1 00:00:00,760 --> 00:00:01,980 Rogue devices. 2 00:00:01,980 --> 00:00:03,690 One of the things you have to be concerned about 3 00:00:03,690 --> 00:00:06,330 on your network are rogue devices. 4 00:00:06,330 --> 00:00:08,640 Now, anytime a device is connected to your network, 5 00:00:08,640 --> 00:00:10,530 these network devices are identified 6 00:00:10,530 --> 00:00:12,660 using the hardware interface MAC address, 7 00:00:12,660 --> 00:00:14,460 and their IP address. 8 00:00:14,460 --> 00:00:16,379 So if I connect my smartphone to the network, 9 00:00:16,379 --> 00:00:19,350 or I connect a laptop to the network or smart TV, 10 00:00:19,350 --> 00:00:20,250 all of these devices, 11 00:00:20,250 --> 00:00:21,600 if they have a network card, 12 00:00:21,600 --> 00:00:23,490 have a MAC address and will hopefully 13 00:00:23,490 --> 00:00:25,290 be assigned an IP address. 14 00:00:25,290 --> 00:00:26,910 When that happens, you can use that 15 00:00:26,910 --> 00:00:29,880 to identify these devices across your network. 16 00:00:29,880 --> 00:00:31,770 Now, if you want to prevent things from connecting 17 00:00:31,770 --> 00:00:33,480 to your network that aren't authorized, 18 00:00:33,480 --> 00:00:35,670 one of the best mitigations you can use is 19 00:00:35,670 --> 00:00:37,860 to use digital certificates on those endpoints 20 00:00:37,860 --> 00:00:40,320 and servers, forcing them to authenticate 21 00:00:40,320 --> 00:00:44,280 and encrypt traffic using IPSec or HTTPS. 22 00:00:44,280 --> 00:00:46,830 This will make sure that only devices you authorize 23 00:00:46,830 --> 00:00:48,360 will get onto your network. 24 00:00:48,360 --> 00:00:50,850 Now, if you get an unauthorized device on your network, 25 00:00:50,850 --> 00:00:52,920 this is known as a rogue device, 26 00:00:52,920 --> 00:00:56,250 and that's what we're going to focus on inside of this lesson. 
27 00:00:56,250 --> 00:00:58,050 Now, when we talk about rogue devices, 28 00:00:58,050 --> 00:00:59,820 these are any unauthorized device 29 00:00:59,820 --> 00:01:03,630 or service such as a wireless access point, a DHCP server, 30 00:01:03,630 --> 00:01:05,850 or a DNS server that's on a corporate 31 00:01:05,850 --> 00:01:08,400 or private network that allows unauthorized individuals 32 00:01:08,400 --> 00:01:09,960 to connect to that network. 33 00:01:09,960 --> 00:01:12,300 Now, most often people think of rogue devices 34 00:01:12,300 --> 00:01:14,760 as things like a wireless access point or a switch 35 00:01:14,760 --> 00:01:16,350 or a hub that's being added, 36 00:01:16,350 --> 00:01:19,200 but they actually include much more than that. 37 00:01:19,200 --> 00:01:21,390 For example, if I have this thumb drive 38 00:01:21,390 --> 00:01:24,750 and I stick it into a server, is that a rogue device? 39 00:01:24,750 --> 00:01:26,010 Well, yes it is, 40 00:01:26,010 --> 00:01:28,410 because that thumb drive could be attached to the server 41 00:01:28,410 --> 00:01:30,210 to download sensitive data. 42 00:01:30,210 --> 00:01:31,950 It's something that is not authorized 43 00:01:31,950 --> 00:01:33,450 and it's being connected to my network 44 00:01:33,450 --> 00:01:36,533 through that workstation or through that server. 45 00:01:36,533 --> 00:01:37,410 And so this is an idea that you have to think about 46 00:01:37,410 --> 00:01:40,632 as well when you start talking about rogue devices. 47 00:01:40,632 --> 00:01:41,465 One of the most important things to do 48 00:01:41,465 --> 00:01:42,840 with rogue devices is detect them, 49 00:01:42,840 --> 00:01:44,610 because if you identify these things, 50 00:01:44,610 --> 00:01:46,020 you can then remove them. 
