network security solutions Archives - SecureW2 (feed generated Tue, 05 Sep 2023 08:13:25 +0000)

How to Improve Device Identity Context for Network Security
https://www.securew2.com/blog/how-to-improve-device-identity-context-for-network-security
Tue, 14 Feb 2023 14:47:39 +0000

Protect your network from security breaches by getting more visibility over your unmanaged and BYOD devices. Device identity context can help you improve network security. Continue reading to learn more.

Remote and hybrid work environments have brought about drastic changes in the corporate landscape and how data and devices are handled. With Bring Your Own Device (BYOD) gaining more popularity, users want to access both business and personal applications from multiple devices.

Add to that the complexity of modern network infrastructure, with multi-vendor solutions that mix on-prem and cloud services. This flexibility benefits users, but it poses serious security risks for the network. Traditional authentication and authorization processes are no longer enough to keep your network secure, and as data breaches and cyber theft become more sophisticated, the network security ecosystem grows increasingly complex.

There is a need for a more sophisticated system of authentication and monitoring that allows you to have a better understanding and visibility of all the devices and users connecting to your network. In this article, we will explain what device identity context is and how it can help improve your network security. To understand this, let’s first look at what identity context and context-based authentication are and how they help enforce zero-trust architecture.

Identity Context and Context-Based Authentication

Identity context is the set of conditions and circumstances observed when a user or a device tries to access a network. Examples of identity context include activities and behaviors such as:

  • User preferences
  • Sites that you frequently browse
  • The IP addresses and locations of your most-used devices
  • Purchase behavior
  • Typing speed
  • The mobile phones and computers that you use
  • The places that you regularly go to, like residences, offices, and restaurants
  • The person or people that are your most frequent contacts
  • Your music and other entertainment preferences

One of the most familiar examples of identity context in use is a music app recommending songs based on your previous listening history. Such recommendations, of course, rely on some form of artificial intelligence to infer your preferences.

Though, as a concept, identity context is fairly old, it is only recently that some organizations have been trying to deploy it to improve their network security. Understanding the behavior and usage patterns, or identity context, helps you get better visibility over your network. It allows you to ascertain that the user or the device at the other end is authorized and not someone maliciously trying to breach your network.

The question that you may have is how this information can help you to secure your network. When you have an identity context attached to every device or user, it becomes easier to detect and prevent any activity that is not in sync with the identity context. A managed RADIUS that uses device identity context lets you dynamically detect and stop any suspicious activity before it can move laterally or access your entire network.

Device Identity Context

Device identity context, or machine identity context, refers to the information about a device that is collected when a user accesses your network from that device. Attributes such as make and model, device type (managed or BYOD), and the firewall and antivirus active on the device together make up the device identity context.

This information is instrumental in improving your network security. Instead of using a blanket authentication method, you can now customize the type of authentication method that can provide the appropriate level of authentication assurance.

Device identity context also helps you determine the device trust used in making critical decisions about what level of access can be granted and which device can be trusted to what degree. For example, a BYOD device will have limited access compared to a managed device. A device used by the network administrator will use a multi-factor authentication method to provide an additional degree of security.

Modern businesses have witnessed an influx of a varied range of devices used by end-users. The use of BYOD further complicates the landscape as there are now devices that use different platforms.

The risk factor involved is no longer limited to just user risk, so role-based access control alone is not enough. To get better visibility and for easy management of devices in your network, device identity context becomes the foundation for developing better network security.

Okta Device Context

Okta, as part of its development toward a contextual access management framework, has developed Okta Device Context. Okta Device Context helps implement app-level policies that ultimately facilitate a passwordless experience.

It provides all the possible information about the device type and state. This, in turn, helps in making policy decisions like what authentication method will best suit which devices to access the Okta-managed applications.

Under Okta Identity Engine (OIE), Device Context comprises Okta Devices and Device Trust. Okta Devices is the set of services and features that integrates Okta into all of a company's devices, giving better visibility of every device accessing Okta.

Device Trust enables integration with Enterprise Mobility Management (EMM) solutions to facilitate the relevant context for managed devices. Device Trust and Okta Devices together help with making contextual access decisions.

Some of the key benefits of Okta Device Context are:

  1. The Okta Universal Directory provides better visibility of the user and device binding
  2. It provides better access control over sessions and devices
  3. It provides better device analysis which helps in strengthening app-level policy implementation with:
    • Using Okta Verify for registration
    • Providing EMM status for both managed and unmanaged BYOD
    • Endpoint Detection and Response (EDR) Signals

Improve Device Identity Context for Better Network Access Control

As discussed in the previous section, device identity context consists of key attributes of the device that help in deploying the most secure authentication method available for that machine. Better visibility into device attributes also supports better decisions about the level of access granted to each machine. This is instrumental in policy implementation: instead of applying one standard set of policies to all devices, you can customize policies per machine identity context for more robust network security.

Device identity context can be instrumental in implementing Network Access Control (NAC) more efficiently, simply because identity-based access management and zero-trust network architecture, the two core components of NAC, benefit greatly when machine identity context is applied. It provides detailed, relevant information that supports both policy-making and the enforcement of those policies through NAC.

Zero-trust network architecture as a security philosophy simply means never trust, always verify. It requires that users and devices are constantly monitored, and access by each machine or user is limited to the necessary resources and applications only.

Machine identity context provides all the relevant data to monitor and compare the user/machine behavior. This helps identify any behavior that is not in sync, and with the help of dynamic RADIUS, you can immediately terminate any access that is suspicious. It also helps define the level of access to applications and other resources.

Passwords are bad for network security, and a network is only as secure as the method of authentication used to verify identity before granting access. Using an X.509 certificate can help mitigate the risks of password-based authentication in your enterprise network. However, the strength of a certificate is determined by the attributes defined in the certificate.

Machine identity context also helps better define the attributes of a certificate template. A certificate template defines attributes such as network policies and level of access that ultimately direct a machine or a user to the network VLAN it is authorized to access. Device identity context provides all the relevant information needed to make these decisions.

SecureW2 Solutions for an Enhanced Network Security Experience

Network security as a concept is complex because its strength is determined by the way each component is designed within the network. With all kinds of devices coming under your company's network infrastructure purview, especially with BYOD and users logging in from multiple devices, designing a network infrastructure that meets all the security requirements becomes a complex task.

However, for the health of your network and to protect your organization from any malicious intrusion, you need an infallible network that gives you maximum visibility over each and every device connecting to the network.

Device identity context or machine identity context can help you get better visibility and control over all your devices by giving you a better understanding of their behavior. SecureW2 is an industry-leading company for network security that believes in continual innovation to give you an added edge and protection from potential network attacks. Click here to learn about our pricing.

Enabling RADIUS MAC Auth Bypass for IoT
https://www.securew2.com/blog/radius-mac-auth-bypass-for-iot
Wed, 28 Sep 2022 18:32:45 +0000

Enabling RADIUS MAC Auth Bypass for IoT devices can alleviate cyber threats and help improve your network security. Here's how.

Internet of Things (IoT) devices are a necessary evil for almost all industries, including but not limited to the healthcare sector, the hospitality industry, and manufacturing facilities. These devices, embedded with software and other technologies, are used in most industries because of their utility for data collection, which helps organizations understand trends such as customer behavior and product usage, to name a few.

Common IoT Use Cases

  1. Smart homes: smart appliances that monitor temperature, lighting, and other connected appliances
  2. Healthcare sector: medical IoT devices such as blood sugar and heart rate monitors for patients, and bedside monitors
  3. Hospitality industry: smart home IoT devices as well as kitchen appliances
  4. Smart cities: IoT devices that monitor and collect information such as electricity usage, temperature, and air quality
  5. Fitness trackers: used mostly for healthcare and fitness to track fitness level and physical activity
  6. Smart vehicles: IoT devices that monitor car maintenance and pay tolls electronically
  7. Manufacturing industry: IoT devices that monitor equipment for compliance, safety, and productivity

Common IoT Attacks

Many IoT devices do not support 802.1X configuration because their embedded computers serve a very narrow function. But since they need to access the organization's network to do their job, they leave that network exposed. These devices are usually not accounted for as a fundamental part of the infrastructure, so their security is rarely given priority. They become easy entry points for attackers: most IoT devices still lack strong cryptography and have unsafe password management, making them the weakest link in the network. Here are some of the common security threats IoT devices face.

Privilege Escalation

IoT devices are the perfect target for privilege escalation attacks because of the vulnerabilities discussed above. Hackers can take advantage of them to plant malicious code and escalate their access level, penetrating the network of an entire organization and leaving it crippled.

Man-in-the-Middle (MITM) Attack

By exploiting gaps in the security of IoT devices, a hacker can access sensitive information that would otherwise be encrypted. By modifying the packets exchanged between IoT devices and their networks, an attacker can escalate the attack and gain access to the network to do major damage or even take control of it.

Eavesdropping

An eavesdropping attack, also known as snooping or sniffing, is when a hacker gains access to an unsecured transmission between a device and its network; IoT devices are potentially the perfect host for such attacks.

Brute-force password attacks

IoT devices have the most unsafe password management of all: their passwords are often easy to crack and never changed, which makes brute-force password attacks and dictionary attacks (which exploit bad password management and easy-to-crack passwords) fairly easy.

HIPAA Journal, in one of its articles, states that 82% of healthcare organizations have experienced a cyberattack on their IoT devices. An article in Forbes lists IoT attacks as a hot category of cyber attack. Attacks on IoT devices are becoming fairly common, and it is time to start minimizing the threat they pose to network security.

RADIUS Authentication or MAC Auth Bypass for IoT

Remote Authentication Dial-In User Service (RADIUS), also referred to as an AAA (Authentication, Authorization, and Accounting) server, is an authentication server that decides whether a user or machine trying to connect to a network should be granted access. For clients that support 802.1X, RADIUS decides this by verifying the user's or machine's credentials or certificates and checking the user's level of access against the identity provider (IdP), such as Azure AD, Google, or Okta.

MAC authentication bypass (MAB) uses the Media Access Control Address (MAC address), also known as a hardware ID number, to identify, authenticate, and determine the level of access of a device. RADIUS MAC authentication bypass can help minimize security risks faced with IoT devices to a considerable extent. Though not as safe as 802.1X, with MAB, you can now get better visibility over the IoT devices and control the level of access they have to a network.

How RADIUS MAC Auth Bypass Works

At a high level, this is how RADIUS MAC Auth Bypass works:

  • The switch sends an EAPoL Identity Request three times, 30 seconds apart. When the third request times out, the switch concludes that the device has no supplicant and initiates MAC auth bypass to authenticate it.
  • To learn the device's MAC address, the switch accepts a single packet from the interface and reads its source address; MAC auth bypass then refers to a MAC address database to determine whether that address is authorized to access the network.
  • Once the source is identified, the packet is discarded and the switch creates a RADIUS Access-Request message.
  • The RADIUS server receives the Access-Request message and performs MAC authentication by checking whether the MAC address matches the list of MAC addresses authorized to access the network.

Enabling MAB for Minimizing IoT Attacks

The primary benefit of using MAC auth bypass in conjunction with a dynamic cloud RADIUS is that MAB can be implemented with both dynamic access lists and VLAN assignments, just like 802.1X. Though not as secure as the latter, MAB gives better visibility over devices in the network that otherwise go unmanaged and leave the entire network vulnerable to cyber attacks.
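The exchange described in the list above, carried through in Python as an added example (not SecureW2's code or product): the switch builds the RADIUS Access-Request with the learned MAC as User-Name and User-Password, and a minimal RADIUS-side MAB check verifies the shared secret, looks the MAC up in an allowlist, and answers with an Access-Accept carrying the same RFC 2868 VLAN attributes that dynamic 802.1X authorization uses, or with an Access-Reject. The function names, the allowlist, the MAC addresses, VLAN numbers and shared secret are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct
# RADIUS packet codes and attribute types (RFC 2865; tunnel attributes from RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
# Constructed MAB allowlist: canonical MAC -> (device role, VLAN it is authorized for).
AUTHORIZED_MACS = {"0011223344aa": ("billing-printer", 30), "0011223344bb": ("bedside-monitor", 40)}

def normalize_mac(mac):
    """Switches write MACs as 00:11:.., 00-11-.. or 0011.22..; compare one canonical form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits
def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    raw = password.encode()
    padded = raw + b"\0" * (-len(raw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value
def parse_attrs(packet):
    attrs, i = {}, 20  # attributes are TLVs following the 20-byte header
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs
def build_access_request(mac, secret, ident=1):
    """Switch side, after the third EAPoL Identity Request times out: the learned MAC becomes User-Name, User-Password and Calling-Station-Id."""
    authenticator = os.urandom(16)
    canon = normalize_mac(mac)
    attrs = (attr(USER_NAME, canon.encode())
             + attr(USER_PASSWORD, hide_password(canon, secret, authenticator))
             + attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs
def vlan_attrs(vlan_id):
    """Dynamic VLAN assignment with the RFC 2868 attributes 802.1X also uses (tag 0; 13 = VLAN, 6 = IEEE-802)."""
    return (attr(TUNNEL_TYPE, b"\0" + (13).to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\0" + (6).to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"\0" + str(vlan_id).encode()))

def mab_authorize(request, secret):
    """RADIUS side of MAB: re-hiding User-Name under the shared secret must reproduce the sent User-Password (only a NAS holding the secret gets an answer); then the MAC is matched against the allowlist."""
    attrs = parse_attrs(request)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    if not user or not hmac.compare_digest(hide_password(user, secret, request[4:20]), attrs.get(USER_PASSWORD, b"")):
        return build_response(ACCESS_REJECT, request, secret)
    try:
        entry = AUTHORIZED_MACS[normalize_mac(user)]
    except (ValueError, KeyError):  # malformed MAC, or not on the allowlist
        return build_response(ACCESS_REJECT, request, secret)
    return build_response(ACCESS_ACCEPT, request, secret, vlan_attrs(entry[1]))
```

The UDP transport on port 1812 and the accounting side are left out; a MAC address is a claimed identifier rather than a proof of possession, which is why the text rates MAB below certificate-based 802.1X.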

MAC Auth Bypass For Healthcare Sector

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, has been instrumental in shaping how patients' data is handled and who has access to it. With digitalization, HIPAA's purview is no longer limited to the physical documentation of these records but extends to how the records are stored and accessed over the cloud. From a HIPAA standpoint it is very important to have clear visibility as to who has accessed a patient's data and whether they had the required access level. By securing your network with a managed cloud RADIUS server that operates in accordance with 802.1X, you can prevent unauthorized access to your network and be HIPAA compliant.

But what about the devices that do not support 802.1X? MAC auth bypass can help with these devices by giving you better visibility over them. Let's see how MAC auth bypass helps you stay HIPAA compliant with devices that do not support 802.1X:

Unique Credentials for Network Access

HIPAA requires that each user have unique credentials. MAC auth bypass allows each device its own set of credentials in the sense that it uses the unique MAC address of a device to identify and authorize it for network access. With MAB, there is better visibility as to when and what device is accessing patient information.

Device Authentication

MAC auth bypass authenticates a device by looking up its MAC address and matching it against the list of authorized MAC addresses. With a managed cloud RADIUS, a device is granted access only after its MAC address matches the list of approved MAC addresses, so only an authenticated device can access the network.

Identity-Based Dynamic Authorization

MAB is compatible with all dynamic authorization techniques that work with 802.1X authentication. With a dynamic Cloud RADIUS, you can dynamically segment devices at the moment of authentication. For example, a device can be dynamically approved for a particular VLAN based on not just its MAC address, but also its geographical location or the time of the request.

This helps ensure that an authorized device has access only to the necessary data and applications, a critical tenet of Zero Trust Network Architecture. For example, a printer at the billing office will be able to access only insurance coverage information, whereas a bedside monitor can be given access to the patient's medical reports.

Better Network Visibility of Devices that don’t support 802.1X

MAC Authentication Bypass enhances network visibility by linking authentication events to unmanaged devices, providing valuable context about each event and positively identifying the device in question. This is especially useful for security audits and compliance requirements (such as HIPAA in the healthcare sector), network usage statistics, and network forensics, as devices that otherwise go untracked are now monitored. MAB also acts as a Layer 2 control point that lets you control network access.

Protect IoT Devices with RADIUS MAC Auth Bypass

IoT devices have become an integral part of our lives as well as most industries and their value in making our lives easier cannot be negated. Especially in the healthcare sector, IoT devices have taken a special place in adding value to patient care. But keeping in mind the security threats they pose to a company’s network, it’s time to consider alleviating the risks.

MAC Auth Bypass helps complete an organization's security audit or data usage report with better accuracy, as it gives visibility over devices such as printers, IP (Internet Protocol) phones, and medical equipment on your network that otherwise would not be registered. It also helps you stay HIPAA compliant with devices that would otherwise be very difficult to track. Here's how our services have helped our customers in the healthcare industry secure their networks.

SecureW2 has affordable options for organizations of all sizes. When you’re ready to protect ALL of your endpoints, IoT devices included, submit a pricing request here.
