“Information security” is not just for businesses looking to safeguard their intellectual property, financial data or customer data. It is also a vital component of ensuring that students around the world maintain a positive learning environment. As we detailed in our last post, the ability to support numerous devices per student, enable access to public websites, and still maintain a commitment to student and teacher privacy is a battle school districts face globally.
As Catholic Regional College in Melton, Australia has found, WatchGuard’s Unified Threat Management (UTM) platform not only enables it to offer its students secure browsing, but also delivers the performance to handle the bandwidth demands that are key in today’s learning environments.
The school, which serves more than 950 students, has committed itself to delivering a 1:1 student to computing device ratio for its students. Three years ago, the College network was much smaller and all activity was governed by Catholic Education Office rules. Making changes to policies or access control was difficult. But, recent growth in the College’s enrollment made a higher throughput option necessary to meet student and staff needs.
To meet these challenges, the school deployed two WatchGuard XTM solutions.
The flexibility and management WatchGuard delivers has enabled the school to support the introduction of new services for the school community. For example, parents were provided access to the school network, enabling them to view student grades and potentially sensitive welfare information. As any breaches of privacy could have legal ramifications, keeping this information secure is critical.
Now, everything flowing in and out of the network passes through the WatchGuard appliances, from data to the phone and security systems. With the System Manager and central console, the school can see what’s going on in real time and take action.
The first appliance was initially deployed just for its firewall capabilities; the team quickly deployed a second WatchGuard XTM 1050 at a central location to leverage the complete feature set available in the Unified Threat Management (UTM) platform, which includes IPS, AntiVirus, URL Filtering, AntiSpam, Application Control and more. The WatchGuard appliances also support the school’s expanding range of IP addresses, increased throughput demands, and the need for Network Address Translation (NAT).
You may know what to do about WLANs at the office. But, what about your employees when they go home? As many have pointed out, “wireless” is very affordable. And it works. So, how do you help safeguard your users — and the corporate data on their computers? It starts with your (and your employees’) understanding the web security risk.
Understand the web security risk
First, we realize that the web security risk is going to be a function of the vulnerability, the level of threat, and how much it would cost your company if someone were able to steal proprietary information (or at the minimum, to piggy-back on your Internet connection). The vulnerabilities are in the very infrastructure of WLAN technology.
Threat, or threat rate, is more difficult to measure. We have to take into account physical parameters. For example, not only does it matter how far the WAP can transmit, but it also matters how close people can get to the user’s house without being obvious.
Also, the web security threat increases if attacking your network is attractive to a would-be attacker. Has the employee recently ticked off his neighbor (or worse, his neighbor’s teenaged son)? Does your company deal in military secrets or pizza dough recipes? And what’s the competition like in the pizza industry, anyway? The same kind of web security threat analysis that you do for your company network has to be extended to employees’ homes. Not in as much detail, not with as much effort, but similarly. Attacking your employee’s network and system is either worth something to someone or it is not. No matter how we figure the threat, it is greater than zero.
How do you estimate the cost to the company (or the individual, for that matter) of a break-in — the event cost? It depends. What secrets does the home network hold? Does it have corporate information? How about military secrets or personal, financial, or medical information? Having a home WAP is similar to running Cat-5 wire connected to a hub inside your house, out to the end of your driveway, with an RJ45 socket on it. Someone could drive up, plug in, and access your home network. They can do the equivalent via a connection to the WAP. And they could sniff all packets traveling by radio between the WAP and each wireless client.
Bridging web security policy and practice
Perhaps by now you are convinced that the best acceptable use policy for home users with WLANs is to not allow them. You would be right. However, since we know that people will ignore that directive, after explaining the web security risks to them, as I did above, you will need to put some guidance in place that they might actually follow. This is neither meant to be fatalistic nor overly pragmatic. As web security professionals, our job is not to provide security. It is to secure the mission requirements of the organization.
Let us assume we are talking about average-grade web security risks. Our main concern is not with targeted attacks by agents of other governments. (Because in that case we can say, “Thou Shalt Not Do This,” making sure people realize that infractions could lead to time in a federal penitentiary.)
Users should change all defaults on their WAPs. Default keys must be replaced, default web security settings changed, default broadcast channels switched, and the SSID renamed to something non-generic. It is best if the name does not identify the name of the owner (though in a small neighborhood, this might be a moot point). It certainly should not identify the employer of the individual. An SSID that broadcasts “ABC1” is less interesting than one that says, for example, “cia-home1.” From a risk standpoint, it is irrelevant that “CIA” are the homeowner’s initials.
They should change the default IP address of the WAP as well as the default administration password. Some WAPs use a hard-connected USB port for administration, but many can be administered via a network-connected web interface. If the kid next door enables his wireless card, sees your WAP broadcasting (because it broadcasts on the same channel as his), and sees that your SSID is “linksys”, he might be tempted to try to connect to IP address “192.168.1.251” and log in with the password “admin.” Every vendor has a list of defaults like that, and those lists are public. That’s why it is important to change the defaults.
The user with a WLAN is arguably at greater risk than other mobile users. Disk encryption protects the data on a PC while it is powered off and at rest, but if that data flows over a home network, we need extra protection for that network or the computer. Personal firewalls must be used, with a policy that disallows SMB services between computers. Otherwise, there is no good way to keep that teenager next door from your computer’s folders.
Finally, and this is perhaps most important: establish a web security policy that says users of home WLANs must configure their WAPs to filter, only talking to a fixed set of MAC addresses. This is tedious to do in an organization with many computers. It is a short job for someone working on a home network.
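The home-WAP checklist above (defaults changed, non-identifying SSID, non-default admin password and IP, personal firewall, MAC-address filtering) turned into a configuration audit, as an added example that is not from the original post or from WatchGuard. The config dictionary layout, the vendor-default table and the sample values are constructed assumptions for illustration.

```python
import re

# Constructed table of common factory defaults (illustrative, not a vendor list).
# 192.168.1.251 / "admin" / "linksys" are the values named in the post.
VENDOR_DEFAULTS = {
    "ssid": {"linksys", "default", "netgear", "dlink", "wireless"},
    "admin_password": {"admin", "password", ""},
    "admin_ip": {"192.168.1.1", "192.168.1.251", "192.168.0.1"},
    "channel": {6},
}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def audit_wap_config(cfg, owner_name, employer_names):
    """Return a list of findings; an empty list means the checklist is met.

    cfg is a hypothetical dict exported from the WAP admin interface."""
    findings = []
    ssid = cfg.get("ssid", "").strip()
    if ssid.lower() in VENDOR_DEFAULTS["ssid"]:
        findings.append("SSID is a vendor default; rename it")
    # An SSID like "cia-home1" is risky whether CIA is the employer or initials
    for name in [owner_name, *employer_names]:
        if name and name.lower() in ssid.lower():
            findings.append(f"SSID reveals '{name}'; use a non-identifying name")
    if cfg.get("admin_password", "") in VENDOR_DEFAULTS["admin_password"]:
        findings.append("admin password is a vendor default")
    if cfg.get("admin_ip") in VENDOR_DEFAULTS["admin_ip"]:
        findings.append("WAP admin IP is a vendor default")
    if cfg.get("channel") in VENDOR_DEFAULTS["channel"]:
        findings.append("broadcast channel is the vendor default")
    if cfg.get("key") in (None, "", "default"):
        findings.append("wireless key is unset or default")
    if not cfg.get("mac_filter_enabled"):
        findings.append("MAC filtering is disabled")
    else:
        macs = cfg.get("mac_allowlist", [])
        if not macs:
            findings.append("MAC filtering enabled but allowlist is empty")
        for mac in macs:
            if not MAC_RE.match(mac.lower()):
                findings.append(f"malformed MAC in allowlist: {mac}")
    return findings


# Constructed sample: a WAP still at factory defaults (every check fails)
SAMPLE_DEFAULT_WAP = {
    "ssid": "linksys", "admin_password": "admin", "admin_ip": "192.168.1.251",
    "channel": 6, "key": "default", "mac_filter_enabled": False,
}
```

Running `audit_wap_config(SAMPLE_DEFAULT_WAP, "Smith", ["CIA"])` returns six findings; a WAP with every default changed and a populated MAC allowlist returns none.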
Many IT security professionals face conflicting demands from management and network users when it comes to web security. The need for speed is always in demand, but delivering that speed while enhancing web security for a broader, more dynamic threat environment is quite challenging. Following are some of the most frequent obstacles to achieving this goal:
The options for overcoming these obstacles to proactive, multi-layered web security are either unappealing or insufficient. For example, one defense against the widespread proliferation of malware is to install anti-virus scanning at the gateway, capturing malware before it ever enters the network. But scanning every page and object at the URL can slow down web page delivery and affect both throughput at the device and the user experience at the browser. Finally, desktop or browser-based scanning solutions only catch threats once they are in the network. By the time these solutions alert users, today’s malware could have already inflicted great amounts of damage to the organization’s computing infrastructure and/or compromised sensitive data from within the organization.
URL Filtering is Not Enough
Since the 1990s, reputation services have been helping organizations block unwanted or bad traffic to ensure that threats never enter the network. By identifying and blocking threats at the perimeter, reputation services help prevent attacks, reduce the on-premise IT footprint required to scan traffic, and lower the costs associated with the bandwidth, hardware, and other resources required to block threats. As web technologies and the web itself have grown more sophisticated, early generation reputation services have become less effective in identifying and blocking threats.
Effective Security is Proactive and Multi-Layered
The most effective approach for defending against the web’s dynamic threats is a proactive, multi-layered approach to web security. Being proactive requires that the web security solution reach into the Internet cloud, obtain the latest threat data from multiple threat-monitoring sources, and prepare a network’s perimeter in the event that one of the threats presents itself to the network. Effective defense is multi-layered, applying additional measures of threat scanning, depending on the type of content that attempts to enter the network.
Our Reputation Enabled Defense leverages the cloud-based intelligence of millions of global sources and users. It shares information about threats associated with URLs and domains in real time to automatically block new threats before they enter an organization’s network. By scanning for hostile content and blocking malicious URLs at the connection level, this type of solution bridges the web security gap left exposed by simple URL filtering, and provides safer web surfing and faster web performance.
Reputation services complement gateway antivirus and traditional desktop web security solutions by providing improved performance and an additional layer of protection. Unlike traditional gateway anti-virus solutions, which typically update signatures on an hourly or daily basis, reputation services provide the equivalent of real-time updates of malware intelligence. The broader and improved URL reputation data they provide results in greater protection from web security threats and faster, more productive web surfing. However, not all reputation services function in the same manner, so IT security professionals should exercise caution when evaluating potential solutions.
As a cloud-assisted service, Reputation Enabled Defense provides instantaneous web security that is updated continuously. Not only does it improve proactive security, it helps organizations take advantage of greater computing and processor power from servers hosted in the cloud. IT can save valuable processor resources on local appliances. As a result, more users can be served at higher rates of throughput – for less money.
We’ve seen Reputation Enabled Defense provide a broad set of security and performance benefits arising from the ability to perform proactive security measures in the cloud. Below are the seven most salient benefits that we see for IT and network administrators. Check them out and then be sure to check your ReputationAuthority score using our online tool.
Malware continues to spread across the web. The ability of a single organization’s IT staff to monitor and protect against all web security threats is eaten away by growing threat volumes and by new and ever-morphing threat variations. That is why we try to constantly push the envelope to improve methods for proactive and cloud-based security, taking into account the critical balance that must be maintained between security and performance.