51 00:01:46,020 --> 00:01:49,440 So rogue system detection is simply a process of identifying 52 00:01:49,440 --> 00:01:52,200 and removing machines on the network that are not supposed 53 00:01:52,200 --> 00:01:53,250 to be there. 54 00:01:53,250 --> 00:01:54,780 So for the rest of this lesson, 55 00:01:54,780 --> 00:01:57,120 we are going to talk about rogue systems. 56 00:01:57,120 --> 00:01:58,200 We need to figure out first 57 00:01:58,200 --> 00:02:00,540 what is considered a rogue system. 58 00:02:00,540 --> 00:02:02,160 Well, there's lots of them out there. 59 00:02:02,160 --> 00:02:05,523 We have network taps and wireless access points, or WAPs. 60 00:02:06,536 --> 00:02:08,460 We have servers, we have wired and wireless clients. 61 00:02:08,460 --> 00:02:10,860 We have software that's installed without our permission. 62 00:02:10,860 --> 00:02:14,010 We have virtual machines and we have smart appliances. 63 00:02:14,010 --> 00:02:18,240 All of these things can be rogue devices or rogue systems. 64 00:02:18,240 --> 00:02:20,640 Now, one of our jobs is to identify everything 65 00:02:20,640 --> 00:02:24,150 that's on our network and identify what shouldn't be there. 66 00:02:24,150 --> 00:02:25,320 Based on that, 67 00:02:25,320 --> 00:02:28,350 we can then go through this rogue device system detection, 68 00:02:28,350 --> 00:02:29,610 find out what's not supposed to be there 69 00:02:29,610 --> 00:02:31,560 and get it off our network. 70 00:02:31,560 --> 00:02:33,090 So let's talk about all 71 00:02:33,090 --> 00:02:35,550 of these different categories of rogue devices. 72 00:02:35,550 --> 00:02:37,560 First, we have network taps. 73 00:02:37,560 --> 00:02:39,690 Now a network tap is a physical device 74 00:02:39,690 --> 00:02:41,100 that is attached to cabling 75 00:02:41,100 --> 00:02:42,030 to record packets 76 00:02:42,030 --> 00:02:44,180 that are passing over that network segment. 
77 00:02:45,190 --> 00:02:47,010 We talked about network taps earlier in this course 78 00:02:47,010 --> 00:02:49,320 because we use them as cybersecurity analysts. 79 00:02:49,320 --> 00:02:51,630 We want network taps that are in our control 80 00:02:51,630 --> 00:02:53,040 so we can collect information 81 00:02:53,040 --> 00:02:55,350 and detect things on our network by looking through 82 00:02:55,350 --> 00:02:57,720 all of our packet captures and network flows. 83 00:02:57,720 --> 00:03:00,000 But we don't want a rogue network tap 84 00:03:00,000 --> 00:03:02,340 that is under the control of some adversary, 85 00:03:02,340 --> 00:03:04,800 and that's what we're talking about here with network taps. 86 00:03:04,800 --> 00:03:07,980 The next area is wireless access points or WAPs. 87 00:03:07,980 --> 00:03:10,470 Now these are different devices that can be connected 88 00:03:10,470 --> 00:03:13,380 to your network and they extend your physical network 89 00:03:13,380 --> 00:03:15,150 into the wireless spectrum. 90 00:03:15,150 --> 00:03:16,800 Now, there's lots of problems when you start dealing 91 00:03:16,800 --> 00:03:17,940 with wireless access points, 92 00:03:17,940 --> 00:03:20,040 especially ones you don't control. 93 00:03:20,040 --> 00:03:22,590 One of them is that there can be rogue access points 94 00:03:22,590 --> 00:03:23,910 on your network. 95 00:03:23,910 --> 00:03:26,130 Now, there's two ways of looking at this. 96 00:03:26,130 --> 00:03:28,650 One is you have a rogue access point that's connected 97 00:03:28,650 --> 00:03:29,520 to your network, 98 00:03:29,520 --> 00:03:30,930 which can allow an adversary to connect 99 00:03:30,930 --> 00:03:32,430 to their wireless access point 100 00:03:32,430 --> 00:03:35,100 and then convert their radio signal from the parking lot 101 00:03:35,100 --> 00:03:37,650 going into your access point into the physical network 102 00:03:37,650 --> 00:03:39,720 over your ethernet network. 
