Safeguarding Mobile Device Access Across Enterprise Networks
 

Organizations adopting bring-your-own-device (BYOD) policies can secure sensitive data and protect their networks by following some key guidelines and best practices.


Evolving workforce | dell.com/powersolutions
Reprinted from Dell Power Solutions, 2013 Issue 2. Copyright © 2013 Dell Inc. All rights reserved.

By Patrick Sweeney

Many employees bring personally owned mobile devices to work for accessing enterprise data and applications. Organizations are rapidly embracing this bring-your-own-device (BYOD) approach as a way to increase worker productivity, and for good reason. However, before permitting access to the enterprise network, IT must find a way to safeguard the corporate environment by ensuring that the myriad of employee mobile devices do not introduce malware and bots.

Just as importantly, the organization must control who can have access to which data. For example, not all employees need permission to view confidential personnel files or sensitive business information. Further, the introduction of unmanaged devices may diminish network productivity by consuming bandwidth needed by business-critical applications.

Before extending current remote-access policies to include mobile devices, organizations are well advised to identify the similarities and differences between portable-computer remote-access security and smartphone remote-access security. With these distinctions in mind, IT organizations can implement best practices to help ensure the confidentiality and security of communications from both inside and outside the network perimeter.
Security distinctions between portable computers and smartphones

Given their compute power, today's smartphones could be considered a class of portable computer. Yet portable computers such as laptops and notebooks differ from smartphones in several important ways, some of which affect security. To maintain a safe network, IT administrators first must consider key remote-access issues and then identify when to make similar provisions for both portables and smartphones and when to make separate or specialized provisions.

The fundamental security practice for remote-access devices, including portables and smartphones, is to start with an enterprise-level Secure Sockets Layer (SSL) virtual private network (VPN). By acting as an intermediary between the enterprise network and the mobile device, a reverse proxy via SSL VPN allows a high degree of control over end users and data. Moreover, it helps insulate the enterprise environment from the effects of malware. In this scenario, portables and smartphones benefit from the same solution.

For end users who require direct access to the enterprise network, SSL VPN tunnel access should also be considered. But in this situation, the enterprise becomes susceptible to attack unless appropriate precautions have been instituted; all traffic must be scanned for malware and intrusions. Therefore, one basic strategy is to deploy a next-generation firewall situated after, or integrated into, the point of termination of the SSL VPN tunnel. The placement matters: traffic still inside the tunnel is opaque to inspection, so the firewall must sit where it sees the decrypted content. A next-generation firewall is designed to decrypt and then scan content from remote devices and decontaminate threats before they enter the network. It is equally effective on traffic from portables and smartphones.

Applications on portables and smartphones are also important to consider when securing remote access.
With company-issued, IT-controlled laptops, IT has the option of locking down the operating system to prevent the installation of potentially insecure applications. However, for employee-owned laptops running standard Microsoft® Windows®, Macintosh® and Linux® operating systems, consumerization and BYOD have resulted in an open, uncontrolled application environment. In effect, end users can install practically any application, even those that are potentially insecure, compromised or malicious in nature.

If a laptop that is compromised by insecure applications logs in to the network through remote access, it presents a direct threat to an organization's resources. The highly flexible nature of laptops allows end users to download any desired application. Accordingly, enterprises should perform device interrogation on remote laptops to determine whether inappropriate applications are active and the proper security applications are running.

Endpoint-control and interrogation software helps enforce security policies by correlating information about the device, the person using it, what is on the device and what is absent from the device. This correlation enables the software to automatically modify security on the fly to open or narrow access to information. Tools are available that allow for this deep interrogation of laptops without requiring additional infrastructure beyond an enterprise-level SSL VPN solution. One caveat: posture information is reported by an agent running on a device the user controls, so a sufficiently compromised endpoint can misreport it; interrogation raises the bar but is not proof of a clean device.

In contrast, issues arising from the presence of random apps on smartphones are different from those on portable computers because of the devices' disparate distribution models. Most smartphone apps are downloaded through white-listed online stores. The store operators perform code inspections that help make the apps trusted, though it must be noted that they cannot guarantee the apps are secure.
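The correlation described above can be made concrete as a small policy function. The following is an added example written for this page, not code from the article or from any SonicWALL product: it takes a hypothetical posture report from an endpoint agent together with the user's directory groups and returns one of three access tiers (deny, reverse-proxy-only, or full SSL VPN tunnel) plus the reasons that narrowed access. The posture field names, the blocked-application list, the `vpn-tunnel-users` group and the 300-second freshness limit are all assumptions; the rooted/jailbroken handling anticipates the smartphone check the article turns to next.

```python
"""Endpoint interrogation policy: correlate device, user and posture into an access tier.

Added example for this page. Not from the article and not any product's behaviour;
the posture fields, group names and access tiers are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    DENY = "deny"                      # no connectivity at all
    WEB_PROXY = "reverse-proxy-only"   # browser access to web apps via the reverse proxy
    FULL_TUNNEL = "ssl-vpn-tunnel"     # agent-based tunnel, network-level access


@dataclass(frozen=True)
class Posture:
    """What the endpoint agent reported about the device (hypothetical field set)."""
    platform: str                  # "windows", "macos", "linux", "ios" or "android"
    managed: bool                  # company-issued and IT-controlled
    rooted_or_jailbroken: bool     # meaningful for phones; False for laptops
    security_agent_running: bool   # the required anti-malware/endpoint agent is active
    disk_encrypted: bool
    age_seconds: int               # how old the posture report is
    running_apps: frozenset[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset[str]


SMARTPHONE_PLATFORMS = frozenset({"ios", "android"})
# Applications whose presence marks a laptop as compromised (assumed list).
BLOCKED_APPS = frozenset({"torrent-client", "remote-control-tool"})
TUNNEL_GROUP = "vpn-tunnel-users"   # assumed directory group entitled to tunnel access
MAX_POSTURE_AGE = 300               # posture is perishable: reject reports older than this


def decide_access(user: User, posture: Posture) -> tuple[Access, list[str]]:
    """Correlate device, user and posture into an access tier plus the reasons.

    Illustrative policy, not a product's built-in behaviour:
      * a stale report is treated as no report: deny;
      * rooted/jailbroken phones are blocked outright; clean phones get web access;
      * a laptop running a blocked application is treated like a compromised phone;
      * a laptop missing its security agent, unmanaged, unencrypted, or used by someone
        outside the tunnel group is narrowed to reverse-proxy access;
      * only a managed, encrypted, agent-running laptop used by an entitled user gets a tunnel.
    """
    if posture.age_seconds > MAX_POSTURE_AGE:
        return Access.DENY, ["posture report is stale"]

    if posture.platform in SMARTPHONE_PLATFORMS:
        if posture.rooted_or_jailbroken:
            return Access.DENY, ["device is rooted or jailbroken"]
        return Access.WEB_PROXY, ["smartphone: reverse proxy only"]

    blocked = sorted(posture.running_apps & BLOCKED_APPS)
    if blocked:
        return Access.DENY, ["blocked application active: " + ", ".join(blocked)]

    reasons: list[str] = []
    if not posture.security_agent_running:
        reasons.append("required security agent not running")
    if not posture.managed:
        reasons.append("unmanaged (employee-owned) laptop")
    if not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if TUNNEL_GROUP not in user.groups:
        reasons.append(f"{user.name} is not in {TUNNEL_GROUP}")
    if reasons:
        return Access.WEB_PROXY, reasons
    return Access.FULL_TUNNEL, []


if __name__ == "__main__":
    alice = User("alice", frozenset({"staff", TUNNEL_GROUP}))
    print(decide_access(alice, Posture("windows", True, False, True, True, 12)))
    print(decide_access(alice, Posture("ios", False, True, False, True, 5)))
    print(decide_access(alice, Posture("macos", False, False, True, True, 12)))
```

Two design points: the decision is returned together with its reasons, so the gateway can tell the user what to fix rather than silently downgrading them, and a stale report is treated as no report, because posture only means something at the moment of connection.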
Provisioning tools, enterprise distribution software and mobile device management (MDM) solutions may also help strengthen security.

However, smartphones can be rooted or jailbroken so that any app can be loaded on the device. Once compromised, the mobile phone becomes as dangerous as an unmanaged, uninspected laptop. So, as part of a fundamental security approach for employee-owned smartphones, remote-access systems should perform device interrogation and check for jailbroken devices before allowing network access. The systems should automatically block connectivity for compromised smartphones. As with laptop posture, root and jailbreak detection runs on the device itself and can be hidden from by a determined user, so treat a clean result as one signal among several rather than as proof.

Connections from inside the network

The rise in popularity of remote computing puts significant security pressures on remote access. Yet mobile devices are used not only remotely, but also from inside the network perimeter. As a result, IT organizations also must consider what impact these devices may have from the inside.

Mobile devices can introduce malware into networks, intentionally or not. Problems may occur when portable computers compromised outside the corporate network are later introduced back inside the perimeter. Many client-side technologies help remediate issues before they spread widely. Still, for robust security, the inside of the perimeter requires a layered strategy. Organizations should take advantage of the capability provided by a next-generation firewall to scan traffic inside the network, especially from WiFi, as well as traffic entering the network from outside the perimeter.

Although uncompromised smartphones may appear to pose fewer security concerns than laptops because of their white-listed app distribution system, smartphones do serve as a conduit for malware and intrusions. For example, uncompromised, non-jailbroken smartphones can pull in malware from personal email accounts over the cellular connection and then forward the contents inside the network through the internal wireless connection.

To help safeguard against these malware threats, IT must scan traffic from portable computers and smartphones that connect from within the perimeter. A next-generation firewall is designed to provide stringent protection from inside the environment by scanning every packet of traffic coming over the internal wireless LAN through anti-virus, intrusion prevention and anti-spyware gateway services (see figure).

A serious threat to enterprise productivity may result from the introduction of hundreds of mobile device applications vying for bandwidth. Although many applications may be used productively, others may be unsanctioned applications that consume vital bandwidth. Organizations must rein in and control these applications to avoid latency and contention issues that affect business-critical applications.

Next-generation firewalls allow organizations to control malware and set policy on what constitutes acceptable and unacceptable applications. In this way, a next-generation firewall helps IT manage how mobile devices consume critical resources. The application control functionality in the firewall is designed to allocate bandwidth to critical applications and to constrain or eliminate bandwidth for wasteful applications. Bandwidth allocation can be set at per-user and per-group levels, which dramatically helps improve the experience and productivity of internal users.

For example, IT can set a simple policy that prevents employees with Apple® iPhone® mobile devices from streaming movies for personal entertainment within the perimeter, while at the same time allowing an optimized training video to run on that same device. Accordingly, the policy enhances productivity and minimizes wasteful activities.
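The iPhone policy in the preceding paragraph, combined with per-group bandwidth allocation, is easy to lose in prose, so here is an added example (written for this page; not the article's and not SonicWALL's implementation) that applies such a policy to a constructed set of application-identified flows. The application catalogue, the group policies, the rate figures and the flow records are all assumptions; a real firewall identifies the application by deep packet inspection, which this snippet takes as given.

```python
"""Application control with per-group bandwidth allocation over sample flow records.

Added example for this page, not part of the original article and not a product's code.
Application categories, group names, rate limits and the flow records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"          # forwarded: critical, or within the group's non-critical allocation
    THROTTLED = "throttled"  # non-critical traffic beyond the group's allocation, dropped
    BLOCK = "block"          # application not acceptable for this group or device


@dataclass(frozen=True)
class Flow:
    """One application-identified traffic sample (constructed for the example)."""
    user: str
    group: str
    device: str      # "laptop", "iphone" or "android"
    app: str         # application name as identified by the firewall
    nbytes: int
    t: float         # seconds since the start of the sample window


# Hypothetical application catalogue: category and whether it is business-critical.
APP_CATALOGUE: dict[str, tuple[str, bool]] = {
    "training-video":  ("video", True),
    "movie-streaming": ("video", False),
    "voip":            ("voice", True),
    "erp-client":      ("business", True),
    "mobile-game":     ("game", False),
    "web-browsing":    ("web", False),
}
SMARTPHONES = frozenset({"iphone", "android"})

# Assumed per-group policy: blocked categories, and bytes per second reserved for all
# non-critical traffic of the group. Critical applications are never shaped.
GROUP_POLICY: dict[str, dict] = {
    "staff": {"block": frozenset({"game"}),          "noncritical_rate": 250_000},
    "guest": {"block": frozenset({"game", "video"}), "noncritical_rate": 50_000},
}


class TokenBucket:
    """Classic token bucket: `rate` bytes per second accrue, up to `burst` stored."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def consume(self, n: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if n <= self.tokens:
            self.tokens -= n
            return True
        return False


class AppControl:
    """One non-critical bucket per group; key on (group, user) for per-user allocation."""

    def __init__(self) -> None:
        self.buckets: dict[str, TokenBucket] = {}

    def verdict(self, f: Flow) -> Verdict:
        policy = GROUP_POLICY.get(f.group, GROUP_POLICY["guest"])   # unknown group: guest rules
        category, critical = APP_CATALOGUE.get(f.app, ("unknown", False))
        if category in policy["block"]:
            return Verdict.BLOCK
        # The article's iPhone rule: personal video on a smartphone is blocked inside the
        # perimeter, while a critical training video on the same device passes.
        if f.device in SMARTPHONES and category == "video" and not critical:
            return Verdict.BLOCK
        if critical:
            return Verdict.ALLOW
        rate = policy["noncritical_rate"]
        bucket = self.buckets.setdefault(f.group, TokenBucket(rate, rate))   # burst: one second
        return Verdict.ALLOW if bucket.consume(f.nbytes, f.t) else Verdict.THROTTLED

    def evaluate(self, flows: list[Flow]) -> list[Verdict]:
        """Verdicts in time order, the order in which a firewall would see the flows."""
        return [self.verdict(f) for f in sorted(flows, key=lambda f: f.t)]


SAMPLE_FLOWS = [   # constructed sample, not captured traffic
    Flow("alice", "staff", "iphone", "training-video",  2_000_000, 0.0),
    Flow("alice", "staff", "iphone", "movie-streaming", 5_000_000, 1.0),
    Flow("bob",   "staff", "laptop", "movie-streaming",   200_000, 2.0),
    Flow("bob",   "staff", "laptop", "movie-streaming",   200_000, 2.2),
    Flow("carol", "guest", "laptop", "mobile-game",        10_000, 3.0),
    Flow("dave",  "staff", "laptop", "erp-client",      1_000_000, 3.0),
    Flow("erin",  "guest", "laptop", "web-browsing",       40_000, 4.0),
    Flow("erin",  "guest", "laptop", "web-browsing",       40_000, 4.1),
]

if __name__ == "__main__":
    ordered = sorted(SAMPLE_FLOWS, key=lambda f: f.t)
    for f, v in zip(ordered, AppControl().evaluate(SAMPLE_FLOWS)):
        print(f"{f.t:4.1f}s {f.user:6} {f.device:7} {f.app:16} {v.value}")
```

Running the block prints one verdict per flow: Alice's training video passes on her iPhone while her movie stream is blocked; Bob's second burst of streaming is throttled once the staff group's one-second non-critical allocation is spent; Carol's game is blocked by the guest policy; Dave's ERP traffic is never shaped. Keying the bucket on (group, user) instead of group alone gives the per-user allocation the article also mentions.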
Next-generation firewalls also provide content filtering on the wired and wireless network, allowing IT to consolidate the functionality of a secure web gateway with the firewall.

Best practices for securing mobile devices

Based on years of experience, the Dell SonicWALL team has developed the following best practices to help IT groups implement a secure BYOD solution. Since each organization has its own particular requirements, these best practices should be considered as guidelines, subject to an organization's internal assessment.

Remote access

The following best practices apply to portable computers and smartphones connecting to the network from outside the perimeter:

• Establish a reverse web proxy: By providing standard browser access, reverse proxies can authenticate and encrypt web-based access to network resources for both laptops and smartphones.
• Implement SSL VPN tunnels: Agent-based tunnels add easy network-level access to critical client-server resources.
• Utilize endpoint control and interrogation: Tools are available to enforce security policies via the VPN by correlating what device is being used, who is using it and what is or is not on the device.
• Assume smartphones are running more than white-listed apps: IT should apply jailbreak or root detection and automatically block connectivity for compromised smartphones.
• Scan all remote-access traffic: A next-generation firewall should be deployed to control malware, set policy on acceptable applications and manage how smartphones and portable computers consume critical resources.
• Add authentication: The solution should integrate with standard authentication methods such as two-factor authentication and one-time passwords.

Inside the perimeter

Organizations should consider the following best practices for portable computers and smartphones connecting to the network from inside the perimeter:

• Integrate a next-generation firewall: The firewall should scan all traffic, even from employee-owned laptops and smartphones, to protect the network from intrusions, malware and spyware.
• Define which applications are critical: The application intelligence and control functionality of next-generation firewalls should be used to allocate prioritized bandwidth to critical applications and to throttle or eliminate bandwidth for low-priority applications.
• Monitor network bandwidth: IT should be aware that smartphones are basically portable computers with the ability to generate vast amounts of video and game traffic while on the enterprise WiFi network.
• Enable content filtering: Because mobile devices can create a hostile work environment through inappropriate content, the content-filtering capabilities of next-generation firewalls should be enabled to comply with company browsing policies, as well as regulatory and legal mandates.

Figure: Scanning network traffic inside the enterprise perimeter through a next-generation firewall. The diagram shows a SonicWALL Aventail Secure Remote Access Appliance (the SSL VPN platform providing identification and access control) and a SonicWALL Network Security Appliance (the next-generation firewall providing deep packet inspection) in front of the campus network; directories reached over Lightweight Directory Access Protocol (LDAP), Microsoft® Active Directory® directory service and Remote Authentication Dial-In User Service (RADIUS); applications including web apps, client/server apps, file shares, databases, Voice over IP and virtual desktops; and protected, clean traffic flowing to them.

Integrated platforms for implementing BYOD security

Smartphones have joined laptops as de facto network endpoints in organizations ranging from businesses to academic institutions and government entities. When employees use their own laptops and smartphones for work, securing mobile device access is an imperative. (For more information, see the sidebar, "Advancing workplace flexibility while protecting corporate resources.")

For heightened mobile device security, organizations can deploy solutions such as Dell™ SonicWALL™ appliances, which have the capability to enforce suggested best practices. SonicWALL next-generation firewalls are appliance-based devices that provide application intelligence, control and visualization.
The SonicWALL SSL VPN solution comes either as a stand-alone appliance or as a virtual appliance that runs in a VMware® environment on Dell PowerEdge™ servers.

SonicWALL appliances minimize the complexity of delivering anywhere, anytime access to applications from a broad range of devices, helping to increase the productivity of both end users and IT staff.

Sidebar: Advancing workplace flexibility while protecting corporate resources

As a large enterprise with an increasingly mobile workforce, Dell faced challenges similar to those of many other organizations. The company wanted to provide employees with the flexibility and freedom to work when and where they need to, using their own devices. At the same time, Dell sought to efficiently manage network access and safeguard its corporate resources.

However, the Secure Sockets Layer (SSL) virtual private network (VPN) approach that Dell had been using became unstable, preventing employees from using it reliably for remote access. Fortunately, while looking for an SSL VPN replacement, Dell acquired network security company SonicWALL. With the SonicWALL Aventail E-Class Secure Remote Access Series now in-house, the Dell IT team collaborated with the SonicWALL team to enhance the product to meet Dell's demanding large-enterprise requirements for scalability and manageability.

After Dell successfully deployed the resulting SSL VPN solution globally, the company was able to address its employees' needs for the flexibility to enhance work-life balance. Now, the Dell workforce can be productive from virtually anywhere using a solution designed to provide reliable, secure remote access to internal resources. Moreover, the solution enables Dell IT to support global organizational growth with a scalable VPN deployment.

Learn more

Secure mobility: qrs.ly/5j3bu5a

Author

Patrick Sweeney is executive director at Dell, where he oversees the Dell SonicWALL network security, content security and policy management product lines.