The exact composition of an integrated security strategy will vary between organizations, but each strategy will typically share the following major elements: hardening the network infrastructure, hardening the endpoints, protecting endpoints and networks from threats, and maintaining security.
Organizations must harden their networks to eliminate as many vulnerabilities as possible. Hardening a network also involves restricting access. These actions reduce the chances of a successful compromise.
What follows are three effective approaches that apply at a high level to both wired and wireless networks. The details differ based on network type. Just because organizations are integrating wired and wireless network security doesn’t mean that security needs are identical.
Action Item: Implement separate segments for groups of client endpoints. It reduces risk to have different classes of endpoints on different network segments. Having segmented networks also makes it much easier to apply distinct policies to each class of endpoints. For example, an IT department could set network-based security controls on BYOD networks to compensate for the lack of host-based security controls.
Ideally, every client segment should be configured to access servers and other designated systems only, not endpoints on other client segments. This will reduce the spread of malware and other attacks that target endpoints on a local subnet.
A segmented approach has another benefit: It easily allows BYOD endpoints to be treated as less trusted than organization-issued endpoints. An organization can give BYOD clients access to a few low-risk internal resources only, such as e-mail and calendaring.
An organization can also decide to limit authorized configurations, such as prohibiting wired BYOD access. In fact, some organizations are eliminating wired connections altogether for client endpoints — even organization-issued devices.
Action Item: Only allow authorized client endpoints to use the network. Another possible method for network infrastructure hardening is to require some sort of device authentication.
This could be performed using network access control (NAC) for organization-issued endpoints and using enterprise MDM for both organization-issued and BYOD mobile devices. Note: Some enterprise MDM solutions can manage notebooks as well as the smartphones, tablets and other mobile devices more traditionally associated with MDM.
At a minimum, an organization should confirm that each endpoint has the appropriate client software installed (a NAC agent or an MDM agent, for example). It is also important to keep an accurate and comprehensive inventory of all client endpoints authorized to use the network so that other endpoints can be blocked from being able to use the organization’s networks. There also needs to be some sort of incident response capability triggered whenever a rogue endpoint tries to connect to the organization’s network.
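As an added illustration, not code from the CDW paper, the following Python sketch combines the checks described in the three action items above: an inventory of authorized endpoints, a required agent per endpoint class, per-class segment assignment with BYOD limited to low-risk resources and prohibited from wired ports, and an alert for incident response whenever an endpoint fails admission. All MAC addresses, VLAN numbers and agent names are constructed placeholders.

```python
"""Added example (not from the CDW paper): a minimal NAC-style admission
check combining the inventory, agent and segmentation rules described above.
MAC addresses, VLAN numbers and agent names are constructed placeholders."""
# Constructed inventory of authorized endpoints: who issued each device and
# which agent (NAC for organization-issued, MDM for BYOD) it must be running.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"class": "org-issued", "agent": "nac"},
    "aa:bb:cc:00:00:02": {"class": "byod", "agent": "mdm"},
}
# Each endpoint class gets its own segment; BYOD sees only low-risk resources.
SEGMENT = {
    "org-issued": {"vlan": 10, "allowed": ["servers", "email", "calendar"]},
    "byod": {"vlan": 20, "allowed": ["email", "calendar"]},
}
QUARANTINE_VLAN = 999  # isolated segment with no internal resources

def decision(mac, vlan, allowed, alert=None):
    """A non-None alert means incident response should be triggered."""
    return {"mac": mac, "vlan": vlan, "allowed": allowed, "alert": alert}

def admit(mac, reported_agent, wired):
    """Place a connecting endpoint. Rules in order: unknown MAC -> quarantine
    (rogue); wrong or missing agent -> quarantine (posture failure); BYOD on
    a wired port -> quarantine (prohibited); otherwise its class's segment."""
    mac = mac.lower()
    record = AUTHORIZED.get(mac)
    if record is None:
        return decision(mac, QUARANTINE_VLAN, [], f"rogue endpoint {mac}")
    if reported_agent != record["agent"]:
        return decision(mac, QUARANTINE_VLAN, [],
                        f"{mac} not running required {record['agent']} agent")
    if wired and record["class"] == "byod":
        return decision(mac, QUARANTINE_VLAN, [], f"BYOD {mac} on wired port")
    seg = SEGMENT[record["class"]]
    return decision(mac, seg["vlan"], list(seg["allowed"]))

# Constructed connection attempts: "<mac> <agent|none> <wired|wireless>".
SAMPLE_EVENTS = [
    "aa:bb:cc:00:00:01 nac wired",
    "aa:bb:cc:00:00:02 mdm wireless",
    "aa:bb:cc:00:00:02 mdm wired",
    "AA:BB:CC:00:00:01 none wireless",
    "de:ad:be:ef:00:01 none wireless",
]

def process_events(events):
    """Evaluate each "<mac> <agent> <medium>" event; returns the decisions."""
    return [admit(m, None if a == "none" else a, med == "wired")
            for m, a, med in (line.split() for line in events)]
```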
Action Item: Protect networks from eavesdropping. Eavesdropping is inherently different for wired and wireless networks. Most wired networks have little risk of eavesdropping because they are fully switched. Organizations concerned about eavesdropping should migrate to fully switched environments for their client endpoints if they haven’t already done so.
For WLANs, network communications must be encrypted to prevent their contents from being intercepted. There are known vulnerabilities in the Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) schemes, so it’s recommended that networks be configured to use stronger protocols such as WPA2, which does not suffer from the vulnerabilities inherent in WEP and WPA networks.
Organizations need to reinforce all endpoints to the greatest extent possible. Obviously, whether the endpoints are organization-controlled or BYOD will affect the degree to which the IT team can control this effort.
NAC solutions (discussed in detail in the Network Access Control Software section) can be quite effective at checking the security posture of both organization-controlled and BYOD endpoints before allowing the devices to access the organization’s resources. NAC can be used to enforce minimum policy requirements for endpoint hardening. What follows are three effective approaches to hardening endpoints.
Action Item: Standardize endpoint security configuration settings. Security configuration settings define the controls of a device’s operating system and applications; for example, providing an option to require or not to require user authentication before granting access to the operating system (OS).
It’s generally recommended that organizations standardize and automate security configurations for endpoints, particularly client endpoints, because doing so can effectively mitigate risk and is far more efficient than manually implementing settings. Standardizing endpoint settings improves consistency, strengthens overall security, and allows automation of setting implementation and monitoring.
Here are examples of recommended security practices to implement through standardized security configurations:
Implement the principle of least privilege. Each user, application and logical entity on an endpoint then can access only the functions and the information necessary to support approved use of the endpoint. For example, an application that provides a flashlight function should not need access to the address book.
Require users to authenticate before accessing the endpoint’s OS and applications containing sensitive data. This protects each endpoint and the organization’s information from access by unauthorized users.
Action Item: Patch and upgrade endpoint operating systems and applications. Keeping software fully up to date also helps eliminate vulnerabilities. This requires both patching software (installing the latest updates to eliminate known vulnerabilities in the software) and upgrading software (installing newer versions to replace old ones).
Vendors frequently discontinue support of older versions of software, which means that patches will not resolve new vulnerabilities found in the software. The only way to get rid of vulnerabilities, in many cases, is to switch to a newer version of the software still supported by the vendor.
There are many mechanisms available for patching endpoints. Many apps include built-in features to check for, download and install updates. There are also enterprise patch management technologies that organizations can install on desktop and notebook endpoints, and MDM technologies with patching capabilities that they can install on mobile devices.
At this time, no single product can handle all the patching responsibilities for all the OSs and apps on your endpoints; hybrid solutions must be used instead. If an organization supports enterprise mobile device usage, it should already have the necessary technologies up and running. Ensuring patching should therefore require little additional effort.
Organizations also need to carefully consider how well large patches (and full upgrades, when applicable) can be installed over external networks. This can be particularly problematic for mobile devices that use metered networks, such as those of cell phone carriers.
A single application update could be hundreds of megabytes, or even multiple gigabytes. Downloading just one such update over a metered network could use all available bandwidth for a given month or result in substantial overage charges.
Updating such devices generally necessitates either connecting them to an unmetered network (a WLAN, for instance) or connecting them to a notebook or other endpoint that is already connected to an unmetered network, with the network-connected endpoint acquiring the updates on behalf of the mobile device.
Organizations should plan for these situations and also educate users on the importance of keeping the OSs, software and apps on their mobile devices current.
Action Item: Use host-based firewalls. Endpoints no longer necessarily reside behind network firewalls and other network-based security controls. They are increasingly connected directly to public networks, such as open WLANs.
Host-based firewalls can prevent unauthorized connection attempts to the endpoint from other hosts. Host-based firewalls have been widely available for desktops and notebooks for many years. But they have relatively limited availability for smartphones, tablets and other mobile devices because people have relied on network-based firewalls from cell phone carriers to shield them from malicious activity. As organizations migrate mobile devices to WLANs, however, these network-based firewalls no longer protect them, so host-based firewalls are needed to compensate.
Eliminating vulnerabilities isn’t sufficient to totally protect endpoints and networks because it’s impossible to eliminate every last vulnerability. What’s more, many threats succeed by tricking users through a technique known as social engineering. Therefore, organizations must protect their endpoints and networks from threats in several ways, including the following action items.
Action Item: Detect and block malicious activity. Antivirus, antispam, and intrusion detection and prevention software are all useful at spotting and rejecting malware. And though there are host-based and network- or server-based versions of these tools, most are not widely available for smartphones and tablets. For those endpoints, it is particularly important that network- and server-based controls be used to provide protection by monitoring the endpoints’ network communications.
This works when users connect through the organization’s network, but not when they use external resources directly. One option is to use a VPN tunnel to direct all communications for the endpoints through the organization’s network infrastructure.
Although this may be the only protection that this network traffic receives — making it invaluable — it raises some serious concerns: the slowing of network activity, the privacy implications of monitoring personal activity and the bandwidth requirements for carrying all the traffic. Ideally, such controls should be on the endpoint, so it’s wise to encourage security product vendors to make versions of their controls available for smartphones and tablets.
Exfiltration of sensitive data is another growing concern for organizations. Data may be exfiltrated by malicious insiders (such as disgruntled employees), by employees who make innocent mistakes or by a successful cyberthief. The primary security control for discovering data exfiltration is data loss prevention (DLP) software (see Data Loss Prevention section).
Action Item: Protect network communications from eavesdropping and manipulation. Although this white paper has touched on the need for encrypting wireless network communications, organizations also must protect the confidentiality and integrity of all communications passing over untrustworthy networks. Otherwise, information may be intercepted and accessed or manipulated.
Even if a wireless network provides strong protection for its communications, it can only protect them on the wireless network itself — not the wired network to which the wireless network connects. Therefore, the IT team needs to use encryption to protect sensitive information sent over any untrusted networks.
One option is to protect traffic at the network level, typically through establishing VPNs. Many mobile device carriers support private VPN services that protect an organization’s mobile device communications.
A downside of such VPN solutions is that they may direct all traffic for the organization’s mobile devices through its networks. This may not be a problem for organization-issued endpoints, but it may be a major issue for BYOD endpoints, whose owners may have privacy and performance concerns about having all of their personal computing activities routed through the organization’s networks and monitoring technologies.
There may also be problems with bandwidth and other aspects of supporting increased traffic flow. In addition to VPNs, IT departments can protect communications at the application level. An example of this is when a web-based app uses the Secure Sockets Layer or Transport Layer Security protocol to protect HTTP communications (better known as HTTPS).
HTTPS can be used to protect web traffic. If an organization transmits most or all sensitive information through webmail or other web-based apps, HTTPS offers a way to achieve confidentiality and integrity for sensitive information without the overhead of a VPN.
Action Item: Reconfigure endpoints to block emerging threats. Suppose that a not-yet-patchable server vulnerability is discovered in a service that only a handful of the organization’s staff members use, for non-mission-critical purposes.
What if remotely exploiting the vulnerability can give a hacker full administrator-level access? The IT department should be able, either through domain policy management or through third-party security automation technologies, to rapidly disable this service on all endpoints until a patch becomes available and is installed.
When focusing on security maintenance, a key ingredient is configuration management. From time to time, the configuration of endpoints will need to be updated.
The most obvious example (as explained earlier) is the installation of patches and upgrades. Another example is the adjustment of security configuration settings to reflect changes in policy, threats and vulnerabilities. Additionally, software patches and upgrades may offer new or altered security configuration settings; these need to be set properly.
Another important component of security maintenance is performing periodic assessments of endpoint and network security. As vulnerabilities and threats change over time, and the effectiveness of security controls waxes and wanes, so does the level of risk to be mitigated in endpoints and networks. It is important to periodically reassess risks to determine if changes to security controls are needed, including the addition of new controls.
A relatively recent trend known as continuous monitoring can reduce (but not eliminate) the need to perform periodic assessments on endpoints. Continuous monitoring, which essentially performs vulnerability assessments all the time, is made possible through automated security technologies. Tools such as patch and vulnerability management software can quickly check an endpoint and identify missing patches, unsecure configuration settings and other security-related problems.
It is easy to see why continuous monitoring plays an increasingly critical role in maintaining endpoint security. Vulnerabilities are being exploited all the time, so it’s no longer sufficient to audit the security of an endpoint every year, or even every month. It’s imperative to remediate weaknesses as quickly as possible, and continuous monitoring can discover them very quickly.
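As an added example, not code from the CDW paper or any product it mentions, the following Python check shows the kind of comparison a continuous-monitoring tool performs: each endpoint's reported software versions and security settings are compared with a baseline, and findings distinguish a missing patch from an unsupported version that needs a full upgrade (the patch-versus-upgrade distinction made in the patching action item above). Product names, version numbers, setting names and the endpoint reports are all constructed.

```python
"""Added example (not from the CDW paper): a continuous-monitoring check that
compares constructed endpoint reports against a patch/configuration baseline."""
def ver(s):
    """Parse '1.10.2' into (1, 10, 2) so versions compare numerically;
    comparing the strings lexically would wrongly rank 1.9 above 1.10."""
    return tuple(int(p) for p in s.split("."))

# Constructed baseline (hypothetical product and setting names). The
# 'unsupported_below' threshold marks versions the vendor no longer patches:
# those endpoints need an upgrade, not merely a patch.
BASELINE = {
    "software": {
        "browser": {"minimum": "2.4.1", "unsupported_below": "2.0.0"},
        "pdf-reader": {"minimum": "11.0.3", "unsupported_below": "10.0.0"},
    },
    "settings": {  # required security configuration values
        "require_logon_auth": True,
        "host_firewall": "enabled",
        "wifi_security": "WPA2",
    },
}

def check_endpoint(report):
    """Return (severity, finding) tuples for one endpoint's agent report."""
    findings = []
    for name, rule in BASELINE["software"].items():
        installed = report["software"].get(name)
        if installed is None:
            findings.append(("high", f"{name}: required software not installed"))
        elif ver(installed) < ver(rule["unsupported_below"]):
            findings.append(("high", f"{name} {installed}: unsupported, upgrade required"))
        elif ver(installed) < ver(rule["minimum"]):
            findings.append(("medium", f"{name} {installed}: missing patch, need {rule['minimum']}"))
    for key, required in BASELINE["settings"].items():
        actual = report["settings"].get(key)
        if actual != required:
            findings.append(("medium", f"{key}={actual!r}, expected {required!r}"))
    return findings

# Constructed endpoint reports, as a patch/vulnerability management agent might submit them.
REPORTS = {
    "nb-0001": {"software": {"browser": "2.10.0", "pdf-reader": "11.0.3"},
                "settings": {"require_logon_auth": True, "host_firewall": "enabled", "wifi_security": "WPA2"}},
    "nb-0002": {"software": {"browser": "2.4.0", "pdf-reader": "9.5.1"},
                "settings": {"require_logon_auth": False, "host_firewall": "enabled", "wifi_security": "WEP"}},
}
def run_scan(reports):
    """Check every endpoint; a host maps to [] when fully compliant."""
    return {host: check_endpoint(r) for host, r in reports.items()}
```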
A final security maintenance component is incident response. Every organization needs to be prepared for security incidents involving their endpoints, such as malware infections and lost or stolen devices. Incident response efforts should strive to protect the organization’s sensitive information from disclosure by detecting and containing incidents quickly, by removing compromises from endpoints and by remediating the vulnerabilities that the incident exploited.
For more information on integrated wireless and wired network security, download CDW's white paper, "Integrating Wireless and Wired Security."