DISA’s STIGs (Layer 2 Switch, WLAN Authentication Server Security) and 802.1x Mandates
When it comes to meeting mandated authentication requirements such as DISA’s Layer 2 Switch STIG, which requires 802.1x authentication to be enabled, your agency may have found that most vendors want to sell a comprehensive – and expensive – solution that entails replacing your existing systems and equipment: systems and equipment that represent a significant investment and that you do not want to retire at this time.
At Pulse Secure, we are vendor agnostic. Our AAA/RADIUS authentication server, which enables 802.1x authentication perfectly, integrates seamlessly with your existing infrastructure via open standards. This integration allows you to keep your current systems in place, accelerating your time to value by lowering your overall total cost of ownership (TCO) and maximizing your return on investment (ROI).
Additionally, with Pulse Secure’s RADIUS solution, you don’t have to enable 802.1x connectivity through complex, multi-tiered solutions requiring significant network redesign. Connectivity is enabled via existing capabilities on your endpoints, such as PCs, phones, and servers, in conjunction with settings enabled in your existing network switch or wireless access point. Everything then flows through the RADIUS server to ensure compliant authentication.
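To make the "everything flows through the RADIUS server" step concrete, here is an added example (not Pulse Secure code, and not any specific product's implementation) of the RADIUS exchange between a switch or access point (the NAS) and an authentication server, as defined in RFC 2865: the NAS sends an Access-Request carrying a random Request Authenticator, the server answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply plus the shared secret, and the NAS refuses to act on any reply that does not verify. The 802.1x EAP payload (EAP-Message/Message-Authenticator attributes) is deliberately not modelled; the shared secret, identifiers and attribute values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT, ATTR_REPLY_MESSAGE = 1, 5, 18


def attribute(attr_type, value):
    """Encode one TLV attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code, identifier, authenticator, attributes):
    """Assemble Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def access_request(identifier, username, nas_port, request_authenticator=None):
    """What the NAS (switch/AP) sends; the Request Authenticator is a fresh random nonce."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    return packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def server_response(code, request, attributes, secret):
    """What the RADIUS server returns: a reply bound to the request's nonce and the shared secret."""
    identifier = request[1]
    auth = response_authenticator(code, identifier, request[4:20], attributes, secret)
    return packet(code, identifier, auth, attributes)


def nas_verify(response, request, secret):
    """NAS check before opening or closing the port: matching identifier, sane length, valid authenticator."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    # Constant-time compare so a wrong secret or a tampered reply is rejected without a timing leak.
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; in practice provisioned on both NAS and server
    req = access_request(7, "camera-01", nas_port=3)
    accept = server_response(ACCESS_ACCEPT, req, attribute(ATTR_REPLY_MESSAGE, b"ok"), secret)
    print("accept verifies:", nas_verify(accept, req, secret))
    print("accept with wrong secret verifies:", nas_verify(accept, req, b"other-secret"))
```

The point for an auditor is the last two lines: the same Access-Accept is accepted with the provisioned secret and rejected with any other, which is why the shared secret between every switch and the RADIUS server must be unique per NAS and managed like a credential.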
The Internet of Things (IoT) is here – and it is expanding at lightspeed. IoT devices require network access but have software updates and configuration settings established by the manufacturer that limit the ability to harden the device. The US Department of Homeland Security (DHS) has stated that IoT brings “multiple opportunities for malicious actors to manipulate the flow of information to and from network connected devices.” DHS further advocates that agencies define network access controls to limit IoT devices to specific ports and to structure network permissions related to the IoT device’s use.
Pulse Secure supports government IoT initiatives by combining device profiling with role-based access controls to define appropriate use policies. Pulse Profiler, founded on the RADIUS server, assesses each IoT device in terms of its role and rights: that is, what the device is, what it should be doing, and where it should be connecting. For example, a video camera should only connect to its video console. If it starts making connections elsewhere in the network, that raises a red flag. Profiling, therefore, provides network access control for the IoT.
Additionally, Pulse Policy Secure automatically detects and classifies IoT devices and puts them into the administratively-defined IoT network. The solution also offers sponsor-based IoT device access where the sponsor can approve or deny IoT devices based on corporate policies. If Pulse Policy Secure detects a changed IoT profile or a compromised IoT device, it will automatically take enforcement actions to put devices into quarantine or into an isolated network.
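The two paragraphs above describe three decisions a profiling-based NAC makes: allow a device whose traffic matches its role, hold an unknown device for sponsor approval, and quarantine a device whose profile changes or that reaches beyond its role (the camera that starts talking to something other than its video console). The following is an added example in Python of that decision logic, not Pulse Profiler or Pulse Policy Secure code; the inventory, role policy, fingerprints and flow records are all constructed for the example, and a real deployment would feed it from the profiler's database and the switch or firewall flow export.

```python
from collections import defaultdict

# Constructed inventory produced by profiling: MAC -> (role, expected DHCP/fingerprint string).
INVENTORY = {
    "00:11:22:33:44:01": ("video-camera", "cam-fw-2.1"),
    "00:11:22:33:44:02": ("video-camera", "cam-fw-2.1"),
    "00:11:22:33:44:03": ("printer", "printer-fw-7"),
}

# Constructed role policy: the only (destination, port) pairs a role is expected to use.
ROLE_POLICY = {
    "video-camera": {("10.20.0.5", 554)},                     # its video console only (RTSP)
    "printer": {("10.20.0.20", 9100), ("10.20.0.21", 53)},    # print server and DNS
}

# Constructed flow records: <time> <src_mac> <fingerprint> <dst_ip> <dst_port>
FLOW_LOG = """\
2024-05-01T08:00:01 00:11:22:33:44:01 cam-fw-2.1 10.20.0.5 554
2024-05-01T08:00:05 00:11:22:33:44:02 cam-fw-2.1 10.20.0.5 554
2024-05-01T08:00:09 00:11:22:33:44:02 cam-fw-2.1 10.20.0.30 445
2024-05-01T08:01:00 00:11:22:33:44:03 generic-os 10.20.0.20 9100
2024-05-01T08:01:30 00:11:22:33:44:04 cam-fw-2.1 10.20.0.5 554
"""


def parse_flows(text):
    """Turn the constructed flow-record lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, fingerprint, dst, port = line.split()
        flows.append({"ts": ts, "mac": mac.lower(), "fp": fingerprint, "dst": dst, "port": int(port)})
    return flows


def decide(flows, inventory=INVENTORY, policy=ROLE_POLICY):
    """Return {mac: (decision, reasons)} with decision in allow / quarantine / sponsor-review."""
    by_mac = defaultdict(list)
    for flow in flows:
        by_mac[flow["mac"]].append(flow)

    decisions = {}
    for mac, device_flows in by_mac.items():
        if mac not in inventory:
            # Never-seen device: keep it in the onboarding network until a sponsor approves or denies it.
            decisions[mac] = ("sponsor-review", ["unknown device awaiting sponsor decision"])
            continue
        role, expected_fp = inventory[mac]
        allowed = policy.get(role, set())
        reasons = []
        for flow in device_flows:
            if flow["fp"] != expected_fp:
                # The device no longer looks like what it was profiled as (possible spoof or compromise).
                reasons.append(f"{flow['ts']} profile changed: {expected_fp} -> {flow['fp']}")
            if (flow["dst"], flow["port"]) not in allowed:
                # Traffic outside the role, e.g. a camera reaching something other than its console.
                reasons.append(f"{flow['ts']} {role} reached {flow['dst']}:{flow['port']} outside its role")
        decisions[mac] = ("quarantine", reasons) if reasons else ("allow", [])
    return decisions


if __name__ == "__main__":
    for mac, (decision, reasons) in sorted(decide(parse_flows(FLOW_LOG)).items()):
        print(mac, decision, *reasons, sep="  ")
```

With the constructed records, camera 01 is allowed, camera 02 is quarantined for the out-of-role SMB connection, the printer is quarantined because its fingerprint no longer matches the profile, and the unknown MAC 04 is held for sponsor review; the decision tuple is what an enforcement hook would translate into a VLAN move or a RADIUS Change-of-Authorization.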
Comply to Connect demands that any endpoint be vetted against established security requirements prior to connecting to your agency’s network. Some vendors enable Comply to Connect in an agentless mode. At Pulse Secure, we recommend the implementation of a Pulse Secure agent for government agencies aligning with Comply to Connect directives. The following table shows the top three reasons for this recommendation.