Why It’s Important to Control What’s on Your Wireless Network at All Times

There is no doubt that your wireless network is a critical component of business operations. Strong wireless connectivity enhances productivity and flexibility, especially for organizations that have a Bring Your Own Device (BYOD) policy, IoT infrastructure components, contractors, guest users, and so forth. A wireless network is also inherently scalable, making it ideal for companies undergoing rapid growth. There are a number of daily usage scenarios, however, that can put your wireless network at risk.

Scenario 1: Rogue Devices
It’s inevitable: employees will bring their personal devices (smartphones, wearable watches, etc.) to the office, and a percentage of those will attempt to connect to your wireless network (some automatically). While they may only be connected briefly, they are nonetheless connected. If you can’t see them on the wireless network, you can’t control them – and that is an unnecessary and avoidable risk to take.

Scenario 2: Guests
Occasionally, an employee might bring their kids to work. Kids being kids these days, they will likely want internet access to play a game or watch YouTube videos on their smartphones or tablets. If you’re lucky, they’ll simply rely on their cellular network to load this content, but if not…guess what? They will try to connect to the corporate wireless network. In this scenario, let’s hope you’ve set up some sort of accessible, internet-only, wireless network, designed to remain separate from the professional corporate network.

Scenario 3: Contractors
Many businesses hire contractors or consultancies to tackle specific projects. These individuals and groups will need network access for extended periods of time and will need to be granted access to company resources and sensitive, proprietary data. In this instance, you should be employing NAC (network access control) across your wireless network in order to dictate and enforce the level of access these individuals receive, based on internal policies.

How to Protect Your Wireless Network
Of course, these scenarios will mostly be harmless. Mostly. They could, however, serve as an additional attack surface against your network, or as a base station from which to launch a wider DDoS attack. In the past few years there have been several DDoS attacks on corporate networks via hacked IoT devices that were used as a springboard into networks, such as the 2016 Dyn cyber-attack.

Considering all of these potential risks to your enterprise network, here are a few security focus points to keep your operations safe:

100% coverage and awareness of all access scenarios on your wireless network (via simplified 802.1X-based authentication and authorization services). This way you have full awareness of every device connecting to your networks at all times.
Auto-segmentation – automatically push unmanaged/unwanted devices from your wireless network to a different network (e.g. internet-only). You should be able to automatically classify every device connecting to your network and place it in the correct segment according to your own classification. The right technology affords micro-segmentation, i.e. finer-grained segmentation options inside your internal network, and offers automated actions to enforce it.
Immediate disconnect options – you should be able to remove devices from your wireless network, both automatically and manually, no matter where the devices are connecting from.
Wi-Fi provides fast and reliable connectivity for employees and visitors and enhances productivity, but if you do not know which devices are attempting to connect to your network (or lack technology that keeps track of them), there is not much you can do to stop them, or to make sure they land in a harmless section of it. Awareness combined with automated protective actions will allow you to handle all of these scenarios effectively while supporting a large number of wireless devices in the enterprise.
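The three focus points above amount to one loop: a policy decision for each connecting device, followed by an enforcement action. The Python below is an added illustration of that loop, not code from this article or from Portnox. A small ordered rule set classifies each device into a segment (corporate, contractor, BYOD, IoT, guest or quarantine), returns the RADIUS tunnel attributes an authenticator uses to place the session in that VLAN (RFC 3580), and, when a live session is re-evaluated, returns the RFC 5176 Change-of-Authorization or Disconnect message that moves or removes it. The segment names, VLAN ids, directory group names, the IoT MAC allow-list and every device record are constructed assumptions for the example.

```python
"""Added example (not Portnox's code and not from the article): a minimal NAC policy
engine that classifies each connecting device into a segment and expresses the result
as the RADIUS attributes an authenticator applies to put the session in a VLAN
(RFC 3580), plus the RFC 5176 change-of-authorization message needed when a live
session has to be moved or disconnected. Segment names, VLAN ids, group names and
all device records are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed segment -> VLAN mapping; "quarantine" is a remediation VLAN with no internal access.
SEGMENTS = {"corporate": 10, "contractor": 20, "byod": 30, "guest": 40, "iot": 50, "quarantine": 999}
# Assumed allow-list of IoT devices that can only authenticate by MAC (MAC authentication bypass).
KNOWN_IOT_MACS = {"00:11:22:33:44:55"}


@dataclass
class Device:
    mac: str
    auth_method: str              # "eap-tls", "peap", "mab" or "open" (no 802.1X at all)
    identity: str = ""            # user or machine name presented in the EAP Identity response
    groups: Tuple[str, ...] = ()  # directory groups the identity belongs to
    managed_cert: bool = False    # client certificate was issued by the corporate CA
    compliant: bool = True        # endpoint posture (patched, disk encrypted, ...)
    blocked: bool = False         # manually blocked by an administrator


@dataclass
class Decision:
    segment: str
    vlan: int
    reason: str

    def radius_attrs(self) -> dict:
        """Attributes that place the session in the chosen VLAN (RFC 3580 section 3.31)."""
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": str(self.vlan)}


Rule = Tuple[str, Callable[[Device], bool], str]

# Ordered policy: the first rule whose predicate matches decides the segment.
POLICY: List[Rule] = [
    ("blocked by administrator", lambda d: d.blocked,                                      "quarantine"),
    ("non-compliant posture",    lambda d: not d.compliant,                                "quarantine"),
    ("corporate machine cert",   lambda d: d.auth_method == "eap-tls" and d.managed_cert,  "corporate"),
    ("contractor account",       lambda d: d.auth_method in ("eap-tls", "peap")
                                           and "contractors" in d.groups,                  "contractor"),
    ("employee on own device",   lambda d: d.auth_method == "peap"
                                           and "employees" in d.groups,                    "byod"),
    ("allow-listed IoT device",  lambda d: d.auth_method == "mab"
                                           and d.mac.lower() in KNOWN_IOT_MACS,            "iot"),
    ("no credentials presented", lambda d: d.auth_method == "open",                        "guest"),
]


def classify(device: Device) -> Decision:
    """First matching rule wins; anything unrecognised is quarantined, never silently allowed."""
    for name, matches, segment in POLICY:
        if matches(device):
            return Decision(segment, SEGMENTS[segment], name)
    return Decision("quarantine", SEGMENTS["quarantine"], "no rule matched")


def reevaluate(current: Decision, device: Device) -> Optional[dict]:
    """Re-run the policy on a live session and return the RFC 5176 message the RADIUS
    server should send to the authenticator: None (nothing changed), a CoA-Request
    that moves the session to its new VLAN, or a Disconnect-Request that drops it."""
    new = classify(device)
    if new.segment == current.segment:
        return None
    if new.segment == "quarantine":
        return {"Code": "Disconnect-Request", "Calling-Station-Id": device.mac}
    return {"Code": "CoA-Request", "Calling-Station-Id": device.mac, **new.radius_attrs()}


if __name__ == "__main__":
    # Constructed connection events, one per scenario in the text.
    events = [
        Device("aa:bb:cc:00:00:01", "eap-tls", "pc-1234$", managed_cert=True),
        Device("aa:bb:cc:00:00:02", "peap", "alice", groups=("employees",)),  # employee's own phone
        Device("aa:bb:cc:00:00:03", "open"),                                  # visitor's tablet
        Device("aa:bb:cc:00:00:04", "peap", "bob", groups=("contractors",)),
        Device("aa:bb:cc:00:00:05", "mab"),                                   # unknown MAB-only device
    ]
    for ev in events:
        d = classify(ev)
        print(f"{ev.mac} -> {d.segment:<10} VLAN {d.vlan:<4} ({d.reason})")
```

Rule order is the policy: deny conditions come first, the fallback is quarantine rather than guest, so a device the rules do not recognise shows up for review instead of being placed on some network by default, and the same `classify` function serves both the initial decision and the periodic re-check that drives the disconnect.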

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

What is 802.1X Extensible Authentication Protocol (EAP)?

EAP
802.1X uses the Extensible Authentication Protocol (EAP), a challenge-and-response authentication framework, to carry a conversation between a Supplicant (the wireless or wired client) and the RADIUS server (the authentication server) via an Authenticator (a wired switch or wireless access point that acts as a proxy). EAP supports multiple authentication methods; some are secure and some are vulnerable (although old endpoints still support them).

802.1X authentication with Portnox CLEAR
DIAGRAM: An example of how EAP works with Portnox CLEAR.

EAP-TLS
With 802.1X authentication via EAP Transport Layer Security (EAP-TLS), authentication is mutual and certificate-based: it relies on a TLS “handshake” in which both the Supplicant (endpoint) and the RADIUS server present their certificates.

Advantages:

Mutual certificate authentication
The authentication process takes place inside a secure SSL tunnel
The user/machine certificate is linked to the relevant user/computer identity, which makes stealing attempts useless (in contrast to stolen credentials)
Disadvantages:

The identities are sent in clear text before the certificate exchange starts
Deployment and lifecycle maintenance of endpoint certificates might be costly in small environments

EAP-TTLS
802.1X EAP Tunneled Transport Layer Security (EAP-TTLS) is an extension of EAP-TLS. After the RADIUS server has authenticated itself to the Supplicant with its certificate (optionally with TLS authentication of the Supplicant to the RADIUS server as well), the Supplicant proves its identity inside the tunnel via PAP or MSCHAPv2.

Advantages:

The authentication process takes place inside a secure SSL tunnel
User identity is not exposed
Can use multiple methods to authenticate inside the tunnel – certificates / user identities
EAP-TTLS can be used for network authentication by Azure Identity when AD-DS is not enabled (MSCHAPv2 is not available)
Disadvantages:

It does not support MSCHAPv2 without enabling Directory Services with Azure AD (a limitation of Azure AD itself)
Client-side certificate is not required, only optional

EAP-PEAP
With 802.1X authentication via Protected Extensible Authentication Protocol (EAP-PEAP), only the RADIUS server needs a certificate. With that certificate, the endpoints establish an encrypted TLS tunnel through which the authentication details are passed. The most common protocol used to authenticate endpoints inside PEAP is MSCHAPv2 challenge-response, which authenticates both the server (usually Active Directory / Azure AD) and the supplicant (endpoint). In this challenge-response exchange, each side computes a response from a random challenge and the identity’s credential, so the password itself is never sent across the network.

Advantages:

The authentication process takes place inside a secured SSL tunnel
User identity is not exposed
Simple deployment – allows the use of a username and password the end-user is already familiar with, such as Active Directory or local account credentials
Disadvantages:

This method requires a password changing policy to remain secure
If the endpoints are not hardened they are exposed to “evil twin” attacks

EAP-MD5
One of the legacy EAP methods used with 802.1X is Message Digest 5 (EAP-MD5): the RADIUS server sends a random challenge to the Supplicant, which computes an MD5 hash over its credentials and the challenge and sends that hash back to the RADIUS server for validation. With this method of 802.1X authentication, therefore, supplicants do not send their passwords to the RADIUS server for validation, but hashes instead.

Advantages:

EAP-MD5 is compatible with legacy network equipment and older types of endpoints
Disadvantages:

It is exposed to dictionary attacks (password “guessing”)
Vulnerable to man-in-the-middle attacks since there is no mutual authentication
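To make the Supplicant / Authenticator / RADIUS conversation introduced at the top of this section concrete, and to show where the EAP-MD5 weaknesses listed above come from, here is an added Python simulation of the exchange; it is not code from the article or from Portnox. It encodes real EAP packets (RFC 3748: Code, Identifier, Length, Type) and uses the EAP-MD5 method, whose response is MD5(Identifier || password || challenge) as in CHAP, because that is the one method every step of which runs with the standard library alone. The authenticator is modelled as a pass-through that records the wire trace, which is enough to observe that the identity crosses the wire unprotected, that the server must hold the clear-text password to verify the response, and that the supplicant has no way to authenticate who sent the challenge. User names, passwords and challenge bytes are constructed for the example.

```python
"""Added example (not from the article and not Portnox's code): a self-contained
simulation of the 802.1X/EAP conversation between Supplicant, Authenticator and
RADIUS server using the legacy EAP-MD5 method (RFC 3748 section 5.4).
User names, passwords and challenge bytes are constructed for the example."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# EAP codes and types (RFC 3748).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4


def eap_packet(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(pkt: bytes) -> Tuple[int, int, Optional[int], bytes]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return (code, ident, None, b"") if length == 4 else (code, ident, pkt[4], pkt[5:])


def md5_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 (same construction as CHAP, RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class Supplicant:
    """The endpoint. It answers whatever MD5-Challenge it receives: EAP-MD5 gives it
    no way to check who is asking, which is the missing mutual authentication."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def handle(self, pkt: bytes) -> Optional[bytes]:
        code, ident, typ, data = parse(pkt)
        if code != REQUEST:
            return None  # Success / Failure end the conversation
        if typ == TYPE_IDENTITY:
            # The identity travels unprotected; anyone on the segment can read it.
            return eap_packet(RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if typ == TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]  # Type-Data: Value-Size, Value, Name
            resp = md5_response(ident, self.password, challenge)
            return eap_packet(RESPONSE, ident, TYPE_MD5_CHALLENGE,
                              bytes([len(resp)]) + resp + self.identity.encode())
        return eap_packet(RESPONSE, ident, TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))  # unsupported method


class RadiusServer:
    """The authentication server. EAP-MD5 obliges it to keep clear-text passwords,
    because it has to recompute exactly the same hash as the supplicant."""
    def __init__(self, users: dict):
        self.users, self.ident, self.peer, self.challenge = users, 0, None, b""

    def start(self) -> bytes:
        self.ident += 1
        return eap_packet(REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, pkt: bytes) -> bytes:
        code, ident, typ, data = parse(pkt)
        if code != RESPONSE or ident != self.ident:
            return eap_packet(FAILURE, ident)
        if typ == TYPE_IDENTITY:
            self.peer, self.challenge = data.decode(errors="replace"), os.urandom(16)
            self.ident += 1
            return eap_packet(REQUEST, self.ident, TYPE_MD5_CHALLENGE,
                              bytes([len(self.challenge)]) + self.challenge + b"radius")
        if typ == TYPE_MD5_CHALLENGE and self.peer in self.users:
            expected = md5_response(ident, self.users[self.peer], self.challenge)
            ok = hmac.compare_digest(data[1:1 + data[0]], expected)
            return eap_packet(SUCCESS if ok else FAILURE, ident)
        return eap_packet(FAILURE, ident)


def run_8021x(supplicant: Supplicant, server: RadiusServer) -> Tuple[bool, List[Tuple[str, bytes]]]:
    """The Authenticator: a pass-through relaying EAP (EAPOL on the client side,
    RADIUS EAP-Message on the server side) that records the wire trace."""
    trace = []
    pkt = server.start()
    while True:
        trace.append(("server->supplicant", pkt))
        if pkt[0] in (SUCCESS, FAILURE):
            return pkt[0] == SUCCESS, trace
        reply = supplicant.handle(pkt)
        trace.append(("supplicant->server", reply))
        pkt = server.handle(reply)


def cleartext_identity(trace) -> Optional[str]:
    """What a passive observer of the exchange learns: the identity, verbatim."""
    for _, pkt in trace:
        code, _, typ, data = parse(pkt)
        if code == RESPONSE and typ == TYPE_IDENTITY:
            return data.decode(errors="replace")
    return None


if __name__ == "__main__":
    ok, trace = run_8021x(Supplicant("alice", "correct-horse"), RadiusServer({"alice": "correct-horse"}))
    for direction, pkt in trace:
        print(f"{direction:<20} code={pkt[0]} id={pkt[1]} bytes={pkt.hex()}")
    print("authenticated:", ok, "| identity seen on the wire:", cleartext_identity(trace))
```

Because the response is a deterministic function of the identifier, the challenge and the password, and nothing in the exchange binds it to a particular server, the two disadvantages listed above fall out directly: a recorded exchange can be checked against password guesses offline, and an endpoint cannot tell a legitimate challenge from one issued by an impostor. The tunnelled methods (EAP-TLS, EAP-TTLS, PEAP) address this by authenticating the server with a certificate first and moving the inner exchange into the TLS tunnel.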

SASE & the Future of Network Access Control

Gartner Reviews NAC Tools for 2021

The current enterprise network security practices focus on verifying the identity of the user and the device in a perimeter-less environment, where cloud-hosted technologies prevail in the enterprise and where remote sites include branch offices and employees working from home.

In Gartner’s paper “The Future of Network Security is in the Cloud”, one of the key findings is that “network security architectures that place the enterprise data center at the center of connectivity requirements are an inhibitor to the dynamic access requirements of digital business.” It also recommends that enterprises move their security into the cloud, based on a networking and security model called SASE, a term coined by Gartner’s leading security analysts.

What is SASE?

SASE, pronounced “sassy”, stands for Secure Access Service Edge. It is a cloud-based network security model and category, proposed by Gartner in 2019, to support agile secure access to enterprise assets. This model includes the network security solutions in a global and cloud-native service that allows IT teams to easily connect and secure all of their organization’s networks and users in an agile, cost-effective, and scalable way. This is especially useful in the currently globally dispersed digital enterprise.

According to Gartner’s analysis, SASE can be characterized as an identity-driven, cloud-native, globally distributed technology that supports and impacts all enterprise edges and IT domains. For example, this would include a branch office in LA along with the main HQ in London, while traveling/mobile team members can connect on the go.

“SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems, or edge computing locations.” (Gartner)

SASE addresses the numerous problems with traditional network security methods, many of which are rooted in the idea that network security architectures should be placed at the center of connectivity in the HQ or data center, where typically branch locations are more vulnerable to attack.

Why should I care? What’s the problem?

Legacy network security applications cannot efficiently support newer networking use cases that have moved to “the edge”, such as cloud applications, dynamic services, and distributed data in remote branch offices. Traditional on-premises architectures introduce challenges such as latency, large management overhead, networking blind spots, and continuous reconfiguration work by the IT team as vendors, services, and equipment change. Even though the SASE model is not without its own challenges, it can eliminate these issues by removing cumbersome technologies and networking complexities, while moving the entire security process to the network edge (the point where the enterprise-owned network connects to a third party, particularly cloud technologies; network administrators often refer to their “WAN edge” or “internet edge”).

If enterprises try to solve IT challenges as they emerge, with ad-hoc/point solutions, they will be leading themselves into technical compounds that are complex and costly to manage, and that will not necessarily work well with each other in terms of efficiency and speed. Complex and cumbersome communications between IT components slow down IT and its response rate to different business requirements.

SASE can change this paradigm because as mentioned, it is identity-driven, cloud-native, globally distributed, and securely connects all edges (WAN, cloud, mobile, and IoT). With SASE, enterprises can reduce the time it takes to develop new products, deliver them to the market, and respond efficiently and appropriately to the increasing changes in business conditions.

Shift happens.

In the last few years, as organizations around the world have become more decentralized, organizational security controls treat each office location as a remote site or branch office. Companies either consume access security services in a costly way through data centers, implement redundant controls in each location, or, worse, neglect the security of that part of the enterprise network altogether.

In simple terms, we are talking about delivering an all-access security suite from the cloud and not from the data center. This is in line with the trend of identity brokers moving to the cloud (such as Azure, G Suite, Okta, and others) as well as the continued migration to the cloud of many other cyber-security architectures and IT services.

In a scenario where you are implementing an on-premises NAC solution alongside your on-premises network equipment, you can easily identify and authenticate the end-users. However, if your organization is distributed and, like many others, has transitioned to a cloud-delivered ID broker, then continuing to consume authentication and access services from the cloud makes much more sense.

In the diagram, on the left side, we can see the price of not leaving any remote site exposed – either you pay a very high price for each location, or you need to duplicate your security mechanisms in each location which is costly. The second option is to authenticate and obtain your access rights and compliance needs via the closest, geo-redundant cloud service available.

OK, so what happens now?

The sensible course of action is to plan a security strategy to be scalable and efficient in the present, while at the same time future-proofing the organization’s security. With the organizational data migrating to the network edge, it makes sense to authenticate and authorize users and devices in a cloud format, thereby assuring that regardless of the equipment and geolocation, employees can securely connect in a cost-efficient and secure method to the needed resources.

Portnox Partners with Distology for Sole Distribution of Cloud-Delivered Network Access Control (NAC) Solution in United Kingdom & Ireland

Partnership Will Drive Increased Adoption of Portnox’s Cutting-Edge NAC Solution Purpose-Built for Large Distributed Organizations in the Region

LONDON — Portnox, which supplies network access control (NAC), visibility and device risk management to organizations of all sizes, today announced that it has partnered with Distology for the sole distribution and resell of its cloud-delivered NAC-as-a-Service solution in the United Kingdom and Ireland.

“We chose to partner with Distology because of their successful history of IT security solution distribution in the UK and Irish markets,” said Portnox CEO, Ofer Amitai. “We’re confident this collaboration will yield tremendous growth for both parties, as Portnox has a unique value proposition and Distology has the market enablement expertise to effectively evangelize our network security offering.”

“We have a long-established relationship with Portnox and it speaks volumes that the team have decided to choose Distology as their sole UK&I distributor. The technology Portnox brings to the market is incredibly exciting and complements our existing vendor stack effortlessly,” said Stephen Rowlands, Head of Sales for Distology. “We’re especially looking forward to representing and promoting Portnox Clear to our growing partner base, as this brand-new cloud-based technology has potential to completely disrupt the market and we foresee masses of growth potential in this innovative product.”

Portnox introduced its cloud-delivered NAC-as-a-Service solution to the UK & Irish markets less than two years ago. As the first to bring NAC to the cloud, Portnox has quickly gained a foothold in the region, particularly among large distributed enterprises in the retail, construction and utilities industries.

“The adoption of our NAC-as-a-Service product in the UK has been very strong to date,” said VP of Products, Tomer Shemer. “This is a testament to the fact that the UK is one of the markets leading the trend of cloud security adoption. We expect to see continued growth in the coming years in this area of Europe.”

Portnox is set to exhibit at this week’s RSA 2020 Conference (booth #4234) in San Francisco, February 24-28. Additionally, Portnox (booth #G108) and Distology (booth #C40) will both be exhibiting at InfoSec Europe 2020, Europe’s largest event for information and cyber security, in London, June 2-4.

About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.