Now might be a good time to consider a Zero Trust Network Architecture.

As mentioned on the page to download the NIST Zero Trust Network Architecture 
document

"Zero trust focuses on protecting resources (assets, services, workflows, 
network accounts, etc.), not network segments, as the network location is no 
longer seen as the prime component to the security posture of the resource."

https://csrc.nist.gov/publications/detail/sp/800-207/final

The document itself says

"Zero trust provides a set of principles and concepts around moving the 
PDP/PEPs closer to the resource. The idea is to explicitly authenticate and 
authorize all subjects, assets and workflows that make up the enterprise."

That is NIST-speak saying one of the principles of Zero Trust is to protect a 
resource as close as possible to the resource.  An example of a resource is 
information on a server etc.  NAC is the opposite, NAC is trying to protect a 
resource as far away from the resource as possible.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

We don’t put students and faculty on different Vlans/subnets and our security 
problems are not worse than Universities that adopt NAC and micro segmentation 
based on Vlans/subnets.

In a Zero Trust Architecture separation or segmentation is not based on 
Vlans/subnet (which is just a way of saying based on IP number).  In a Zero 
Trust Architecture access to a resource is dependent on identity and is 
independent of the IP number of the device requesting access.

Something to consider:  a device can have only one IP address at a time but 
most devices use more than one identity to access resources.  For example a 
work-study student may be both a student and staff.  A graduate assistant may 
be a student but also teach labs or classes like faculty.

Google has been very successful with BeyondCorp. They have measured the 
results and adopting Zero Trust has resulted in much better security than when 
they used the previous architecture based on Vlans/subnets and firewalls.

https://www.rsaconference.com/industry-topics/presentation/how-google-protects-its-corporate-security-perimeter-without-firewalls

Akamai gave a similar report at the following RSA Conference.

https://www.youtube.com/watch?v=qzI-N0p9hFk

If Zero Trust Architecture is recommended by NIST, Google, Akamai and many 
others perhaps it is worth considering for your university?


This presentation lists several reasons why Zero Trust Architecture is a better 
match for Universities than the old perimeter, Vlan/Subnet (IP number) based 
architectures.

https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/zerotrust-networks-the-future-of-higher-ed-security-network-design




> On Jan 22, 2021, at 8:35 AM, Joseph Runkles <jrunk...@moody.edu> wrote:
> 
> Hi,
> 
> We are in the middle of conversations with vendors for a wireless overhaul as 
> a relatively small school (we will end up with 1000-1200 AP’s).  We are 
> moving away from Cisco Aironet and currently talking with Ruckus, 
> Extreme(aerohive), Juniper(Mist) and Aruba.  To further complicate things we 
> are also going to replace our NAC at the same time (currently using 
> FortiNAC/Bradford) and have been looking at XMC, A3, ClearPass, Cloudpath. 
> 
> As we consider a re-design of the network I would love to ask some questions 
> and maybe even pick some people's brains offline. 
> 
> • What are you currently doing for network segmentation for wireless?  
>   o Separate vlans for staff/faculty/students/iot/gaming/guest?  Flat 
>     networks for each or divided up by buildings?
>   o Do you terminate these vlans on your core or distribution routers 
>     with ACLs in between or back on your firewalls with more granular rulesets?
>   o Do you allow Byod devices by either staff or students on your 
>     admin/production network? 
>   o Do you do any posture checks (Antivirus, OS, Patches) on devices (byod 
>     or domain joined) before dropping them on the network?  
> 
> • AAA (pardon my ignorance) 
>   o What are you doing for IoT/gaming devices?  PPSK? MAC auth? 
>   o Are you using RADIUS?  Your own server or the vendor's controller/cloud? 
>     Is your RADIUS providing more than Authentication?  Do you pass vlan info or 
>     other attributes from RADIUS?
>   o Are you using AD groups or attributes to delineate 
>     Students/staff/faculty/Part time student employee/etc…?  Passing that along 
>     to your NAC or Controller to apply an access profile for that particular user?
> 
> I realize that I am unloading a bunch of questions, and there are more.  
> However, I would love to see or hear what other people are doing in 
> production.  If things are meeting your needs, what would you change if you 
> could do a re-design?  Just trying to see things from a different perspective 
> and consider alternate possibilities as we work through this re-design.  If 
> anyone has some time, I would love to connect and chat for a few minutes 
> about these questions and your wireless environment. 
> 
> Thanks for reading.
> 
> Joey
> 
> 
> 
> 
> 
> Joseph Runkles
> Network Engineer | Moody Bible Institute
> (312) 329-4142
> 
> 820 N. LaSalle Blvd., Chicago, IL 60610
> Moodybible.org
> 
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu
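The contrast Bruce draws above (a VLAN/subnet ACL decides on the IP number far from the resource; a zero-trust PDP/PEP decides on identity and device posture next to the resource, and one person may carry several roles) can be shown as a small, added illustration. This is example code written for this page, not from the thread, NIST SP 800-207 or any vendor; every subnet, role, policy and user name in it is constructed.

```python
"""Added illustration: identity/posture-based policy decision point (PDP) and
enforcement point (PEP) next to a resource, beside a VLAN/subnet (source-IP) ACL.
All subnets, roles, policies and user names are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Perimeter model: decide far from the resource, on the IP number ---
# Constructed ACL: a "staff VLAN" 10.1.0.0/16 may reach HR timesheets,
# a "student VLAN" 10.2.0.0/16 may not. The ACL knows nothing about the person.
VLAN_ACL = {
    "hr-timesheets": [ip_network("10.1.0.0/16")],
    "student-portal": [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")],
}


def vlan_decision(resource: str, src_ip: str) -> bool:
    """Allow if the requesting IP falls inside a subnet permitted for the resource."""
    addr = ip_address(src_ip)
    return any(addr in net for net in VLAN_ACL.get(resource, []))


# --- Zero-trust model: explicit per-request decision on identity and posture ---
@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset  # one person may hold several roles (student AND staff)


@dataclass(frozen=True)
class Device:
    managed: bool  # enrolled / domain-joined
    patched: bool  # result of a posture check


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset
    require_managed: bool = False
    require_patched: bool = True


# Constructed policies; note that no IP address or subnet appears anywhere.
POLICIES = {
    "student-portal": Policy("student-portal",
                             frozenset({"student", "staff", "faculty"})),
    "hr-timesheets": Policy("hr-timesheets",
                            frozenset({"staff", "faculty"}), require_managed=True),
}


def pdp_decision(resource: str, subject: Subject, device: Device) -> tuple:
    """Policy decision point: returns (allow, reason). Unknown resource -> deny."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "no policy for resource"
    if not (subject.roles & policy.allowed_roles):
        return False, f"{subject.user} holds none of {sorted(policy.allowed_roles)}"
    if policy.require_managed and not device.managed:
        return False, "unmanaged device"
    if policy.require_patched and not device.patched:
        return False, "device fails posture check"
    return True, "identity and posture satisfy policy"


def pep_fetch(resource: str, subject: Subject, device: Device) -> str:
    """Policy enforcement point wrapped around the resource itself."""
    allowed, reason = pdp_decision(resource, subject, device)
    if not allowed:
        raise PermissionError(f"{resource}: denied ({reason})")
    return f"<contents of {resource} for {subject.user}>"


if __name__ == "__main__":
    # A work-study student holds both roles and sits on the "student VLAN".
    work_study = Subject("work-study", frozenset({"student", "staff"}))
    laptop = Device(managed=True, patched=True)
    print("VLAN ACL, HR from 10.2.5.5:", vlan_decision("hr-timesheets", "10.2.5.5"))
    print("PDP,      HR as work-study:", pdp_decision("hr-timesheets", work_study, laptop))
    # A plain student who plugs into a staff office gets through the ACL but not the PDP.
    student = Subject("student-only", frozenset({"student"}))
    print("VLAN ACL, HR from 10.1.3.3:", vlan_decision("hr-timesheets", "10.1.3.3"))
    print("PDP,      HR as student:   ", pdp_decision("hr-timesheets", student, laptop))
```

The two decision functions make the architectural point: `vlan_decision` cannot tell the work-study student on the student subnet from any other student, and cannot tell a student sitting at a staff desk from staff, because its only input is the IP number; `pdp_decision` takes the subject's full set of roles and the device's posture as inputs and never looks at where the packet came from, so the same person gets the same answer from any subnet and the resource is protected right where it lives.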

