Network Security

This tag is associated with 23 posts

Five Network Security Management Protocols for BYOX Compliance

Just when you think you’ve got your BYOD device management policies nailed down, the game shifts again. Recently, the term BYOX (or BYOA: bring-your-own-anything) has forged itself into IT vernacular to characterize the phenomenon by which employees not only use any device, but also any application, content, or service to accomplish their work. When these activities occur beyond the oversight, or explicit authorization, of the IT department, they are commonly referred to as “shadow IT.”

Shadow IT has been around for quite some time, but BYOX adoption is exploding fast and permeating organizations to the point of no return. In fact, PricewaterhouseCoopers (PwC) estimates 15% – 30% of IT spending now occurs outside the IT department budget. Today’s workforce is imbued with the mindset that, for any task, “there is an app for that.” Illustrating this, Netflix recently found that its employees were using 496 smartphone apps, generally for data storage, communications, and collaboration; while Cisco Systems found that its employees were leveraging hundreds of apps, as well as services for shopping and personal scheduling.

It’s been argued that BYOD can increase employee productivity, and an iPass survey of 1,100 mobile workers suggested that employees who use mobile devices for both work and personal needs put in 240 more hours per year than those who do not. BYOD and BYOX can also result in higher employee satisfaction and greater worker collaboration. All these benefits aside, there still need to be tools and processes in place for network security management and data security… and there are.

Embrace the benefits of BYOD and BYOX and consider these FIVE network security management protocols:

  1. Establish full network visibility – Take a benchmark snapshot via firewall logs and reports for insight into what devices are actually connected to the network and what applications are being used. Continuously monitor for vulnerabilities, exploit attempts, misuse, and devices that have gone off-line.
  2. Application Access Control is an essential technology – Application Access Control plays a pivotal role in making a BYOX policy secure and efficient. Get visibility and control over shadow IT apps running across your network by identifying specific applications and functions that are acceptable, as well as others that are not. With application access control in place, the network becomes agnostic to the device, and can enforce policies based on specific, acceptable applications.
  3. Apply policy to a segmented network – Sensitive data should always reside on a different network than that which is open to guests, contractors, or other non-employees. With a segmented network, IT can apply one set of policies for employees and another set for guests.
  4. Enforce strong access control passcodes – Far too often, businesses resort to user-generated passwords, which are more susceptible to compromise. Password policies for BYOD devices should be as robust as they are for traditional IT assets, such as laptops or desktop computers.
  5. Establish a policy – We harp a lot about setting IT policy, but that’s because while simple in nature it’s often missing or lax. IT should focus on policy to “keep BYOD/BYOX simple.” Consider making a broad list (a meta-table) of acceptable devices that can access the corporate network and state which devices/operating systems IT will and will not support. With device sprawl becoming a more palpable concern for IT departments, it makes sense to centrally manage policy per user, rather than having a separate policy per device each user may use. A device-agnostic policy approach makes the platform less important than the needs of the user—and makes network security management easier for IT. When employees access the corporate network on their own device, they should agree to adhere to company acceptable use policies, as well as IT monitoring and risk management tools. Make sure you have tools in place to measure compliance. Finally, your BYOD/BYOX policy should be regularly communicated to all employees.

BYOD, BYOX, shadow IT… these aren’t going away, and will likely only continue to proliferate across your organization as more apps, devices, and cloud tools become available. These five network security management protocols can help get you started. For more information and five more tips, download the whitepaper – Illuminate Shadow IT and Securely Manage BYOX.

Virtualized Security Capabilities You’ll Need for Ultimate Protection

One of the most critical aspects of virtualized security is the ability to manage the environment. Most virtualized security solutions today need to support rapid deployment and be used to implement virtualization security policies, not just on an inside-vs.-outside basis, but also between organizations or applications within the same infrastructure. A solution needs to provide compliance and privacy within the organization, be able to migrate within the virtual infrastructure, and protect using the high-availability capabilities of the virtual infrastructure, offering protection continuity even as the infrastructure changes dynamically. It needs to be easily preconfigured and deployed along with the virtual machines that serve multi-component applications, making it easy to protect them and their data by default. Policies should be defined not only at the intersection of physical networks, but also between virtual-only networks within server farms or even on individual servers. Full threat prevention policies must be implemented at the physical perimeter and at the connection point for mobile and personal devices. In short, virtualization security is not a simple task.

Today’s virtualization security solution needs to defend against botnets, Advanced Persistent Threats (APTs), and other attacks, while keeping your organization in control when using Web 2.0 applications. The architecture should consist of different security layers that work cooperatively with one another to dynamically detect, block, and report on malicious traffic while passing benign traffic through as efficiently as possible. It should be able to protect your organization from new, unknown threats – often called zero day threats.

As you explore your virtualization security options, here are six capabilities you’ll need to consider:

  1. A cloud-based URL reputation enabled defense that protects web users from malicious web pages, while dramatically improving web throughput
  2. Ability to block unwanted email with 100% accuracy along with the viral payloads that spam often carries. Recognize spam regardless of the language, format, or content of the message – even image-based spam that anti-spam products often miss
  3. A URL filtering service that blocks access to dangerous and inappropriate web sites in the workplace. Able to filter URLs on both HTTP and HTTPS to close the HTTPS loophole many web filters leave wide open
  4. A powerful signature-based protection at the gateway against known viruses, trojans, worms, spyware, and rogueware
  5. Ability to scan all ports and protocols to block attacks that comply with standard protocols but carry malicious content, including buffer overflows, SQL injections, and remote file inclusions
  6. Ability to stay on top of the applications running on your network for tight security and high productivity and establish which applications can be used within your organization

If you’re attending Interop in Las Vegas this May, be sure to swing by booth 751 where we’ll be speaking on everything you need to know about virtualization security. Hope to see you there!

Continuous Data Protection: PCI DSS Requirements and the Need for UTM Security

If you own a retail store and accept credit card transactions, then you are undoubtedly aware of the PCI DSS regulatory requirements that you must meet. If you manage a distributed retail environment with multiple store ‘endpoints’, then you are not only aware of the PCI DSS requirements, but likely challenged with what can easily be one of the most complex IT environments for unified security and compliance management.

The distributed retail environment presents a multitude of unique IT challenges that stand apart from a more pedestrian single-store infrastructure; business pressures are forcing retailers to be more agile, more aggressive, and more efficient. To remain competitive, retailers have to invest in IT systems that help retain and nurture customer and brand loyalty, as well as increase sales and, simultaneously, reduce operating costs. No easy task to be sure!

So what does it take to meet the PCI DSS protocol? Simple… you meet these 12 requirements:

Build and maintain a secure network:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data:

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program:

  • Use and regularly update antivirus software or programs
  • Develop and maintain secure systems and applications

Implement strong access and control measures:

  • Restrict access to cardholder data by business need to know
  • Assign unique IDs to each person with computer access
  • Restrict physical access to cardholder data

Regularly monitor and test networks:

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an information security policy:

  • Maintain a policy that addresses information security protocol for all personnel

Any retailer found to be non-compliant may face substantive financial penalties, regardless of whether or not a breach has occurred. Typically, fines for non-compliance are levied based on the size of the retailer, but in some cases, a credit card provider reserves the right to expel a retailer from its program, thus effectively cutting off acceptance of that vendor’s credit card. Therefore, it is critical that a retailer maintain PCI DSS compliance.

One way to protect yourself and your distributed retail environment is with a UTM system (preferably from WatchGuard). UTM systems provide unparalleled firewall protection to control data traffic in and out of a distributed network. Additionally, UTM systems protect against unauthorized access from the Internet and include integrated IPS to prevent hackers from gaining access to internal resources.

Specifically designed for distributed retail environments, our RapidDeploy solution is a unique cloud-based configuration utility that enables uniform, rapid deployment of UTM security appliances across a distributed environment. This eliminates the need for IT professionals to pre-configure devices or travel to deployment sites for installation, which significantly reduces total cost of ownership, while also reducing the risk of UTM misconfiguration.

UTMs also offer gateway antivirus protection, and with a security subscription it’s updated automatically and seamlessly. And at WatchGuard, our UTM security supports extensive policy controls. This way, distributed retailers can maintain and enforce uniform policies across a variety of geographic locations. With our LiveSecurity service, your UTM security solution provides best practices and related security updates for retailers to ensure they are up to speed on the latest security developments.

Today’s distributed retail environment architecture is one of the most challenging IT environments, rivaling that of banks and financial institutions. While the distributed retail environment offers substantive business advantages, such as increased sales, improved customer loyalty, and operational efficiencies, it also poses significant challenges. With a smart UTM in place, you can spend more time generating sales, and less time worrying about PCI DSS compliance.

5 BYOD Device Management Strategies for Securing Your Network

In our last blog post – 4 IT Risks and Challenges with BYOD Device Management – we highlighted some things that IT needs to be aware of when it comes to maintaining control of network security in a BYOD environment. We closed with the fact that IT must face the reality that BYOD is here and they need to enforce a BYOD strategy as part of their service to the organization. So what can you do, and where should you start?

Here are 5 BYOD device management strategies you can use to secure your corporate network and prevent data loss:

  1. Create a policy. In an effort to make BYOD as simple as possible to manage, create a broad list of acceptable devices that can access your corporate network. The policy should also clearly outline which devices and operating systems the company will and will not support. In this way, your employees know what they will ultimately be responsible for.
  2. Get insights before making decisions. One of the biggest mistakes we see in creating a BYOD strategy is the failure to know what employees are doing on the network. Take a benchmark snapshot via firewall logs and reports, so you can gain insight as to what devices are actually connected to the network, and perhaps more importantly, what applications are being used.
  3. Manage passwords more effectively. Password management is something that most organizations do not do a good job with (read one of our previous blogs – We May Know Your Password). User-generated passwords are traditionally weak, compromising network security. Make sure that any passwords used on mobile devices in the office environment follow the same rigor as required for office-owned technology.
  4. Understand your own compliance needs. Is your organization subject to regulatory controls, such as HIPAA or PCI DSS? If so, be sure that damage controls are in place so that if an employee loses a smartphone or tablet, it can be wiped to avoid data loss.
  5. Limit access via VPN technologies. For businesses that require higher degrees of protection, you may want to limit access controls to devices that support some level of VPN connectivity. This way a secure connection is required to access corporate data, regardless of where a consumer device is used.

With the future of computing swaying more and more toward mobile, you’ll face an uphill battle against BYOD adoption, so embrace it. But remember that communicating your BYOD policy, and updating it as needed, is critical.

For more information on BYOD device management and mobile device security solutions, check out our recent whitepaper – BYOD: Bring Your Own Device – or Bring Your Own Danger? You’ll also find 5 more strategies for managing BYOD effectively in your organization.

Three (Network Security) Roadblocks to Achieving Retail Success

As we coast into the National Retail Federation’s (NRF) big annual show in New York City next week, businesses of all types face the daunting task of securing their business network from outside threats. Perhaps it’s fitting that online retailers in particular are concerned with the growing number of advanced persistent threats that are poised to make 2013 a potentially busy year in data loss prevention.

So with the NRF just around the corner, here are three network security roadblocks that threaten the success of online retail organizations of all types:

      1. Giving all employees access to the same websites and applications. While it might seem like the fair, and certainly easy, thing to do is to allow all employees at all levels access to the Internet carte blanche, it can expose your company network to unnecessary risk. Part of IT security’s job is to balance the threat management with risk management, and this means determining which employees need access to what in order to effectively and efficiently do their job. Interview employees and departments and set up policies that allow you to manage Internet and application access control.
      2. Only focusing on ingress and not egress. Monitoring inbound Internet traffic is certainly critical for data security protection, but with drive-by downloads and increased redirection capabilities, hackers can easily manipulate your outbound traffic to gain network access. We recommend blocking all outbound traffic from your business as a starting point. Then add back in ports 443 and 80 so you have some web-based capabilities, and then add back DNS traffic so you have some name resolution. While not an easy thing to do, tools like our ReputationAuthority – part of our XTM network security solution – can make this task easier to manage.
      3. Not updating security to account for server virtualization. Virtualizing your IT infrastructure can be a great thing; it saves time in provisioning, saves money in hardware requirements and cooling, and provides IT scalability. But as Neil MacDonald at Gartner says, “Unless you put virtualized security controls – virtual sniffers, virtual firewalls, all the same controls you’d use on a physical server – inside that network, you don’t see what’s going on.” In fact, 84 percent of our customers are proceeding slower than they’d like into virtualization simply because of the security concern. Make sure you consider virtualization security solutions as part of your overall network security plan.
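Before rolling out the staged egress policy from item 2 (deny all outbound, then add back ports 80 and 443, then DNS), it helps to replay existing firewall logs against each stage and see what would break. The script below is an added example, not part of the original post or any WatchGuard tooling; the `key=value` log format, the sample lines, and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines in a made-up key=value format (not a vendor format).
SAMPLE_LOG = """\
ts=2013-01-08T09:00:01 src=10.0.1.15 dst=93.184.216.34 proto=tcp dport=443
ts=2013-01-08T09:00:02 src=10.0.1.15 dst=8.8.8.8 proto=udp dport=53
ts=2013-01-08T09:00:05 src=10.0.1.22 dst=203.0.113.50 proto=tcp dport=6667
ts=2013-01-08T09:00:09 src=10.0.1.22 dst=203.0.113.50 proto=tcp dport=6667
ts=2013-01-08T09:01:12 src=10.0.1.30 dst=198.51.100.7 proto=tcp dport=25
ts=2013-01-08T09:01:30 src=10.0.1.15 dst=10.0.2.5 proto=tcp dport=445
ts=2013-01-08T09:02:00 src=198.51.100.9 dst=10.0.1.40 proto=tcp dport=443
ts=2013-01-08T09:02:10 src=10.0.1.31 dst=93.184.216.34 proto=tcp dport=80
this line is garbage and must be skipped
"""

# Assumption: the internal address space is the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WEB = {("tcp", 80), ("tcp", 443)}
DNS = {("udp", 53), ("tcp", 53)}
# The three rollout stages described in the post, as (label, allowed set).
STAGES = [
    ("deny all outbound", set()),
    ("add back 80 and 443", WEB),
    ("add back DNS", WEB | DNS),
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return a flow dict, or None if the line is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {"src": fields["src"], "dst": fields["dst"],
                "proto": fields["proto"].lower(), "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None

def outbound_flows(log_text):
    """Keep only flows that leave the network (internal src, external dst)."""
    flows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            if is_internal(rec["src"]) and not is_internal(rec["dst"]):
                flows.append(rec)
        except ValueError:
            continue
    return flows

def blocked_per_stage(flows):
    """Number of observed outbound flows each stage would drop."""
    return {label: sum((f["proto"], f["dport"]) not in allowed for f in flows)
            for label, allowed in STAGES}

def residual(flows):
    """Flows still dropped at the final stage, grouped for follow-up."""
    allowed = STAGES[-1][1]
    return Counter((f["src"], f["proto"], f["dport"]) for f in flows
                   if (f["proto"], f["dport"]) not in allowed)

if __name__ == "__main__":
    flows = outbound_flows(SAMPLE_LOG)
    for label, count in blocked_per_stage(flows).items():
        print(f"{label:22} would drop {count} of {len(flows)} outbound flows")
    for (src, proto, dport), n in residual(flows).most_common():
        print(f"review: {src} -> {proto}/{dport} ({n} flows)")
```

The residual list is the interview list: each remaining host and port is either a business need that gets an explicit rule or traffic that should not have been leaving the network.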

There are many other roadblocks that can hinder growth and expose data, and we’ll certainly be blogging about them in the days and weeks ahead, but these three are certainly important and worth consideration. For online retailers, customer data security is the foundation for success.

If you’re at the NRF Show in New York, swing by booth # 1681 and say hello. We’d love to see you!

A UTM Appliance Might be Your Network Security Muscle in 2013

In our last blog – What is UTM Security and is it Right for my Business? – we outlined the importance of a UTM appliance in combating today’s advanced persistent threats (APTs). Since that blog went live, our own Corey Nachreiner published a press release that revealed his top security predictions for 2013.

At the tail-end of a busy year for network security workers, Corey had this to say about 2013…

This is a year (2013) where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys.

Read the release for more detail, but here’s what he thinks might be in store for 2013:

    • A cyber-attack results in a human death
    • Malware enters the matrix through a virtual door
    • It’s the browser – not your system – that malware is targeting
    • The idea of ‘striking back’ gets a lot of lip-service, but does little good
    • We’ll pay for our lack of IPv6 expertise
    • Android pick-pockets try to empty mobile wallets
    • An exploit sold on the ‘vulnerability market’ becomes the next APT
    • Important cyber security-related legislation finally becomes law

If attacks such as these happen in 2013 as Corey predicts, then losses stemming from them will ultimately continue to rise and take their toll on not only small businesses, but enterprises as well. Organizations that are serious about network security – protecting data, intellectual property (IP), and their reputation – are increasingly demanding best-in-class, multilayered solutions. These solutions centralize security controls in a single device, improving the IT organization’s control and simplifying management of network security.

Be sure to have the latest network security solutions in place as you head into 2013. These predictions are scary!

Network Security with Virtualization Best Practices

On October 23rd, at the Gartner Symposium ITxpo in Orlando, Florida, our own Corey Nachreiner will be speaking on virtualization best practices for network security. His session – Securing Networks in a Virtual, Cloudy World: Virtualization Best Practices – will highlight what you need to know about network security in today’s virtualized IT environment.

Neil MacDonald of Gartner Group has estimated that “60 percent of virtualized servers will be less secure than the physical servers they replace.” MacDonald also identified some of the most common security risks for data center virtualization projects:

  • Information security isn’t initially involved in the virtualization projects
  • A compromise of the virtualization layer could result in the compromise of all hosted workloads
  • Workloads of different trust levels are consolidated onto a single physical server without sufficient separation
  • Adequate controls on administrative access to the hypervisor (Virtual Machine Monitor) layer and to administrative tools are lacking
  • There is a potential loss of Separation of Duties (SOD) for network and security controls

Traditionally, network security has been designed as a ‘one appliance, one application’ model and designed with physical networking in mind. Firewalls and UTM appliances are leveraged in network designs based on the fundamental notions of:

  • Perimeter enforcement – protecting the “inside” from the “outside” – with network architectures that are built on this separation
  • All traffic flows over physical networks, so security can be implemented by interposing physical devices on the wire

With virtualization, these fundamental assumptions may not be true:

  • Network architectures blur the definition of the “perimeter” with private resources spanning locations in arrangements leveraging VPNs
  • Multiple organizations and applications within a business, and multiple businesses hosted by a service provider, can be on the same side of a physical perimeter
  • Compliance and privacy requirements make it necessary to offer security and auditability between entities within the same virtual infrastructure
  • Mobile users can easily bring malware into a shared infrastructure
  • For service providers, the ability to offer full protection is even more critical when multiple customers are hosted on the same server farm – or even on the same server
  • Physical appliances cannot offer in-line protection in a dynamic virtual infrastructure
  • High-availability and live motion capabilities can mean that applications do not always run on the same physical servers
  • Traffic can pass over virtual-only networks within a server, making it impossible to interpose a physical device

In his presentation, Corey will touch on what you need to know about securing your virtual network, and showcase our latest network security solutions designed for virtualization infrastructures, including the XTMv and the XCSv. So mark your calendars and be sure to stop on by.

VoIP Growth and the Strain on Network Security

According to industry research firm IBISWorld, between 2000 and 2011 VoIP revenue has grown over 193 percent, and comes in at the top of their list of top 10 growing industries.

Despite VoIP’s worldwide explosion, most of the network security issues surrounding VoIP technology have not been adequately resolved.

Why do you need VoIP security today? Well, “Security and complexity are often inversely proportional,” goes one of the old security axioms from Fred Avolio. In other words, the more complicated a process is, the more it leaves room for mistakes, flaws, and insecurity. That does not bode well for VoIP, mainly because basic operations of VoIP require:

  • Converting an analog voice to digital signals
  • Compressing those digital signals into packets the Internet can carry
  • Reassembling the packets at the receiving end as audible voice
  • Translating telephone numbers into IP addresses (and vice versa)
  • Letting the telephone system know where to find phone users

In short, implementing VoIP introduces your network to numerous codecs, protocols, and transport methods. If complexity does not promote network security, VoIP exposes substantial attack surface for malicious hackers.

VoIP and network security have always had that “inversely proportional” relationship. When administrators first tried to implement Session-Initiation Protocol (SIP) and H.323, firewalls typically broke VoIP connections. That was because these protocols initiate a connection on a known, standard port, but then they want to open other ports dynamically, as needed. It took security vendors a while to create special services that could handle the dynamic ports temporarily and close them cleanly after a session terminated. The result is that many firewall security vendors now claim “VoIP Support!” – not because they secure VoIP in any sophisticated way, but simply because they no longer break VoIP. That is clearly not the same as VoIP network security.
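The dynamic-port handling described above can be sketched as follows: a SIP-aware firewall reads the SDP body of the signalling on the known port, opens temporary pinholes for the media ports it advertises, and removes them when the call ends. This is an added example, not code from the original post or from any vendor's firewall; the messages are constructed, the class and function names are hypothetical, and it assumes RTCP uses the RTP port plus one and that calls end with a BYE (no timeout or CANCEL handling).

```python
# Constructed SIP messages: an offer, an answer that rejects video, and a hang-up.
CALL_ID = "a84b4c76e66710@pc33.example.com"
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    f"Call-ID: {CALL_ID}\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\nm=video 51372 RTP/AVP 31\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    f"Call-ID: {CALL_ID}\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=bob 2808844564 2808844564 IN IP4 198.51.100.20\r\ns=-\r\n"
    "c=IN IP4 198.51.100.20\r\nt=0 0\r\n"
    "m=audio 3456 RTP/AVP 0\r\nm=video 0 RTP/AVP 31\r\n"
)
BYE = f"BYE sip:alice@192.0.2.10 SIP/2.0\r\nCall-ID: {CALL_ID}\r\nCSeq: 2 BYE\r\n\r\n"

def split_message(raw):
    """Split a SIP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sdp_media(body):
    """Return [(kind, address, port)] for every active media stream in an SDP body."""
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) != 3:
                continue
            addr = parts[2].split("/")[0]      # drop any multicast TTL suffix
            if media:
                media[-1]["addr"] = addr       # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            parts = line[2:].split()
            port = parts[1].split("/")[0] if len(parts) >= 3 else ""
            if port.isdigit():
                media.append({"kind": parts[0], "port": int(port), "addr": None})
    streams = []
    for m in media:
        addr = m["addr"] or session_addr
        if m["port"] != 0 and addr is not None:  # port 0 means the stream is rejected
            streams.append((m["kind"], addr, m["port"]))
    return streams

class PinholeTable:
    """Tracks temporary UDP pinholes per call, keyed by Call-ID."""

    def __init__(self):
        self.open = {}  # call-id -> set of (address, udp port)

    def observe(self, raw):
        start, headers, body = split_message(raw)
        call_id = headers.get("call-id")
        if call_id is None or not start.split():
            return
        if start.split()[0] == "BYE":
            self.open.pop(call_id, None)       # call over: close every pinhole
            return
        offer = start.startswith("INVITE ")
        answer = (start.startswith("SIP/2.0 200")
                  and headers.get("cseq", "").upper().endswith("INVITE"))
        has_sdp = headers.get("content-type", "").lower().startswith("application/sdp")
        if (offer or answer) and has_sdp:
            holes = self.open.setdefault(call_id, set())
            for _kind, addr, port in sdp_media(body):
                holes.add((addr, port))        # RTP
                holes.add((addr, port + 1))    # RTCP (assumed port + 1)

    def allowed(self, addr, port):
        return any((addr, port) in holes for holes in self.open.values())

if __name__ == "__main__":
    table = PinholeTable()
    for msg in (INVITE, OK_200, BYE):
        table.observe(msg)
        print(sorted(h for holes in table.open.values() for h in holes))
```

Nothing in this logic inspects the media itself, which is the post's point: opening and closing the right ports keeps calls working but says nothing about what the RTP payload contains.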

In 2007, Cisco made headlines when it published a Security Response admitting that a bug in their Unified IP Phone’s implementation of Real-Time Transport Protocol (RTP) could allow a remote attacker to eavesdrop on VoIP phone calls. Six months later, the security vendor VoIPShield announced that it could document more than 100 security holes in Cisco, Avaya, and Nortel VoIP products. Scary stuff!

Since 2006, attackers have increasingly exploited network security flaws in codecs. By injecting malicious code into files that your computer must decompress to use, attackers found they could execute malware on victim computers using file formats previously considered benign (such as QuickTime .MOV and Windows Media Player .WMP and .WAV files).

Given that attackers like to exploit codec flaws, VoIP provides the kind of technical wilderness that attackers love. VoIP incorporates audio, video, fax, and text, and provides numerous codec options in each of those technologies. Take audio alone: some users demand stereo sound and great audio quality, and thus prefer codecs that result in larger packets. Other, more bandwidth-sensitive, users prefer codecs that create smaller packets using a lower average bitrate, but requiring intensive processing. For reasons such as these, VoIP audio has at least eight codecs in common use.

Thus, to enjoy VoIP functionality, you must accept unregulated IP traffic from strangers, in a format that your computers must execute in order to use, mingled with traditional data packets on your LAN. Clearly, VoIP technology magnifies the risk to any network, including many with a firewall security solution in place.

From our perspective, as bad as it is that an attacker might be able to eavesdrop on a call or teleconference, there are even worse problems with VoIP. Because VoIP runs mingled with your IP network, its most serious threat is that any hole in VoIP provides a stepping-stone to all your network data. So, all that said, you need to choose your firewall security solution carefully!

XTM 330 Review: Sophisticated Network Security

PCPro recently reviewed our XTM 330 Network Security Appliance and we’re pleased to say that they’ve put it on their “Recommended A-List.”

The XTM 330 network security appliance provides a suite of flexible, integrated management tools designed to help small and mid-sized businesses stay in control of their network. It includes the Pro version of Fireware XTM operating system, which includes VLAN support, multi-WAN load balancing, and dynamic routing. Add in real-time monitoring and deep reporting at no additional cost and the XTM 330 is terrific value!

In the words of PCPro…

WatchGuard already lays claim to a sizable chunk of the SMB network security market, but with its latest multifunction appliance it wants even more. In this exclusive review we look at the new XTM 330, which offers impressive performance and strong features for a surprisingly low price.

To see video testimonials and see how our XTM network security appliances stack up to the competition, check out our YouTube Channel.

Network Security – 5 Reasons Hackers Want into Your Network (Besides Data)

You’re not the Pentagon. Or Microsoft. Or NASA, Wells Fargo, AOL Time Warner, or Daimler Chrysler. You’re not even headquarters for a burger franchise.

No, you’re just part of a small- or medium-sized enterprise (SME), perhaps even a home-based business with enough employees to count on one hand. You may not even be thinking about network security. After all, there are a gajillion companies in the world larger and more affluent than yours, so they’d be more logical targets for a hacker, right? After all, what does your network have that any e-punk would want? Well, here are five reasons hackers want into your network, besides data…

  • Hacking isn’t personal. The Internet is not a school yard. No one is going to push your network security around because you wear ugly glasses or momma packs your lunch with chocolate cake every day. Typically, you’ll be a random victim, the poor kid who happened to be on the wrong playground toy at the wrong time.

The first step in a hack attack is to test for vulnerability. This is usually done with a “scanner,” a commonly available application that queries thousands of arbitrary Internet addresses, hunting for any network with open ports through which a hacker can easily enter. Imagine a burglar sneaking down your street at 3:00 AM, trying every front door, looking for one that’s unlocked. If you get robbed, it’s not personal. You just made it easy — you didn’t lock your door.

  • Hackers want your computing power. Once inside your network, the hacker has free rein, but odds are he didn’t come looking for credit card numbers, trade secrets, or incriminating pictures from last year’s besotted Christmas bash. Instead, the hacker can make use of much more plentiful, ubiquitous resources.

First among these are your CPU cycles, the processing horsepower in each computer on your network. With 15 PCs and a high-speed Net connection, Corporate Health Systems came to WatchGuard Technologies for help after persistent hacks had enslaved the company’s network for one purpose: to help the hacker win an encryption-cracking contest.

A WatchGuard network security appliance instantly solved Corporate Health Systems’ hacking problem. Just the same, being roped unknowingly into such “distributed computing” applications poses a serious risk to any company, in part because most such attacks keep a low enough profile as to be unnoticeable.

  • Hackers want your connection bandwidth. Just as your CPU bandwidth can be commandeered for illicit processing tasks, your Internet connection bandwidth can be hijacked and used to damage other businesses. Distributed denial of service (DDoS) attacks involve numerous computers bombarding an Internet server with data, overloading it and causing the server to stall or crash. Hackers don’t want their exploits to point back at their own machines, so they enslave other computers, turning them into “zombies,” forcing them to attack in concert.
  • Hackers want your (or your computer’s) identity. Hackers can abuse your identity in several ways. A hacker might use your machine as a relay, a bouncing-off point from which to probe for weaknesses in other networks: Some network admin notices unauthorized activity in the accounting files, works with the police to trace the intrusion back to your PC, and the hacker waltzes away with a smile. Similarly, the hacker would much rather have you do his port scanning than his own machine. You might also be one in a chain of relays.

If a hacker can learn your name and e-mail address — not a particularly hard feat — he’s at liberty to change his mail, news, and chat settings to impersonate you. He might send death threats to an ex-boss under your name. He might raid your contacts list and then pretend to be you while asking vendors for information about your order history, including the account numbers used to pay invoices. If the masked hacker slanders your competitors in a newsgroup, you could be faced with trying to clear yourself in court.

  • Hackers will hack you just for the practice. Or you may become a guinea pig. Hackers stake their reputations on “owning,” or seizing control of, prestigious companies’ servers. But even established hackers begin as novices, and learning the ropes of deception and destruction inside your company’s humble network is as good a place to start as any.

Be sure to take advantage of network security solutions and protect yourself and your network. There’s too much at risk in today’s business environment to ignore hackers.