC addresses and communicate this information with a company's authentication, authorization and accounting control servers to determine location and verify device identity.

The enterprise can also set policies with its NAC system to monitor these devices and send alerts to networking teams if something changes.

Cisco's NAC product monitors the packets transmitted by dumb devices and analyzes whether anything suspicious is happening, Agrawal said.

"We continuously monitor the devices, and if there is a change, we do a change of authorization alert and take further action," he said. "If a device was acting as a printer yesterday and now it is acting as a Windows desktop today, I know it's changed its profile. I put it in quarantine and send someone to manually check on it. If that laptop opens up a browser, we will pick up on the HTTP traffic."
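The profile-drift check Agrawal describes, as an added illustration written for this article rather than code from Cisco or any NAC vendor: each MAC is re-profiled from the destination ports it actually talks to, compared with the profile recorded at enrolment, and flagged for quarantine when a "printer" starts behaving like a Windows desktop. The MACs, port signatures and flow lines are constructed sample data, and the classifier is a deliberately simple port-overlap rule.

```python
from collections import defaultdict

# Constructed baseline inventory (MAC -> profile recorded at enrolment); values are hypothetical.
BASELINE = {"00:11:22:33:44:55": "printer", "00:11:22:33:44:66": "ip-camera"}

# Rule-based signatures: destination ports each device class is expected to talk to.
# Illustrative sets, not a vendor's profiling database.
PROFILE_SIGNATURES = {
    "printer": {9100, 515, 631, 161},
    "ip-camera": {554, 80, 443},
    "windows-desktop": {445, 135, 139, 88, 53, 80, 443},
}

# Constructed flow records: "<source MAC> <destination port>", one line per observed flow.
SAMPLE_FLOWS = """
00:11:22:33:44:66 554
00:11:22:33:44:66 80
00:11:22:33:44:55 445
00:11:22:33:44:55 135
00:11:22:33:44:55 139
00:11:22:33:44:55 88
00:11:22:33:44:77 9100
""".strip().splitlines()

def classify(ports, threshold=0.5):
    """Return the profile whose signature explains the largest share of observed ports."""
    best, best_share = "unknown", 0.0
    for profile, signature in PROFILE_SIGNATURES.items():
        share = len(ports & signature) / len(ports)
        if share > best_share:
            best, best_share = profile, share
    return best if best_share >= threshold else "unknown"

def detect_profile_changes(baseline, flow_lines):
    """Re-profile every MAC from its flows; return (mac, expected, observed, action) tuples."""
    ports_by_mac = defaultdict(set)
    for line in flow_lines:
        mac, port = line.split()
        ports_by_mac[mac].add(int(port))
    actions = []
    for mac, ports in ports_by_mac.items():
        observed = classify(ports)
        expected = baseline.get(mac)
        if expected is None:        # never inventoried: record it and flag for review
            actions.append((mac, None, observed, "inventory"))
        elif observed != expected:  # profile drift: change of authorization, quarantine
            actions.append((mac, expected, observed, "quarantine"))
    return actions
```

In the sample data the camera keeps its profile, the MAC enrolled as a printer is now classified as a Windows desktop and is quarantined, and a never-inventoried MAC talking to port 9100 is added to the inventory for review.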

Several NAC vendors -- including Cisco, Juniper Networks, Forescout and Bradford Networks -- are starting to offer endpoint fingerprinting features as an add-on to their products.

"These nontraditional endpoints were not considered something NAC would cover before," Sindhu said. "We're now seeing vendors becoming more and more cognizant of it."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor