The number and variety of nontraditional IP devices, so-called dumb devices, on corporate networks is exploding.
From HVAC systems and IP-enabled door locks to IP cameras and printers, these devices are plugged into the network everywhere, presenting numerous challenges to network managers. New network access control (NAC) endpoint fingerprinting features may be able to address the problem.
Dumb devices on the network present a perfect opportunity for a hacker to perpetrate a man-in-the-middle attack, according to Usman Sindhu, an analyst at Forrester Research.
"If you are able to spoof the IP address of a device, you're essentially getting into the network environment," Sindhu said.
Dumb devices, complex problems
Unmanaged and non-computing IP endpoints are nothing new on corporate networks. After all, printers have been sitting on most networks for a long time. But the issue has become more acute in recent years as traditional methods of securing these devices have broken down.
"This issue has been here for a long time," said Alok Agrawal, technical marketing manager for Cisco Systems. "Companies thought as long as they provided physical security, that was good enough. Anyone inside the company was a trusted user and a trusted device. But now you have IP phones, you have guest users and contractors coming into controlled environments. It's much bigger, and physical security is no longer enough. You can't assume any device within a physical boundary is trusted."
Many enterprises lack a complete inventory of all the non-computing devices on their networks, to say nothing of basic monitoring and authentication of these devices. Others inventory their dumb devices manually, a time-consuming process that provides only a static inventory.
"Just about every medical device you can imagine has networking capability built in these days," said Don Lester, senior engineer with Wenatchee Valley Medical Center. "But for the past several years, vendors have been kludging network connectivity together with interfaces that are really nothing more than a PC with custom software to translate traffic on the device's serial port into network frames."
"So, even though it isn't something new for us, we don't have any innovative solution," Lester continued. "We keep an inventory of IP addresses, and most of these devices are statically assigned and have their own entries in the IP database. We know what they are, where they are, and what kind of traffic they generate, but that is about the extent of it."
Enter NAC endpoint fingerprinting
Forrester clients have complained recently that they have failed security audits because of a lack of comprehensive inventory and monitoring controls over many of these devices, Sindhu said. So Forrester recommends that enterprises start using endpoint fingerprinting, an add-on feature that many NAC vendors are offering. Endpoint fingerprinting is the discovery, classification and monitoring of endpoints on the network.
"Many of these devices, such as printers, are recorded and inventoried in various places, but there is not one central place where the system could go out and make a list of all of them," Sindhu said.
With endpoint fingerprinting, a NAC product can discover and inventory all devices on the network. It can collect IP and MAC addresses and share this information with a company's authentication, authorization and accounting (AAA) servers to determine location and verify device identity.
The enterprise can also set policies with its NAC system to monitor these devices and send alerts to networking teams if something changes.
Cisco's NAC product monitors the packets transmitted by dumb devices and analyzes whether anything suspicious is happening, Agrawal said.
"We continuously monitor the devices, and if there is a change, we do a change of authorization alert and take further action," he said. "If a device was acting as a printer yesterday and now it is acting as a Windows desktop today, I know it's changed its profile. I put it in quarantine and send someone to manually check on it. If that laptop opens up a browser, we will pick up on the HTTP traffic."
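The inventory-and-monitoring loop described above (collect MAC and IP per device, classify it from the traffic it generates, and raise an alert when a device that profiled as a printer yesterday profiles as a Windows desktop today) can be sketched in a few dozen lines. The script below is an added illustration, not code from Cisco, Forrester or any NAC product; the flow summaries, port-based classification rules and field names are assumptions constructed for this example.

```python
"""Endpoint profile-change detection over constructed flow summaries.

Added example: a toy model of a NAC fingerprinting engine that builds a
per-day inventory of devices (MAC, IP, coarse class) and emits a
change-of-authorization alert when a device's class changes between days.
The observation records, port rules and class names are assumptions.
"""
from collections import defaultdict

# Constructed flow summaries: (day, mac, ip, direction, port).
# "serves" = the device answered on that port; "connects" = the device opened
# a connection to that port on another host. Invented sample data, not real traffic.
OBSERVATIONS = [
    ("day1", "00:11:22:33:44:55", "10.0.5.20", "serves", 9100),   # raw print
    ("day1", "00:11:22:33:44:55", "10.0.5.20", "serves", 631),    # IPP
    ("day1", "00:11:22:33:44:55", "10.0.5.20", "serves", 161),    # SNMP
    ("day1", "aa:bb:cc:dd:ee:01", "10.0.5.31", "connects", 443),
    ("day1", "aa:bb:cc:dd:ee:01", "10.0.5.31", "connects", 445),
    ("day1", "aa:bb:cc:dd:ee:01", "10.0.5.31", "connects", 88),
    ("day2", "00:11:22:33:44:55", "10.0.5.20", "connects", 80),   # HTTP browsing
    ("day2", "00:11:22:33:44:55", "10.0.5.20", "connects", 445),  # SMB
    ("day2", "00:11:22:33:44:55", "10.0.5.20", "connects", 88),   # Kerberos
    ("day2", "aa:bb:cc:dd:ee:01", "10.0.5.31", "connects", 443),
    ("day2", "aa:bb:cc:dd:ee:01", "10.0.5.31", "connects", 445),
]

# Assumed classification rules: a printer serves print protocols and does not
# act as a domain client; a Windows desktop talks SMB/Kerberos/LDAP as a client.
PRINTER_SERVICES = {9100, 631, 515}
WORKSTATION_CLIENT_PORTS = {445, 88, 389}


def classify(served, connected):
    """Assign a coarse device class from the ports a device served / connected to."""
    if served & PRINTER_SERVICES and not (connected & WORKSTATION_CLIENT_PORTS):
        return "printer"
    if connected & WORKSTATION_CLIENT_PORTS:
        return "windows_desktop"
    return "unknown"


def build_profiles(observations):
    """Return the per-day inventory: {(day, mac): {"ip": ip, "class": cls}}."""
    served = defaultdict(set)
    connected = defaultdict(set)
    ips = {}
    for day, mac, ip, direction, port in observations:
        key = (day, mac)
        ips[key] = ip
        (served if direction == "serves" else connected)[key].add(port)
    return {
        key: {"ip": ips[key], "class": classify(served[key], connected[key])}
        for key in ips
    }


def detect_profile_changes(observations):
    """Compare each device's class day-over-day; a change yields a quarantine alert."""
    profiles = build_profiles(observations)
    days = sorted({day for day, _ in profiles})
    alerts = []
    for prev, cur in zip(days, days[1:]):
        for (day, mac), cur_profile in profiles.items():
            if day != cur:
                continue
            prev_profile = profiles.get((prev, mac))
            if prev_profile and prev_profile["class"] != cur_profile["class"]:
                alerts.append({
                    "mac": mac,
                    "ip": cur_profile["ip"],
                    "was": prev_profile["class"],
                    "now": cur_profile["class"],
                    "action": "quarantine_and_verify",  # the change-of-authorization step
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_profile_changes(OBSERVATIONS):
        print(alert)
```

Run as-is, the script flags the device at 10.0.5.20: it served print and SNMP ports on day one and opened SMB and Kerberos connections on day two, so its class moves from printer to windows_desktop and the alert carries the quarantine action. The second device keeps the same class on both days and produces nothing. A real fingerprinting engine would use far richer signals (DHCP options, MAC OUI, HTTP user agents), but the inventory-then-diff structure is the same.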
Several NAC vendors -- including Cisco, Juniper Networks, Forescout and Bradford Networks -- are starting to offer endpoint fingerprinting features as an add-on to their products.
"These nontraditional endpoints were not considered something NAC would cover before," Sindhu said. "We're now seeing vendors becoming more and more cognizant of it."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor