Maxime Mourand is the first cybersecurity specialist in Quebec and one of a handful in Canada to become a member of the world's elite club of Aruba Certified ClearPass Experts (ACCX). (ClearPass Policy Manager is a network access control solution for IoT devices, mobile devices, employee BYOD devices, subcontractors, corporate guests, etc.)
The ACCX training, which is restricted to seasoned experts who are already Aruba Certified ClearPass Professionals, culminates in a 100% practical eight-hour exam full of traps and grey areas. The objective is to confirm real mastery not only of Aruba technology but also of other vendors' equipment, e.g. Cisco, in order to demonstrate an ability to operate in highly complex and heterogeneous environments.
An interview with Maxime Mourand, NETsatori ACCX champion.
Interview by Renato Cudicio
R.C.: Maxime, you’ve implemented numerous network access control systems. What is the main issue you encounter?
Maxime Mourand: As soon as the company reaches a certain size, the main challenge when implementing a network access control system stems from the fact that you touch all aspects of the technological environment, from security to LAN, key management infrastructure (PKI), Active Directory, etc.
This complexity is compounded if the company uses equipment from various manufacturers, especially for its wired network. This means that you need to have a solid grasp not only of the organization's IT architecture, but also of the client requirements and the types of data circulating on the network. The secret is in careful preparation and planning.
R.C.: BYOD has taken the world by storm: doesn’t that add a layer of difficulty, in terms of network security?
Maxime Mourand: Actually, no. With Aruba’s ClearPass OnBoard, the procedure is very simple: you can provide BYODs of all types with secure network access in just a few clicks. With iOS and OS X, you receive the device’s security certificate and wireless profile – no need to install any applications. In Android, you download an application that automatically imports the profile and certificate. Same for Windows laptops. A profile/role is then defined that gives full or partial access to the network. It’s really very simple!
R.C.: Is the logic the same for connected objects (IoT)?
Maxime Mourand: Basically yes, but I have developed a strategy of my own, because ClearPass – and this is one of its main assets – supports automated profiling.
Each device has a unique signature, with its own DHCP (Dynamic Host Configuration Protocol) footprint. When the object first attempts to connect to a network, ClearPass identifies it and catalogs it before placing it in temporary confinement.
When the customer formally connects the device to the network, ClearPass matches the device with the person and grants access based on his or her roles and rights. These will apply to all other objects in the same category. Suppose we want to add a new type of sensor on robotic arms in a factory. We will begin by connecting a first object in this category and after that, we can add hundreds of new ones, if we want, and ClearPass will give them the same network credentials.
R.C.: Isn’t that a security risk?
Maxime Mourand: Quite the contrary! What makes this approach very safe is that we can isolate devices into subgroups using roles or access control lists (ACLs). Normally, the most stringent security measure is 802.1X authentication with a certificate, but IoT devices very rarely support this procedure; moreover, very few companies have a centralized management console where you can manage or renew these certificates. So we use a pre-shared key (PSK), combined with MAC authentication that we transmit to ClearPass, and ClearPass sends us back different rights or roles on a different VLAN. If someone ever manages to clone the MAC address of a connected object, they will only gain access to the server of the object in question, and nothing else. So the end result is much more secure than a simple PSK on its own.
R.C.: In any case, couldn’t the ClearPass tracking tool also forward the information to a system like Palo Alto’s?
Maxime Mourand: Absolutely. Aruba's integration with Palo Alto is longstanding, and these two systems are often connected because Palo Alto provides true added value.
The beauty of Palo Alto’s system is that it offers a comprehensive network view. However, it does not go all the way down to the user names. ClearPass, on the other hand, uses a conversion table to feed nominative information back into the Palo Alto system and further enrich its image of the situation. We can then enhance the rule granularity of Palo Alto and differentiate individual users. We can even go one step further and – these are very advanced functions – automate certain actions such as putting a user on a blacklist based on rules shared by Aruba and Palo Alto equipment. The combination of the two systems provides a very powerful solution!
R.C.: One last question: After working with a large number of network access control systems, what do you see as ClearPass’s main asset?
Maxime Mourand: I would say that ClearPass is probably the most comprehensive system on the market and that it is ultimately the most user-friendly. Admittedly, you cannot say it has a minimalist user interface, and that's because of its rich functionality. But once you master it, everything becomes easier because the possibilities are endless. Aruba ClearPass is an extremely powerful tool!
R.C.: Thank you!
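The IoT workflow described in the interview (DHCP-fingerprint profiling, temporary quarantine of unknown devices, category-wide role and VLAN assignment after onboarding, PSK plus MAC authentication, and an ACL that limits a cloned MAC to the object's own server) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not ClearPass code and does not reproduce ClearPass's actual profiling database or RADIUS exchange. The DHCP DISCOVER option bytes, the "arm-sensor" category, the VLAN numbers, the ACL destinations and the MAC addresses are all constructed for illustration, and the fingerprint-mismatch check on a previously seen MAC is this example's own addition, not something the interview attributes to ClearPass.

```python
"""Toy NAC decision engine: DHCP fingerprint profiling, quarantine, and
category-based role/VLAN assignment gated by PSK + MAC authentication.
Added example for this page, not ClearPass code. All data is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# DHCP option codes used for profiling (RFC 2132)
OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST_LIST = 55   # ordered list of options the client asks for
OPT_VENDOR_CLASS = 60         # vendor class identifier string


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the TLV option field that follows the DHCP magic cookie."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out[code] = value
        i += 2 + length
    return out


def dhcp_fingerprint(options: dict[int, bytes]) -> str:
    """Signature built from the option-55 order plus the vendor class string."""
    prl = ",".join(str(b) for b in options.get(OPT_PARAM_REQUEST_LIST, b""))
    vendor = options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    return f"55:{prl}|60:{vendor}"


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int
    acl: tuple[str, ...]   # destinations this role may reach (constructed)

    def may_reach(self, dest: str) -> bool:
        return dest in self.acl


QUARANTINE = Role("quarantine", 999, ())   # confinement VLAN, no destinations
SENSOR_ROLE = Role("arm-sensor", 120, ("10.0.120.10",))   # only the sensor server


@dataclass
class NacPolicy:
    catalog: dict[str, str] = field(default_factory=dict)   # fingerprint -> category
    roles: dict[str, Role] = field(default_factory=dict)    # category -> role
    seen: dict[str, str] = field(default_factory=dict)      # mac -> first fingerprint

    def onboard_category(self, fingerprint: str, category: str, role: Role) -> None:
        """Operator formally connects the first device of a category; every later
        device with the same fingerprint inherits the role."""
        self.catalog[fingerprint] = category
        self.roles[category] = role

    def connect(self, mac: str, psk_ok: bool, raw_options: bytes) -> Optional[Role]:
        """Return the role granted to a device, QUARANTINE, or None if rejected."""
        if not psk_ok:                      # wrong PSK: never reaches MAC auth
            return None
        fp = dhcp_fingerprint(parse_dhcp_options(raw_options))
        first_fp = self.seen.setdefault(mac, fp)
        if first_fp != fp:                  # known MAC, different device: quarantine
            return QUARANTINE
        category = self.catalog.get(fp)
        return self.roles.get(category, QUARANTINE) if category else QUARANTINE


# Constructed DHCP DISCOVER option fields (after the magic cookie).
SENSOR_DISCOVER = (b"\x35\x01\x01"                          # 53: DHCPDISCOVER
                   + b"\x37\x07\x01\x03\x06\x0c\x0f\x1c\x2a"  # 55: 1,3,6,12,15,28,42
                   + b"\x3c\x0c" + b"udhcp 1.30.1"            # 60: vendor class
                   + b"\x00\xff")                             # pad, end
LAPTOP_DISCOVER = (b"\x35\x01\x01"
                   + b"\x37\x06\x01\x03\x06\x0f\x1f\x21"      # 55: 1,3,6,15,31,33
                   + b"\x3c\x08" + b"MSFT 5.0"
                   + b"\xff")


def demo() -> list[str]:
    """Walk through the interview's scenario; returns the role name per step."""
    policy = NacPolicy()
    steps = []
    steps.append(policy.connect("aa:bb:cc:00:00:01", True, SENSOR_DISCOVER).name)
    fp = dhcp_fingerprint(parse_dhcp_options(SENSOR_DISCOVER))
    policy.onboard_category(fp, "arm-sensor", SENSOR_ROLE)   # first sensor approved
    steps.append(policy.connect("aa:bb:cc:00:00:02", True, SENSOR_DISCOVER).name)
    steps.append(str(policy.connect("aa:bb:cc:00:00:03", False, SENSOR_DISCOVER)))
    # attacker clones sensor 02's MAC from a laptop: fingerprint no longer matches
    steps.append(policy.connect("aa:bb:cc:00:00:02", True, LAPTOP_DISCOVER).name)
    return steps


if __name__ == "__main__":
    print(demo())   # ['quarantine', 'arm-sensor', 'None', 'quarantine']
```

Even when an attacker clones both the MAC and the DHCP behaviour of a sensor, the most they obtain in this model is `SENSOR_ROLE`, whose ACL reaches only the sensor server; that is the containment property the interview relies on, and it is worth verifying on the real switch or controller ACL rather than only in the policy engine.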