ClearPass allows you to safely connect business and personal devices to your network in compliance with your security policies. It allows you to grant full or limited access to devices based on users’ roles, device type, and cybersecurity posture.

This solution leverages the next plan:

Identify

With this new demand for network access, the burden on your IT department has increased exponentially and it’s not just laptops and smartphones that should be on your radar. IoT devices, printers, and even surveillance cameras are connecting to companies’ wireless networks.

ClearPass helps you identify which devices are being used, how many are connected to your network, where they’re connecting from, and which operating systems are supported. It gives you continuous visibility into changes on your network, including which devices are connecting and disconnecting.

When you need device-specific information, you can easily identify a device’s:

• Type and model name
• MAC address
• IP address
• NIC vendor
• OS and version number
• VLAN

Enforce

Enforcing network policies can pose a huge challenge to IT departments. When an employee wants to add a new device to the network, they often have to go through extensive IT protocols. They may even need someone from IT to walk them through the process.

ClearPass allows you to enforce policies during the onboarding of new devices without any involvement from your IT department – whether it’s a laptop, smartphone, or security camera. A built-in certificate authority lets you support devices more quickly without any additional IT resources.

Your IT team will simply need to establish your foundation of security and write rules that define:

• Who can onboard a device
• The type of device users can onboard
• How many devices each user can onboard

You can then enforce access a number of ways. You can use a portal, or you can use the more secure and preferred method that uses encryption in the authentication process. After devices are granted access, ClearPass uses active and passive profiling methods to monitor your network and keep it safe.

Protect

The health of individual devices connected to your network is an essential component of network security. With ClearPass OnGuard, your IT team can define the “level of health” a device must have in order to gain network access.

This solution automatically conducts critical endpoint health checks and posture assessments to ensure that all devices are compliant with your requirements (and industry best practices). It works for both wired and wireless networks.

ClearPass also offers a variety of third-party integrations (which we’ll touch on shortly). These integrations empower you to implement dynamic policy controls and threat remediation. You’ll have real-time insight into the activity on your network, equipping you to identify and address any threats that may present themselves.
After all, you have to be prepared to take action if you discover unusual network behavior. That requires establishing a unified approach that can block traffic and disconnect devices when necessary – even in the middle of the night.

Integrate

The right network security solution must be comprehensive and that often requires you to create a seamless solution comprised of several different platforms.

Aruba ClearPass Exchange integrates with over 25 IT partners – the vast majority of your current technology and security stacks - to ensure that every element of your system is working without issue.

These third-party technology systems could include:

• Firewalls
• Enterprise mobility management (EMM)
• Mobile device management (MDM)
• Security information and event management (SIEM)

Whichever platforms you use (or are considering), they will work with ClearPass’ REST-based APIs, Syslog messaging, and extensions repository. Your collective solution will deliver end-to-end policy enforcement and the visibility you need to keep your network secure.

 

Source: inbound.kelsercorp.com/blog/what-is-aruba-clearpass-and-how-does-it-protect-your-network

Features and benefits Control all access from one place Simplify access across wired, wireless, and VPN connections. Policies are cascaded across all types of access points and enforced by Cisco TrustSec software-defined segmentation.  Users and devices are shown in a simple, flexible interface. ISE shares details through the Cisco Platform Exchange Grid (pxGrid) with partner platforms to make them user, device, and network aware. Stop and contain threats Reduce risks and contain threats by dynamically controlling network access. ISE can assess vulnerabilities and apply threat intelligence. It can also contain a suspicious device for remediation. We call this Cisco Rapid Threat Containment.

The Cisco Identity Services Engine (ISE) offers a network-based approach for adaptable, trusted access everywhere, based on context. It gives you intelligent, integrated protection through intent-based policy and compliance solutions. And it is all delivered with streamlined, centralized management that lets you scale securely in today's market.

Username is a key element in determining access to a network. Username can also help you alert you users to potentially suspicious activity with their devices. It answers the all-important question of who is connected to your network.

The Cisco Identity Services Engine (ISE) Passive Identity Connector centralizes, consolidates, and distributes identity information, including IP addresses, MAC addresses, and usernames. At the same time it offloads work from key infrastructure such as Microsoft Active Directory.

Many servers on the network are active participants in user authentication. They take user credentials and either verify them or look them up in a dedicated repository such as Active Directory. Rather than being actively involved in user authentication, the Passive Identity Connector listens to the various authentication servers on the network. It centralizes the authentication information, becoming the single source of truth for its subscribers.

