为什么仍然使用网络准入控制(NAC)?

发布时间:2019-03-11 09:40 作者/来源: 浏览量:316


Network-connected end devices remain a major cybersecurity point of vulnerability.

网络连接的终端设备仍然是主要的网络安全漏洞点。

Network Access Control (NAC) technology provides the ability to lock down network access in a way and to an extent that no other cyber defense product category does.

网络访问控制(NAC)技术提供了封锁网络访问的能力,在某种程度上,这是其他网络防御产品无法做到的。

Cyber threats in today’s enterprises are focused on multiple attack surfaces across the entire range of network-connected devices.

当今企业中的网络威胁主要集中在整个网络连接设备范围内的多个攻击面上。

Over the past few years, the number of endpoint attack surfaces has expanded considerably.

在过去几年中,终端攻击面的数量已经大大增加。

This trend is expected to continue and increase exponentially in the years immediately ahead.

预计这一趋势将在未来几年继续呈指数级增长。

Endpoint attack surfaces are expanding in terms of client platform diversity, and include:

终端攻击面在客户端平台多样性方面正在扩展,包括:

  • “Traditional” stationary desktop devices
  • “传统”固定桌面设备
    • once the majority
    • 曾经占多数
    • now increasingly in the minority of device types
    • 现在越来越多的设备类型
  • The explosion of mobile device types and numbers, from laptops to tablets to smartphones
  • 从笔记本电脑到平板电脑再到智能手机,移动设备类型和数量激增
  • Employee, contractor, and vendor-owned “BYOD” (Bring Your Own Device) equipment requiring network access
  • 员工、承包商和供应商拥有的“BYOD”(自带设备)设备需要网络访问
  • Exponentially increasing numbers of “IoT” (Internet of Things) devices that require network connectivity (wired and wireless)
  • 需要网络连接(有线和无线)的“IoT”(物联网)设备数量呈指数增长

And also in terms of platform depth:

而且在平台深度方面:

  • Multiple operating system platforms (Windows, OSX, iOS, Android, Linux) and versions
  • 多个操作系统平台(Windows,OSX,iOS,Android,Linux)和版本
  • Multiple application and database platforms (OpenStack and proprietary)
  • 多个应用程序和数据库平台(OpenStack和专利)
  • Multiple storage technologies (SAN, NAS, DAS, Cloud)
  • 多种存储技术(SAN,NAS,DAS,云)
  • Both wired and wireless connections
  • 有线和无线连接
  • Multiple device configurations
  • 多个设备配置

Each specific device and platform provides its own unique set of attack surface vulnerabilities.

每个特定的设备和平台都提供了自己独特的攻击面漏洞集。

All need to be actively managed from a network connection perspective to ensure they aren’t a threat to the enterprise environment.

所有这些都需要从网络连接的角度进行积极的管理,以确保它们不会对企业环境构成威胁。

This requires ensuring all devices can be accurately identified, that all have been appropriately patched and updated to ensure O/S and application-level vulnerabilities have been remediated, and that devices are operating with the latest anti-malware/anti-virus software definitions prior to gaining network access.

这需要确保所有设备都能够被准确识别,所有设备都经过适当的修补和更新,以确保O / S和应用程序级漏洞得到修复,并且设备使用最新的反恶意软件/防病毒软件定义获得网络访问权限。

