Why NAC Should Be Integrated Into Every LAN
IoT devices are a double-edged sword for IT and security teams everywhere. These devices are undoubtedly a catalyst for digital transformation efforts and pave the way for new operational efficiencies. But they also introduce new risks by expanding an organization’s attack surface. This is especially true in industries like manufacturing that rely on operational technology (OT)—especially as businesses start to converge their IT and OT networks to take greater advantage of connected tools like sensors and security cameras.
Despite the benefits to an organization’s bottom line, this influx of newly connected devices leaves IT grappling with how to quickly onboard these technologies to the network, yet without compromising security. And it turns out that their concerns are warranted: Analysts predict 27 billion connected IoT devices will be in place by 2025, comprising 30% of all network-connected endpoints. And yet 43% of those organizations don’t completely protect their IoT infrastructure. This is despite nearly a billion IoT devices being attacked in 2021, leaving organizations open to potentially catastrophic network breaches.
Here’s where profiling and integrated Network Access Control (NAC) solutions can help. While some may view the concept of access control as overly simplistic, the reality is that embedded NAC technology is a foundational attribute of any secure Local Area Network (LAN). NAC security technology has existed for nearly two decades but still doesn’t have widespread adoption. It’s used most often in large corporate networks but is considered too expensive and complex for your average network administrator to implement and manage.
However, a new generation of integrated and converged tools is now helping organizations secure their always-expanding attack surfaces. Embedded profiling and NAC solutions are particularly useful for reducing the complexities and costs associated with taking inventory of and connecting new IoT devices to the network. And an increasing number of IT organizations are looking to native NAC technology for this purpose.
Challenges of Onboarding New IoT Devices
The sheer volume of new devices being added to networks presents a challenge for overburdened and under-resourced IT teams. But there are several complexities to consider regarding the integration process to properly address this challenge.
One of the most substantial challenges is that many of the IoT devices being added to networks are headless. They lack a traditional operating system, have little to no built-in security, and can’t be accessed through a username and password. Without an associated user, these IoT devices can’t be authenticated and secured by most existing firewalls or other security solutions that grant or deny access based on identity. These attributes (or the lack thereof) make it harder for IT teams to assess whether a device should be on the network in the first place and what level of network access it should have once connected.
Headless devices have also historically required a manual onboarding process, which means IT teams are spending countless hours on tasks such as creating allow lists of MAC addresses and pivoting to multiple consoles to set up rules that’ll help segment new devices as they’re introduced to the network. Even the largest IT organizations don’t have the resources to do this for all the devices in use, and their reliance on manual processes inevitably opens the door to human errors and security breaches. Additionally, once a device is added, it’s nearly impossible to have visibility into the device type. A printer, phone, and industrial machine on the LAN all appear the same to a network administrator when added manually.
NAC: A Foundational Part of Your IoT Device Onboarding Strategy
While onboarding IoT devices has historically been a bane for IT, NAC simplifies the process by offering a single, accurate inventory of all connected devices.
In its most basic form, a NAC solution allows IT to profile, identify, and log each device added to the network and then segment it according to what the device needs to do (or shouldn’t do) once connected. But historically, NAC has been complex to deploy and manage. Modern converged NAC solutions, however, allow NAC policies to interoperate directly with the network infrastructure. In these converged architectures, rules applied at the point of access can be extended across the distributed network, ensuring consistent policy enforcement across on-premises, branch, and cloud environments.
These more advanced NAC solutions offer additional benefits, like:
- Native device onboarding. Converged NAC solutions have built-in profiling capabilities, allowing administrators to set up security and access rules directly within networking equipment, such as automatically assigning digital cameras to a predefined network segment and then restricting their activity. For example, a digital camera should be allowed to capture and send data but never request it. If it does, the network then needs to be able to automatically isolate the device so it can be inspected and removed. This way, when a new device is onboarded, these rules are automatically applied, and the device is segmented accordingly without requiring any manual intervention from IT.
- Enforcement of Zero Trust access. Modern converged NAC tools offer the ability to add security context that’s applied automatically every time a device attempts to connect, not just when it’s first inventoried. This is especially important in virtual environments where assets constantly connect and disconnect from the network. This saves IT analysts from having to log on repeatedly to review and then grant or deny privileges to the same device while also reducing the chances of error.
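The profile, segment, and isolate flow described above, reduced to a toy policy engine as an added example; this is not code from the article or from any vendor's NAC product, and the OUI/DHCP fingerprints, VLAN numbers, and flow records it uses are constructed for illustration.

```python
# Toy NAC policy engine (added example, not from the article or any product).
# Profiles a device from its MAC OUI plus DHCP vendor class, assigns it to a
# segment, and quarantines it when observed traffic breaks the segment's rule
# (e.g. a camera that starts requesting data instead of only sending it).
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999  # constructed isolation segment

# Constructed profiling table: (OUI prefix, DHCP vendor class) -> device class.
PROFILES = {
    ("00:11:22", "IPCAMERA"): "camera",
    ("00:aa:bb", "PRINTER"): "printer",
}

# Per-class policy: which VLAN the class lands in and whether it may
# initiate requests for data. Cameras and printers are send-only here.
POLICY = {
    "camera":  {"vlan": 30, "may_request": False},
    "printer": {"vlan": 40, "may_request": False},
    "unknown": {"vlan": QUARANTINE_VLAN, "may_request": False},
}

@dataclass
class Device:
    mac: str
    dhcp_vendor: str
    device_class: str = "unknown"
    vlan: int = QUARANTINE_VLAN
    quarantined: bool = False
    reasons: list = field(default_factory=list)

def profile(mac: str, dhcp_vendor: str) -> Device:
    """Classify by OUI + DHCP vendor class; unprofiled devices are isolated."""
    oui = mac.lower()[:8]
    cls = PROFILES.get((oui, dhcp_vendor), "unknown")
    dev = Device(mac, dhcp_vendor, cls, POLICY[cls]["vlan"])
    if cls == "unknown":
        dev.quarantined = True
        dev.reasons.append("unprofiled device held in quarantine segment")
    return dev

def observe(dev: Device, flow: dict) -> Device:
    """Check one flow record {'dst': str, 'initiated_request': bool}
    against the device's segment rule and isolate on violation."""
    if not dev.quarantined and flow["initiated_request"] \
            and not POLICY[dev.device_class]["may_request"]:
        dev.quarantined = True
        dev.vlan = QUARANTINE_VLAN
        dev.reasons.append(f"{dev.device_class} initiated request to {flow['dst']}")
    return dev
```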
Integrated NAC Technology Plays a Leading Role in Network Convergence
As IT and OT networks continue to converge and an influx of new devices come online, creating a straightforward, automated, and secure solution for onboarding new technologies has never been more critical.
An embedded NAC solution supports and accelerates this convergence by simplifying day-to-day operations and making it easier to troubleshoot issues. It’s an easy, cost-effective way to reduce the manual work required by IT, offering greater visibility across the entire network while shrinking the time and effort it takes to maintain a strong security posture.
While NAC isn’t a silver bullet, it’s a core building block of any smart network security program, particularly as businesses of all shapes and sizes accelerate their digital transformation strategies. What’s more, it helps shorten the to-do list of already-overburdened IT teams.
Learn more about securing the LAN edge with Fortinet’s security-driven wired and wireless networking products.
Copyright © 2022 IDG Communications, Inc.