Viszen Security - Insights #NAC

NEW Training and Certification Mini-Event

Fri, 01 Nov 2024 07:30:00 -0400

The first Wireless Tech Summit

This month (November 2024), Peter Mackenzie and I are co-hosting the first Wireless Tech Summit, a Wi-Fi training and certification mini-event. The best part? It will be in-person here in North Carolina!

Okay, maybe that’s not actually the best part. The best part is probably the concept overall. We wanted to give people access to training and peer connections they may not otherwise have, and do it at a critical time in Wi-Fi history.

The FCC has opened new spectrum so we’re managing 2.4Ghz, 5GHz, and now 6GHz with Wi-Fi 6E and Wi-Fi 7, and that has huge implications for both the design and security of our networks. Plus, Wi-Fi 6E and Wi-Fi 7 require WPA3 security and unfortunately, there’s no easy button for migrating from WPA2 to WPA3.

So, we thought we could get together, co-host a mini-event, and give people four days of training and certification coupled with peer networking and social events. Plus, some special joint labs, testing, and guest speakers to round it out!

It’s bigger than a training, and smaller than a conference. A way to maximize time and precious training budget without having to give up a weekend.

The November 2024 event offers a choice from two training classes:

Wi-Fi Design and Hamina Certified Network Architect with Peter Mackenzie
Secure Wi-Fi Architecture Masterclass and Certification with me (Jennifer Minella) and Jonathan Davis

All three of us are practitioners. Meaning, we teach only part time and the rest of our time is focused on doing the work related to our class content. The content is not only fresh and timely but also real-world and hyper applicable to the daily roles of engineers and architects.

Peter is arguably one of the best and most popular Wi-Fi instructors in the the world. He’s not only teaching the course, he developed it (and many others). You can find his full offering at MQ Training Services, based out of the UK, including a suite of the CWNP courses such as CWNA, CWDP, and CWAP.

Jonathan Davis (JD) is also a CWNP-certified instructor and CWNE (Certified Wireless Network Expert) and brings deep Wi-Fi knowledge to our security architecture class, where I of course dive into the depths of security from technology to compliance.

As for me, well I’ve been doing network security for over 20 years and layer that with 15+ years deeply focused on more holistic security architecture addressing all aspects of security. The class is based on those 20 years of experience working with and in hundreds of client environments across all industries. It's also based in large part on my recent book, "Wireless Security Architecture" published with Wiley.

Check out more class details on the event site, including videos. We’d love to have you join us at this or another upcoming event!

Also- be sure to follow me on LinkedIn for more regular updates.

Interested in future dates and/or corporate training for your team? Contact us!

Wireless Tech Summit

Training and Certification Mini-Event

November 12-15, 2024

Raleigh, NC, USA

https://www.wirelesstechsummit.com/

Get Started Now

"Wireless Security Architecture" Now Shipping Worldwide

Tue, 12 Apr 2022 10:14:52 -0400

My new book published with Wiley, "Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise" is now shipping worldwide. Available as e-book and in print from Wiley, Amazon, and book retailers near you!

Find on Amazon

Showdown: Zero Trust vs. NAC

Wed, 30 Jun 2021 16:30:00 -0400

In the world of zero trust networking, organizations are asking how a zero trust approach fits in with their network access control (NAC) strategy. Here are some thoughts on what you should be considering as you navigate zero trust and NAC.

Concepts vs. products

The first major difference in zero trust and NAC is that zero trust is a concept or trust model for information security, versus NAC which is a specific product category. Although there are different types of NAC products today, the market has settled down considerably and all operate within a relatively narrow scope of enforcement and features compared to ten years ago.

The many flavors of zero trust architectures

Before we continue, let's untangle the co-mingling of zero trust as it relates to network and application access versus access between virtualized hosts. Although conceptually the same - the goal of zero trust being to move from an implicit to more granular explicit authorization - the execution, products, and vendors are very different for network-based technologies than for virtualized environments (whether they be on-prem, in cloud, or hybrid).

For today's discussion, we're focused on the former - the technology that would/could replace (or enhance) traditional network-based NAC products for identification and authorization of users and endpoint devices in your environment. We'll leave the other topic for another day.

Implicit vs explicit authorization

The model of a zero trust architecture is to "verify then trust" versus the more common approach of NAC with the "trust but verify" sequence. While - yes - some NAC implementations do offer a "verify then trust" model, the next step after trust is typically an implicit authorization to a network or networks, which is exactly what zero trust security tries to avoid.

Network-based vs. application-based enforcement

Strictly speaking in a perfect world, a zero trust approach will include a trust model that offers a user (or device) only the specific access to the resources needed per-task. That's a tall order with the current technologies we have, and traditional NAC vendors will all fall short here, even with the holy grail that is microsegmentation. At best with NAC, we're doing identification and authentication of a device and/or user, and then giving them some level of access at network layers 2 or 3. Contrast this with the approach of a zero trust solution performing the same (or more extensive) identification and authentication, but with the added ability to control resource access up through the application layer.

One of the reasons secure access service edge (SASE) solutions fit so well with zero trust strategies is because of the ability to make very granular authorizations to a user or device, based on myriad contextual elements (who, what, when, where, how).

Managing users on-prem vs. remote

The next bugaboo with NAC is the limitations in controlling resource access on remote users and devices. Our current network-based NAC products are designed to control access at the point of (managed) network connection - that could be at a wired port in the facility, a corporate wireless SSID, or a remote access VPN in to the organization. But then, that's it. Traditional NAC products weren't designed to manage and control connections from endpoints floating out and about on the internet as people travel or work from home.

The conversation could again turn towards SASE and the features that swirl around it - SD-WAN, CASB, and SWG specifically. However, certainly not all organizations have moved to a 100% remote workforce, meaning there's still a need to secure access to internal resources when a user is in the office. This reality makes traditional NAC a still-attractive offering, and is an area SASE will need to continue developing.

Can NAC products play a role in a zero trust strategy?

Yes, absolutely - but with some caveats. If your NAC-based zero trust strategy relies on microsegmentation, know that it's not really the holy grail it's touted to be, and among other limitations it's not the easiest architecture to implement. As we just mentioned, there's still a place in the world for traditional NAC for organizations with a primary focus on on-prem security. Plus, in recent years most NAC vendors have bolstered their endpoint agents and are heading towards the type of granular control organizations will want in a zero trust network.

Get more insights!