Current cybersecurity trends

当前的网络安全趋势

  • Cybersecurity best practices have long dictated an active device management approach. Many tools exist to accomplish this, but the ongoing network breaches, data exfiltration, and business outages experienced in recent years indicate that endpoint device management continues to be a point of significant vulnerability in enterprise and organizational environments small and large
  • 网络安全最佳实践长期以来一直采用主动的设备管理方法。有许多工具可以实现这一目标,但近年来经历的持续网络入侵、数据泄露和业务中断表明,终端设备管理仍然是企业和组织环境中的一个重大弱点,无论大小
  • Ransomware, focused on exploiting vulnerabilities at the network client endpoint, rose quickly between 2013 and 2016 and now sits at ~$1B in ransom payments annually
  • 勒索软件专注于利用网络客户端终端的漏洞,在2013年至2016年间迅速增长,目前每年的勒索支付额约为10亿美元。
  • Email phishing exploits remain even more profitable at $1.7B annually over the past 3 years
  • 在过去的3年中,电子邮件钓鱼攻击的利润率仍然更高,每年为17亿美元。
  • Both ransomware and email exploits focus on the endpoint
  • 勒索软件和电子邮件攻击都集中在终端上
  • Further, the number of IoT devices is expected to increase exponentially in coming years (a process already well underway), with the number of enterprise network connections soaring accordingly
  • 此外,预计未来几年物联网设备的数量将呈指数级增长(这一过程已在进行中),企业网络连接的数量也将相应增加
  • The network traffic generated by IoT devices will be unlike anything yet experienced (25 billion devices expected by 2021 from 10 billion today), and will not be possible to manage via manual means (ie responding as needed to all alerts, scanning traffic in real-time or in logs). Automated and “prescribed-in-advance” policy-based security management will be required. NAC solutions provide that capability.
  • 物联网设备产生的网络流量将不同于任何现有经验(预计到2021年将有250亿台设备从现在的100亿台设备增加到现在的250亿台),并且无法通过手动方式进行管理(即根据需要对所有警报作出响应,实时或以日志形式扫描流量)。需要基于策略的自动和“预先规定”安全管理。NAC解决方案提供这种能力。
  • The cost of cyber-defense continues to climb higher, and is expected to continue to do so. We don’t even really know how much current cybercrime activity costs us, but a recent, conservative Wall St. Journal estimate puts it at $2T annually in 2017 (other estimates range from $3-$6T, with the higher end of that range expected to be reached by 2021)
  • 网络防御的成本继续攀升,预计将继续攀升。我们甚至不知道目前的网络犯罪活动给我们造成了多大的损失,但最近华尔街日报保守估计,2017年每年的损失为2亿美元(其他估计从3美元到6亿美元不等,预计到2021年会达到更高的水平)。
  • In terms of how much enterprise IT spends on cybersecurity defense products annually, it is estimated that the global cybersecurity spend was $75B in 2015; that is expected to increase to $100B by 2017 YE; and further to $200B by 2020
  • 就企业每年在网络安全防御产品上的支出而言,据估计, 2015年全球网络安全支出为75亿美元; 预计2017年将增加至100亿美元; 到2020年进一步达到200亿美元

In short, attack surfaces are expanding quickly, breaches continue to be a major problem, cybersecurity costs are clearly out of control, and the ability of enterprises to successfully manage these challenges continues to fall short – often in the simplest of ways. Indeed, most major breaches turn out to be the result of operational shortfalls in the area of updating and patching operating systems and various application components. Beyond that: Cisco estimates that even when IT departments are alerted to a potential problem via monitoring and alerting, only 56% of active alerts are actually responded to.

简而言之,攻击面迅速扩大,漏洞仍然是一个主要问题,网络安全成本明显失控,企业成功应对这些挑战的能力仍然不足 - 通常以最简单的方式。实际上,大多数重大漏洞都是由于操作系统和各种应用程序组件的更新和修补方面的操作不足造成的。除此之外:思科估计即使IT部门通过监控和警报提醒潜在问题,实际上只有56%的活动警报得到响应。

Clearly, effective operational management of network-connected devices from a cybersecurity perspective in any organization requires a rigorous and disciplined alignment of the correct tools, technologies, people, and processes. NAC technology provides the key, foundational component necessary for enterprises building a modern, effective cyber-defense framework.

