topic Most secure way to validate laptop, desktop and mobile devices? in General Topics

Most secure way to validate laptop, desktop and mobile devices?

davidgregg — Wed, 06 Dec 2017 15:39:32 GMT

I'm new to networking in general and looking for the most secure way to ensure those joining our network actually belong on the network. We have a moderate hierarchy of users with a fairly even mix of desktops, laptops and mobile devices.

What I'm looking to achieve:

- Only specific devices are able to connect to network (whitelist specific, deny rest)

- Group devices into groups for different filtering rules

Notes:

- We have a single wifi spread throughout the site which managament and operators share

- We have outside contractors onsite which need access temporarily

- We use GlobalProtect to connect to the network remotely; I need to ensure this isn't disrupted

- We have a tunnel in place to a sister site that also needs to stay connected

From what I've read so far it seams that a certificate based authentication would be the most secure, though I've no idea where to start or if it's even possible to implement on mobile or temporary devices.

Would very much appreciate any help.

Re: Most secure way to validate laptop, desktop and mobile devices?

Securitylady — Wed, 06 Dec 2017 21:47:17 GMT

I believe the only way to do so with a PA is with Global Protect and you could use certificates. Otherwise, you would have to look at a genuine NAC product. Clearpass (aruba - hp) makes a pretty extensive one with a lot of capabilities, there are others out there too.

Re: Most secure way to validate laptop, desktop and mobile devices?

BPry — Wed, 06 Dec 2017 22:32:22 GMT

@davidgregg,

1) Have you configured user-id already, because if so you can restrict all security policies to known-user and as long as the IP has a user-id mapping the policies would function, but if they didn't have a mapped user-id entry then they would hit the default deny rule.

2) Does your Palo Alto handle your DHCP, or is this another network device?

3) What are you using to provide your wireless, and do you know if you can pull user-id from that device?

4) Are your users okay with being presented a captive portal, or not?

Essentially, yes the Palo Alto can do what you are asking. The setup is somewhat complex and requires a few things be put in place to do so properly, but it isn't impossible.

Re: Most secure way to validate laptop, desktop and mobile devices?

DonohoeRobert — Thu, 07 Dec 2017 16:34:58 GMT

Hi Mate,

Apart from the user id, zones and security rules. Ye can go one step further with hip checks to look at the devices connecting.

Can use the hip profiles in conjunction with the user id, zones etc, to make sure the devices connecting are above board and not just the user's credentials 🙂

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/use-host-information-in-policy-enforcement/configure-hip-based-policy-enforcement

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-HIP-checks-for-missing-patches-for-multiple-vendors-on-one/ta-p/73814

details of what can be checked with the hip checks are below.

hope this helps,

Rob