Is Your Wired Network as Secure as Your Wireless?

By Mark Verbloot, Systems Engineering Director, Asia Pacific, Japan

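Imagine a contractor or employee walks into your office and plugs a printer or security camera into an open port on a switch. If the port is unsecured (and most are), they are connected immediately. If their device is compromised, they could unwittingly spread malware that could wreak havoc across the organization's entire network. Now imagine a disgruntled employee or unscrupulous visitor plugs into an unsecured wired port and starts sniffing your network for high-value assets or launching an attack.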

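Unsecured switch ports are a big hole in many organizations' network security playbooks. Switch ports are visible and accessible in open offices, and even when the switches are physically locked in wiring closets, unsecured ports are still at risk. This is a risk that too many IT managers underestimate.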


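The rise of IoT is also driving the need for better control of wired network access. Smart connected devices, such as security cameras, smart TVs and building management systems, are creating new value, but many IoT devices are riddled with security flaws. While many IoT devices are wireless, we are starting to see more that take advantage of Power over Ethernet (PoE) and so plug into the wired network.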

Wired Network Access Control

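In the early days of the wireless LAN industry, security was a primary concern for customers. Aruba was a leader in building secure wireless network solutions and, in fact, we have been saying for a long time that wireless is more secure than wired. That is because, thanks to the implementation of WPA2 Enterprise, every wireless device not only encrypts its data but also needs to authenticate to the network, and most enterprise wireless networks today use certificate-based authentication. Traditionally, wired devices have been allowed to "plug in" without any form of authentication. Once the port comes up, the device has access to whatever VLAN the port is configured for.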

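Many customers already use Aruba ClearPass to control how mobile devices and other wireless devices connect to their networks. Using ClearPass for secure network access control, they can be confident that only authorized users and devices can access their wired or wireless networks, and they are free to build whatever access policies meet their business needs.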

We're seeing more customers adopt ClearPass for wired network access control. Here in Australia, we've been working with several banks to use ClearPass to control access across their campus networks – both wired and wireless. Many industries, especially banking and finance, have regulations that mandate organizations to create effective controls to mitigate security risks. That includes ensuring that only authorized users have access to the appropriate resources, and that rogue or compromised devices are kept off the network. There is also a greater awareness of the need to take wired access control much more seriously with the rise of IoT.

See, Control and Respond with ClearPass

ClearPass gives you visibility into what devices are on your network, regardless of wired, wireless or VPN, and then allows you to control network access for those devices and respond when a potential situation arises.

The reality is that most IT managers simply are unaware of all of the devices that are connected to their network at any moment. ClearPass gives you that visibility with profiling. It is very common for a new ClearPass customer to discover many more devices on the network than they had ever anticipated simply because they had no way of "looking" previously. Visibility is the key to control. Once you have visibility, you can create the right access policies.

ClearPass supports multiple authentication methods, including 802.1X and MAC authentication, to support a broad variety of device types. These days, many wired and wireless devices can use 802.1X, but there is still a large selection that cannot – especially low-cost IoT wired connected devices. Whilst MAC authentication is one way to secure these devices, it has its limitations. ClearPass also supports OnConnect, a non-802.1X mechanism to validate the device type and usage. OnConnect is a very useful tool as part of your wired access control framework.

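ClearPass lets you enforce company policies for appropriate user and device access across all users, device types or locations. Authorized users and devices can connect quickly and easily, while everything else is blocked from connecting. And, of course, you will be fully aware of all unauthorized connection attempts.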

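ClearPass can protect your information resources through dynamic policy controls and works cooperatively with third-party systems to remediate threats. ClearPass works with an ecosystem of more than 100 third-party products, so it can automate threat remediation or enhance services using leading firewalls, mobile device management, multi-factor authentication and visitor registration systems. With the context ClearPass provides, your organization can ensure security and visibility at the device, network, traffic inspection and threat protection levels.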

Go Deeper

Take our enterprise security risk assessment.

Learn more about ClearPass for secure network access control.