显然,从任何组织的网络安全角度对网络连接设备进行有效的运营管理都需要严格和严格地协调正确的工具,技术,人员和流程。NAC技术为企业构建现代有效的网络防御框架提供了必要的关键基础组件。

NAC As a Key Component of Your Cyber Defense Framework

NAC是您的网络防御框架的关键组成部分

At our current juncture, with cyber assaults already outstripping enterprises’ ability to respond effectively, there is obviously a pressing need to reevaluate cyber defense strategies. For NAC vendors, a very large opportunity exists for making the case for increased NAC adoption. As the total market value for the sector (~$685M in 2017) is expected to approach $1B in the next 3-4 years, it isn’t a question of whether this market will continue to grow but by how much and how quickly. That said, the lion’s share of press on cyber-defense and cyber thought leadership is currently focused on seemingly newer, higher-profile cyber-defense innovations such as SIEM and ML-AI based predictive analytics rather than on network access control. Yet it is increasingly recognized that there is no “one size fits all” answer to constructing an effective cybersecurity defense framework. The market trend is therefore in the direction of integrating tools from across the cybersecurity product spectrum in a way that provides the best solutions for a given enterprise. Given its foundational role in providing for secure network access, NAC needs to be at the forefront of any network cyber defense architecture.

在当前的形势下,网络攻击已经超出了企业有效应对的能力,显然需要重新评估网络防御战略。对于NAC供应商来说,有一个非常大的机会来提出增加NAC采用率的理由。由于该行业的总市值(2017年约为6.85亿美元)预计在未来3-4年内将接近10亿美元,因此这一市场是否会继续增长并不重要,而是取决于增长的幅度和速度。这就是说,媒体对网络防御和网络思想领导的最大份额目前集中在看似更新、引人注目的网络防御创新上,如基于SIEM和ML-AI的预测分析,而不是网络访问控制。然而,人们越来越认识到,没有“一刀切”的办法来构建有效的网络安全防御框架。因此,市场趋势是以一种为特定企业提供最佳解决方案的方式整合网络安全产品系列中的工具。鉴于其在提供安全网络访问方面的基础作用,NAC需要处于任何网络网络防御体系结构的最前沿。

Legacy strategies and tools must be integrated into this new multi-layered cyber defense approach as well. Traditional firewalls, once the primary, if not the only, tool in the security toolkit, are now recognized as inadequate in and of themselves to provide the necessary defensive bulwark. This is because, as with many security approaches, they address just one aspect of the challenge – in this case protecting the network perimeter. However, if ever breached, whether through brute force attack or simple misconfiguration by a network administrator, perimeter security alone cannot prevent an attack from spreading laterally once inside the network itself. Likewise, with simple endpoint security: the moment the endpoint is compromised, all devices connected to the same network become potentially highly vulnerable as well.

传统的战略和工具也必须集成到这种新的多层网络防御方法中。传统防火墙曾经是安全工具包中的主要工具(如果不是唯一的话),现在被认为不足以提供必要的防御屏障。这是因为,与许多安全方法一样,它们只解决了挑战的一个方面——在本例中是保护网络外围。然而,如果有人通过暴力攻击或网络管理员的简单错误配置而破坏,那么仅外围安全就不能阻止攻击在网络内部横向传播。同样,使用简单的终端安全性:当终端受到威胁时,连接到同一网络的所有设备也可能变得非常脆弱。

So while it is widely recognized that a multi-layered, integrated approach needs to be taken to ensure effective cyber-defense, the cybersecurity products marketplace has become glutted with a plethora of competing products, platforms, and contradictory claims. Genians has an opportunity to assist prospective customers by clarifying the key security ingredients that matter most in what has become a very confusing marketplace. For example:

因此,尽管人们普遍认为需要采取多层次、综合的方法来确保有效的网络防御,但网络安全产品市场已经充斥着大量竞争产品、平台和相互矛盾的主张。Genians有机会帮助潜在客户,澄清在这个已经变得非常混乱的市场中最重要的关键安全成分。例如:

