How to Overcome Network Access Control Limitations for Better Network Security

This eBook discusses network access control (NAC) limitations offering details on why a Software-Defined Perimeter delivers better network security for today's enterprise.

Published in: Technology
  1. How to Overcome NAC Limitations. Why a Software-Defined Perimeter delivers better network security for today’s enterprises.
  2. Enterprise technology has changed: from static to dynamic, from network-centric to identity-centric, from hardware to software, from isolated to interconnected.
  3. Work habits have changed: home, mobile, contractors, third-party partners.
  4. The network perimeter has dissolved. Enterprise resources – applications, databases, and infrastructure – are increasingly outside the perimeter. And people are constantly working outside the perimeter.
  5. Network security must change to keep up with enterprise technology and work habits.
  6. There’s a fundamental shift in network security happening right now.
  7. The philosophical difference is centered around trust: Network Access Control (NAC) trusts users inherently; a Software-Defined Perimeter (SDP) trusts no one.
  8. Do you trust users completely? NAC solutions are designed to work inside the perimeter, a trust-based model…
  9. …a model that Forrester says is broken for four reasons: (1) it’s impossible to identify trusted interfaces; (2) the mantra "trust but verify" is inadequate; (3) malicious insiders are often in positions of trust; (4) trust doesn’t apply to packets. Read: Forrester, No More Chewy Centers: The Zero Trust Model Of Information Security.
  10. Or are no users trusted? Abolishing the idea of a trusted network inside (or outside) the corporate perimeter, and instead opting for a Software-Defined Perimeter where…
  11. …there is zero trust.
  12. NAC was designed to work inside the perimeter. Build a perimeter around the internal network, verify who users say they are, and once in the door users gain full access to the network, or at least a large portion of it.
  13. In this changing world, NAC falls short for seven reasons.
  14. 1. NAC doesn’t extend to the cloud. So enterprises need another security solution for the cloud, and that adds another layer of network security.
  15. 2. NAC relies on VLANs, which are complicated to manage. Creating VLAN segments can be easy; keeping them relevant and accurate as your environment changes is the real challenge. So most enterprises only have a limited number of VLAN segments defined.
  16. 3. NAC doesn’t encrypt traffic. If social networks can encrypt traffic (WhatsApp, Snapchat, Facebook Messenger, Telegram), why not corporate networks?
  17. 4. NAC isn’t fine-grained. It can’t provide fine-grained control of the network resources users can access. Instead, NAC relies on existing (and separately managed) network segments, firewalls and VLANs – requiring yet another set of policies to manage.
  18. 5. NAC’s remote user support is non-existent. Remote users need yet another solution – like a VPN.
  19. 6. NAC struggles to support the agile enterprise. NAC causes management issues because it’s not agile or dynamic – it’s static. It’s complex for the security team to add firewall rules for thousands of workers and their many devices.
  20. 7. NAC doesn’t provide deep, multi-faceted, context-aware access control. It doesn’t check specific attributes such as location, anti-virus or device posture, or broader system attributes such as an alert status within a SIEM.
  21. A Software-Defined Perimeter eliminates these limitations.
  22. A Software-Defined Perimeter is a new network security model that dynamically creates 1:1 network connections between users and the data they access. Read: Why a Software-Defined Perimeter.
  23. A Software-Defined Perimeter has seven main benefits.
  24. 1. The Zero-Trust model: an “authenticate first, connect second” approach. Everything on the network is invisible until authorization is granted, and access is then only allowed to a specific application.
  25. 2. Identity-centric (not IP-based) access control. Know exactly who accessed what, for how long, and the context of the device when they connected, for policy compliance.
  26. 3. Encrypted Segment of One. Individualized perimeters for each user and each user session – a Segment of One. All the other services that exist on the network are invisible to the user. Once a user obtains their entitlements, all network traffic to the protected network is encrypted.
  27. 4. Dynamic policy management. As new server instances are created, users are granted or denied access appropriately and automatically. As context changes (time, location, device hygiene, etc.), dynamic access policies provide continuous and immediate security.
  28. 5. Simplicity. Much simpler – and dramatically fewer – firewall and security group rules to maintain.
  29. 6. Compliance. Consider the people and time spent collecting, consolidating, and making sense of access logs. Organizations have reduced this by up to 90% when using a Software-Defined Perimeter. A Software-Defined Perimeter offers: auditable, uniform policy enforcement across hybrid systems; dramatically reduced audit-preparation time, with no need to correlate IP addresses to users.
  30. 7. Consistency. Consistent access policies across on-premises, cloud and hybrid environments.
  31. Would you like to know more? Watch the video: SDP to prevent malicious insiders, over-privileged users and compromised third-party access. Get a demo: let us show you how an SDP can work for your organization.
  32. Let’s put NAC vs. SDP to the test… Consider port scanning.
  33. A tester uses credentials to connect to the network, then does a simple port scan to see how many services it finds: on the internal network? On Wi-Fi? On other organizations’ services (if using a hosting provider)?
  34. Port-scan test with NAC: the tester would see every single network port and service available for every server that’s in that VLAN. That could be thousands and thousands of resources.
  35. Port-scan test with a Software-Defined Perimeter: the tester would authenticate first, connect second. The only ports the tester would see are the ones he has explicit rights to through his digital identity. Everything else would be completely invisible.
  36. Here’s why (we’ll need to get techie for a bit).
  37. SDP Architecture (slides 37 to 40 build up the same diagram). Components: Protected Applications, SDP Controller, SDP Gateway (Accepting Host), SDP Client (Initiating Host), PKI, Identity Management, Policy Model. The controller is the authentication point, containing user access policies. Clients are securely onboarded. All connections are based on mutual TLS connectivity. Traffic is securely tunneled from the client through the gateway.
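The port-scan test (slides 33 to 35) and the controller/gateway split (slides 37 to 40) as one added example. This is not code from the deck or from AppGate: a toy controller evaluates a constructed policy model against identity plus device context to produce a session's entitlements, a toy gateway drops anything not entitled, and the same constructed inventory is "scanned" under the NAC model (VLAN membership is the policy) and the SDP model. All hostnames, users, groups and rules are made up for the example. One caveat the slides skip: what the gateway hides is the services behind it; the gateway and controller themselves must still be reachable so clients can onboard, which is why the CSA SDP specification adds single-packet authorization to keep those two dark to unauthenticated scanners.

```python
"""Added example: toy model of the NAC-vs-SDP port-scan test (constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Service = Tuple[str, int]  # (hostname, TCP port)

# Constructed inventory: every listening service in one engineering VLAN.
INVENTORY: Dict[str, Set[int]] = {
    "git.internal": {22, 443},
    "ci.internal": {443, 8080},
    "db.internal": {5432},
    "hr.internal": {443},
    "fileshare.internal": {445},
}

@dataclass(frozen=True)
class Context:
    """What the controller knows about a session: identity plus device posture."""
    user: str
    groups: FrozenSet[str]
    av_current: bool   # anti-virus definitions up to date (device hygiene)
    location: str      # "office" or "remote"

@dataclass(frozen=True)
class Rule:
    """One entitlement in the policy model: a group may reach one host:port,
    optionally only with healthy anti-virus or only from the office."""
    group: str
    host: str
    port: int
    requires_av: bool = False
    office_only: bool = False

    def matches(self, ctx: Context) -> bool:
        if self.group not in ctx.groups:
            return False
        if self.requires_av and not ctx.av_current:
            return False
        if self.office_only and ctx.location != "office":
            return False
        return True

# Constructed policy model held by the controller (hypothetical groups/hosts).
POLICY: List[Rule] = [
    Rule("developers", "git.internal", 22),
    Rule("developers", "git.internal", 443),
    Rule("developers", "ci.internal", 443, requires_av=True),
    Rule("dba", "db.internal", 5432, office_only=True),
    Rule("hr", "hr.internal", 443),
]

def controller_entitlements(ctx: Context) -> FrozenSet[Service]:
    """Controller: authenticate first, then compute the session's Segment of One.
    Re-run whenever context changes so entitlements track device hygiene."""
    return frozenset((r.host, r.port) for r in POLICY if r.matches(ctx))

def gateway_accepts(entitlements: FrozenSet[Service], svc: Service) -> bool:
    """Gateway: default-drop. Only an entitled host:port answers the client."""
    return svc in entitlements

def scan(reachable: Callable[[Service], bool]) -> List[Service]:
    """Walk the whole inventory and report which services respond."""
    return [
        (host, port)
        for host, ports in sorted(INVENTORY.items())
        for port in sorted(ports)
        if reachable((host, port))
    ]

def nac_scan(authenticated: bool) -> List[Service]:
    """NAC: the VLAN is the policy. Unauthenticated devices sit in a quarantine
    VLAN and see nothing; once 802.1X succeeds, every port in the VLAN answers."""
    return scan(lambda svc: authenticated)

def sdp_scan(ctx: Context) -> List[Service]:
    """SDP: only the ports the controller entitled this identity to are visible."""
    entitlements = controller_entitlements(ctx)
    return scan(lambda svc: gateway_accepts(entitlements, svc))

if __name__ == "__main__":
    alice = Context("alice", frozenset({"developers"}), av_current=True, location="remote")
    print("NAC, authenticated:      ", nac_scan(True))
    print("SDP, alice, AV current:  ", sdp_scan(alice))
    # Context change: AV definitions lapse, so the CI entitlement is withdrawn.
    stale = Context("alice", frozenset({"developers"}), av_current=False, location="remote")
    print("SDP, alice, AV stale:    ", sdp_scan(stale))
```

The NAC run returns all seven services because VLAN membership is the only decision; the SDP run returns only what the policy model grants, and re-evaluating the same user with stale anti-virus drops the CI entitlement without any firewall or VLAN change, which is the "dynamic policy" point from slide 27.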
  41. An SDP stops people like this from abusing your network: negligent insiders, malicious insiders, compromised insiders, cyber criminals, Advanced Persistent Threat (APT) agents, state-sponsored actors, compromised third-party users, over-privileged / super-privileged users.
  42. Helping to prevent these types of attacks: server exploitation, credential theft, connection hijacking, compromised devices, phishing, DDoS, insider threats, malware, man in the middle.
  43. Software-Defined Perimeter sounds great… But what if a NAC is already in place?
  44. NAC and SDP CAN coexist. Enterprises with existing NACs can deploy SDP without replacing NAC, and get the benefit of an SDP solution without a rip-and-replace program. Enterprises without NACs should consider SDP as a simpler alternative: there’s no compelling reason to deploy a new NAC solution, because SDP offers better security, removes complexity, enforces uniform compliance and lowers cost of ownership.
  45. A Software-Defined Perimeter delivers uncompromised network security and compliance across hybrid environments.
  46. Industry experts agree. “Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.” “Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter technology… by 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters, up from less than 1% in 2016.” “SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems.”
  47. Cryptzone delivers the market leading Software-Defined Perimeter: AppGate.
  48. Learn more about AppGate. WEBINAR: Network Access Control vs. Software-Defined Perimeter – or both? WHITEPAPER: Forrester Report, No More Chewy Centers: The Zero Trust Model of Information Security. VIDEO: AppGate – Network Security is Changing; See How AppGate Works.
  49. FREE TRIAL | START NOW. Get access to a 15-day free trial on AWS marketplace. GET IN TOUCH: Email: info@cryptzone.com. Twitter: @Cryptzone. LinkedIn: linkedin.com/company/cryptzone. Want to know more? www.cryptzone.com