103 00:03:39,720 --> 00:03:42,240 Now, the other type of rogue access point we can have is 104 00:03:42,240 --> 00:03:43,950 where an attacker gets close to you 105 00:03:43,950 --> 00:03:46,020 and then sets up their own access point 106 00:03:46,020 --> 00:03:47,790 with its own connection to the internet. 107 00:03:47,790 --> 00:03:49,770 Now, that point isn't going to actually connect 108 00:03:49,770 --> 00:03:50,603 to your network, 109 00:03:51,752 --> 00:03:52,710 but it can be used as an evil twin 110 00:03:52,710 --> 00:03:54,900 and make it look like it's part of your network. 111 00:03:54,900 --> 00:03:55,733 So for example, 112 00:03:55,733 --> 00:03:57,510 if I set up a rogue access point 113 00:03:57,510 --> 00:03:59,580 in the middle of Starbucks and you try to connect 114 00:03:59,580 --> 00:04:00,990 to the Starbucks wifi, 115 00:04:00,990 --> 00:04:02,880 you may be connecting to the Starbucks wifi 116 00:04:02,880 --> 00:04:05,220 or you may be connecting to mine. 117 00:04:05,220 --> 00:04:06,510 If you're connecting to mine, 118 00:04:06,510 --> 00:04:09,390 I now can capture all your traffic and put you at risk. 119 00:04:09,390 --> 00:04:12,152 We want to make sure this doesn't happen, 120 00:04:12,152 --> 00:04:12,985 and so we're going to scan our airwaves 121 00:04:12,985 --> 00:04:15,090 and find out what wireless networks are near us, 122 00:04:15,090 --> 00:04:18,269 identify those rogue devices and get them taken down. 123 00:04:18,269 --> 00:04:19,740 Now, often students ask me, 124 00:04:19,740 --> 00:04:22,380 how hard is it to create one of these rogue access points? 125 00:04:22,380 --> 00:04:24,270 Well, if you have something like a wifi pineapple, 126 00:04:24,270 --> 00:04:26,580 you can easily create a rogue access point 127 00:04:26,580 --> 00:04:28,980 for all those unsuspecting users. 128 00:04:28,980 --> 00:04:30,900 The next type of rogue device we're going to talk about 129 00:04:30,900 --> 00:04:32,340 is a server. 
130 00:04:32,340 --> 00:04:35,460 Now, an adversary may try to set up a server as a honeypot 131 00:04:35,460 --> 00:04:38,520 to start harvesting network credentials or other data. 132 00:04:38,520 --> 00:04:40,920 By doing this, they can then be another server 133 00:04:40,920 --> 00:04:43,020 on your network and try to trick your users 134 00:04:43,020 --> 00:04:45,000 into giving them critical information. 135 00:04:45,000 --> 00:04:47,040 They could also use things like ARP poisoning 136 00:04:47,040 --> 00:04:49,800 or corrupting name resolution to be able 137 00:04:49,800 --> 00:04:51,810 to divert traffic into their server instead of yours. 138 00:04:51,810 --> 00:04:53,130 So you want to make sure you're identifying 139 00:04:53,130 --> 00:04:55,830 these rogue servers and get them off your network. 140 00:04:55,830 --> 00:04:57,450 Another type of rogue device you might have 141 00:04:57,450 --> 00:04:59,790 is a wired or wireless client. 142 00:04:59,790 --> 00:05:02,790 For example, if somebody brings in their personal laptop, 143 00:05:02,790 --> 00:05:05,130 takes out the connection from their work laptop 144 00:05:05,130 --> 00:05:07,140 and plugs it into their personal laptop, 145 00:05:07,140 --> 00:05:08,880 they have now added a rogue device, 146 00:05:08,880 --> 00:05:12,120 their personal laptop, to your organizational network. 147 00:05:12,120 --> 00:05:13,350 This can be a big problem 148 00:05:13,350 --> 00:05:15,870 because these are devices you don't control. 149 00:05:15,870 --> 00:05:18,630 They have webcams on them, which can see inside the room. 150 00:05:18,630 --> 00:05:21,150 They have microphones to record conversations. 151 00:05:21,150 --> 00:05:23,280 They might bring malware into your network. 152 00:05:23,280 --> 00:05:25,500 Lots of different things can happen when you don't control 153 00:05:25,500 --> 00:05:26,520 the device. 
