Sunday, November 17, 2024

Layered Protection for RADIUS With Cisco

Dream world for the CISO

Organizations have a wide variety of resources to protect. And some resources are easier to protect than others. However, it’s not the easy stuff that keeps a CISO up at night. Before we dive into the more challenging examples, let’s consider a scenario that allows a CISO to sleep peacefully.

In this scenario, when a worker “goes to work” (either in the office or remotely), they open their corporate laptop and log in to a SaaS application. This worker types the URL into their browser, logs in with their SSO provider and authenticates using their fingerprint (biometric) on the device. Behind the scenes, this user is connecting to the application through a Zero Trust Network Access (ZTNA) solution and authenticating with the SAML protocol (or OIDC or OAuth 2.0), the modern authentication method for cloud applications.

This is the dream scenario, and the easier one to protect:

  • Modern, cloud application
  • Policy-driven application access
  • Phishing-resistant authentication
  • Trusted, managed device

The reality check

However, the dream scenario is also the least likely to be the cause of a breach. Instead, attackers are exploiting legacy technology or networks where it’s difficult to deploy extra security and enforce policy, like phishing-resistant multi-factor authentication (MFA) or ZTNA. While organizations are on their infrastructure modernization journey, we need to have a realistic plan to protect the long tail of legacy assets that are still in place and may be difficult to secure.

What can be done?

Layered protection with RADIUS

One of these underrated but common authentication protocols is RADIUS (Remote Authentication Dial-In User Service). RADIUS is a traditional network-based authentication protocol for users and devices that need to connect to the network.

If your organization is in a position where routers, switches, wireless access points and VPNs all use RADIUS, Cisco can help. First, Cisco Identity Services Engine (ISE) provides a layer of Network Access Control by offering AAA protection (Authentication, Authorization, and Access). This protection exists for users connecting to the network in the office and workers connecting to the network through the VPN.

The challenges and security implications around legacy VPN access are well documented, which is why organizations are moving toward modern architecture with ZTNA. The problem is that many legacy applications are not compatible with ZTNA and organizations have to hang on to their VPN infrastructure. It is not a surprise that while 86% of organizations have started to adopt zero trust, 98% have not reached maturity. Essentially, they are stuck in this journey.

That’s where Cisco Secure Access comes in. Secure Access has integrated both VPNaaS and ZTNA capabilities. This allows organizations to modernize VPN infrastructure and connect using Cisco’s cloud solution, falling back to VPNaaS if ZTNA is not possible. In practice, all users have the same experience when connecting to applications (legacy or modern, VPN-required or ZTNA-compatible) and the technology takes care of the work behind the scenes.

When it comes to VPNaaS use cases, organizations with an ISE deployment can leverage the unique integration between Secure Access and Cisco ISE to provide an extra layer of protection. This means that when users connect to VPNaaS, they are protected by ISE’s authentication, posture assessment, and network segmentation, all through a single agent: Secure Client.

We start with VPNaaS and Cisco ISE working together, and next we add an extra layer of defense with another form of authentication (that’s where the “multi” in MFA comes in). Cisco Duo can offer RADIUS support for legacy VPNs through the Duo Authentication Proxy by adding servers to an organization’s environment. But when you use Duo with ISE and VPNaaS, there is a unique API integration that enables RADIUS authentication without the need for the additional server in your environment. And all the end user sees is the typical Duo push that they are used to when accessing cloud applications.

Now, even when authenticating with RADIUS, users have a seamless experience, and organizations have layered protection to close potential gaps in the attack surface.

Secure organizations with User Protection Suite

In the ideal world, an organization could protect all its resources using the most advanced and modern technology and protocols. However, organizations have a wide range of assets that all need protection, regardless of how easy or hard they are to protect. By combining the network protection of Cisco ISE with User Protection Suite tools, Cisco can provide the solutions you need today while you continue to modernize for the future, and allow CISOs to get a good night’s rest.

To learn more about how Cisco’s User Protection Suite can protect your workforce, connect with an expert today.
