V (5) Fundamentals of a Secure WLAN

Would you rather have something for free or pay for it?

Dumb question right? A free ticket to watch the Seahawks pummel I mean battle the Broncos in Super Bowl XLVIII beats paying $2,100 per ticket any day – unfortunately, not a choice you or I will likely have to grapple with anytime soon.

However, when it comes to wireless networking, this is a question we face all the time. Do I jump on the coffee shop’s complimentary network after ordering my quadriginoctuple-frap, or do I use my provider’s network and eat into my data plan?

I would hazard to guess that most of us choose the free option – especially if we are going to sit there and nurse that beverage all day – a choice that is repeated every day at coffee shops all around the world. In fact, we have gotten so used to making this choice as customers that we expect Wi-Fi access everywhere, including at work.

And, while an increasing demand for wireless networking may not be breaking news, many organizations still struggle when it comes to successfully deploying wireless networks in a secure manner.

So, in the spirit of the Super Bowl example above (nice work Hawks), I would like to present what coaches often call the fundamentals – only here I’ll talk about five fundamentals of securing your wireless network.

And, I’ll use roman numerals.

But no X’s or O’s.

I. Have a Plan

If you rush out, buy a couple of wireless access points and chuck them on your network, you’ll likely just make things worse. Instead, take time to understand your goals and consider some important pre-deployment questions such as:

  • How many wireless users do I expect to have on my network?
  • How much wireless coverage and what kind of bandwidth do I need?
  • What kind of traffic do I want to allow/restrict? (Pay particular attention to social media and mobile applications.)
  • How will I restrict access to the WLAN (by device, by user, by SSID, etc.)?
  • Will both corporate and personal devices be allowed access to the WLAN?

It’s also a good idea to draft a network usage policy and have users sign it as this can help to encourage self-enforcement.

II. Implement Access Controls

Segmenting the WLAN (e.g. by VLAN), creating security policies for different SSIDs, enabling station separation, enforcing MAC control lists and user authentication can all help to ensure WLAN users, devices and traffic are only allowed to access intended resources.

III. Synchronize Wired and Wireless Networks

Make sure your wired and wireless security policies don’t conflict. If an access policy is being enforced on your wired network, ensure you are not circumventing it with your WLAN policy.

IV. Use Strong Passwords

Create strong WLAN access passwords and change them regularly. Some strong password creation tips can be found here.

V. Monitor, Adjust, Repeat

Regularly use monitoring tools and review traffic logs to see what’s happening on your network. This will help to ensure policies are being enforced as expected, identify new traffic types and applications to allow/restrict and recognize emerging threats.

To learn more about how WatchGuard can help you to deploy a robust and secure WLAN, check out our wireless page here.

5 Network Security Challenges Facing Schools and Campuses

Every industry has its unique set of network security challenges. In retail there’s dealing with credit card data and PCI compliance. In healthcare you need to deal with patient data and privacy requirements. Suffice it to say, the education sector has challenges that one might not initially consider and yet are very challenging in their own right.

Public school budgets are often strained today, forcing many IT managers to ‘do more with less’ and with growing security threats and booming IT innovation this is especially challenging. And while larger universities and campus-based schools may have larger budgets, they have larger challenges. Here are five network security challenges facing schools and campuses today:

1. Bring Your Own Device (BYOD) – The growing use of tablets and mobile devices by educators and students as they move to new ways of teaching and learning creates numerous network security challenges. BYOD device management is now a major need in districts and at campuses across the country. Just like any corporate organization, schools now need to think about network access policies, manage passwords more carefully, and understand how mobile devices are connecting to their networks.

2. Web 2.0 – Today’s students are more connected through social media than ever before and the Internet is playing an increasing role in education as teachers use it as part of their teaching arsenal. IT managers need to be able to allow access to certain sites and applications while restricting others. Finding this balance is not an easy challenge and requires new network security tools like Application Access Control.

3. Secure Remote Access – Student and teacher collaboration is playing an increasing role in education in today’s connected world. Today, students collaborate on projects and teachers provide feedback through cloud-based tools and by accessing school networks. IT managers need to be able to provide secure remote access to the tools that teachers and students are connecting to.

4. Multi-Point Access Solutions – Today, especially in campus environments, it’s not uncommon to have tens of buildings all connected to a single network. Being able to manage a distributed environment and its inherent security challenges needs to be simple and intuitive.

5. Identity Management – IT managers today need to be able to ensure that only authorized students and teachers can access computer and network resources. It’s through identity management that schools are able to effectively manage their acceptable usage policies and provide adequate control over access to applications.

There are many other challenges that education sector IT managers face, but these five are prevalent today, yet were not that long ago. Fortunately, there are network security companies offering highly sophisticated unified threat management (UTM) tools and solutions, like WatchGuard. They’re flexible, powerful, robust, affordable, and can go a long way in easing the network security challenges facing schools and campuses. And, because the threat landscape is always changing, UTM solutions need to be designed to be able to easily add new network defense capabilities through security subscriptions, so costly hardware upgrades are not necessary.

BYOD Device Management and Web 2.0 – Protecting Networks in Schools

Just like Principals and Superintendents, school district Network Administrators are facing the challenges of having to do more with less. Many school districts only have a small handful of IT personnel to begin with, their budgets are being reduced and they’re dealing with challenges to network security management. On top of all this, new challenges are putting a strain on networks, including:

  • BYOD (bring your own device) – Many schools are introducing tablets and other mobile devices as educators move to new ways of teaching and learning. BYOD device management is now a major need in districts across the country.
  • Web 2.0 – With students using computers to access social media sites like Facebook and YouTube, and downloading information for studies from sites across the Internet, tools like Application Access Control are now ‘must-haves.’
  • Secure Remote Access – Cloud computing solutions and of course the surge of BYOD means that teachers and students alike need secure remote access to the district network to access documents for collaborative work they may be doing.

These are challenges that, just like corporations, require smart network security solutions that do more than just stop spam or encrypt email. The Cascade School District just outside of Salem, Oregon has five campuses throughout rural Willamette Valley that serve 2300 students with a staff of 300. According to Michael King, their Network Administrator, things were getting a bit out-of-hand:

The IT department employed a mix of point solutions, each with its own management needs. “We were using ISA 2006, Windows Server, Websense for web filtering, and Barracuda for anti-spam and load-balancing, and there were big expenses for each. Yet, we still couldn’t even do things like HTTPS, which is incredibly important these days with Facebook, Google, et cetera. And, it kind of defeats the purpose to even have a web filter in place if the students can bypass it.”

Cascade School District today is leveraging most of the best-of-breed UTM security services on our XTM Next-Generation Security Platform, which includes URL Filtering, Application Control, AntiSpam, AntiVirus, DLP and IPS. This allows their IT team to meet the emerging security challenges mentioned above and faced by their district (explosion of mobile device usage by students and staff, application access control to key educational and online resources, and streamlining remote access for staff). Application access control also gives them a new tool to proactively prevent cyber bullying by controlling access to popular bullying platforms such as Facebook, SnapChat or Kik Messenger. They are also able to monitor traffic on their wireless networks and throttle down users who start to bog down the network.

In addition to meeting all the challenges to network security management, the school district is projected to save approximately $24,000 in fees and maintenance and a boat load of time by consolidating these numerous point solutions into one UTM security appliance.

For more on how we met Cascade School District’s network security management challenges, check out the case study. As always, you can contact us with questions or drop a comment below.

FIVE Network Security Management Requirements for Controlling BYOD and Shadow IT

With cloud computing and BYOD permeating almost every organization, shadow IT is beginning to make its way onto the radar screens of business leaders inside and outside of the IT department. The truth is, however, that shadow IT has been around for decades and is not necessarily a bad thing.

Shadow IT refers to systems and solutions built without the approval of the organization, and they are often innovative, potential prototypes for future IT-approved solutions. The problem is that while creating real value for an organization, they are often built without key network security management protocols in place; namely reliability, documentation, control, security, and budget.

So why the hype and why now? While shadow IT has been around for a long time, the volume and velocity of applications and cloud solutions, not to mention low cost (often free) is multiplying rapidly, creating an IT snowball effect. In fact, according to a PricewaterhouseCoopers’ Digital IQ survey, at 100 companies that PwC considers top performers, IT controls less than 50 percent of corporate technology expenditures – and we’re talking pretty large companies here with typically strict IT policies in place. This is in drastic contrast to ten years ago, when the Dachis Group estimates that only 10 percent of IT spending took place outside of IT. At smaller organizations where IT departments are even less influential, this shadow IT snowball effect is even more rampant.

So what can IT departments do? The answer is to secure the network and protect the organization from outside threats. Containing the growth of shadow IT may not be an option, but reducing outside threats is. Select a strong, multi-function Unified Threat Management (UTM) system that goes beyond a simple firewall to deliver strong network security management, and make sure it has these FIVE key elements:

  1. Easy-to-Use Policy Tools – This way, administrators can enforce the policies that best meet their environment, whether it is a small retail shop or a multinational, distributed enterprise. And today, you really need to consider a single console that allows for easy integration of both wired and wireless security policies.
  2. Network Segmentation – Today’s solutions need to let administrators easily and quickly set up various network segments, to include virtual assets that can be protected and segmented to maintain compliance and high security. Also consider the capability to segment and secure accordingly via SSID (guest, corporate, finance, etc.).
  3. Smart Logging and Reporting – This may be one of the most valuable resources that IT can leverage for their BYOD strategy. Administrators need to be able to gain deep insight into what is connected to their network, as well as the applications being used. These insights not only help safeguard resources, but also illuminate trouble spots and potential weaknesses, and help to remediate areas of concern.
  4. VPN Functionality – Leveraging smart VPN capabilities, administrators can enforce acceptable use policies for mobile, remote and road warriors who need to access corporate data anytime, anywhere.
  5. Use Best-in-Class Solutions – When we built our XTM line of multi-function, smart firewalls we consolidated many vital security services (Anti-virus, IPS, Application Control, URL filtering, and more). But rather than build these ourselves, we relied on our best-in-class partner technologies (AVG, BroadWeb, Kaspersky, Commtouch, Websense, etc.). The result is a peerless multilayered security, an unrivalled ease-of-use and centralized management experience, and industry-leading UTM throughput performance. These solutions extend network security to the WLAN, critical for securing personal mobile device traffic, which generally utilizes wireless networks in corporate environments.

Without question, BYOD and the cloud are accelerating shadow IT, but strong network security can reduce and eliminate the inherent risks. As a leader in network security, we work to develop solutions to enable a safe and productive BYOD ecosystem. By enforcing a practical policy, we believe that organizations can enable workforce productivity, foster goodwill and trust across the organization, achieve compliance demands, and maintain strong security–without sacrificing flexibility.

Five Network Security Management Protocols for BYOX Compliance

Just when you think you’ve got your BYOD device management policies nailed down, the game shifts again. Recently, the term BYOX (or BYOA: bring-your-own-anything) has forged itself into IT vernacular to characterize the phenomenon by which employees not only use any device, but also any application, content, or service to accomplish their work. When these activities occur beyond the oversight, or explicit authorization, of the IT department, they are commonly referred to as “shadow IT.”

Shadow IT has been around for quite some time, but BYOX adoption is exploding fast and permeating organizations to the point of no return. In fact, PricewaterhouseCoopers (PwC) estimates 15% – 30% of IT spending now occurs outside the IT department budget. Today’s workforce is imbued with the mindset that, for any task–“there is an app for that.” Illustrating this, Netflix recently found that its employees were using 496 smartphone apps, generally for data storage, communications, and collaboration; while Cisco Systems found that its employees were leveraging hundreds of apps, as well as services for shopping and personal scheduling.

It’s been argued that BYOD can increase employee productivity, and an iPass survey of 1,100 mobile workers suggested that employees who use mobile devices for both work and personal needs put in 240 more hours per year than those who do not. BYOD and BYOX can also result in higher employee satisfaction and greater worker collaboration. All these benefits aside, there still need to be tools and processes in place for network security management and data security… and there are.

Embrace the benefits of BYOD and BYOX and consider these FIVE network security management protocols:

  1. Establish full network visibility – Take a benchmark snapshot via firewall logs and reports for insight into what devices are actually connected to the network and what applications are being used. Continuously monitor for vulnerabilities, exploit attempts, misuse, and devices that have gone off-line.
  2. Application Access Control is an essential technology – Application Access Control plays a pivotal role in making a BYOX policy secure and efficient. Get visibility and control over shadow IT apps running across your network by identifying specific applications and functions that are acceptable, as well as others that are not. With application access control in place, the network becomes agnostic to the device, and can enforce policies based on specific, acceptable applications.
  3. Apply policy to a segmented network – Sensitive data should always reside on a different network than that which is open to guests, contractors, or other non-employees. With a segmented network, IT can apply one set of policies for employees and another set for guests.
  4. Enforce strong access control passcodes – Far too often, businesses resort to user-generated passwords, which are more susceptible to compromise. Password policies for BYOD devices should be as robust as they are for traditional IT assets, such as laptops or desktop computers.
  5. Establish a policy – We harp a lot about setting IT policy, but that’s because while simple in nature it’s often missing or lax. IT should focus on policy to “keep BYOD/BYOX simple.” Consider making a broad list (a meta-table) of acceptable devices that can access the corporate network and state which devices/operating systems IT will and will not support. With device sprawl becoming a more palpable concern for IT departments, it makes sense to centrally manage policy per user, rather than having a separate policy per device each user may use. A device-agnostic policy approach makes the platform less important than the needs of the user—and makes network security management easier for IT. When employees access the corporate network on their own device, they should agree to adhere to company acceptable use policies, as well as IT monitoring and risk management tools. Make sure you have tools in place to measure compliance. Finally, your BYOD/BYOX policy should be regularly communicated to all employees.

BYOD, BYOX, shadow IT… these aren’t going away, and will likely only continue to proliferate across your organization as more apps, devices, and cloud tools become available. These five network security management protocols can help get you started. For more information and five more tips, download the whitepaper – Illuminate Shadow IT and Securely Manage BYOX.

5 BYOD Device Management Strategies for Securing Your Network

In our last blog post – 4 IT Risks and Challenges with BYOD Device Management – we highlighted some things that IT needs to be aware of when it comes to maintaining control of network security in a BYOD environment. We closed with the fact that IT must face the reality that BYOD is here and they need to enforce a BYOD strategy as part of their service to the organization. So what can you do, and where should you start?

Here are 5 BYOD device management strategies you can use to secure your corporate network and prevent data loss:

  1. Create a policy. In an effort to make BYOD as simple as possible to manage, create a broad list of acceptable devices that can access your corporate network. The policy should also clearly outline which devices and operating systems the company will and will not support. In this way, your employees know what they will ultimately be responsible for.
  2. Get insights before making decisions. One of the biggest mistakes we see in creating a BYOD strategy is the failure to know what employees are doing on the network. Take a benchmark snapshot via firewall logs and reports, so you can gain insight as to what devices are actually connected to the network, and perhaps more importantly, what applications are being used.
  3. Manage passwords more effectively. Password management is something that most organizations do not do a good job with (read one of our previous blogs – We May Know Your Password). User generated passwords are traditionally weak, compromising network security. Make sure that any passwords used on mobile devices in the office environment follow the same rigor as required for office-owned technology.
  4. Understand your own compliance needs. Is your organization subject to regulatory controls, such as HIPAA or PCI DSS? If so, be sure that damage controls are in place so that if an employee loses a smartphone or tablet, it can be wiped to avoid data loss.
  5. Limit access via VPN technologies. For businesses that require higher degrees of protection, you may want to limit access controls to devices that support some level of VPN connectivity. This way a secure connection is required to access corporate data, regardless of where a consumer device is used.

With the future of computing swaying more and more toward mobile, you’ll face an uphill battle against BYOD adoption, so embrace it. But remember that communicating your BYOD policy, and updating it as needed, is critical.

For more information on BYOD device management and mobile device security solutions, check out our recent whitepaper – BYOD: Bring Your Own Device – or Bring Your Own Danger? You’ll also find 5 more strategies for managing BYOD effectively in your organization.

4 IT Risks and Challenges with BYOD Device Management

Make no mistake about it – BYOD is here to stay. A 2011 IDC survey stated that 40 percent of devices used to access business applications are consumer-owned, up 30 percent from 2010 while Gartner published a report that by 2014, 80 percent of professionals will use at least two personal devices to access corporate systems and data. So BYOD is the new workplace reality. In the end, there are multiple reasons – from cost reductions to increased employee efficiencies – that support corporate adoption. IT must, however, take into account the risks and challenges associated with BYOD device management.

In many ways, BYOD started at the top. Senior executives who wanted to work from home and abroad were among the first to demand that IT enable access to corporate resources from their personal devices. Because these C-level exceptions were relatively infrequent, IT could manage risks associated with the requests.

The trickle down from this exception quickly escalated, and many organizations have been caught off guard without a BYOD policy in place. And, because consumer devices are so diverse in capability, form factor and function, IT departments can be frustrated with efforts to develop a scalable and manageable plan on how to allow or deny specific consumer devices into the organization.

Unquestionably, BYOD challenges long-standing IT controls to minimize and mitigate risk. And, as businesses explore how to adopt BYOD, the risks associated with it must be examined. Here are 4 risks and challenges inherent in BYOD device management.

1. Data loss. Data loss can vary, and the consequences can be extreme. For example, a recent study by the Ponemon Institute estimated that a data breach could cost a company about $200 per compromised record, based upon a variety of factors including the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses, such as new security technology and training. Additional costs can also hamper the bottom line… as an example, a retailer that experiences a data breach may have to pay for credit monitoring services for customers, payment of legal settlements, and PCI DSS information controls for up to 5 years.

2. Viruses entering the corporate network via consumer devices as well as intrusion attacks. Granted, the industry is at a nascent stage of targeted intrusion attacks via mobile devices, but the expectation is that hackers will be able to break out of device browser “sandboxes” and get access to other device functions. This could easily lead to directory harvest attacks or new types of BYOD-driven botnets.

We think Man-in-the-Browser (MitB) attacks will escalate. Traditional malware tends to infect the OS – typically, as an executable program that modifies various boot parameters so it runs every time a computing device is turned on. In contrast, MitB attacks, or browser zombies, arrive as malicious browser extensions, plugins, helper objects, or pieces of JavaScript. They do not infect the whole system; instead they take complete control of a device browser and run whenever the user surfs the web.

3. Policy enforcement. With so many devices available to the consumer, IT departments are simply ill equipped to create device-by-device BYOD device management policies. Due to the wide range of devices, it is critical for IT to be able to identify each device connecting to the corporate network, and be able to authenticate both the device and person using it.

4. Insufficient insight into what’s happening in their network. Without being able to see what is going on in the corporate network, IT is hindered in its ability to protect business and information assets. That lack of insight (both in terms of logging and reporting) supports the adage that “you can’t protect what you don’t know.”

There are a myriad of challenges that IT faces in order to deal with BYOD device management. Some of these are risk-management challenges; others are empowerment and usage challenges. Nonetheless, IT must expect to adopt and enforce a BYOD strategy as part of its services to the organization.

Walking the Tightrope: Embracing BYOD and Protecting Your Network

Employees increasingly use personal devices, including tablets, smartphones, and laptops, to accomplish their work faster, more flexibly, and from anywhere. Yet, while BYOD (Bring Your Own Device) offers more control and independence for workers, it can reduce the control organizations have over securing their networks.

Endpoint Security

Endpoint protection and robust encryption are generally mandated on company-owned devices, but personal devices often lack these safeguards.  Moreover, devices used for personal computing and messaging, when off the company grid, lack the protections of the network firewall, leaving the entire organization exposed to hacker exploits, or malware infection, when the device re-connects to the network.

More than a quarter of companies reportedly lack security requirements for smartphones.1 However, companies that do implement security policies for mobile devices still face the threat of employees trying to bypass these requirements. A Ponemon and Websense joint survey highlighted just that—59% of respondents claimed that employees circumvent or disengage security features such as passwords and key locks.2

Lost Personal Devices: A Data Minefield

In the case of a lost or stolen personal device that stores company-owned data, an employee may be unwilling to have their device data wiped remotely. In fact, only 55% of mobile workers report having remote wipe enabled on their smartphones, and just 30% on their tablets.2 The inability to rapidly dispose of sensitive data, particularly unencrypted data, exposes organizations to considerable risk.

What You Can’t See, Can Byte You!

A Mobilisafe study encompassing 130 million device connection events reported that over a third of the devices with network access and/or corporate data went inactive for more than a month.3   The presence of so many personal devices used for work that are unaccounted for, and that may retain sensitive data and user credentials, poses a latent threat to organizations.
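
The visibility steps described in these posts (a benchmark snapshot of what is connected, plus watching for devices that have gone off-line for more than a month) can be sketched as follows. This is an added example, not WatchGuard code: the log line format, field names and sample events are constructed for illustration, and the 30-day threshold is an assumption standing in for "more than a month".

```python
import re
from datetime import datetime, timedelta

# Constructed sample connection events: timestamp, MAC, user, SSID.
# Not a real firewall log format; MACs are locally administered placeholders.
SAMPLE_LOG = """\
2013-01-03T08:15:00 02:00:00:00:00:01 alice corp
2013-01-20T09:00:00 02:00:00:00:00:02 bob corp
2013-02-01T12:30:00 02:00:00:00:00:03 guest17 guest
2013-03-10T08:05:00 02:00:00:00:00:01 alice corp
2013-03-11T14:45:00 02:00:00:00:00:0A carol corp
malformed line
2013-03-12T10:00:00 02:00:00:00:00:03 guest17 guest
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_events(text):
    """Return (timestamp, mac, user, ssid) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_raw, mac, user, ssid = parts
        mac = mac.lower()  # normalise case so one device is not counted twice
        if not MAC_RE.match(mac):
            continue
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        events.append((ts, mac, user, ssid))
    return events


def build_inventory(events):
    """Benchmark snapshot: first/last seen, users and SSIDs per device."""
    inventory = {}
    for ts, mac, user, ssid in events:
        dev = inventory.setdefault(
            mac, {"first_seen": ts, "last_seen": ts, "users": set(), "ssids": set()}
        )
        dev["first_seen"] = min(dev["first_seen"], ts)
        dev["last_seen"] = max(dev["last_seen"], ts)
        dev["users"].add(user)
        dev["ssids"].add(ssid)
    return inventory


def stale_devices(inventory, now, max_idle=timedelta(days=30)):
    """Devices that have not connected within max_idle (gone off-line)."""
    return sorted(m for m, d in inventory.items() if now - d["last_seen"] > max_idle)


def new_devices(inventory, baseline_end):
    """Devices first seen after the benchmark snapshot was taken."""
    return sorted(m for m, d in inventory.items() if d["first_seen"] > baseline_end)


if __name__ == "__main__":
    inv = build_inventory(parse_events(SAMPLE_LOG))
    now = datetime(2013, 3, 15)
    for mac in stale_devices(inv, now):
        dev = inv[mac]
        print("stale:", mac, sorted(dev["users"]), "last seen", dev["last_seen"])
    for mac in new_devices(inv, datetime(2013, 2, 15)):
        print("new since baseline:", mac, sorted(inv[mac]["ssids"]))
```

A stale entry is a prompt to revoke that device's credentials and confirm whether it still holds company data; a new entry is a device to check against the acceptable-device policy.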

Outdated Firmware and Version Control

The sheer number and variety of personal devices and operating systems that may be in use across an enterprise poses daunting challenges for IT.  Mobilisafe found that 71% of mobile devices contained high severity operating system and application vulnerabilities. Mobilisafe theorizes that severe vulnerabilities could be reduced 4-fold simply by updating firmware.3

Malware Breeding Grounds

Smartphone users routinely download music and games, access applications, and execute files with minimal regard to file source or authenticity.  Ponemon and Websense reported that, in a one year period, 51% of surveyed organizations experienced data loss resulting from employee use of insecure mobile devices.2

With all the potential pitfalls, it’s easy to understand why some people more cynically refer to BYOD as “Bring Your Own Danger/Disaster.”

Taking BYOD Head-On

Organizations that try to ban personal devices outright may repel productive and creative workers, or induce employees to work outside the rules.

A successful BYOD security policy should strive to:

  • Establish full visibility of all devices connected to the network
  • Enforce strong access control passcodes on all devices
  • Mandate minimum system and device requirements
  • Continuously monitor for vulnerabilities, exploit attempts, misuse, and devices that have gone off-line
  • Encrypt all company data on personal devices
  • Enforce use of antivirus, data loss prevention, and application control
  • Allow company access to the device for forensics, or to wipe company data
  • Measure compliance

As a leader in network security, WatchGuard Technologies develops solutions to make your BYOD environment a safe and productive ecosystem.  By enforcing a practical policy, we believe that organizations can enable workforce productivity, foster goodwill and trust across the organization, achieve compliance demands, and maintain strong security–without sacrificing flexibility.

Check out WatchGuard’s white paper on how to create a secure BYOD policy for your network.


  1. iPass. “The iPass Global Mobile Workforce Report: Q3 2012: Understanding Global Mobility Trends and Mobile Device Usage Among Business Users”.  August 2012.
  2. Ponemon Research Institute (sponsored by Websense). “Global Study on Mobility Risks: Survey of IT & IT Security Practitioners”. February, 2012.
  3. Mobilisafe. “Four Steps To Mitigate Mobile Security Risks”. White Paper.