154 00:05:26,520 --> 00:05:27,420 In an organization, 155 00:05:27,420 --> 00:05:29,610 if you're using a bring your own device policy, 156 00:05:29,610 --> 00:05:31,320 this would not be considered a rogue device 157 00:05:31,320 --> 00:05:34,744 because you're allowed to bring them in under that policy. 158 00:05:34,744 --> 00:05:35,577 But in most organizations, 159 00:05:35,577 --> 00:05:37,620 if you don't have a bring your own device policy, 160 00:05:37,620 --> 00:05:39,090 bringing your own personal laptop 161 00:05:39,090 --> 00:05:40,320 is not going to be authorized, 162 00:05:40,320 --> 00:05:42,840 and it would be considered a rogue device. 163 00:05:42,840 --> 00:05:44,430 Now, another thing to think about when you talk 164 00:05:44,430 --> 00:05:45,960 about authorized client devices is 165 00:05:45,960 --> 00:05:48,480 that they could be used in an unauthorized way. 166 00:05:48,480 --> 00:05:51,240 For example, I have a workstation in my office 167 00:05:51,240 --> 00:05:52,560 that the company gives me. 168 00:05:52,560 --> 00:05:54,780 I can log in there using my username and password. 169 00:05:54,780 --> 00:05:56,250 All of that is authorized, 170 00:05:56,250 --> 00:05:59,580 but I don't have permission to try to SSH into a server 171 00:05:59,580 --> 00:06:02,880 or perform network scans or tether my smartphone to it. 172 00:06:02,880 --> 00:06:05,304 All of these are things that are unauthorized. 173 00:06:05,304 --> 00:06:06,210 And so if I do those things, 174 00:06:06,210 --> 00:06:09,120 I now have turned that authorized client into a rogue device 175 00:06:09,120 --> 00:06:11,490 because it's not following the right procedures. 176 00:06:11,490 --> 00:06:14,504 The next type of thing we want to talk about is software. 177 00:06:14,504 --> 00:06:16,260 And software can actually be rogue as well. 
178 00:06:16,260 --> 00:06:17,340 If I just go to the internet 179 00:06:17,340 --> 00:06:19,260 and download a piece of software on my workstation 180 00:06:19,260 --> 00:06:22,080 and install it, that can go against company policy 181 00:06:22,080 --> 00:06:24,750 and it would be considered a rogue device at that point. 182 00:06:24,750 --> 00:06:25,980 This can actually have things like 183 00:06:25,980 --> 00:06:28,140 malicious DHCP or DNS servers. 184 00:06:28,140 --> 00:06:31,560 It might be malware, it could be covert spying software. 185 00:06:31,560 --> 00:06:33,150 All of these things could be installed 186 00:06:33,150 --> 00:06:34,800 as part of this rogue software. 187 00:06:34,800 --> 00:06:37,140 So instead, you should always install software 188 00:06:37,140 --> 00:06:39,450 using the appropriate change management processes 189 00:06:39,450 --> 00:06:40,980 and make sure that software is clean 190 00:06:40,980 --> 00:06:42,840 and ready to go on the network. 191 00:06:42,840 --> 00:06:45,690 Another type of rogue device is virtual machines. 192 00:06:45,690 --> 00:06:48,780 If you're using a very highly virtualized environment, 193 00:06:48,780 --> 00:06:50,580 people can start creating virtual machines 194 00:06:50,580 --> 00:06:53,460 that could be used to create rogue servers and services 195 00:06:53,460 --> 00:06:55,680 inside that virtualized environment. 196 00:06:55,680 --> 00:06:57,180 Now, in the old days, if somebody wanted 197 00:06:57,180 --> 00:06:59,310 to bring a new server into your offices, 198 00:06:59,310 --> 00:07:00,570 you would probably see them carrying 199 00:07:00,570 --> 00:07:02,910 this big computer and hooking it up. 200 00:07:02,910 --> 00:07:05,760 But with virtual machines, it's just software code. 
201 00:07:05,760 --> 00:07:07,560 So if they could spin up a virtual machine 202 00:07:07,560 --> 00:07:09,540 and run software to run a server on it, 203 00:07:09,540 --> 00:07:12,856 that would be a way to put a rogue server in your network. 204 00:07:12,856 --> 00:07:14,040 So keep that in mind as well. 205 00:07:14,040 --> 00:07:17,130 The final area we want to talk about is smart appliances. 206 00:07:17,130 --> 00:07:19,710 Now these are devices like printers and webcams 207 00:07:19,710 --> 00:07:23,370 and VoIP handsets and VTC systems and washing machines 208 00:07:23,370 --> 00:07:25,350 and refrigerators and smart TVs 209 00:07:25,350 --> 00:07:26,520 and all sorts of other things. 210 00:07:26,520 --> 00:07:29,760 These days, everything seems to be internet connected. 211 00:07:29,760 --> 00:07:31,350 And when they're internet connected, 212 00:07:31,350 --> 00:07:33,450 that means they're a potential vulnerability 213 00:07:33,450 --> 00:07:35,310 that an adversary could exploit. 214 00:07:35,310 --> 00:07:36,410 A lot of these devices 215 00:07:37,464 --> 00:07:39,080 are running Linux-based operating systems, 216 00:07:39,080 --> 00:07:40,584 but they don't receive the patching 217 00:07:40,584 --> 00:07:42,060 and updating like your Linux servers would. 218 00:07:42,060 --> 00:07:43,110 And so they are something 219 00:07:43,110 --> 00:07:45,660 that could bring vulnerabilities into your systems. 220 00:07:45,660 --> 00:07:47,730 If you install a new TV in the conference room, 221 00:07:47,730 --> 00:07:49,290 does that TV have wifi? 222 00:07:49,290 --> 00:07:50,940 And did you plug it into the network? 223 00:07:50,940 --> 00:07:53,580 Because if so, that device could be something 224 00:07:53,580 --> 00:07:55,860 that could be used by an attacker against you.
