Integrating New Employees' Devices into Network Securely

Implementing Host-Based Security Controls for Employee Devices

Question

After a large organization has completed the acquisition of a smaller company, the smaller company must implement new host-based security controls to connect its employees' devices to the network.

Given that the network requires 802.1X EAP-PEAP to identify and authenticate devices, which of the following should the security administrator do to integrate the new employees' devices into the network securely?

Answers

Explanations


C.

In this scenario, the security administrator must ensure that the new employees' devices are securely integrated into the network that requires 802.1X EAP-PEAP for device identification and authentication. Let's analyze each answer option to determine the best course of action.

A. Distribute a NAC client and use the client to push the company's private key to all the new devices.

A Network Access Control (NAC) client can provide a centralized approach to access control, but this is not the best approach for securely integrating devices into the network. Pushing the company's private key to every device poses a significant security risk, because an attacker who gains access to the key can use it to impersonate authorized devices.

B. Distribute the device connection policy and a unique public/private key pair to each new employee's device.

This approach is a more secure solution because each device has its own unique key pair that can be used for device identification and authentication. However, generating and distributing unique keys to each device can be time-consuming and challenging to manage, particularly in a large organization.

C. Install a self-signed SSL certificate on the company's RADIUS server and distribute the certificate's public key to all new client devices.

This approach can provide secure device identification and authentication. However, using a self-signed SSL certificate means that there is no third-party validation of the certificate's authenticity, which can make it easier for attackers to impersonate authorized devices.

D. Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access.

This approach can provide secure device identification and authentication. However, as with option C, using self-signed certificates means that there is no third-party validation of the certificate's authenticity.

In conclusion, option B is the most secure solution for integrating new devices into the network. However, the security administrator should also consider the complexity of key generation and distribution. Therefore, it is essential to weigh the benefits and challenges of each option before making a final decision.