Access Rights and Access Controls in the LAN-to-WAN Domain

As remote access and the use of VPNs have gained prominence during the pandemic of 2020, so too has the need to ensure remote authentication is working effectively. Do you truly know whether that individual is an employee or a hacker pretending to be an employee? When accessing the network within the office, there is less of a concern. In most corporate offices you have guards, locked doors, badges, and visibility as to who is sitting at the workstation. But over the Internet, how do you know who is on the other side of the wire? To address this concern, many companies require two-factor authentication, also referred to as multifactor authentication, for remote access.

Two-factor authentication requires end users to authenticate their identity using at least two different types of credentials. The most commonly accepted types of credentials are as follows:

  • Something you know—Refers to something only you are supposed to know such as your ID and password combination. Security awareness education should tell you to never share your password with anyone.

  • Something you have—Refers to a unique device that you must have in your physical possession to gain access. An example is a security token that might flash a unique number every 60 seconds. Alternatively, confirmation to log on may be sent to your cell phone.

  • Something you are—Refers to some sort of biometric such as a fingerprint.

Two-factor authentication provides a high level of confidence that the remote user is an employee. This combination of enhanced remote authentication and network VPN connectivity can be a powerful tool to ensure company networks are protected. In the context of the LAN Domain, your organization can exert substantial control over which computers and users can establish connections. The situation is slightly different in the LAN-to-WAN Domain. Although it is still possible to require strict access controls, the design of the LAN-to-WAN Domain includes active connections to a WAN. That means the components in this domain are exposed to the WAN, which in many cases is the Internet.

Internet-facing components are network components in your organization’s IT infrastructure that users can access via the Internet. These components experience a higher number of threats due to this increased visibility. To make matters worse, many enterprise applications that provide Internet connectivity encourage at least some anonymous connections. This exposure to anonymous users makes it more difficult and more important to secure the components in the LAN-to-WAN Domain.

The transitional nature of the LAN-to-WAN Domain calls for collections of controls to meet security needs. You need the ability to evaluate several attributes of a connection request’s source before granting access to your network. You should define different access profiles based on your policies to meet the needs of different types of network users. Network access control (NAC) is a solution that defines and implements a policy that describes the requirements to access your network. NAC defines the rules a connecting node must meet to establish a secure connection with your network. It also allows you to proactively interrogate nodes that request a connection to your network to ensure they don’t pose a risk. You can use NAC to classify connecting nodes based on the level of compliance with your access rules. NAC allows you to evaluate node attributes that include the following:

  • Anti-malware protection

  • Firewall status and configuration

  • Operating system version and patch level

  • Node role and identity

  • Custom attributes for enterprise configuration

You can choose from many products to implement NAC. NAC software alone won’t secure your networks, but it does give you the ability to define and enforce policies that can get you closer to your security goals.
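
The following sketch shows how a NAC policy can classify a connecting node from the attributes listed above. It is an added example, not code from the book or from any NAC product. The profile names ("corporate", "restricted", "quarantine", "deny"), the minimum OS versions, the signature-age limit, and the `disk_encrypted` custom attribute are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy values; a real deployment derives these from its own standards.
MIN_OS_VERSION = {"windows": (10, 0, 19045), "macos": (14, 5, 0)}
ROLE_PROFILES = {"employee": "corporate", "contractor": "restricted"}

@dataclass
class Node:
    identity: Optional[str]          # authenticated user or device identity
    role: str                        # node role reported after authentication
    os_name: str
    os_version: tuple                # (major, minor, build) patch level
    antimalware_running: bool
    signature_age_days: int
    firewall_enabled: bool
    custom: dict = field(default_factory=dict)  # enterprise-specific attributes

def evaluate(node, max_sig_age=7, required_custom=None):
    """Return (access_profile, failed_checks) for one connection request."""
    # Identity and role gate everything else: an unknown node is denied outright.
    if not node.identity or node.role not in ROLE_PROFILES:
        return "deny", ["identity/role"]
    failures = []
    if not node.antimalware_running or node.signature_age_days > max_sig_age:
        failures.append("anti-malware")
    if not node.firewall_enabled:
        failures.append("firewall")
    minimum = MIN_OS_VERSION.get(node.os_name)
    # Fail closed: an operating system the policy does not list counts as non-compliant.
    if minimum is None or node.os_version < minimum:
        failures.append("os-patch-level")
    for key, want in (required_custom or {}).items():
        if node.custom.get(key) != want:
            failures.append("custom:" + key)
    # Known but non-compliant nodes get a remediation-only profile, not full access.
    if failures:
        return "quarantine", failures
    return ROLE_PROFILES[node.role], []

# Constructed sample nodes, not real inventory data.
ALICE = Node("alice", "employee", "windows", (10, 0, 19045), True, 1, True,
             {"disk_encrypted": True})
BOB = Node("bob", "contractor", "macos", (14, 4, 1), True, 2, False,
           {"disk_encrypted": True})
ANON = Node(None, "employee", "windows", (10, 0, 19045), True, 0, True)

if __name__ == "__main__":
    for n in (ALICE, BOB, ANON):
        print(n.identity, evaluate(n, required_custom={"disk_encrypted": True}))
```

Returning the list of failed checks alongside the profile gives the help desk and the audit log the reason a node was quarantined, not just the outcome.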