225 00:07:55,860 --> 00:07:58,140 So now that we've talked about all the different kinds 226 00:07:58,140 --> 00:07:59,672 of rogue devices, 227 00:07:59,672 --> 00:08:01,200 and I told you all the bad news out there, 228 00:08:01,200 --> 00:08:02,970 how can you figure out what rogue devices 229 00:08:02,970 --> 00:08:05,220 there are and how do you detect them? 230 00:08:05,220 --> 00:08:07,350 Well, we could perform rogue device detection 231 00:08:07,350 --> 00:08:09,060 in lots of different ways. 232 00:08:09,060 --> 00:08:11,010 One of them is by doing a visual inspection 233 00:08:11,010 --> 00:08:12,600 of ports and switches, 234 00:08:12,600 --> 00:08:14,940 especially if you're dealing with wired networks. 235 00:08:14,940 --> 00:08:17,760 This is one of the best ways to find rogue devices. 236 00:08:17,760 --> 00:08:19,890 Now, when you're conducting your physical inspection, 237 00:08:19,890 --> 00:08:21,330 you want to make sure that you're careful 238 00:08:21,330 --> 00:08:24,120 to ensure the attacker didn't install some additional piece 239 00:08:24,120 --> 00:08:27,573 of equipment or counterfeit equipment with fake asset tags. 240 00:08:28,520 --> 00:08:30,750 For instance, if you have a rack of a bunch of Cisco gear 241 00:08:30,750 --> 00:08:32,220 and somebody brings in another device 242 00:08:32,220 --> 00:08:33,659 that looks like a Cisco device 243 00:08:33,659 --> 00:08:35,039 and you had five there yesterday 244 00:08:35,039 --> 00:08:38,248 and now you have six, will you be aware of that? 245 00:08:38,248 --> 00:08:39,929 Will you see it as you walk in on a daily basis? 246 00:08:39,929 --> 00:08:41,970 Well, if you had five and six, you might, 247 00:08:41,970 --> 00:08:44,970 but if you had 50 and now you have 51, you might not. 248 00:08:44,970 --> 00:08:46,200 And so this is something to keep in mind 249 00:08:46,200 --> 00:08:47,490 as you're looking at things. 
250 00:08:47,490 --> 00:08:48,360 As you go through, 251 00:08:48,360 --> 00:08:50,130 you should do inventories either monthly 252 00:08:50,130 --> 00:08:52,140 or quarterly to see all the devices 253 00:08:52,140 --> 00:08:55,530 that you expect are there and no additional devices. 254 00:08:55,530 --> 00:08:57,780 Another detection mechanism for rogue devices is 255 00:08:57,780 --> 00:09:00,630 to conduct network mapping and host discovery. 256 00:09:00,630 --> 00:09:02,400 You can use an enumeration scanner 257 00:09:02,400 --> 00:09:04,590 to help identify hosts via banner grabbing 258 00:09:04,590 --> 00:09:08,160 and fingerprinting of those devices across your network. 259 00:09:08,160 --> 00:09:10,230 As you start running scans across your network 260 00:09:10,230 --> 00:09:11,610 and performing this enumeration, 261 00:09:11,610 --> 00:09:13,830 you'll start figuring out exactly what's on your network. 262 00:09:13,830 --> 00:09:16,740 You've got 10 Linux servers and they're this version. 263 00:09:16,740 --> 00:09:19,440 You've got five Windows 2019 servers, 264 00:09:19,440 --> 00:09:20,760 whatever those things are. 265 00:09:20,760 --> 00:09:22,600 This will help you do that. 266 00:09:22,600 --> 00:09:23,460 And if you know what your baseline is 267 00:09:23,460 --> 00:09:24,540 and you write another scan 268 00:09:24,540 --> 00:09:26,100 and now you have three new servers, 269 00:09:26,100 --> 00:09:27,622 you can then figure out 270 00:09:27,622 --> 00:09:28,500 why do you have those three new servers? 271 00:09:28,500 --> 00:09:30,279 'Cause if they didn't go through 272 00:09:30,279 --> 00:09:31,112 the proper change control process, 273 00:09:31,112 --> 00:09:32,250 they would be rogue devices. 274 00:09:32,250 --> 00:09:33,990 If you're worried about wireless devices, 275 00:09:33,990 --> 00:09:36,060 you can conduct wireless monitoring. 276 00:09:36,060 --> 00:09:38,610 This is also known as wireless sniffing and discovery. 
