Bring Your Own Device:

Transcription

1 Bring Your Own Device: Finding the perfect balance between Security, Performance, Flexibility & Manageability SECURELINK WHITEPAPER 2012 By Frank Staut

2 Management summary This white paper discusses some scenarios for bringing your own device to the office and goes more into detail on network access security. We will show that access to the network from within the office can be treated in exactly the same way as access from remote locations. As SecureLink is an independent network and security integrator we will give our advice on a best practice approach. We will explain in detail why it is according to us based on the remote access solutions from Juniper Networks and the firewalls of Palo Alto Networks. Wireless access to the network can be foreseen with the wireless solutions from Juniper Networks in a very secure way. The goal of this white paper is to discuss a simple approach in allowing devices to the network. Depending on the current security policies that are in place for the use of laptops there are mainly 2 solutions, either you go for a full blown security or you accept the risks. This white paper is not about legal issues regarding BYOD, nor will we discuss the management of the devices itself. Introduction It is clear that there is a big demand from users to use their own smartphones, tablets and PC s to connect to the corporate network. Whether it is just for reading or making notes on their ipad during a meeting, it all comes down to more flexibility. People want to use their MacBook Air or their newest Samsung smartphone and they want to have the flexibility to use it everywhere, both within the office as well as everywhere else where an Internet connection is available. By definition, more flexibility mostly means less security. This is the challenge that network and security managers have to cope with. Finding the right balance between flexibility and security also depends on the organization itself. For a bank it will be different than e.g. for a small printing company. Different device types There are multiple types of devices such as: Smartphones Tablets Netbooks PC s Navigation systems in cars Instead of classifying devices based on a type it is more important to look at the different operating systems as the operating systems often determine what the functionality is of the device. Apple ios Android Symbian Windows Mobile Blackberry MacOS Windows Linux A very clear trend is that almost all devices have wireless connectivity today and that almost all devices have a browser. As we will discuss further in this document we have to take into account this wireless connectivity especially when we want to allow these devices to the corporate network. By Frank Staut 2

3 Different access types Potential risks are: Dataloss when a device is lost or stolen Viruses or other malware that spread via unprotected devices Smart phones are mostly used for reading s. However it is clear that more and more applications become available for these devices. As tablets have larger screens, they are more useful to run specific applications such as e.g. remote desktop. The main difference between a corporate owned device and a user owned device is typically that the corporate owned device has security software installed and that the user does not have admin rights to turn it off. Depending on the environment, the installed security software is typically a combination of: Anti-virus/anti-malware Personal firewall Data Loss Protection (DLP) Disk encryption If we look at the different types of access we can distinguish the following: access (typically activesync) Access to web based applications Access to specific applications (e.g. Citrix or Microsoft Terminal Services) Full network connectivity As we have identified at least 8 different operating systems and 4 different access types we should further describe 32 scenarios However we prefer a clear and simple approach and we will try to show you that there are two main solutions: either you go for a full blown secure solution or you accept the risks. Depending on your current security policy for laptops this choice can be made very easily. If you look at these access types you can see that there are almost no differences, whether you want to have a remote connection from home or if you want to connect to the office network directly. If you have a smart phone you want to be able to read your s, regardless whether you are in or out of the office. If you have a laptop you want to use it for accessing specific applications, both from home as in the office. Security risks for different scenario s Network access Did you notice that we didn t use the term BYOD yet in this document? In our opinion the concept of bringing your own device and connect it to the network is exactly the same as the remote access concept. Both have similar security risks. Whether you come to the office with a smartphone or with a laptop, the least you would expect is that you have wireless internet/network access. Most companies today have a wireless infrastructure which can be used for this. A wireless infrastructure typically has multiple SSID s: SSID for corporate devices such as corporate laptops SSID for guest access SSID for mobile devices From a security point of view it is important to map these SSID s to different VLANs which are connected to a firewall. The security settings for these SSID s will be different. For example: The corporate SSID is typically protected with 802.1x and an additional machine certificate and is mostly used for company owned laptops. The guest SSID will generally be protected by a captive portal, vouchers for accessing the guest network can be obtained via e.g. a receptionist. The mobile SSID can be protected via e.g. a WPA2 key, an optional user authentication can be implemented. The goal is that all traffic is at least encrypted. By Frank Staut 3