The Passive Identity Connector distributes the session identity information to other devices on the network that are natural consumers of such information. These devices include firewalls, web security appliances, and traffic analyzers. Using the Cisco Platform Exchange Grid (pxGrid), the Cisco ISE Passive Identity Connector can support up to 20 subscribers.

Features:

• Centralized information
• Improved performance
• Syslog server support
• Active Directory support
• Kerberos SPAN support
• Endpoint probes
• Active Directory agent
• Support for custom APIs
• Citrix Terminal Server support
• High availability
• Migration support
• Virtual machine support
• Scalability

Benefits:

• Consolidates data from multiple authentication sources, eliminating the need for every system that requires authentication data to interact with every authentication source
• Eliminates the burden on an often-overtaxed infrastructure with a single system that caches data for other authentication data consumers
• Gathers authentication data from systems that support syslog
• Gathers authentication data from Active Directory through the Microsoft Windows Management Interface (WMI)
• Gathers Active Directory authentication data from switches supporting Kerberos SPAN
• Understands when endpoints log off
• Gathers authentication data from up to 10 Microsoft Active Directory domain controllers
• Gathers authentication data from systems that support a custom interface
• Gathers authentication data from Citrix Terminal Server
• Supports active/passive redundancy
• Customers may upgrade from the Cisco ISE Passive Identity Connector to Cisco ISE, adding the Passive Identity Connector node to an existing Cisco ISE cluster.
• Supports KVM, VMware, and Hyper-V
• Tailored to fit your organization with support for 3,000 and 300,000 sessions

CounterACT agentless technology discovers, classifies and assesses devices. CounterACT interrogates the network infrastructure to discover devices as they connect to the network. Our customers have reported seeing up to 60% more devices on their network than previously known. After discovering a device, CounterACT uses a combination of passive and active methods to classify the device according to its type and ownership. Based on its classification, CounterACT then assesses the device security posture and allows organizations to set policies that establish the specific behavior the device is allowed to have while connected to a network.

At ForeScout, we don’t believe in artificial barriers that limit your options and force vendor lock-in. CounterACT works with leading network infrastructure, third-party security and IT management solutions. It also offers flexible deployment and configuration options to match your company’s specific needs. Choose physical or virtual deployments or both, and centrally manage them with CounterACT Enterprise Manager.

Several features set CounterACT apart:

 

• Agentless: No endpoint agents are required for authentication and network access control, allowing CounterACT to see and control managed, unmanaged and IoT devices.
• Open interoperability: CounterACT works with popular switches, routers, VPNs, firewalls, endpoint operating systems (Windows®, Linux, iOS®, OS X and Android), patch management systems, antivirus systems, directories and ticketing systems—without infrastructure changes or upgrades.
• Security orchestration: Optional modules orchestrate information sharing and policy-based security enforcement between CounterACT and leading IT and security management products.
• 802.1X authentication, or not: Choose 802.1X or other authentication technologies such as LDAP, Active Directory, RADIUS, Oracle and Sun. Hybrid mode lets you use multiple technologies concurrently.

The proliferation of Internet of Things (IoT) devices, has made it necessary for organizations to improve their visibility into what is attached to their networks. They need to know every device and every user accessing their networks. IoT devices enable digital transformation initiatives and improve efficiency, flexibility, and optimization. However, they are inherently untrustworthy, with designs that prioritize low-cost over security. FortiNAC provides the network visibility to see everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated responses. FortiNAC Product Details: The IoT revolution has raised a new challenge for network owners. How can you see and protect against a myriad of devices showing up on the network? Network Access Control has come back to the forefront of security solutions to address that challenge. This technology was deployed to assist with bring-your-own-device (BYOD) policies and is now getting renewed focus as a means to safely accommodate headless IoT devices in the network. FortiNAC enables three key capabilities to secure IoT devices:

• Network visibility to see every device and user as they join the network
• Network control to limit where devices can go on the network
• Automated response to speed the reaction time to events from days to seconds

Collectively, these three capabilities provide the tools that network owners need to secure a world that is embracing IoT. The FortNAC solution protects both wireless and wired networks with a centralized architecture that enables distributed deployments with automated responsiveness. FortiNAC Models and Specifications The FortiNAC product line includes hardware appliances, virtual machines and licenses.  The licenses can run on either the hardware appliance or the virtual machine.  Each FortiNAC deployment requires both a Control and Application server.  Note that if your deployment is larger than what a single server can support, you can stack servers for more capacity.  The FortiNAC solution has no upper limit on the number of concurrent ports it can support. You can find more details here.

