
9/15/23

Royal Commission
for Jubail and
Yanbu
Network Access Control (NAC)
Target and recommended Solutions

RCJY Proprietary and Confidential 9/15/23 1


Demand Lifecycle – High-Level Process Flow (diagram)

Phases, from Start to End: 1.1 Evaluation, 1.2 Selection, 1.3 Execution, 1.4 Deployment
Teams shown on the flow: EA Team, Business Relationship, IT PMO, Procurement Team, IT Service Management, Concerned IT Administration, Solution Selection Team, Stakeholders
Scope levels shown: City, Sector, Central



Table of Contents
1 Network Access Control (NAC) Target Solution

2 Network Access Control (NAC) Solution Recommendation

3 Solution Specification



1
Network Access Control (NAC)
Target Solution



1.1- Applicable Architecture (1/1)
1.1 Applicable Architecture

Network Access Control (NAC) is to contain all-in-one features that streamline security policy management and
reduce operating costs. NAC is to deliver visibility and access control over users and devices across wired, wireless, and
VPN connections.
Identity Services Engine enables enterprises to deliver secure network access to users and devices. It shares contextual
data, such as threats and vulnerabilities, with integrated technology partners, and identifies what is on the network, which
applications are running, and more.



1.2- Applicable Principles & Standards (1/2)
1.2 Solution EA Principles
Principle Code: NAC01
Principle Name: Context-based access
Principle Domain: Access
Statement: To adhere to organization policies, the NAC creates a complete contextual identity, including attributes such as user, time, location, threat, access type, and vulnerability. This contextual identity shall be used to enforce a secure access policy. Administrators can apply strict control over how and when endpoints are allowed in the network.

Principle Code: NAC02
Principle Name: Advanced network visibility
Principle Domain: Network Visibility
Statement: Easy-to-use advanced network visibility from a simple console. In addition, visibility is improved by storing a detailed attribute history of all endpoints connected to the network.

Principle Code: NAC03
Principle Name: Comprehensive policy enforcement
Principle Domain: Policy Enforcement
Statement: The NAC is to set easy and flexible access rules. These rules are to be controlled from a central console that enforces them across the network and security infrastructure. Define policies that differentiate between registered users and guests. The system uses group tags that enable access control on business rules instead of IP addresses.

Principle Code: NAC04
Principle Name: Self-service device onboarding
Principle Domain: Onboarding
Statement: Enables the enterprise to implement a Bring-Your-Own-Device (BYOD) policy securely. Users can manage their devices according to the policies defined by IT administrators. (IT remains in charge of provisioning and posturing to comply with security policies.)



1.2- Applicable Principles & Standards (2/2)
1.2 Solution EA Principles
Principle Code: NAC05
Principle Name: Consistent guest experiences
Principle Domain: Guest Experiences
Statement: To provide guests with different levels of access from different connections. You can customize guest portals via a cloud-delivered portal editor with dynamic visual tools.



1.3- Solution Target Capabilities (1/1)
Solution Features Capabilities

Features / Capabilities (the slide marks each as Available or Unavailable for Cisco ISE and Aruba ClearPass; the marks are not recoverable in this extract):

Reduces the risk of intrusions
Improves network performance
Gains network visibility
Visibility and profiling
Controls access for guests
Manages policy lifecycle
Incident response
Integration
Checks security posture

Legend: Unavailable / Available
1.4- Solution Compliance Requirement (1/2)
Standards Compliance

Compliance requirement, with the Cisco ISE and Aruba ClearPass assessment in parentheses:

Centralized management to help administrators configure and manage user profile characteristics: a single pane of glass for integrated management services. (Cisco ISE: Compliant; Aruba ClearPass: Compliant)

Contextual identity and business policy: a rule-based, attribute-driven policy model. The goal is to provide flexible access control policies. (Cisco ISE: Compliant; Aruba ClearPass: Partially compliant)

Wide range of access control options, including Virtual LAN (VLAN), URL redirections, and access control lists. (Cisco ISE: Compliant; Aruba ClearPass: Compliant)

Supplicant-less network access: to roll out secure network access by deriving authentication from login information across application layers. (Cisco ISE: Compliant; Aruba ClearPass: Compliant)

Guest lifecycle management streamlines the experience for implementing and customizing network access for guests. (Cisco ISE: Compliant; Aruba ClearPass: Compliant)

Built-in AAA services: the platform uses the standard RADIUS protocol for authentication, authorization, and accounting. (Cisco ISE: Compliant; Aruba ClearPass: Compliant)

Device auditing, administration, and access control provide users with access on a need-to-know and need-to-act basis. It keeps audit trails for every change in the network. (Cisco ISE: Compliant; Aruba ClearPass: Partially compliant)



1.4- Solution Compliance Requirement (2/2)
Standards Compliance

Compliance requirement, with the Cisco ISE and Aruba ClearPass assessment in parentheses:

Device profiling: ISE features predefined device templates for different types of endpoints. (Cisco ISE: Compliant; Aruba ClearPass: Partially compliant)

Internal certificate authority: an easy-to-deploy single console to manage endpoints and certificates. (Cisco ISE: Compliant; Aruba ClearPass: Compliant)



2 Network Access Control (NAC)
Solution Recommendation



2.1- Solution Recommendation (1/6)
Market Rating (courtesy of www.g2.com)

Feature group (Cisco ISE rating / Aruba ClearPass rating):

Capability, Advanced ADC Functionality, Feature Extensibility, Software Accessibility, Management: 4.6 / 4.5
Evaluation & Contracting, Pricing Flexibility, Ability to Understand Needs: 4.5 / 4.5
Integration & Deployment, Ease of Deployment, Quality of End-User Training, Ease of Integration using Standard APIs and Tools, Availability of 3rd-Party Resources: 4.4 / 4.5
Service & Support, Timeliness of Vendor Response, Quality of Technical Support, Quality of Peer User Community: 4.5 / 4.4

Overall Rating: 4.5 / 4.47



2.1- Solution Recommendation (2/6)
Market Positioning (courtesy www.gartner.com)

Cisco ISE

Cisco is headquartered in San Jose, California. Its Identity Services Engine (ISE)
policy server is RADIUS-based, which enables Cisco to support authentication in
heterogeneous network infrastructure environments (although advanced NAC
features will require Cisco components). ISE is available in hardware appliances and
also as a virtual server. Cisco packages ISE software in several licensing options,
including a mobility-only license. Cisco customers should consider ISE, especially
when the Cisco AnyConnect endpoint client will be in use.



2.1- Solution Recommendation (3/6)
Market Positioning (courtesy www.gartner.com) Cisco ISE

Strengths

Cisco has a strong BYOD strategy. ISE integrates with AirWatch, MobileIron and solutions from several other EMM vendors. Version 1.3 of ISE supports an optional onboarding module that includes a certificate authority. This feature simplifies BYOD implementations, since enterprises do not need to implement a third-party certificate authority.

ISE includes a strong guest administration module that is highly customizable.

ISE leverages technology that is embedded in Cisco network infrastructure components to provide unique benefits. For example, it uses endpoint profiling data collected from Cisco switches and wireless controllers, eliminating the need to deploy stand-alone profiling sensors. TrustSec enables granular identity-based policies on many Cisco LAN, WLAN and firewall products.

Cisco's pxGrid initiative enables network and security solutions to coordinate the sharing of contextual information (such as identity and location) through ISE. pxGrid also enables integrated technology partners to use ISE to execute mitigation actions in response to events. Early pxGrid partners include Splunk, Ping Identity, NetIQ, Tenable Network Security, Emulex and Bayshore Networks. Some Cisco Sourcefire products also support pxGrid.

Cautions

Cisco's status as a network security vendor is an obstacle when it comes to partnering with other network security vendors. For example, mainstream firewall vendors and third-party sandboxing vendors have not yet integrated with pxGrid.

Enterprises that are interested in implementing TrustSec's role-based identity policies should perform careful testing in a lab environment. Adoption of TrustSec has been slow, as some key Cisco products have only recently added TrustSec support (for example, TrustSec support for ASA Security Appliances was added in July 2014). With TrustSec deployments, network teams may encounter challenges typical of early adopters of new technology.



2.1- Solution Recommendation (4/6)

Aruba Networks

Aruba Networks is in the Leaders quadrant.

Aruba Networks, based in Sunnyvale, California, sells its ClearPass
Access Management offering. It is a Remote Authentication Dial-In User
Service (RADIUS)-based solution that is available in a family of
hardware and virtual appliances. Aruba's customers should consider
ClearPass.



2.1- Solution Recommendation (5/6)
Market Positioning (courtesy www.gartner.com)

Aruba Networks

Strengths

ClearPass provides integration capabilities through the ClearPass Exchange API, promoting contextual sharing integration with third-party security solutions. Examples include SIEM, EMM and next-generation firewalls.

Aruba has a strong BYOD strategy. It integrates with AirWatch, MobileIron and several other EMM solutions. The ClearPass Onboard module, which includes a certificate authority, supports more operating systems (seven) than any other onboarding module in the NAC market. In supporting Chrome OS and Ubuntu, ClearPass is a strong option for the education vertical.

ClearPass offers a strong guest network application. Granular policies allow employees to create Apple AirPrint and AirPlay and Google Chromecast dynamic policies for their guests. For example, printers and projectors can be shared with guests based on the time and location restrictions that are tied to that guest policy.

Cautions

In multivendor networks, ClearPass customers that have not implemented Aruba's Mobility Controllers lose advanced functionality, including Apple AirPlay visibility and support for Aruba's auto-sign-on feature.

Gartner rarely sees ClearPass in wired LAN environments. ClearPass sales are driven primarily by Aruba wireless customers.



2.1- Solution Recommendation (6/6)
Solution Selection Recommendation

As per the Gartner Magic Quadrant for Network Access Control, Cisco ISE and Aruba ClearPass were and still are
in the highest level of the Leaders quadrant. Such recognition comes from the high capabilities of both
solutions and their market position after gaining the trust and adoption of professionals and positive reviews.

EA recommends Cisco ISE as an all-in-one solution that streamlines security policy management and
reduces operating costs.

Cisco ISE has a wide range of visibility and access control over users and devices across wired, wireless,
and VPN connections.

Cisco ISE shares contextual data, such as threats and vulnerabilities.



3 Network Access Control (NAC)
Solution Specification



3.1- Solution Specifications (1/2)
Factors to consider when choosing a Network Access Control (NAC) solution:

Target: The NAC target directory system or multi-authentication platform shall enforce security policies on every device that attempts to connect to your network.

Network access control (NAC): To set different access rules according to the role of the entity that tries to connect, and the NAC will enforce them.

NAC solutions are rule-based (Time and Entity): For a device or user who wants to access the network, the NAC solution shall look at the person's role, the level of permissions, and how the device aligns with the security policies, and block or allow the connection based on the rules.

NAC systems blocking and allowing access: NAC systems shall block or allow access to devices that don't comply with the security rules, and also quarantine malicious packets and restrict access to computer resources. As such, NAC is a solution that works to prevent unauthorized access to a network.

Reduces the risk of intrusions: Network access control reduces attacks by implementing role-based access control. RBAC is a feature that grants access according to the role of the user. NAC uses advanced authentication and authorization techniques to verify user identities.

Improves network performance: The role-based access control feature in NAC centralizes policy enforcement, reducing the number of SSIDs (service set identifiers). It can help you gain bandwidth, since it is estimated that every SSID you reduce can give you up to 10% bandwidth back.

Legend Critical High Medium Low



3.1- Solution Specifications (2/2)

Gains network visibility: To control what you don't see, managing access to the network requires complete visibility.

Visibility and profiling: Profiles users and devices to protect against malicious code which may cause damage.

Controls access for guests: Inspects and allows or blocks guests' access. Manages guests via a self-service portal for registration and authentication.

Manages policy lifecycle: Enforces the policies for all scenarios.

Incident response: Enforces security policies by blocking, isolating, and remediating non-compliant devices.

Integrations: Integrates with existing security and network solutions.

Checking security posture: Monitors and evaluates compliance with security policies.

Legend Critical High Medium Low
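As an added illustration (not part of the RCJY deck and not any vendor's code), the rule-based evaluation described in section 3.1 and the context-based access principle NAC01 modelled in Python: the decision takes role, posture, access type and time of day, and is expressed as the VLAN, group tag or URL redirection that the compliance table lists as enforcement options. All roles, VLAN numbers, tags, portal URLs and the contractor time window are assumed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the rule-based, context-driven decision a NAC makes when an
# endpoint tries to connect; roles, VLAN numbers, group tags and portal URLs are
# hypothetical placeholders, not values from any product or from RCJY.

@dataclass
class Context:
    role: str         # "employee", "contractor" or "guest" (from the directory)
    posture: str      # "compliant", "non_compliant" or "unknown" (posture check)
    access_type: str  # "wired", "wireless" or "vpn"
    hour: int         # local hour (0-23) of the access request

@dataclass
class Decision:
    action: str                     # "permit", "quarantine" or "deny"
    vlan: Optional[int] = None      # VLAN pushed to the access switch or WLC
    sgt: Optional[str] = None       # group tag used instead of IP-based rules
    redirect: Optional[str] = None  # URL redirection to a portal

WORK_HOURS = range(7, 19)  # assumed contractor access window, 07:00-18:59

def evaluate(ctx: Context) -> Decision:
    """Rules are checked top-down; the first match wins, anything unmatched is denied."""
    if ctx.posture == "non_compliant":  # failed posture check: isolate and remediate
        return Decision("quarantine", 999, "Quarantine", "https://remediation.example/portal")
    if ctx.role == "guest":             # guests only on wireless, via the self-service portal
        if ctx.access_type != "wireless":
            return Decision("deny")
        return Decision("permit", 300, "Guest", "https://guest.example/register")
    if ctx.role == "contractor":        # contractors on site during work hours only
        if ctx.access_type == "vpn" or ctx.hour not in WORK_HOURS:
            return Decision("deny")
        return Decision("permit", 200, "Contractor")
    if ctx.role == "employee":
        if ctx.posture != "compliant":  # posture not yet assessed: limited access meanwhile
            return Decision("quarantine", 999, "Quarantine", "https://remediation.example/posture")
        return Decision("permit", 100, "Employee")
    return Decision("deny")

def to_radius_reply(d: Decision) -> dict:
    """Express the decision as the RADIUS reply the access device acts on (RFC 3580 attributes)."""
    if d.action == "deny":
        return {"code": "Access-Reject"}
    attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-ID": str(d.vlan)}
    if d.redirect:  # real deployments carry the redirect in a vendor-specific attribute
        attrs["Redirect-URL (placeholder)"] = d.redirect
    return {"code": "Access-Accept", "attrs": attrs}
```

The quarantine path is what gives posture checking its teeth: a non-compliant device still gets a VLAN, but one whose only reachable destination is the remediation portal.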
