By Will Aguilar, Director, Product Management for Wireless, Enterasys Networks
The growth of mobile devices in the enterprise has been explosive and drives end-users’ expectation that they will be able to access business services anywhere, anytime, in the office, on campus, or remotely. This environment increases the burden on IT for securing information and managing the network infrastructure. Leading IT organizations now demand mobile, transparent, and always-on wired-to-wireless edge services. This new unified access layer requires two components. First, intelligent distributed access components ensure that access control and resiliency of business services are distributed across the entire infrastructure. Second, these distributed access components must be manageable from a single management console to ensure consistency and lower management overhead.
Enterasys’ multifaceted unified access layer portfolio delivers both the distributed access components and centralized visibility and management needed to maximize network performance and reduce risks. Enterasys provides fixed stackable and modular switching for intelligent edge wired connectivity as well as intelligent high-performance 802.11n semi-autonomous access points. These solutions provide scalability and resiliency with minimal dependence on a central management plane.
The common thread that binds Enterasys’ unified access portfolio is Enterasys’ exclusive automated role-based architecture. Enterasys uniquely enables multi-user authentication, authorization, access control, and traffic flow optimization ensuring transparent access to business services and unparalleled mobility. Enterasys delivers these capabilities without requiring complex network changes. This automated role-based provisioning system lowers OPEX costs and ensures consistent access to business services whether users are plugged into the wall or are untethered and moving freely across the campus. At the same time the risk of data loss is reduced.
Protecting the unified access layer requires a holistic defense-in-depth approach incorporating multiple layers of protection: Layer 1-2 protection (Wireless Intrusion Prevention System - WIPS), Layer 3-7 protection (wired IPS), network-wide event correlation and response (SIEM), and Network Access Control (NAC). A WIPS-only approach provides GOOD protection against Denial-of-Service (DoS), rogues, honeypots, and protocol anomaly attacks through the wireless medium, but it doesn’t provide application-level protection.
The second level of protection, in-band/out-of-band IPS, extends protection against Layer 3-7 attacks with deep packet inspection and signature-based pattern matching, complementing WIPS for a BETTER security posture. The final level, SIEM, provides behavioral analysis and network-wide event correlation and response, ensuring the BEST protection against distributed and coordinated attacks. Enterasys is uniquely positioned to offer GOOD, BETTER, and BEST security postures and to automate the response to threats via NAC integration. NAC automatically quarantines users based on the security threat classified by the IPS or SIEM engines, thus ensuring consistent user/device isolation across the entire network infrastructure within seconds.
Enterasys NAC offers pre-connect and post-connect protection, ensuring that users securely access business services from corporate assets and from consumer devices such as iPhones, iPads, and Android devices, commonly referred to as Bring Your Own Device (BYOD) programs. The pre-connect functions ensure that endpoint devices meet security policy (antivirus, updated signatures, personal firewall, etc.) before they are allowed to connect to the unified wired and wireless edge. End-user devices that do not meet security guidelines are automatically quarantined and optionally allowed access to remediation tools and services. Checking for security compliance once is not good enough, as threats are constantly emerging and endpoint devices need to stay at the highest protection level. The post-connect services from Enterasys NAC ensure that endpoint devices continuously meet granular user and device access controls, providing maximum protection against security risks and data loss.
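To make the pre-connect/post-connect split concrete, here is an added example of a toy NAC policy engine. It is not Enterasys code and assumes nothing about any vendor's data formats: the endpoint records, the IPS/SIEM verdicts, the "corporate"/"quarantine" role names, the seven-day signature-age limit and the "high" quarantine threshold are all constructed for the demo. It shows a device failing the posture check before it connects, a device that passed the posture check being moved to quarantine later on an engine verdict, and a low-severity verdict leaving a compliant device alone.

```python
"""Added example (not Enterasys code): a toy NAC policy engine modelling the
pre-connect posture check and the post-connect, threat-driven quarantine
described in the article.  Endpoint records, IPS/SIEM verdicts and policy
thresholds are constructed for the demo and are not any vendor's format."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Endpoint:
    mac: str
    antivirus_installed: bool
    signature_date: date        # date of the last antivirus signature update
    firewall_enabled: bool
    role: str = "unassigned"    # role the edge switch/AP will enforce
    failures: list = field(default_factory=list)


MAX_SIGNATURE_AGE_DAYS = 7      # constructed policy value


def pre_connect_check(ep, today):
    """Posture check before the device gets any access: returns the role to
    enforce, 'corporate' on pass or 'quarantine' (remediation only) on fail."""
    ep.failures = []
    if not ep.antivirus_installed:
        ep.failures.append("no antivirus")
    elif (today - ep.signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        ep.failures.append("stale antivirus signatures")
    if not ep.firewall_enabled:
        ep.failures.append("personal firewall disabled")
    ep.role = "quarantine" if ep.failures else "corporate"
    return ep.role


# Severity scale for verdicts an IPS or SIEM engine hands to NAC (constructed).
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
QUARANTINE_AT = "high"


def post_connect_update(ep, verdict):
    """Apply a threat classification about an already-connected endpoint.
    At or above the threshold the device is moved to quarantine even though
    it passed the pre-connect check; lower severities leave its role alone."""
    if SEVERITY[verdict["severity"]] >= SEVERITY[QUARANTINE_AT]:
        ep.failures.append(f"{verdict['source']}: {verdict['signature']}")
        ep.role = "quarantine"
    return ep.role


TODAY = date(2012, 5, 1)


def sample_endpoints():
    """Fresh constructed endpoints on each call so runs do not share state."""
    return [
        Endpoint("aa:bb:cc:00:00:01", True, date(2012, 4, 30), True),   # compliant
        Endpoint("aa:bb:cc:00:00:02", True, date(2012, 3, 1), True),    # stale AV
        Endpoint("aa:bb:cc:00:00:03", True, date(2012, 4, 29), True),   # compliant
    ]


SAMPLE_VERDICTS = [  # constructed engine output, keyed by MAC
    {"mac": "aa:bb:cc:00:00:01", "source": "IPS", "severity": "high",
     "signature": "outbound connection to known botnet controller"},
    {"mac": "aa:bb:cc:00:00:03", "source": "SIEM", "severity": "low",
     "signature": "repeated login failures"},
    {"mac": "aa:bb:cc:00:00:99", "source": "IPS", "severity": "critical",
     "signature": "unknown device"},
]


def run_demo(endpoints=None, verdicts=SAMPLE_VERDICTS, today=TODAY):
    """Run pre-connect checks, then feed post-connect verdicts; return
    {mac: (final role, reasons)} so the outcome can be inspected."""
    endpoints = sample_endpoints() if endpoints is None else endpoints
    by_mac = {ep.mac: ep for ep in endpoints}
    for ep in endpoints:
        pre_connect_check(ep, today)
    for v in verdicts:
        if v["mac"] in by_mac:          # verdicts about unknown MACs are dropped
            post_connect_update(by_mac[v["mac"]], v)
    return {ep.mac: (ep.role, list(ep.failures)) for ep in endpoints}


if __name__ == "__main__":
    for mac, (role, why) in run_demo().items():
        print(mac, role, why)
```

The design point is that the quarantine decision is a role assignment, not a per-switch ACL change: the same role string is what a role-based edge would enforce on a wired port or a wireless association, which is what makes the isolation consistent across the infrastructure.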
In summary, today’s unified access layer of wired and wireless services requires a multi-dimensional approach to deliver the service-level and security protection demanded by enterprises and educational organizations. Enterasys offers a full complement of integrated secured networking solutions ensuring the highest-level of resiliency and availability to business services without sacrificing security and performance!
By Ron Meyran, Director Security Products, Radware
The growing use of mobile devices and in-the-cloud services poses new challenges for IT managers: perimeter security is no longer effective – one needs to look for new solutions that rely on behavioral analysis and the human factor.
Historically, protecting corporate data assets was done at the perimeter and internal levels by installing a firewall, an intrusion detection system (IDS) and host-based anti-virus software.
The growing use of mobile devices including laptops, smartphones and tablets, along with the move of corporate services into the cloud, imposes new security challenges in protecting corporate sensitive data for the following reasons:
• User mobility bypasses perimeter security;
• Data is no longer necessarily stored solely on internal corporate systems;
• Users get a false sense of intimacy with their smartphones or other handheld devices;
• Attackers deploy multi-vulnerability attack campaigns.
IT and security managers face a new landscape of threats and need to deploy new solutions to secure corporate information assets.
Smartphones, Cloud Providers Becoming the Preferred Target for Attackers
The major security concerns regarding smartphones today are most likely information theft and fraud. Due to the false sense of intimacy created by the use of smartphones – these actions may occur more often than they would if other devices such as laptops or desktops were being used. Smartphones are small, personal, and users tend to trust them as they would trust their laptop or desktop security – although in reality they are not as safe. Smartphones are an easy target for physical theft and of course can be forgotten. Security tools for smartphones are not yet mature, since vendors focus more on rolling out new devices and applications than on embedded security. This leaves smartphones open to all types of network attacks including malware spread, Trojans, bots, phishing and social engineering, and zero-day attacks.
Cloud providers are targeted for a similar motivation: they host corporate and user information. Attackers have an even higher motivation to penetrate cloud provider systems: once they have broken in, they can gather information about multiple users – all at once.
Protecting Organization’s Critical Data when the Perimeter is Easily Bypassed
To protect an organization’s corporate data one should invest in several types of counter and preventive measures:
1. Network Behavioral Analysis (NBA): traditional detection and protection tools rely on pre-configured rules (such as firewall access lists) and signature detection technology – which is effective against known attacks. However, attackers deploy zero-day attack techniques along with application misuse attacks for which IT administrators have no signature, or which do not break any pre-defined rule. NBA tools can detect and alert on abnormal, suspicious activity in the network regarding user behavior or application misuse. Some of the tools have the capability to characterize the attack and use the attack pattern to block it in real-time.
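The following is an added example, not Radware's code or any product's algorithm, of the core idea behind NBA: learn what each host normally does, then alert when its current activity departs from its own history rather than when it matches a signature. It goes slightly beyond the text by also flagging a host that has never been seen before. The flow records, feature choice (distinct destinations and bytes per minute), the three-sigma threshold and the variance floor are all constructed assumptions for the demo.

```python
"""Added example (not Radware code): a minimal network behavioral analysis
(NBA) check.  A per-host baseline is learned from a window of flow summaries;
the current window is then scored against that baseline, so activity with no
matching signature (a sudden fan-out, an unusual data volume, a host that has
never appeared) still produces an alert.  All flows are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("distinct_destinations", "bytes")


def features_per_minute(flows):
    """Aggregate raw (minute, src, dst, bytes) records into
    {(src, minute): (distinct destinations, total bytes)}."""
    dsts = defaultdict(set)
    byts = defaultdict(int)
    for minute, src, dst, nbytes in flows:
        dsts[(src, minute)].add(dst)
        byts[(src, minute)] += nbytes
    return {k: (len(dsts[k]), byts[k]) for k in dsts}


def build_baseline(flows):
    """Per host, the mean and population std-dev of each feature over the
    training window.  Returns {host: [(mean, sd), ...] in FEATURES order}."""
    per_host = defaultdict(list)
    for (host, _), feat in features_per_minute(flows).items():
        per_host[host].append(feat)
    return {host: [(mean(col), pstdev(col)) for col in zip(*rows)]
            for host, rows in per_host.items()}


def score(baseline, flows, k=3.0):
    """Return {host: [(feature, observed, z)]} for features more than k
    standard deviations ABOVE the host's own baseline, plus hosts absent from
    the baseline.  The std-dev is floored at 10% of the mean (or 1) so a host
    with a perfectly constant history does not produce infinite z-scores."""
    alerts = defaultdict(list)
    for (host, _), feat in features_per_minute(flows).items():
        if host not in baseline:
            alerts[host].append(("unknown_host", None, None))
            continue
        for name, obs, (mu, sd) in zip(FEATURES, feat, baseline[host]):
            z = (obs - mu) / max(sd, 0.1 * mu, 1.0)
            if z > k:
                alerts[host].append((name, obs, round(z, 1)))
    return dict(alerts)


def sample_baseline_flows():
    """Constructed ten-minute training window for two internal hosts."""
    flows = []
    for minute in range(10):
        # 10.0.0.5: a workstation talking to two or three internal servers
        servers = ["10.0.1.10", "10.0.1.11", "10.0.1.12"][: 2 + minute % 2]
        for i, dst in enumerate(servers):
            flows.append((minute, "10.0.0.5", dst, 8000 + 500 * i))
        # 10.0.0.6: a printer that only ever talks to the print server
        flows.append((minute, "10.0.0.6", "10.0.1.20", 3000))
    return flows


def sample_current_flows():
    """Constructed minute to score: the workstation fans out to 40 hosts, the
    printer moves 30x its usual volume, and an unknown host appears."""
    flows = [(10, "10.0.0.5", f"10.0.2.{n}", 200) for n in range(1, 41)]
    flows.append((10, "10.0.0.6", "10.0.1.20", 90000))
    flows.append((10, "10.0.0.7", "10.0.1.10", 500))
    return flows


def run_demo():
    return score(build_baseline(sample_baseline_flows()), sample_current_flows())


if __name__ == "__main__":
    for host, reasons in run_demo().items():
        print(host, reasons)
```

Note that the workstation's byte count in the scored minute is actually below its baseline, so volume alone would not have flagged it; the fan-out to many destinations is what stands out. That is why behavioral tools score several features per host rather than one global threshold.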
2. Maintaining perimeter security with the introduction of mobile devices. The organization’s IT team should:
a. Approve smartphones for corporate use including operating systems that offer centralized policy configuration management.
b. Enforce password requirements and mobile host antivirus software.
c. Require users to connect to the corporate network via SSL VPN (including when accessing through the corporate Wi-Fi network – same policies should be applied across wireless and wired devices).
d. Use some sort of “remote wipe” software to erase sensitive data on lost or stolen devices.
3. With regard to cloud providers – prior to selecting a provider and uploading corporate information to the cloud servers, make sure the provider is aware of the sensitivity of the information and properly secures corporate assets. Do the homework in advance: ask about the protection measures taken and how they audit them – these steps provide the necessary information regarding how much the cloud provider cares about these critical information assets.
4. Education, education, education: no matter how strong and sophisticated the security tools deployed are, without the awareness of users, any tool can be bypassed. Make sure all employees understand the risks and importance of information security, common attack techniques and what to do when a suspected data breach has occurred.