277 00:09:38,610 --> 00:09:40,200 And this can be used to find unknown 278 00:09:40,200 --> 00:09:42,690 or unidentifiable service set indicators 279 00:09:42,690 --> 00:09:46,260 or SSIDs showing up within the range of your office. 280 00:09:46,260 --> 00:09:47,820 So again, if you have an office 281 00:09:47,820 --> 00:09:50,760 and the name was Dion Training as your wifi, 282 00:09:50,760 --> 00:09:52,260 and right next door is a coffee shop 283 00:09:52,260 --> 00:09:53,850 and somebody sets up a rogue access point 284 00:09:53,850 --> 00:09:55,140 called Dion Training, 285 00:09:55,140 --> 00:09:57,240 and you start seeing there is three different signals 286 00:09:57,240 --> 00:09:58,290 coming out from Dion Training, 287 00:09:58,290 --> 00:10:00,420 but you only have two in your office, well, 288 00:10:00,420 --> 00:10:01,740 that would be a rogue device. 289 00:10:01,740 --> 00:10:04,380 And wireless monitoring can help you figure that out. 290 00:10:04,380 --> 00:10:07,020 Another good detection mechanism is to use packet sniffing 291 00:10:07,020 --> 00:10:08,460 and traffic flows. 292 00:10:08,460 --> 00:10:11,070 This can be used to identify any unauthorized protocols 293 00:10:11,070 --> 00:10:12,870 that are on your network or any unusual 294 00:10:12,870 --> 00:10:14,910 peer-to-peer communication flows. 295 00:10:14,910 --> 00:10:15,750 For example, 296 00:10:15,750 --> 00:10:18,300 if you're not running any web servers on your network, 297 00:10:18,300 --> 00:10:20,460 but you start seeing port 80 is running 298 00:10:20,460 --> 00:10:21,750 and sending data out, 299 00:10:21,750 --> 00:10:23,520 often that could be an indication 300 00:10:23,520 --> 00:10:25,350 that somebody set up a malicious 301 00:10:25,350 --> 00:10:28,728 or rogue web server inside your network. 302 00:10:28,728 --> 00:10:29,730 And so you want to look into that. 303 00:10:29,730 --> 00:10:32,910 And finally, we have NAC and intrusion detection. 
304 00:10:32,910 --> 00:10:34,920 A lot of security suites and appliances 305 00:10:34,920 --> 00:10:36,840 can combine automated network scanning 306 00:10:36,840 --> 00:10:39,480 with defense and remediation suites to try 307 00:10:39,480 --> 00:10:42,080 to prevent rogue devices from accessing the network. 308 00:10:43,000 --> 00:10:43,833 If you're using NAC, 309 00:10:43,833 --> 00:10:44,666 you might be using something like 310 00:10:44,666 --> 00:10:46,770 usernames and passwords to gain access to the network, 311 00:10:46,770 --> 00:10:49,290 or even better, digital certificates. 312 00:10:49,290 --> 00:10:51,000 If somebody doesn't have that digital certificate, 313 00:10:51,000 --> 00:10:52,950 that device can't get on the network. 314 00:10:52,950 --> 00:10:54,600 If you're dealing with intrusion detection, 315 00:10:54,600 --> 00:10:56,190 it can go and scan the network and say, 316 00:10:56,190 --> 00:10:57,660 I found this new thing. 317 00:10:57,660 --> 00:11:00,600 I don't know what it is, and therefore I'm going to flag it. 318 00:11:00,600 --> 00:11:02,250 And that way an analyst can look into it further 319 00:11:02,250 --> 00:11:04,150 and figure out if it's a rogue device.