Сеть организации является ее жизненной силой. В случае нападения без надлежащей защиты жизненно важные активы в сердце организации подвергаются риску. Сложность и серьезность киберугроз возрастает и будет только ухудшаться. Крайне важно, чтобы организации внедрили правильную сетевую защиту, чтобы обеспечить безопасную платформу для пользователей и приложений для выполнения их разрешенных критических функций. По мере того, как организации продолжают стремиться к постоянному сближению, везде возникают информационные среды, такие как BYOD, социальные сети, мобильные устройства и Интернет вещей (IoT), и возникают новые проблемы безопасности сети. Прогресс в методах атаки переводит угрозы от социальной инженерии, DDoS и украденных учетных данных на новый уровень серьезности. Злоумышленники будут продолжать разрабатывать новые методы для эксплуатации сетей, распространения вредоносных программ и кражи данных клиентов. Построение наилучшей защиты и постоянная бдительность необходимы для уменьшения уязвимости. Организациям необходимо рассмотреть все возможные сценарии, чтобы предотвратить проникновение вредоносного кода в сеть. Продукты Patriot Network Security Расширенные угрозы, с которыми сталкивается ваша сеть, сложны и многочисленны. Патриот сотрудничает с лучшими в своем классе технологиями от брандмауэров следующего поколения и унифицированного управления угрозами благодаря расширенной защите от вредоносных программ и безопасности электронной почты. Мы внедряем эти решения в сочетании друг с другом для создания цельной, комплексной платформы сетевой безопасности с стратегией углубленной защиты. Intrusion Prevention Systems (IPS) Продукты IPS могут помочь защитить вашу физическую и виртуальную сетевую среду от угроз нулевого дня и других вредоносных атак. Firewall/Unified Threat Management Patriot предлагает продукты брандмауэров следующего поколения, которые позволяют нам предоставлять вам новейшие возможности защиты, включая проверку приложений и веб-фильтрацию. Эти продукты также предоставляют традиционные возможности, которые вы ожидаете найти в любом брандмауэре, включая фильтрацию пакетов и виртуальные частные сети (VPN). Предлагаемые нами решения брандмауэров также могут стать основой решения UTM, позволяющего отслеживать угрозы во всей организации и выполнять множество различных функций безопасности с единой простой в управлении платформой. Network Access Control (NAC) Продукты NAC позволяют создавать и применять политики конечных точек в масштабах предприятия, чтобы вы могли быть уверены, что нужные люди - и только подходящие - смогут легко подключаться к вашей сети и получать доступ только к той информации, которую им разрешено просматривать. Использование продукта NAC также позволяет устанавливать политики управления мобильными устройствами (MDM). В результате ваши сотрудники могут оставаться на связи и работать, используя свои мобильные устройства. Advanced Malware Protection Усовершенствованная защита от вредоносных программ позволяет обнаруживать и устранять вредоносные программы в вашей сети, прежде чем они могут привести к сбою или удалению данных. Эти продукты также имеют возможность отслеживать подозрительную активность в виртуальных сетях и защищать устройства, даже если они не подключены к сети. Email, Web and Domain Name Security С помощью продуктов для защиты электронной почты, Интернета и доменных имен вы можете отслеживать и фильтровать всю электронную почту и веб-трафик на предмет подозрительной активности, включая спам и распределенные атаки типа «отказ в обслуживании». В результате вы сможете обеспечить беспрепятственный поток всей электронной почты и веб-трафика в обоих направлениях, сохраняя связь между вашей организацией и ее заинтересованными сторонами. Комплексное решение для обеспечения безопасности сети может помочь вам:

• Оставаться на связи с сотрудниками, партнерами и клиентами
• Придерживаться применимых правил соответствия ИТ
• Держать все данные и инфраструктуру защищенными от злонамеренных атак
• Включить мобильность и виртуализацию в вашей организации
• Избегать бесполезного устранения вредоносного ПО и системных сбоев