  • The emergence of “SDP,” or “Software-Defined Perimeter” as an alternative to NAC. This is misleading as it simply “moves the boundary” by redefining it. Whether software-based, or hardware-oriented, as in the case of traditional firewalls (which is really a combination of hardware and software), perimeter security alone is problematic. There is always the danger of perimeter penetration. SDP is also very new technology, untested in the market, and thus at this point very much an unknown quantity
  • 出现“SDP”或“软件定义周界”作为NAC的替代方案。这是一种误导,因为它只是通过重新定义边界来“移动边界”。无论是基于软件还是面向硬件,例如传统防火墙(实际上是硬件和软件的组合),仅外围安全就存在问题。总是存在着周界渗透的危险。SDP也是一种未经市场测试的全新技术,因此在这一点上,其数量非常未知。
  • CASB, or Cloud-Access Security Brokers, provide security between cloud customers and providers. Features and functionality will vary from one cloud provider to the next, so customers will have to take care to understand what their particular CASB/cloud provider security offering will amount to. Again, security needs to be approached as a complex, multi-faceted challenge, not something that can be addressed with a single solution. In no way should these cloud broker solutions be considered fully-comprehensive defensive frameworks
  • CASB或云访问安全代理在云客户和供应商之间提供安全性。特性和功能因云供应商而异,因此客户必须注意了解其特定的CASB/云供应商安全产品的价值。同样,安全性需要作为一个复杂的、多方面的挑战来处理,而不是一个单一的解决方案可以解决的问题。这些云代理解决方案决不应被视为全面的防御框架。

Summary

总结

Cloud computing brings with it both great flexibility and significantly increased infrastructure complexity. For most enterprises, it is important to keep in mind that “the cloud” will not be a single, monolithic entity, but rather a combined physical/virtual infrastructure platform that will include both on-premise and off-premise components. Indeed, it will very likely include more than one cloud provider. Hence the terms “hybrid” and “multi-cloud” environments.

云计算带来了极大的灵活性和显著增加的基础设施复杂性。对于大多数企业来说,重要的是要记住,“云”不是一个单一的整体,而是一个包含内部和外部组件的物理/虚拟基础设施组合平台。实际上,它很可能包括多个云供应商。因此,术语“混合”和“多云”环境。

Security solutions will need to effectively address this new complexity. NAC, SIEM, and ML/AI-based predictive analytics tools should therefore ideally be employed together in a joint, comprehensive cyber defense solution. NAC can play a primary, critical role in this integrated framework by being leveraged as a conductor to orchestrate all meaningful information emanating from SIEM, analytics, and other security tools to ensure action is taken at the right time and in the right way to mitigate cyber threats to your network.

安全解决方案将需要有效地解决这种新的复杂性。因此,基于nac、siem和ml/ai的预测分析工具最好一起用于联合、全面的网络防御解决方案。NAC可以在这个集成框架中发挥主要的、关键的作用,它可以作为指挥者协调来自SIEM、分析和其他安全工具的所有有意义的信息,以确保在正确的时间以正确的方式采取行动,减轻网络威胁。

In summary, enterprises need to:

总之,企业需要:

  • Reevaluate their Cyber Defense Strategy
  • 重新评估他们的网络防御策略
  • Understand there is No “One Size Fits All” Solution
  • 了解没有“一刀切”的解决方案
  • The Best Approach to “Defense-in-Depth” is Multi-Layered and Integrated
  • “纵深防御”的最佳方法是多层集成
  • Beware of Untried Approaches – “The Shiny New Objects”
  • 谨防未经尝试的方法-“闪亮的新事物”
  • Establish NAC as the Center and Foundation of your Security Framework – Your Cyber Defense Conductor
  • 建立NAC作为您的安全框架的中心和基础——您的网络防御指挥官
全国服务热线

400-6288-116

联系我们

Email: support@leagsoft.com

深圳市南山区高新区软件大厦10层1001-1003

服务热线

400-6288-116

在线咨询

售前咨询

售后咨询

渠道合作

申请试用

公众号

微信扫一扫
关注公众号:Leagsoft

返回顶部
本站由XwebCms技术服务