Monday, February 15, 2010

Why you should consider building your entire network assuming guestnet access

I believe for many SMB and enterprise networks it makes sense to evaluate what you are providing to your staff, how you are providing it and why. With the recent shift to wireless and cloud services it is time to reevaluate that again.
With wireless becoming an expected service at all enterprise locations, and for some SMBs the only access, it makes sense to be able to authenticate who the user is prior to granting them access to the network. With 802.1x it is possible to do this with an open standard that has cross-vendor support. Having this basic functionality in place allows for the possibility of providing guestnet services automatically (self-provisioned or pre-defined).

The next logical question is: should you be authenticating on wired ports also, to provide the exact same services with the same posture and guestnet ability? I would argue the case for this, and from a posture and security standpoint I would say that if you are doing it for wireless but not wired, your wireless is more secure than your wired implementation. I would love to hear thoughts on that one.

By mixing cloud services (hosted mail, wiki or portal access, file storage) with guestnet and authenticated access, you can provide services to your end users regardless of network topology, assuming the network is providing Internet access.

To add to the benefit, you can do remediation and fix machines that don't meet certain posture profiles, if you wish to go that far. That means utilizing a more robust solution like Microsoft NAP or Cisco NAC, or using a solution that can leverage both, like Avenda.

With all this available today it makes sense to plan the whole network infrastructure such that guestnet and authenticated network access is done everywhere. There might be exceptions: your data center core, DMZ, storage and edge networks may not require the same services, but they should likely have port security at a minimum, as you are unlikely to be moving servers or network devices around once an initial deployment is done.
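As an added illustration (not from the original post, and not any vendor's reference configuration), here is one way to express that split on a Cisco IOS access switch: a user-facing port that authenticates with 802.1x and falls back to a guest VLAN when the client does not respond, beside a data-center server port that relies on port security only. The VLAN numbers, interface names, RADIUS address and key are placeholders to replace with your own values.

```cisco
! --- global AAA / RADIUS (placeholder server address and key) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME

! --- user-facing access port: authenticate first, guestnet otherwise ---
interface GigabitEthernet1/0/1
 description staff/guest access port (wired 802.1x with guest fallback)
 switchport mode access
 switchport access vlan 10
 ! VLAN 10 = authenticated staff; only reached after a RADIUS Access-Accept
 authentication port-control auto
 ! client never answers EAP (visitor laptop, printer): drop into guest VLAN 20,
 ! which should only reach the Internet and the guest self-provisioning portal
 authentication event no-response action authorize vlan 20
 ! client answers but fails authentication: isolated remediation VLAN 30
 authentication event fail action authorize vlan 30
 dot1x pae authenticator
 ! shorter EAP timeouts so non-802.1x devices land in the guest VLAN quickly
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast

! --- data-center server port: static host, so port security instead of 802.1x ---
interface GigabitEthernet1/0/24
 description data-center server port (static placement, no guestnet)
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ! one learned MAC is sticky-saved into the config; a second MAC is restricted
 ! and logged rather than shutting the port, so a server is not taken offline
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```

Verify the fallback behaviour with `show authentication sessions interface GigabitEthernet1/0/1` (authenticated versus guest VLAN) and `show port-security interface GigabitEthernet1/0/24` (secure MAC count and violation counter) before trusting the design in production.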

Some food for thought in the network design area, maybe some design changes are in order?
- Ed
