The increasing number of security breaches and data-loss events, combined with the proliferation of unmanaged devices, has led many organizations to turn to network access control (NAC) as a means of monitoring non-corporate assets that regularly connect to their networks. NAC technology provides the ability to authenticate all users as they join a network, and to ensure their endpoint devices meet minimum network security and compliance requirements.
However, while NAC has always helped isolate rogue devices, it has often failed to identify and classify the majority of non-computing devices on the same network.
Sometimes referred to as "dumb devices," non-compute endpoints such as IP phones and printers are notoriously difficult to track and classify. Security professionals increasingly fail audits due to these devices, which may allow a user to spoof resources, bypass controls, and gain unauthorized network access. Moreover, the lack of an endpoint discovery strategy for these devices results in device records being managed by different software and showing up in a variety of databases.
Endpoint fingerprinting is a way around this problem. Endpoint fingerprinting enables NAC products to discover, classify and monitor non-traditional network endpoints by collecting their IP and MAC addresses and validating them against a company's authentication, authorization and accounting control servers to confirm their classification or device type and their location on the network.
When used as an add-on feature with NAC products, Forrester Research believes endpoint fingerprinting can help automate the security profiling and operational management of network attached endpoints like IP phones, HVAC systems, badge readers, IP surveillance cameras, and smart meters sprawling throughout a network. Many of today's NAC vendors either have endpoint fingerprinting built into their product sets or partner with another vendor to license the technology.
Step 1: Identify the right scenario
Before turning on any discovery or monitoring features, decide what you want to accomplish. In short, what is the key problem or problems you need to solve? If the network is static – meaning a large number of existing endpoints that are not identified or that are logged in disparate places – start with discovery features. If you have a dynamic network – meaning new devices regularly appear on your network – plan for endpoint monitoring.
Step 2: Create a device inventory
IT security and operations staff can cut weeks of manual labor by turning on device discovery and inventory. Why? Essentially, this feature automatically crawls the network and finds all connected endpoints, including compute and non-compute, authenticated and non-authenticated. The result is a centralized device inventory. It's not uncommon for a large enterprise to have at least as many non-compute devices as traditional compute devices, if not two or three times as many.
Step 3: Determine location and verify identity
The next step is to augment this inventory of existing and new devices with a topology that includes location and identity. Initially, you can collect static and dynamic IP and media access control (MAC) addresses. However, as you fine-tune the environment, you will be able to draw on ARP table, print service, and Web server information to gather additional detail about each device.
Once the endpoint fingerprinting system has collected IP and MAC addresses, it then compares this information with authentication, authorization, and accounting servers via LDAP to determine location and verify device identity. This allows a network security team to monitor any changes in access. If a device is removed and another device is connected to that port, the change is flagged and an alert is sent to the management system.
Step 4: Monitor and send alerts
Ongoing monitoring can be extremely valuable for any organization with a dynamic environment, in which device NICs and operating systems change often. Not only does this feature detect MAC spoofing, insertion of hubs, port swapping, and changing profiles, but it can also be deployed in various modes. For example, you can create profiles to select modes of operation from Layer 2 to Layer 7, collect NetFlow data or integrate with SNMP for advanced monitoring.
Endpoint fingerprinting is also useful in virtual environments where workloads are shared on a single physical endpoint and are often being moved around dynamically. If this is the case, Forrester recommends that organizations choose services like VMware Inc.'s VMotion or Xen's Life Motion. Moreover, if those organizations have existing security information and event management (SIEM) or intrusion prevention system (IPS) appliances on the network, this sort of monitoring will be remarkably helpful because it can send alerts to these systems and correlate the information.
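The following added example, written for this article and not taken from any NAC vendor's product, ties Steps 2 through 4 together in a toy form: it keeps a port-to-MAC inventory, checks each discovered MAC against a constructed stand-in for the AAA directory (the LDAP lookup described above), and emits the alerts Step 4 lists (unknown device, wrong location, port swap, hub insertion, duplicate MAC). The directory contents, port names and addresses are all constructed sample data.

```python
from collections import defaultdict

# Constructed stand-in for the AAA/LDAP directory: MAC -> (device type, expected switch port).
AAA_DIRECTORY = {
    "00:1a:2b:3c:4d:01": ("ip_phone", "sw01/Gi1/1"),
    "00:1a:2b:3c:4d:02": ("printer", "sw01/Gi1/2"),
    "00:1a:2b:3c:4d:03": ("badge_reader", "sw01/Gi1/3"),
}

class Inventory:
    def __init__(self):
        self.bindings = {}  # Step 2: centralized inventory, port -> MAC last seen on that port

    def observe(self, observations):
        """Ingest one discovery pass, a list of (port, mac, ip), and return alert strings (Step 4)."""
        alerts, by_port, by_mac = [], defaultdict(set), defaultdict(set)
        for port, mac, ip in observations:
            by_port[port].add(mac)
            by_mac[mac].add(port)
            # Step 3: verify identity and expected location against the directory.
            dev_type, expected = AAA_DIRECTORY.get(mac, ("unclassified", None))
            if dev_type == "unclassified":
                alerts.append(f"UNKNOWN_DEVICE port={port} mac={mac} ip={ip}")
            elif expected != port:
                alerts.append(f"LOCATION_MISMATCH mac={mac} type={dev_type} port={port} expected={expected}")
        for port, macs in by_port.items():
            if len(macs) > 1:  # several MACs behind one access port: hub or unmanaged switch inserted
                alerts.append(f"HUB_SUSPECTED port={port} macs={sorted(macs)}")
                continue
            (mac,) = macs
            prev = self.bindings.get(port)
            if prev is not None and prev != mac:  # known device unplugged, something else plugged in
                alerts.append(f"PORT_SWAP port={port} old_mac={prev} new_mac={mac}")
            self.bindings[port] = mac
        for mac, ports in by_mac.items():
            if len(ports) > 1:  # one MAC on two ports in the same pass: likely MAC spoofing
                alerts.append(f"MAC_SPOOF_SUSPECTED mac={mac} ports={sorted(ports)}")
        return alerts

def demo():
    # Constructed passes: a clean baseline, then a swapped printer and a cloned phone MAC on a new port.
    inv = Inventory()
    baseline = [("sw01/Gi1/1", "00:1a:2b:3c:4d:01", "10.1.2.11"),
                ("sw01/Gi1/2", "00:1a:2b:3c:4d:02", "10.1.2.12"),
                ("sw01/Gi1/3", "00:1a:2b:3c:4d:03", "10.1.2.13")]
    first = inv.observe(baseline)
    second = [baseline[0], ("sw01/Gi1/2", "aa:bb:cc:dd:ee:ff", "10.1.2.12"), baseline[2],
              ("sw01/Gi1/4", "00:1a:2b:3c:4d:01", "10.1.2.44")]
    return first, inv.observe(second)
```

In a real deployment the alert strings would be forwarded to the SIEM or IPS mentioned above rather than returned to the caller, and the directory lookup would be an LDAP query instead of a dictionary.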
Endpoint fingerprinting is a must-have technology for the enterprise security professional's toolkit. Often NAC cannot perform a comprehensive scan of all an organization's IP-connected endpoints. And asset management tools are too broad to include specific policies for printers, IP phones, HVAC systems, and so on. Endpoint fingerprinting gets around these other technologies' shortcomings and especially helps NAC deployments by discovering, classifying and monitoring IP-enabled endpoints.
About the author:
Usman Sindhu is a researcher at Cambridge, Mass.-based Forrester Research, where he serves security and risk professionals. He will be speaking at the Forrester Research 2010 Security Forum in Boston, Sept. 16-17.
This was first published in June 2010