Securing IoT devices: Fortinet’s FortiNAC automates the process

Networks access control (NAC) has been a market in the making for almost 15 years, seeing many starts and stops along the way. Despite the promise of making it easier to automate the onboarding of devices, the technology has largely flopped, with vendor after vendor falling by the wayside, making it a classic example of a solution looking for a problem. One would have thought that bring your own device (BYOD) would have been a driver, but security professionals found other ways to safely onboard mobile phones and tablets.

IoT makes NAC a must-have security tool

It appears the long, quixotic journey for NAC has finally ended, though, as the problem of securing Internet of Things (IoT) devices is driving greater interest in NAC and is the exact problem that NAC was designed to solve.

IoT poses some particularly unique challenges for security teams, the biggest of which is the IoT devices are often under the control of the operational technology (OT) teams. This causes a huge issue because the security organization often has no idea what devices are connected to the network they are tasked with securing.

Point in fact: Earlier this year ZK Research conducted a survey that asked, “How confident are you that you are aware of all the IoT devices on the network?” A whopping 64 percent responded either “not at all” or “only a little,” with only 10 percent being “fully confident.” NAC can address this issue, which is why interest in it has skyrocketed. (Note: I am an employee of ZK Research.) 

However, most NAC solutions today offer limited visibility, such as Wi-Fi only, or rely on third-party databases to pull device information. IoT devices are often difficult to identify compared to a PC, iPhone, or printer. Also, most NAC solutions can help find an infected device and quarantine it, but they can’t solve the problem because they lack control of the network.

Fortinet announces availability of FortiNAC

This week, security vendor Fortinet announced its new FortiNAC solution aimed at addressing many of the limitations of current NAC products. FortiNAC came to Fortinet via the acquisition of Bradford Networks made earlier this year and fills a hole in the vendor’s “Security Fabric” story that delivers consistent, end-to-end threat protection.

The strength of FortiNAC is visibility and how it discovers all the endpoints. Instead of relying on a database or endpoint agents, FortiNAC is completely agentless and automates the discovery of endpoints by ingesting a wide range of data sources, such as RADIUS, SNMP, DHCP, LDAP and others, as well as behavioral information. This lets FortiNAC identify over 1,500 device types compared to other solutions that can identify 500 to 1,000.

Also, because it pulls information from a wide range of sources, it can identify devices connected on Wi-Fi or the wired network. The majority IoT devices use Wi-Fi, which is where much of the focus has been from the NAC vendors, but the wired IoT endpoints are used widely in many verticals.

Fortinet

Automated quarantining part of FortiNAC

Once a device is identified and on-boarded, FortiNAC constantly monitors the connected endpoints and can automate the process of quarantining a device when it sees behavior changes to contain the threat. Bradford Networks was designed from the ground up to be multi-vendor and is able to automate the configuration of micro-segmentation on third-party network devices. This prevents the threat from being spread laterally (East-West) once a device has been breached.

A wide range of NAC solutions are available today. What makes Fortinet’s different is the number of devices it can classify and that it’s a holistic solution that not only identifies endpoints, but can also control then and instantly respond to a threat. The pure-play vendors typically don’t have access into the broader set of other technologies, such as SD-WAN and next-generation firewalls. And the end-to-end network vendors typically don’t offer support for third-party vendors, whereas Fortinet is trying to give customers the best of both worlds.

FortiNAC can be deployed standalone or part of Security Fabric

All Fortinet products are designed to be sold as a standalone product or be part of its Security Fabric, and FortiNAC is no different. Over time, I expect to see greater integration into its Fabric, delivering some interesting advanced use cases. For example, the discovery of a breached endpoint could lead to the automated configuration change in a Fortinet’s next-generation firewall to block the threat at the source. Another use case could be using its SD-WAN to extend a network segment to branch offices. 

Fortinet has made the solution available at three levels, enabling customers to “crawl, walk, and then run” with NAC. The licensing tiers are listed below:

• Basic has a list price of $875 and includes visibility into endpoints, automated authentication, and network lockdown via tag segmentation with the firewall.
• Plus license has a list price of $3,500 and includes all Basic capabilities, plus advanced NAC controls and automated provisioning for users, devices, and guests.
• Pro license tier lists at $4,500 and adds real-time endpoint visibility and full network access controls, and it automates threat response and the delivery of contextual information via triage alerts.

The only gap with FortiNAC is that customers require the use of certificate authority. There are many options available, including Fortinet’s own FortiAuthentication service. This is a minor issue, but it’s something customers should keep in mind.

The IoT era has arrived, and the already-difficult-to-secure network is going to get more chaotic and complex. Manual methods no longer work, as devices are being deployed by non-IT staff. The security team must find a way to automate the discovery, control, and enforcement of IoT endpoints. FortiNAC offers an easy-to-deploy solution that has interesting potential as it gets more tightly integrated into its Security Fabric.

Note: Fortinet is a client of ZK Research.