
Zingbox – NAC Integration Use Cases

Introduction
Zingbox IoT Guardian helps orchestrate IoT lifecycle management, beginning with the
discovery of existing devices on the network and the enforcement of new device onboarding
policy. It assists with securing devices and optimizing and managing their usage. Finally,
Zingbox helps with safely retiring devices.

In orchestrating the IoT device lifecycle, Zingbox integrates with NAC (Network Access Control)
solutions such as Cisco ISE, Aruba ClearPass, and ForeScout CounterACT. IoT Guardian
discovers IoT devices on the network, identifies and profiles them with its patented three-tier
machine-learning algorithm, and then reports them to the NAC system for proper network
onboarding and access. IoT Guardian next checks for security risks and suspicious behavior,
and if it discovers any, it sends alerts to the NAC for automated policy enforcement. In sum, IoT
Guardian provides a NAC system with accurate IoT device identities and notifies it whenever a
security threat arises and device behavior veers from what is expected and safe.

Let’s look at a couple of use cases that benefit from a Zingbox-NAC integration:
• Provisioning devices
• Enforcing policy

Use Case #1: Provisioning Devices


Onboarding specialized network-enabled equipment such as IoT devices can be a challenging
task. A complete inventory of non-traditional IT assets is often missing, which makes it rather
difficult to design a network with VLANs for all the device types and then onboard devices into
their appropriate VLAN segments. Zingbox IoT Guardian provides several key features that
enable automated VLAN segmentation:
• Discovery: IoT Guardian discovers all network-connected IT and IoT assets.
• Identification and classification: IoT Guardian identifies devices—including their OS, risks,
makes, and models—and it understands their context of use.
• Segmentation: By integrating with a NAC system, IoT Guardian provides it with device
identities and profiles used to create security groups for defining network segments and
access policies that ensure the right level of network access.

Use Case #2: Enforcing Policy


While manually defining policies and mitigating threats is feasible in the initial stages of a
network, employing automation eventually becomes not only expedient but essential as the
network expands in size and complexity. A Zingbox-NAC integration can reduce risk by
facilitating remediation and enforcing trusted behaviors:
• Device network isolation: When Zingbox IoT Guardian detects security anomalies or alerts,
it can trigger authorization profiles on a NAC system to isolate and quarantine affected
devices in real time.
• Only allow trusted behaviors: Through machine learning, IoT Guardian develops a baseline
for the acceptable and trusted behaviors of each device, including its network
communication patterns. This behavioral data is available as ACL rules that can be
imported to a NAC system to restrict all other communications.

Conclusion
Zingbox IoT Guardian provides a NAC system with Zingbox-learned IoT device identities to
help with VLAN segmentation, and with device profiles and alerts for use in NAC policy rules.
By integrating Zingbox IoT Guardian with NAC, you can confidently expand your NAC coverage
to include use cases across IoT device lifecycle orchestration.

Copyright © 2020 Palo Alto Networks


Proprietary. All rights reserved.