4 EX PoE PSU 1 Provide an Earthing Connection V~/ V~ 50/60Hz, 4/2A! DISCONNECT ALL POWER BEFORE SERVICING PSU 2 Console WLC8 7 Uplinks 8 Link MP PoE ! CONSOLE INTERNAL EXTERNAL SA 4500 An important remark is that you need to take into account that wireless access is often more protected than wired access. In order to access a wireless network, you typically need at least a username and a password or an encryption key and in many cases also a certificate. In order to connect to a wired network you just plug in the cable unless an 802.1x solution is used. Practical implementations What we see as a best practice for most companies is a combination of a Palo Alto Networks firewall and a wireless and remote access solution from Juniper. The reason why we prefer a so-called next generation firewall is that it combines classic firewall features with user authentication, content filtering and application awareness. A best practice design is also to separate the server infrastructure from the users. Especially in dynamic environments where you need to allow machines on the LAN that are not under control of the company we would advise to make separate VLANs for both servers and users and connect them through a firewall. A possible network design for a medium sized company could be as presented in the next drawing. This network design has the following features: The Palo Alto firewall is the central routing point for all traffic. This means that all traffic, both incoming and outgoing, is scanned. Palo Alto firewalls have the ability to scan for malware and to detect intrusions when the threat prevention license is installed and configured. A secure access to the network is foreseen via the Juniper Secure Access or the newer MAG series Junos Pulse gateway solution. The Juniper Secure Access solution has a number of features to allow access in a very granular way to the network, ranging from basic web access to full network connectivity. Incoming traffic will be scanned by the Palo Alto firewall. The Juniper Secure Access solution can also act as a gateway for activesync traffic. Secure wireless access can be foreseen with the Juniper wireless solution. There are a lot of options in order to allow devices to access specific SSID s. Guest wireless can be integrated. Wireless access from unknown devices can be given access to the network either directly or via the secure access solution in the same way as if they were located outside the network. JunOS Pulse can be used as a VPN client on mobile devices. User network VLAN B... T T SSID Guest VLAN C SSID Mobile VLAN D Juniper wireless controller Private DMZ Server network VLAN A Internet Palo Alto Networks firewall Juniper Secure Access Public DMZ Cisco mail relay White paper design Typical medium size enterprise Reference: 2011xxxx v1.0 Date : 14/02/12 SecureLink nv / Frank Staut By Frank Staut 4

5 Security versus performance, flexibility and manageability Network access Finding the right balance! It depends on the requirements of the company whether security is the most determining factor in the network design or not. In order to have the highest security you should already have taken measures in order to prevent unauthorized access to the wired network via either physical protection, MAC based protection or a full blown 802.1x solution. All devices should be under strict control of the IT department and the necessary security software has to be installed on all devices. At least disk encryption and antivirus/anti-malware software has to be installed. Is the physical network protected? Is DLP software installed on coporate PC s? For companies with these security requirements a concept of BYOD will be very hard as you always will have to compromise on security. In our opinion the only acceptable solution in this case is a remote desktop solution. Even with remote desktop you need to be aware that screen captures can be taken from the host device and as such it is still possible that valuable company data leaks Do you trust network anti-virus/antimalware? The only option is to use a terminal server solution whereby all data remains in the corporate datacenter. For companies that have less strict security rules the main question is whether a network anti-virus is a good alternative for a host based anti-virus? In our design we will always isolate user devices from the server infrastructure via the Palo Alto firewall with an active threat prevention license. If not, then also the remote desktop solution is the only viable solution. If yes, then devices can connect to the network either via wireless or via a VPN. A flexible solution can be implemented as described in our best practices design. The next flowchart determines what type of network access you can allow depending on the existing security policies. It is necessary to make a distinction between only access and all other access. Typically smart phones are used for reading mail. The question that comes to mind is what happens if this device is lost or stolen? For a company it can be important to erase the data as soon as possible as otherwise data loss could occur. Next question is of course whether the device is managed by the company or by an individual? If the device belongs to an individual does he or she allow to install software that can be controlled remotely by the IT department of the company? By Frank Staut 5

6 Mobile device access Do you have DLP software on laptops? Does the user accept to install security software? Does the user accept to install a client certificate? Require Juniper Mobile Security software on devices. Junos Pulse VPN software can be used as well as activesync. There are existing solutions such as the Juniper Pulse Mobile Security Suite that can be integrated in our best practices design. The main question however is, who will manage all the mobile devices? ActiveSync, the protocol that is mainly used for reading s on smart phones, is encrypted natively. However, it only needs a username and password to connect. With the Juniper Secure Access solution we can limit this ActiveSync traffic by checking on a client certificate so that s can only be read from devices that have a valid certificate. Again the question arises, who will manage these certificates? Very important is the management and configuration of the mobile devices. If you allow users to bring their own devices you need to be aware that many users will have questions regarding the configuration of their devices to read their or to access the network. As already mentioned, this part is out of scope for this white paper. Best to only allow activesync Conclusion In this white paper we discussed a number of security issues which arise when you allow unknown devices to the network. Depending on the security requirements of the company you can allow more or less but it is important to understand that with our reference design we can cope with the majority of the possible issues depending on the configuration of the devices. Mobile devices are more vulnerable for lost or theft than laptops, however the security measures that you have to take in order to allow these devices on the network are very similar. By Frank Staut 6

7 About SecureLink: SecureLink is a highly appreciated, Benelux oriented security and networking integrator. Our key differentiators are our obvious networking and security specialization, our vendor partnerships and excellent managed services. Our approach results in a good night s sleep for our customers! About Juniper Networks: Juniper Networks unique blend of security, networking, and management expertise provides customers with the most robust solutions in the industry. In addition, Juniper Networks provides optimized system designs that offer best-of-breed capabilities and deliver a proven total-costof-ownership advantage when compared to competing product offerings. About Palo Alto Networks: Founded by security visionary Nir Zuk, Palo Alto Networks offers real innovation in the firewall by enabling unprecedented visibility and control of applications and content - by user, not just IP address - at up to 10Gbps with no performance degradation. Based on patent-pending App-IDTM technology, Palo Alto s next generation firewalls accurately identify applications - regardless of port, protocol, evasive tactic or SSL encryption - and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation. About the author: Frank Staut is a senior consultant and co-founder of the company SecureLink. Frank has more than 15 years of experience in the networking and security market space. He holds a degree in engineering and a number of industry certifications. By Frank Staut 17