瞻博网络 Mist Access Assurance 最佳实践
下面列出了一些网络接入控制 (NAC) 最佳实践,您可以使用瞻博网络 Mist Access Assurance 实施这些实践:
- 使用 802.1X 框架:NAC 的标准,大多数客户端设备都受支持。作为最佳实践,我们建议您载入支持 802.1X 身份验证的公司设备。
注意:您还可以对通过物联网或 BYOD 连接的非 802.1X 设备执行无 MAC 载入。
- 对标识提供者使用基于凭据的身份验证:用户使用其用户名和密码连接到网络。身份提供商 (IdP) 必须验证凭据和用户帐户。
- 使用基于证书的身份验证:此方法使用安装在客户端设备上的数字证书进行身份验证。这些证书可以分配给设备或用户配置文件。
- 迁移到基于云的IdP:基于云的身份提供商(如Microsoft Azure Active Directory,Okta,Ping Identity或Google Workspace)变得越来越普遍,并具有各种优势。
- 公钥基础结构 (PKI) 的使用:使用公钥基础结构 (PKI):使用 PKI 创建、存储、分发和吊销数字证书。
- 配置设备:配置瞻博网络 Mist Access Assurance 以大规模配置设备。通常,在企业环境中使用移动设备管理 (MDM) 平台进行设备预配。
- 使用自动化 NAC 解决方案:自动化 NAC 解决方案可以为连接到 的每台设备提供可见性、控制和自动响应。该解决方案还通过对所有设备和用户实施策略来提供安全的网络访问。
- 使用多重身份验证:通过使用多种形式的身份验证进行网络访问,提供额外的安全层
- 执行网络分段:网络分段有助于防止恶意软件的传播并限制安全漏洞的影响。
- 实施来宾访问策略:根据要求为不同的用户提供不同类型的访问。访客访问策略有助于控制访客和承包商对网络的访问。
观看以下视频,了解访问控制最佳实践:
Some of the best practices when it comes to securing your access to the network-- when we talk about the most secure method to access the network, we are generally talking about 802.1X, which is a framework standard that's been out there for many, many years. Many client devices support this today. This is what we would consider the best and optimal way to do secure access to your network.
But there are many flavors of 802.1X and how devices would authenticate themselves to the network. But broadly speaking, we can separate them into categories. One is the credential-based authentication. So you would connect to a network, whether it's a switchboard, or you connect to your AP that supports .1X. You would put in your username and password, and, at that point, you're authenticated, and you're on the network.
In this scenario, when we are using credentials to authenticate, you are required to have an identity provider that will actually verify that the credentials, and the user account is valid. And nowadays, or actually, previously, the primary IdP for everybody was Active Directory. That was typically running on prem. Nowadays, the trend is to move to cloud-based identity providers such as Azure AD or Okta or Ping Identity or Google Workspace or whatever else that is out there. So IdPs are moving to the cloud.
Now, the challenge with credential-based authentication is that there is really no good way to handle multifactor authentication here. So you are literally only relying on your username and a static password that you may or may not rotate periodically. And that brings in certain issues when it comes to man-in-the-middle attacks.
Historically, customers were not configuring their client devices correctly. So that was exposing man-in-the-middle attacks vectors to happen. And the typical scenario is that clients would bypass server certificate validation. So there is no mutual authentication happening. And at that point, anybody could have spoofed your credentials, and you would have become a victim of an attack.
The other aspect of this is, starting from Windows 11, the latest update from Microsoft, Microsoft decided to enable a feature called Credential Guard by default, which, as a result, disables and blocks all password-based authentication methods for both Wi-Fi and VPN. That means you can no longer use your standard PEAP-MSCHAPv2 or TTLS/PAP methods to connect using .1X. Microsoft is saying everybody should move to certificates, which brings me to the next section.
The next option to validate or to authenticate devices against network is to use certificates as user or device identity. So digital certificates are installed on client devices, whether it's laptops, mobile devices, et cetera, et cetera. They can be either device based, so they're issued for a specific machine name, like a laptop name or a specific device or mobile device, or they're issued for a specific user that's logged in to that device or both.
So in this case, you have an option to choose whether to use user-based authentication or device-based authentication. In this case, identity provider is optional. So you can solely rely on validating the certificate. And if the user or device certificate is valid and trusted, then you would allow the client to connect.
You can additionally rely on the IdP to get more information, more context about the user that's trying to connect you. For example, you could check account state of that user if that account is still enabled. Maybe the account got disabled, but certificate is still valid. There's certain cases like this.
And, most importantly, you want to get group membership information about the user. So you need to know, OK, this is a valid certificate, but what level of authorization I want to provide for this user, whether it's an employee contract or part of finance, marketing, et cetera, et cetera. This is where IdP becomes useful.
Today, this is the most secure authentication method. Certificates are stored in secure storage. They're generally not user accessible. It's virtually impossible to forge them, to hack them, or do anything of that nature. So this is the recommended authentication method if you want the most secure way of accessing the network.
With certificates, the challenge is client device provisioning. You need to have a certificate infrastructure, which is called PKI, or Public Key Infrastructure. And you will need to have a tool that will provision your devices at scale, so users don't have to do this manually. In enterprises, in production environments, it is typically done using MDMs, or Mobile Device Management platforms, right?
So an example of an MDM is Microsoft Intune. So at the moment, you will get the company-managed device. It will register itself with an MDM. MDM will push all the required information, including a certificate.
OK, what about cases where we are not dealing with a device that supports 802.1X, or you're dealing with cases where you don't want to manage the device and deal with certificate provisioning, et cetera, et cetera? So with non .1X cases, we need to look at two categories. First is Wi-Fi. What can you do with Wi-Fi-connected devices that are not leveraging .1X?
And when we're talking about Wi-Fi, you really have two types of devices there. One is IoT devices, or your headless devices that don't have any interface on them. They generally don't support .1X, or their .1X is very, very limited and cumbersome to configure. And we can call them unattended devices, right?
And we can also talk about the BYOD devices, or Bring Your Own Device, where we are talking about personal devices, but, say, in the enterprise of personal devices of employees, that you are not managing as IT, but you want them to be able to connect to the network using some form of an identity that they have.
In this case, our recommendation is to use multi-preshared key solution that we have today, where each and every user, if we are talking about BYOD, will have their own personalized PSK, which becomes the identity of that user. And that personalized PSK is self-provisioned using single sign-on through a PSK portal that we host. From an IoT device perspective, you would have a unique PSK for each device type, for example, a PSK for Wi-Fi cameras, a PSK for Wi-Fi door locks, HVAC systems, et cetera, et cetera.
For each keys, you could set up your policy segmentation logic, assign a VLAN, assign role, et cetera, et cetera. And you get the same level of visibility and auditing as with traditional .1X systems, right? But from an end-user perspective or end-client device perspective, it's as simple as connecting to a Wi-Fi using a passphrase, so the same as you would do at home, right?
This second aspect is wired IoT devices, right? This is where we are talking about, say, wired cameras, wired printers, wired anything that does not support .1X or is not provisioned to do .1X. In this case, the identity of the device is really just the MAC address. And, in this case, you could use Mist access assurance client list labels to apply policies on a switch side. You could look at the MAC or UIO MAC vendor of the device and apply different VLANs for printers, for cameras, etc, etc.
基于凭据的身份验证和基于证书的身份验证之间的选择取决于您的特定要求和所需的安全级别。请注意,基于证书的身份验证目前被认为是最安全的方法。