
Application Visibility and Control

Do you know with certainty what applications your users are running on the network? Just because your firewall only allows, say, ports 80, 443, and 53 doesn’t guarantee that only web browsing, secure web browsing, and DNS query traffic is passing through your firewall!

Did you know that:

  1. Instead of establishing new server port numbers, legitimate applications are now designed to run over standard, commonly allowed ports. For example, Dropbox uses ports 443 and/or 80 to allow users to upload and download files to their cloud-based storage service. Do you know with certainty that your employees aren’t uploading sensitive corporate data to Dropbox?
  2. Many applications are designed to dynamically probe your firewall to find an open port. For example, each time Skype starts it probes your firewall to see which ports are open and then communicates over that port. If you close the first port Skype picks, Skype simply moves on to the next open port. It is impossible for a traditional firewall to block Skype unless you close every port on your firewall!
  3. Malware often communicates over ports 80, 443, and 53. For example, Conficker relies on port 80. (Source)

Traditional stateful-inspection firewalls will permit all of the aforementioned traffic, both legitimate and malicious, because they make decisions based only on port numbers and session state – they are not capable of inspecting the application-layer data that is needed to identify the true application.

The bottom line is this:

Do you really know what applications are running on your network?

And if not, how can you be sure that malicious, tunneled communication isn’t occurring over allowed ports?

Many firewall vendors claim to identify networked applications; however, their solutions rely on a ‘bolt-on’ approach that is not only complex to manage and dramatically reduces throughput, but is simply not effective at correctly identifying the applications. Digital Scepter can demonstrate true application visibility and control using a Palo Alto Networks next-generation firewall, which correctly identifies the applications passing traffic regardless of protocol, port, or evasive tactic. In addition, a Palo Alto Networks firewall can even identify applications running inside encrypted SSL tunnels. And once you can identify the application, you have the power to permit, deny, or rate-limit that traffic.

Correctly identifying all of the applications is the first step in creating a positive security model, where you permit only known, desired applications and deny everything else. A positive security model implemented on a Palo Alto Networks next-generation firewall dramatically reduces risk because malware and other risk-inherent applications are not permitted, even when they communicate over permitted ports. In addition, zero-day malware is blocked as well, since it is not identified as an allowed application.
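The contrast described above, as an added illustration that is not part of the original page or of any Palo Alto Networks code: a port-only rule set is compared with a payload-based, positive-model policy over a handful of constructed flows (Dropbox shown as plaintext HTTP for simplicity, non-DNS data on udp/53, and web browsing on a non-standard port). The classifier is a deliberately small stand-in for real application identification.

```python
import re
import struct

ALLOWED_PORTS = {80, 443, 53}           # what a port-only rule set permits
ALLOWED_APPS = {"web-browsing", "dns"}  # positive model: known, desired apps only

def port_policy(dst_port: int, payload: bytes) -> str:
    """Stateful-inspection style decision: port number only, payload ignored."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"

def _dns_qname_ok(b: bytes) -> bool:
    """Walk DNS labels: each 1..63 bytes, terminated by a zero-length label."""
    i = 0
    while i < len(b):
        n = b[i]
        if n == 0:
            return i <= 253
        if n > 63 or i + 1 + n > len(b):
            return False
        i += 1 + n
    return False

def identify_app(dst_port: int, payload: bytes) -> str:
    """Toy payload-based classifier; dst_port is deliberately ignored."""
    p = payload
    if re.match(rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", p):
        host = re.search(rb"\r\nHost: ([^\r\n]+)", p)
        if host and host.group(1).strip().endswith(b"dropbox.com"):
            return "dropbox"
        return "web-browsing"
    if len(p) >= 12:  # DNS header: QR=0 (query), opcode 0, at least one question
        flags, qdcount = struct.unpack("!HH", p[2:6])
        if not flags & 0x8000 and (flags >> 11) & 0xF == 0 and qdcount >= 1 and _dns_qname_ok(p[12:]):
            return "dns"
    return "unknown"

def app_policy(dst_port: int, payload: bytes) -> str:
    """Positive security model: permit only identified, allow-listed applications."""
    return "allow" if identify_app(dst_port, payload) in ALLOWED_APPS else "deny"

# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLES = {
    "web-80": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "dropbox-443": (443, b"POST /upload HTTP/1.1\r\nHost: content.dropbox.com\r\n\r\n"),
    "dns-53": (53, struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)),
    "nondns-53": (53, b"\xde\xad\xbe\xef" + b"not a DNS query, just data on udp/53"),
    "web-8080": (8080, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
}
```

Calling `port_policy(*flow)` and `app_policy(*flow)` for each entry in `SAMPLES` shows the port-only rules allowing the Dropbox upload and the non-DNS traffic on 53, while the positive model denies both and, being port-agnostic, still allows plain web browsing on 8080.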

Contact Digital Scepter today and let us help you identify and secure your networked applications with a Palo Alto Networks firewall!

Securing BYOD

We are seeing a rapid proliferation of employee-owned mobile devices such as smartphones, tablets, and of course laptops. Many employees are demanding that their devices be allowed onto the corporate network via wireless connectivity – whether simply for web browsing and checking email or to access work-related corporate applications and/or data. This is so common now that a term has been coined for it: ‘bring your own device’ or BYOD.

These issues need to be addressed when implementing a BYOD network:

Cost/Benefit Analysis The fact that your employees demand access to network resources using their personal devices isn’t a good enough reason to allow it. What are the real benefits, and can you place a dollar figure on them? Will higher productivity result? Can the company save capital costs by not having to buy mobile devices for its employees? How much will it cost to support these mobile users, including any product solutions you may buy?

Risk Awareness What happens when a smartphone with malware connects to your corporate network? Or an employee stores sensitive corporate data on their tablet and the tablet is then lost or stolen? Or a competitor sits in your parking lot and tries to gain access via your wireless network? What if an employee maintains a home backup copy of their smartphone containing corporate data and then leaves the company? Do IT and upper management sign off on the additional risks posed by a BYOD network?

Compliance, Rules, and Regulations Is your organization under strict compliance and/or regulatory requirements regarding electronic data and transactions? Are mobile devices specifically addressed in these requirements? If not, how do you ensure that your BYOD solution still satisfies a governance audit?

Network Architecture If not properly implemented, adding mobile devices can result in a ‘dissolving network perimeter’. How will you adapt your network architecture and defenses? Do you segment mobile users into a particular VLAN/subnet and apply additional security controls? Which devices are capable of encrypting data in transit through a VPN?

Device Security Controls Addressing the network architecture is only one component of securing a BYOD network – you also need to secure the devices themselves. Do you require device encryption, endpoint health checking (e.g. anti-virus), and user and/or device authentication? Do you need remote control over the device, such as removing/installing applications, monitoring running applications, or even terminating an application in real time?

Segmentation How will you handle scenarios where users have personal data and then attempt to store corporate data on the same personal device? Does your IT policy (or a compliance requirement) require these two types of data to be segmented? If so, do you have the ability to do a selective remote wipe of just the corporate data compartment?

Guest/Partner Access Does it make sense to allow business partners access to this BYOD network? If so, how are they authenticated? Do you need to provide guest access? What are the provisioning steps for business partners and/or guests?

Policy The allowed devices, device operating systems, users, applications, and access to corporate data need to be clearly spelled out and communicated to employees. What are the consequences for users who violate the policy? Employees must agree to the policy in writing BEFORE being allowed on the BYOD network.

User Education How will users be informed of the additional risks inherent in BYOD, as well as the best practices to mitigate those risks?

Rollout How do you push out an agent or a certificate if the chosen security solution requires it? Are certain devices/user groups supported first?

Monitoring How do you best verify that legitimate users are accessing legitimate corporate resources using BYOD devices? Are you taking inventory of both authorized and unauthorized devices found on your BYOD network?

Incident Response No system is 100% secure, so there will be incidents no matter how effective the prevention program is. What will the response be when a security incident happens on a BYOD device – will it differ from the response for a corporate-owned device on the wired network?

Digital Scepter has cost-effective solutions to address these issues, including network access control (NAC) and mobile device management (MDM) solutions. In addition, we recommend implementing a next-generation firewall such as Palo Alto Networks to provide complementary security to these BYOD solutions. Each organization’s situation is unique, so contact Digital Scepter today and let us help you secure BYOD!