An organization’s network is its lifeblood. If attacked, without the right protection in place, vital assets at the heart of the organization are at risk. The complexity and severity of cyber threats are increasing and is only going to get worse. It is critical that organizations put the right network protections in place to ensure a secure platform exists for users and applications to perform their permitted critical functions. As organizations continue to trend towards always connected, information everywhere environments from the likes of BYOD, social, mobile and the Internet of Things (IoT) new concerns for network security arise. The advancement in attack techniques is taking threats from social engineering, DDoS and stolen credentials, to new levels of severity. Attackers will continue to develop new techniques to exploit networks, distribute malware, and steal customer data. Building the best defense possible and constant vigilance are required to reduce vulnerability. Organizations need to look at every possible scenario to keep malicious code from infiltrating the network. Patriot Network Security Products The advanced threats facing your network are complex and numerous. Patriot partners with best-in-class technologies from next-generation firewalls and unified threat management through advanced malware protection and email security. We deploy these solutions in combination with one another to build a seamless, end-to-end network security platform with a defense-in-depth strategy. Intrusion Prevention Systems (IPS) IPS products can help keep your physical and virtual network environment safe from zero-day threats and other malicious attacks. Firewall/Unified Threat Management Patriot offers next-generation firewall products, allowing us to provide you with the latest protection capabilities, including application inspection and web filtering. These products also provide the traditional capabilities you would expect to find in any firewall, including packet filtering and virtual private networks (VPNs). The firewall solutions we offer can also form the basis of unified threat management (UTM) solution, giving you the ability to track threats throughout the organization and perform many different security capabilities, all from a single easy-to-manage platform. Network Access Control (NAC) NAC products allow you create and enforce enterprise-wide endpoint policies so that you can be sure that the right people—and only the right people—are able to connect to your network easily and access only the information they are authorized to view. Using a NAC product also allows you to institute mobile device management (MDM) policies. As a result, your employees can stay connected and productive while using their mobile devices. Advanced Malware Protection Advanced malware protection allows you to detect and address malware in your network before it can cause disruption or exfiltrate data. These products also have the ability to monitor for suspicious activity within virtual networks and protect devices even when they are not connected to the network. Email, Web and Domain Name Security With email, web and domain name security products, you can monitor and filter all email and web traffic for suspicious activity, including spam and distributed denial of service attacks. As a result, you’ll be able to ensure that all your email and web traffic can continue to flow freely in both directions, keeping your organization connected with its stakeholders. An integrated network security solution can help you:

• Stay securely connected with employees, partners and customers
• Adhere to applicable IT compliance regulations
• Keep all data and infrastructure protected from malicious attacks
• Enable mobility and virtualization across your organization
• Avoid time-wasting malware remediation and system outages

With a flexible pay-as-you-go pricing model, CLEAR delivers continuous, off and on premises risk monitoring of all network endpoints across wired, wireless and virtual networks. CLEAR’s goal is to bring accessible and easy to implement Network Access Control and Management (NAC/NAM) capabilities to every enterprise and mid-market organization, no matter their budget or size. The solution provides complete visibility and control into the state of the network and grants access based on a device’s risk profile – generated from information about the device itself, the network connection and the user’s identity. FEATURES AND BENEFITS

• Single-pane-of-glass visibility for endpoints in use in all locations and at all times
• Protects the network from vulnerabilities arising from the mobile workforce, BYOD, IoT
• Easy to deploy, with a pre-set infrastructure that requires no prior training
• Cloud-based and fully scalable, requiring absolutely no hardware
• Flexible subscription-based pay-as-you-go model to fit the needs of the growing enterprise
• Secure of all access layers–wired, wireless, and virtual
• Multi-factor authentication over the VPN based on user identity and device risk score
• Continuous risk monitoring that identifies vulnerable end points and takes automated actions

Source: https://www.portnox.com/portnox-clear/

•  See relevant security risks on the network.
• Control access to ensure compliance with security protocols.
• Automate reactions based on device and user behavior to prevent breaches.

See Utilizing its agentless technology, Portnox CORE can detect and profile any device on the corporate network in real time and across all network layers. It is deployed from a central location and but can see activity across all network locations – from headquarters to remote offices. It integrates with most third party security applications to provide a complete and thorough picture of the network. Control Portnox CORE mitigates cybersecurity risks with automated features to limit access, quarantine and block rogue devices or install patch updates. It remediates immediate security issues by allowing for complete control and wield over all network variables – from a smartwatch to a network server. CORE gives network admins the control they need to prevent risks and effectively respond to the ones that get through. Automate Some say that the future of IT is automation. With Portnox CORE – you can have those cutting-edge features today. Deliver unique automated reactions based on network security protocols or risky device behavior, dramatically reducing the time and cost associated with manual response. Whether the reaction is enforcement or remediation, Portnox CORE can automate it and learn from the event context to maximize future protection.