Network Access Control Reference Architecture
Rick Leclerc, Solutions Architect
January 29, 2020
Network Access Control solutions have been around for 20+ years, delivering endpoint host integrity checking, BYOD and guest onboarding, pre-connect role-based network access, intent-based segmentation, IoT device management, post-connect security automation, and more recently Zero Trust.

Knowing which users and what endpoint devices are connecting to the network, and accurately controlling these wired and wireless connections, is a key factor in providing a safe, secure, and highly functioning network for a successful business.

Balancing security with ease of use is a tricky task, requiring a platform that has the flexibility to allow a customer to focus in one direction without sacrificing the other too much. When this type of balance can be achieved in a multi-vendor environment, this solution will be widely accepted by customers.
Deployment topology (diagram): HQ / Primary DC, DR / Backup DC, On Premise, VPN, SD-WAN

... better than another. Branch offices should have the ability to mirror security controls required at main campus and data center locations.

Network Access Control Architectures:
• Traffic-based (SPAN / TAP)
• 802.1X / Authentication Approach
• Integrated Fabric Approach
Network Access Control Reference Architecture (diagram)

Locations: HQ / Primary DC, DR / Backup DC

Network Infrastructure: Switch, Router, Access Point, Firewall
Management interfaces: SNMP, CLI, RADIUS, syslog, API

Internal Services:
• DHCP
• Directory / LDAP
• Email

Segmentation:
• Trusted
  - Corporate / Guest
  - IoT
• Untrusted
  - Registration
  - Quarantine
  - Dead-End

Identity & Authorization (FortiAuthenticator / Token):
• X.509
• LDAP
• RADIUS
• SAML
• Multi-Factor Auth

Users & Endpoint Devices:
• Trusted Endpoints: MDM, CMDB, Agent
• IoT & OT Endpoint Devices: IEEE, Fingerprint, FortiGuard, Sensor

Endpoint Compliance:
• Agentless
• Dissolvable Agent
• Permanent Agent

Architecture callouts:
• Scalable Centralized Deployment
  - On Premise (3) / Public Cloud (4)
• Network Infrastructure Visibility (5)
• Full Endpoint Visibility (6)
• Internal Services (7)
• Network Segmentation (8)
• “Who” – Identity & Authorization (9 & 10)
• “What” – Endpoint Device Classification
  - IoT, OT, IoMT (11)
• Role Based Segmentation (11)
• Endpoint Compliance (12)
Network Access Control Reference Architecture: Remote Workforce and Branch Offices (diagram)

Remote Workforce and Branch Office(s): connected via VPN and SD-WAN
Cloud Access Services: SaaS

BYOD, guest, and contractor onboarding services are hosted by FortiNAC through a network-based portal that works for wired, wireless, and VPN connections.

Cloud Access Services available to the remote workforce should be monitored and controlled in a manner consistent with cloud data and physical datacenters.

Onboarding Portal:
• BYOD
• Guest / Contractor
Reporting:
• Event Log Export
• FortiAnalyzer