Most organizations lock down access to Wi-Fi but rely on physical security and static segmentation as the main defense for the wired network. This blog is the first in a three-part series that explores why this practice is so common today, the risks of this approach, and what alternatives exist.
Let me start with a scenario I often present when I talk to clients:
"I want to get inside your building." Toward the end of the lunch hour, I find a group of employees returning to the office and walk in with them. I am wearing a badge that looks like your company's, I have one hand full and I am talking on the phone with the other. Will the employees hold the door open for me?
Most of the time, the answer is yes. Sometimes I hear about turnstiles or other single-person access controls, along with assurances that this scheme will never work. I'll leave it at this: sit in on the Social Engineering Village at DEFCON at some point, or attend a red team or physical-security conference talk, and listen to the many ways people have worked their way into some of the most secure spaces. It is fascinating.
Why do I mention this? Because even though we have been locking down Wi-Fi access for more than 15 years, most organizations still rely on physical security and static segmentation by port as the main defenses for the wired network. If you can find a port, you can connect. And if you can find an unused port, it takes only a few seconds to plug a remote-access device into it, which lets you get in and out in a matter of minutes.
My brother works in physical security for a well-known technology company, and once I asked him: "If you were walking in a building and you found yourself with a small white box connected to a network port, what would you do about it?" His response did not surprise me: "I would probably assume that I was supposed to be there and move on."
With today's advanced threats spread through phishing and malicious email, this problem extends to your own employees and contractors, who enter the environment and connect for valid reasons. These people are granted physical access and are, in fact, allowed to connect to the wired network for business purposes. Malware can sit persistently and undetected on a device, waiting for network access to find ways to move further in.
Port-based security is no longer enough
In most environments, the current state is that once someone connects to the wired network, access control (if any) is based primarily on the port. The port a device connects to dictates its VLAN, which in turn dictates the upstream firewall policy or ACL that its traffic passes through.
Many organizations employ tools beyond firewalls to help detect and prevent threats that may be inside the network, from endpoint detection and response (EDR) to intrusion prevention systems (IPS) to next-generation AI/ML-based tools. The problem is that all of this detection and response kicks in only after a device or user has already connected and been granted some level of access for a period of time. Most, if not all, security devices sit several hops away from where users and devices connect, creating significant blind spots in visibility and control. Add to this the tremendous operational load of all the moves, adds and changes, with manual edits to ACLs and VLANs whenever a user or device moves to a different port. Isn't there a better way?
With advanced threats and today's adversaries masking their activity as normal user and device behavior, and with the constant threat of social engineering, we have to ask ourselves how much a bad actor can do before the security apparatus detects and blocks the threat. Keep in mind that average dwell times for threats are in the range of 100 days or more (depending on the study you read); that is a LOT of rope to give an adversary. Part of the blame lies in the visibility and control gaps that exist within the network. Security teams need a certain level of visibility and control to help combat these threats by detecting and eliminating them more quickly, and in some cases by preventing them before they spread.
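One modest way to close part of that visibility gap while a wired access-control rollout is still being planned is to compare what the switches have actually learned against a port inventory. The script below is an added example, not code from the original post or from Aruba: it flags MAC addresses learned on ports the inventory records as unused, and unexpected vendor prefixes on assigned ports. The inventory, the OUI allowlist and the MAC-table lines are all constructed, and the line format only loosely mimics a "show mac address-table" dump.

```python
# Added example, not code from the original post: flag MACs learned on wired
# ports that the port inventory says are unused, or with an unexpected vendor
# prefix on an assigned port. The inventory, OUI list and MAC-table lines are
# constructed; the line format only loosely mimics a "show mac address-table".
import re

# Constructed port inventory: expected owner per port, None = unused but enabled.
PORT_INVENTORY = {
    "Gi1/0/1": "printer-3f",
    "Gi1/0/2": "alice-desktop",
    "Gi1/0/3": None,
}
# Constructed allowlist of vendor OUIs (first three octets) used on corporate gear.
KNOWN_OUI = {"00:1b:78", "3c:52:82"}

MAC_TABLE_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+DYNAMIC\s+(?P<port>\S+)"
)

def normalize_mac(dotted: str) -> str:
    """Turn 'aabb.ccdd.eeff' into 'aa:bb:cc:dd:ee:ff'."""
    raw = dotted.replace(".", "").lower()
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def review_mac_table(lines, inventory=PORT_INVENTORY, known_oui=KNOWN_OUI):
    """Return (port, mac, reason) tuples for entries worth a human look."""
    findings = []
    for line in lines:
        m = MAC_TABLE_LINE.match(line)
        if not m:
            continue  # header or blank line
        port, mac = m.group("port"), normalize_mac(m.group("mac"))
        if port not in inventory:
            findings.append((port, mac, "port missing from inventory"))
        elif inventory[port] is None:
            findings.append((port, mac, "device on port recorded as unused"))
        elif mac[:8] not in known_oui:
            findings.append((port, mac, "unexpected vendor OUI on assigned port"))
    return findings

# Constructed sample dump: two expected devices and one stranger on Gi1/0/3.
SAMPLE_MAC_TABLE = """
Vlan    Mac Address       Type        Ports
  10    001b.7812.3456    DYNAMIC     Gi1/0/1
  10    3c52.82aa.bbcc    DYNAMIC     Gi1/0/2
  20    b827.eb11.2233    DYNAMIC     Gi1/0/3
""".splitlines()
if __name__ == "__main__":
    for port, mac, reason in review_mac_table(SAMPLE_MAC_TABLE):
        print(f"{port} {mac}: {reason}")
```

A check like this only sees a device after it has connected and is no substitute for port authentication, but it turns the "small white box on an unused port" from something nobody notices into a ticket someone has to close.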
Why do wired networks remain open?
I am sure that many of you already understand this concern. So why do wired networks remain open? From conversations with many clients, it seems the worry is the complexity and the operational and user-facing cost of implementing an access control solution on the wired network. The concern centers on adding complexity for users, who must then navigate a security policy, which in turn creates an additional operational burden to resolve the resulting problems. On the operational side there are also questions about the unknown: if technologies such as RADIUS authentication have never been used or enabled on the wired network, and the wired network works fine today, what operational impact will turning on more functionality have?
These are all valid concerns, but concerns that have solutions.
About the Author
Jon Green is vice president and chief security technologist at Aruba, a Hewlett Packard Enterprise company. He is responsible for providing technology guidance and leadership for all security solutions, including …