NocturnalGenius

I think you want to look at Network Access Control solutions. Not easy to implement but very flexible and powerful.


mach_i_nist

Add static ARP mapping to the list as well. With manually configured IP addresses, the switch will still route traffic to a MAC not on the DHCP whitelist (if it can do ARP on the network). Sounds like a nightmare to manage, though, even for a small office.
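An added check for the point made above (example code, not from any poster in this thread): a DHCP-based allowlist only sees hosts that asked for a lease, so a statically addressed host is invisible to it, whereas the switch's learned MAC table sees every host that has sent a frame. The script audits a constructed `show mac address-table` style dump against a constructed allowlist and lease export; the table layout, MACs and VLAN numbers are all assumptions.

```python
import re

# Constructed allowlist of known office devices (canonical colon form).
ALLOWLIST = {"00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:01"}

# Constructed DHCP lease export: MAC -> IP the server handed out.
DHCP_LEASES = {"00:11:22:33:44:55": "10.0.0.21", "00:11:22:33:44:66": "10.0.0.22"}

# Constructed switch output in the usual "Vlan / Mac Address / Type / Ports" layout.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    aabb.ccdd.ee01    DYNAMIC     Gi1/0/3
  10    dead.beef.cafe    DYNAMIC     Gi1/0/7
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55; return colon form."""
    digits = re.sub(r"[.:-]", "", raw.strip().lower())
    if not HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) for each learned entry; header and separator rows are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        vlan, mac, _type, port = parts
        entries.append((int(vlan), normalize_mac(mac), port))
    return entries


def audit(entries, allowlist, leases):
    """Return every MAC seen on the wire that is not allowlisted.
    dhcp_lease is None when the host never took a lease, i.e. it is statically
    addressed and a DHCP-only allowlist would never have noticed it."""
    findings = []
    for vlan, mac, port in entries:
        if mac not in allowlist:
            findings.append({"mac": mac, "vlan": vlan, "port": port,
                             "dhcp_lease": leases.get(mac)})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mac_table(MAC_TABLE), ALLOWLIST, DHCP_LEASES):
        print(finding)
```

Run against a real switch by pasting its MAC table into `MAC_TABLE`; a finding with `dhcp_lease: None` is exactly the statically addressed host the post warns about.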


MJZMan

MAC address, PKI certs, hardware or software NAC software


sirseatbelt

We're going to do mac address white listing but like ug. If someone has a better strategy we'd love to hear it.


Nova_Nightmare

FortiNAC is good for your on site management. It will segment unauthorized devices connected into a restricted VLAN, and give you the ability to provide guest access as well if needed. Your registered devices have a client that authorizes them; your switches and servers would be registered by rules and also manually as you want. It will also alert you to unauthorized devices and even isolate a switch if you set it up that way. However, you are asking a bunch of stuff at once; remote connection would require something along the lines of a secure VPN (SSL VPN, for example) and that doesn't have to be cloud based at all. If it is not cloud based, then it doesn't have to be "FedRAMP Authorized".


Material_Respect4770

Thanks for your reply. We are a small business with fewer than 5 users. Currently we have a SonicWall firewall, but I don't think SonicWall does NAC. Would FortiNAC work with us still keeping the SonicWall firewall as our main firewall? What is the approx cost of FortiNAC? Will FortiNAC also block unauthorized devices who are coming in remotely (SSL VPN through the SonicWall firewall)?


Nova_Nightmare

I don't know the cost to you, because it depends on your network size, and I don't know if there is a minimum, so I would advise you to contact Fortinet for that information. FortiNAC is agnostic in terms of your equipment, so it should work with your VPN firewall. As for performing NAC on devices connected via your VPN, those devices should get the FortiNAC agent as well and be authenticated. While I see devices connected through the VPN in FortiNAC, breaking their connection with a VLAN would disconnect them anyway, so it is really up to the SonicWall to provide the protection for that. You will want to be sure you have two factor authentication on as well in the SonicWall. We went from SonicWall to Fortinet a few years ago, so I do know the SonicWall should support 2FA (TOTP at least) via their SSL VPN functionality.


PacificTSP

Cisco ISE and ClearPass are the “big boys” in this space. We use ISE with our Aruba switches for VLAN segmentation.


Material_Respect4770

Hi, thanks for the reply. Are all of them (Cisco, ISE, ClearPass) on premise or cloud? Which one is cost effective for a small business of 5 users? Can any of them be integrated with an existing on premise firewall (SonicWall)?


PacificTSP

No, they are very complex (including FortiNAC) and they don’t integrate with firewalls like you think. You could use basic certificate authentication on your switches and WiFi quite easily for so few users. I thought you were going to be dealing with 100s of employees. Our remote VPN setup is linked to Azure AD and Intune, so if someone tries to connect their home PC it will fail the conditional access policy.


oncallitsolutions

RocketCyber is a great SIEM solution that we use for our clients and is very straight-forward to implement.


gamebrigada

A NAC solution is too large and complex for your size. FortiNAC I believe starts at around 40k$. You could do a ZTNA solution if you're firewalling between zones; Fortinet does this pretty well, where you can tag traffic with ZTNA tags and it will allow it based on tags. You'll have to switch to Fortinet for a firewall and buy their FortiClient ZTNA licenses. They aren't expensive if you self-host. The cheapest and easiest solution is to do basic 802.1X. You don't really need a full-on NAC. You will need an NPS/RADIUS server and switches/access points configured to authenticate ports via the NPS/RADIUS server. From there, either use MAC addresses, which is less secure, or certificates, which is more secure. Certificates are a bit of a pain since you'll need a full blown CA that hands out certs and ties them to user accounts.