Traditional security measures, such as VPNs, intrusion prevention and anti-virus software, can no longer suffice when it comes to handling network access for employee-owned mobile devices. To handle new kinds of access, a certain level of network access security intelligence must be added to components throughout the network.
Major network equipment vendors have all recognized the pressing need to meet new security challenges. This is in light of the fact that employees are starting to work outside the physical office more frequently, and thus requiring access to applications regardless of their location.
Recent security offerings combine local and remote security to offer unified access and a reduction in administrative work. Access to applications and data is now based on the identity and role of the individual, as well as their location and other factors. In addition, network administrators define access policies that apply across the entire network, including internal wired and wireless networks, remote Wi-Fi hotspots, and cellular data networks.
Vendors offer a variety of authentication methods such as IEEE 802.1X or authentication techniques based on device MAC address or WebAuth, a web based technique, which are all are commonly used with RADIUS. Once authenticated, a user is granted access based on a policy established by network administrators. These policies can be stored in LDAP or in other types of directory.
Network access security and wireless devices
In some cases, a policy may include limitations based on user location. Enterprise security software can utilize the GPS facility on mobile devices or the identity of the connected 802.11 access point (AP), to detect location and block access when necessary.
Another issue that vendors have addressed is that a mobile device which is infected with a key logger can capture a username and password. This means that unauthorized users can then gain the same level of network access as the owner of the infected device.
Vendors now offer software packages for each mobile device operating system and device type. These packages are downloaded onto the device and include anti-virus software that is updated automatically to address the latest threat types. They also verify that mobile applications are at the appropriate revision and patch level. Included VPN software encrypts transmissions to the enterprise network.
Mobile devices located inside a facility and utilizing the 802.11 network offer the same dangers encountered with remote network access. Downloaded security software provides the same protection inside a building as well as outside.
Internal 802.11 networks are also vulnerable to attacks. The weaknesses of WEP and WPA are well known and because of this, most networks have been moved to WPA2. This move greatly reduces the probability of a hacker gaining access by cracking encryption.
APs detect and report other APs or devices introduced by an employee to create a private network. Vendors have also enhanced APs with radio frequency management to lessen the danger that signals will extend beyond the walls of a facility.
Switches get intelligent to handle network access security
Switches have been enhanced to protect against unauthorized intruders who gain access to the internal network. For instance, a rogue device can attempt to flood switches with MAC addresses causing MAC tables to overflow. Switches then flood traffic to all ports and the resulting traffic increase disrupts the network. To address this vulnerability, switches can discard MAC addresses before an overflow occurs.
Switch vendors have also added the ability to detect an unauthorized DHCP server attack, caused either by an intruder or inadvertently due to a software configuration error. An unauthorized DHCP server attack could supply a DNS server address to legitimate devices. The DNS server would then direct web traffic to a site that captures user names and passwords. Switches can also monitor ARP requests and detect devices that respond to requests aimed at another device.
Layer 2 encryption using IEEE 802.1AE (MACsec) can be configured to protect highly sensitive data as it moves between switches. By encrypting at Layer 2 rather than using IPsec, intermediate devices such as firewalls and IPS devices can decrypt packets and inspect its contents before re-encrypting them so that they can continue their path through the network.
Vendors have proactively attempted to reduce security vulnerabilities by building extensive facilities into network components. Yet 100% protection is not a guarantee. As hacker techniques continue to evolve, device and network access security must be continually enhanced to protect network security against risks from multiple fronts.
About the author: David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.