Hello there,
When it comes to network security, probably all of us would say 'firewall', as that is what comes to mind first. That's true, you have to protect yourself from the entire spectrum of risks lurking outside your network edge and trying either to get to your devices to make them botnet slaves, or to get to your data so it can be sold or used for identity theft or anything else. That's true and valid.
But what about the other edge? The edge of your local network?
What if your employee takes his laptop on a business trip, stops to enjoy a cup of coffee at the airport or shopping center, and uses a public wireless network for Internet connectivity? Let's go back a couple of quarters, when WannaCry was at its best and tried to make people cry. Your employee would get his laptop infected with ransomware or any other type of malware and bring it into your company network. Then, if your employee wasn't updating his OS frequently (who does?), or if he never reboots his laptop (a habit from the good ol' HDD-inside times), and his local network connection allowed unnecessary UDP/TCP ports, he could unwillingly spread ransomware that eventually corrupts all your company's essential data on the endpoints. Yeah, of course, take care of the backups (and their security) and endpoint protection by the way.

What if your employee wanted to disrupt your company right before leaving, so he could subtly fulfill his peculiar vengeance for years or decades of being treated inappropriately? He would try to access every network resource within his purview to inflict as much damage as possible: that could be a systems outage, data corruption or data theft, with plenty of flavors of consequences for the organization. In Poland we had quite a good example with the fall of 2be.pl. One of the biggest local hosting providers (a couple of thousand customers) went totally down within a couple of months due to the ultimate failure of their storage (production and backup). It's not really known whether it was their own IT admin who was responsible, or some external IT service, so maybe the example is not fully relevant. It shows, alongside, that some kind of privileged access management is also worth considering.
What if somebody was interested in your organization, either some malware guy, or an industrial spy, or some intelligence agency, and he could just come to the side of your facility, get onto the guest network with a simple password (or even obtain some employee's credentials) and scan the entire network without any containment? He could do the same as in the previous example, but this guy knows what he wants to get and how to get it.
What if your sophisticated equipment with LAN/WLAN connectivity (like IoT stuff or specialized tools such as those in medicine) got breached (it's not that difficult, such devices are often created without a security-by-design approach) and became a launching point for attacks on your network? Or if some bad guy got into your network and wanted to attack the device through the network?
Those are just a few examples of the risks we face nowadays. Of course, two things should be treated as dogma when we discuss IT security:
- We will never ever be 100% secure with our IT infrastructure (unless we go 100% non-IT ;) ),
- Humans are most likely the weakest spot in your IT infrastructure security (take a look at all those phishing campaigns and other social engineering actions and their success rate, so remember about proper education of your team).
So what I would advise for every IT-assisted organization today is to implement a couple of elements:
- firewall,
- network access control,
- backups,
- privileged access management,
- VLAN separation between user roles, so that users, devices or services of different types (printers, cameras, VoIP phones, network management plane, network control plane, sales division, IT division, accountants etc.) will not see each other if not needed,
- authentication (EAP-TTLS or PEAP; MAC authentication where credentials are not feasible to provide; EAP-TLS where you can deploy a PKI),
- an ACL or similar mechanism that will enable you to restrict end systems' access to particular resources and/or subnets, or even apply some priorities and rate limits; personally I would try to implement the organization's security policy based on the 'least privilege' approach.
You can achieve dynamic policy assignment based on AAA; it's nothing extraordinary, as many networking vendors allow you to bind users and devices to specific VLANs and/or ACLs and/or QoS thanks to a couple of mechanisms. One of those is RFC 3580, for instance; simply put, it's a way to dynamically assign VLANs to authenticating end systems. It's the responsibility of the authenticating server to decide, upon some criteria, which VLAN the user or device should be put into. Alongside, you might want to use, and your vendor might support, many other RADIUS attributes, so you could assign ACLs to the user's port, initiate scripts upon authentication, or else. So in the end, wherever your printer gets connected, it will be contained in the network as a printer. Wherever your accountants connect to the network, they will always get the same set of privileges. You don't have to preconfigure ports on your switches for that, so you have much less work to do. More than that, you could use built-in capabilities of several AAA solutions (like on Windows Server) to decide whether the set of privileges should be the same for a particular user regardless of location, authentication time or device type, or whether it should differ.
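To make the 'authenticating server decides the VLAN' part concrete, here is an added Python model (not the author's nor any vendor's code) of such a decision: a rule chain keyed on authentication type, LDAP group, switch location, time and posture result, whose verdict is encoded as the RFC 3580 RADIUS attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID) plus Filter-Id for the ACL. The attribute numbers and values are the real ones from RFC 2865/2868/3580; the end-system fields, VLAN IDs, ACL names and rules are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# RADIUS attribute types (RFC 2865/2868) and the values RFC 3580 prescribes for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

@dataclass
class EndSystem:
    """What the authenticating server knows about the endpoint; all fields are constructed."""
    auth_type: str            # "eap" (user credentials) or "mac" (MAC authentication)
    identity: str             # username or MAC address
    groups: tuple = ()        # LDAP groups resolved for the user
    device_type: str = ""     # e.g. "printer", "laptop", as profiled by the NAC
    switch: str = ""          # location: NAS-Identifier of the edge switch
    hour: int = 9             # hour of authentication (0-23)
    compliant: bool = True    # posture assessment result

def decide(es):
    """Rule chain, first match wins: returns (vlan_id, acl_name), or None to reject."""
    if not es.compliant:                                   # quarantine VLAN for remediation
        return 999, "quarantine-remediation-only"
    if es.auth_type == "mac" and es.device_type == "printer":
        return 30, "printers-ipp-only"                     # a printer is a printer on any port
    if es.auth_type == "eap" and "accountants" in es.groups:
        if es.switch.startswith("hq-") and 7 <= es.hour <= 19:
            return 20, "finance-full"
        return 21, "finance-restricted"                    # off-site or off-hours: tighter ACL
    if es.auth_type == "eap" and "it" in es.groups:
        return 10, "it-admin"
    return None                                            # unknown end system: Access-Reject

def rfc3580_attrs(vlan_id, acl_name, tag=0):
    """Encode the decision as RADIUS TLVs; tunnel attributes carry a leading tag octet (RFC 2868)."""
    def tlv(attr_type, value):
        return struct.pack("BB", attr_type, len(value) + 2) + value
    return (tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
            + tlv(FILTER_ID, acl_name.encode()))           # Filter-Id names the ACL on the switch

def authorize(es):
    """Access-Accept attribute payload for an authorized end system, or None for Access-Reject."""
    verdict = decide(es)
    return None if verdict is None else rfc3580_attrs(*verdict)
```

Compare the same accountant authenticating from an `hq-` switch during office hours and from a branch switch at night: the user is identical, but the server hands the switch a different VLAN and ACL.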
What would we need NAC for, then?
NAC is a system that allows you to implement security policy in a more flexible and convenient manner. Let me show you this on the example of Extreme Access Control, which I know quite well. Extreme Access Control is a NAC solution with a couple of main features:
- As a NAC solution, it stands as an authentication server in front of the so-called RADIUS clients or authenticators, i.e. edge switches and wireless access points or controllers. It is most likely an intermediate point between the access edge and the backend authentication server, e.g. your domain controller. This gives you visibility and awareness of who and what is or was connected to your network, their IPs, MACs, hostnames, usernames, location (switch + port or AP + SSID) etc. More than that, Extreme Access Control is hidden under the 'single pane of glass' GUI of Extreme Management Center with a common database, so you can easily troubleshoot your users' connectivity, moving between end-system data, network devices' details and application layer data for your network.
- Extreme Access Control lets you either pass through all attributes from the RADIUS server or take over the responsibility for authorizing end systems, so you can decide, in a rather user-friendly interface, how end systems should be authorized based on authentication type, user names, hostnames, LDAP or RADIUS attributes, IPs, MACs, device types, location and time of authentication. It can adjust to the actual circumstances or stay the same for particular devices regardless of the conditions.
- EAC also provides posture assessment capabilities. That means you can check any connecting or already connected end systems for whether they meet your security requirements. For employees' laptops you might want to use agent-based assessment to check if their OS and antivirus are up to date, to check for certain processes, registry keys and so on. On the other hand, in the case of guests and mobile devices, but employees as well, you might want to use agentless assessment, a powerful tool based on a popular vulnerability scanner which checks the device's TCP/UDP ports and identifies vulnerabilities referenced by CVE, CERT and IAVA. This allows you to isolate such a non-compliant or vulnerable device in a quarantine VLAN for the time of remediation, so no other device will interact with it. The user can be redirected to a webpage that shows what problems with his device have to be solved before he can enter the network as usual. You may also decide to adjust your security policy based on the detected issues.
- It provides customizable, multilingual captive portals for guests and BYOD devices, which is suitable when your employee isn't able to install or configure an 802.1X supplicant for credentials-based authentication.
- Last, but not least, there is a REST API on board with a lot of out-of-the-box integrations, like with firewalls or building access control solutions, so you can tighten security and improve automation for a couple of use cases. For instance, your firewall can inform Extreme Access Control that a user should be quarantined. Or, EAC will not authenticate a particular user if he didn't pass the building access control with his token, so it is less likely that someone could use his credentials to reach the network while he's on vacation.
I believe network access control technology is a strong ally in today's arms race and should be considered as one of the components for implementing your organization's security policy. Based on your risk analysis and budget, you should have your security capabilities tailored. If you don't believe that NAC can improve your company's security, please just remember the authentication, VLANs and traffic type restrictions, ok?
Please feel free to ask questions and to comment. I'm really interested in your perspective on organizations' IT security. Maybe you would add another pillar or remove some of those I have suggested?
Take care!