Safeguarding mobile device access
Many employees bring personal mobile devices to work for accessing data and applications. Organizations are rapidly embracing this bring-your-own-device (BYOD) approach as a way to increase worker productivity. However, before permitting access to the enterprise network, IT must find a way to safeguard the corporate environment by ensuring that employee mobile devices do not introduce malware and bots.
Just as importantly, the organization must control who can have access to which data. Further, the introduction of unmanaged devices may diminish network productivity by consuming bandwidth needed by business-critical applications.
Before extending current remote-access policies to include mobile devices, organizations are well advised to identify the similarities and differences between portable-computer remote-access security and smartphone remote-access security. With these distinctions in mind, IT organizations can implement best practices to help ensure the security of communications from both inside and outside the network perimeter.
Security distinctions: portable PCs vs. smartphones
Given their compute power, today’s smartphones could be considered a class of portable computer. Yet, portable computers such as laptops and notebooks differ from smartphones in several important ways, some of which affect security. To maintain a safe network, IT administrators first must consider key remote-access issues and then identify when to make similar provisions for both portables and smartphones and when to make separate or specialized provisions.
The fundamental security practice for remote-access devices, including portables and smartphones, is to start with an enterprise-level Secure Sockets Layer (SSL) virtual private network (VPN). ("SSL VPN" is the name of the product category; the transport itself should be a current TLS version, since SSL 3.0 has long been deprecated.) By acting as an intermediary between the enterprise network and the mobile device, a reverse proxy published through the SSL VPN gives IT a high degree of control over end users and data: the device never joins the internal network at the IP layer and can reach only the web applications that have been published to it. That containment is also what limits the damage a malware-infected device can do. In this scenario, portables and smartphones benefit from the same solution.
For end users who require direct network access, SSL VPN tunnel access should also be considered. In this situation, however, the device is attached to the network at the IP layer, so all traffic must be scanned for malware and intrusions. One basic strategy is to deploy a next-generation firewall positioned after, or integrated into, the point where the SSL VPN tunnel terminates, because that is where the traffic is available in the clear. A next-generation firewall is designed to decrypt and scan content from remote devices and to block or strip threats before they enter the network. It is equally effective on traffic from portables and smartphones.
Applications on portables and smartphones are also important to consider when securing remote access. With company-issued, IT-controlled laptops, IT has the option of locking down the operating system to prevent the installation of potentially insecure applications. However, for employee-owned laptops running standard Microsoft® Windows®, Macintosh® and Linux® operating systems, consumerization and BYOD have resulted in an open, uncontrolled application environment.
If a laptop that is compromised by insecure applications logs in to the network through remote access, it presents a direct threat to an organization’s resources. The highly flexible nature of laptops allows end users to download any application. Accordingly, IT organizations should perform device interrogation on remote laptops to determine whether inappropriate applications are active and the proper security applications are running.
Endpoint-control and interrogation software helps enforce security policies by correlating information about the device, the person using it, what is on the device and what is absent from the device. This correlation enables the software to automatically modify security on the fly to open or narrow access to information. Powerful tools are available that allow for this deep interrogation of laptops without requiring additional infrastructure beyond an enterprise-level SSL VPN solution.
In contrast, the issues raised by arbitrary apps on smartphones differ from those on portable computers because of the devices’ different distribution models. Most smartphone apps are downloaded through curated app stores. The store operators review submissions, which raises the bar for malicious apps, though it must be noted that review cannot guarantee an app is secure. Provisioning tools, distribution software and mobile device management (MDM) solutions may also help strengthen security.
However, smartphones can be rooted or jailbroken so that any app can be loaded on the device. Once compromised in this way, the phone becomes as dangerous as an unmanaged, uninspected laptop. So, as part of a fundamental security approach for employee-owned smartphones, remote-access systems should perform device interrogation and check for rooted or jailbroken devices before allowing network access, and should automatically block connectivity for compromised smartphones. Because the check runs on the very device being assessed, a determined user can attempt to hide the jailbreak from it; treat detection as a best-effort control that raises the cost of misuse, not as proof that the device is clean.
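To make the interrogation step from the laptop and smartphone passages above concrete, the following added example (written for this edit, not Dell or SonicWALL code) models a gateway-side policy that takes a posture report from an endpoint agent, correlates device type, user group and the apps present or absent on the device, and returns an access tier. The report fields, app names, group names and the policy tables are all assumptions; a real VPN product exposes its own equivalents.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Access tiers returned by the gateway policy.
FULL = "full"              # network-level tunnel access
RESTRICTED = "restricted"  # reverse-proxy (web-only) access
BLOCKED = "blocked"        # no connectivity

# Policy tables (assumed for illustration; a real deployment defines its own).
REQUIRED_LAPTOP_APPS = {"endpoint-av", "disk-encryption"}   # must be running
FORBIDDEN_APPS = {"torrent-client", "remote-control-tool"}  # must be absent
TUNNEL_GROUPS = {"engineering", "it"}                       # may use the tunnel


@dataclass
class PostureReport:
    """What the endpoint agent tells the gateway about a device (assumed schema)."""
    device_id: str
    user: str
    groups: set[str]
    device_type: str                 # "laptop" or "smartphone"
    running_apps: set[str] = field(default_factory=set)
    rooted: bool = False             # jailbreak/root detection result
    os_patched: bool = True          # agent's "OS up to date" flag


def evaluate(report: PostureReport) -> tuple[str, list[str]]:
    """Correlate device, user and installed software; return (tier, reasons)."""
    reasons: list[str] = []

    # 1. Hard block: a rooted or jailbroken phone is treated like an
    #    unmanaged, uninspected laptop and gets no connectivity at all.
    if report.device_type == "smartphone" and report.rooted:
        return BLOCKED, ["jailbreak/root detected"]

    # 2. What is on the device that should not be.
    forbidden = report.running_apps & FORBIDDEN_APPS
    if forbidden:
        reasons.append("forbidden apps running: " + ", ".join(sorted(forbidden)))

    # 3. What is absent that should be present (laptops run the required
    #    agents; smartphones are assumed to be covered by MDM instead).
    if report.device_type == "laptop":
        missing = REQUIRED_LAPTOP_APPS - report.running_apps
        if missing:
            reasons.append("required apps missing: " + ", ".join(sorted(missing)))

    if not report.os_patched:
        reasons.append("OS not patched")

    # 4. Who is using it: only entitled groups get network-level access.
    if not (report.groups & TUNNEL_GROUPS):
        reasons.append("user group not entitled to tunnel access")

    # Any finding narrows access to the reverse proxy instead of denying it.
    return (RESTRICTED, reasons) if reasons else (FULL, [])


# Constructed sample reports (not real devices).
SAMPLE_REPORTS = [
    PostureReport("lt-0001", "alice", {"engineering"}, "laptop",
                  {"endpoint-av", "disk-encryption", "ide"}),
    PostureReport("lt-0002", "bob", {"sales"}, "laptop",
                  {"endpoint-av", "torrent-client"}),
    PostureReport("ph-0003", "carol", {"it"}, "smartphone",
                  {"mail"}, rooted=True),
    PostureReport("ph-0004", "dave", {"it"}, "smartphone",
                  {"mail"}),
]


def decide_all(reports=SAMPLE_REPORTS) -> dict[str, str]:
    """Map each device to its access tier; a gateway would run this per connection."""
    return {r.device_id: evaluate(r)[0] for r in reports}


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        tier, reasons = evaluate(r)
        print(f"{r.device_id} ({r.device_type}, {r.user}): {tier}"
              + (f" because {'; '.join(reasons)}" if reasons else ""))
```

The design choice worth noting is that only a rooted or jailbroken phone is blocked outright; every other finding narrows access to the reverse proxy rather than denying it, which mirrors the "open or narrow access" behaviour described above and keeps web-based work possible while a laptop is out of compliance.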
Connections from inside the network
The rise in popularity of remote computing puts significant security pressures on remote access. Yet mobile devices are used not only remotely, but also from inside the network perimeter. As a result, IT organizations also must consider what impact these devices may have from the inside.
Mobile devices can introduce malware into networks, intentionally or not. Problems occur when portable computers or smartphones compromised outside the corporate network are later brought back inside the perimeter. Client-side controls such as endpoint anti-malware help contain infections before they spread. Still, for robust security, the interior of the network requires a layered strategy. Organizations should take advantage of a next-generation firewall’s ability to scan traffic inside the network, especially from Wi-Fi, as well as traffic entering the network from outside the perimeter.
To help safeguard against these malware threats, IT must scan traffic from portable computers and smartphones that connect from within the perimeter. A next-generation firewall is designed to provide stringent protection from inside the environment by scanning every packet of traffic coming over the internal wireless LAN through anti-virus, intrusion prevention and anti-spyware gateway services (see figure).
Scanning network traffic inside the enterprise perimeter through a next-generation firewall
Next-generation firewalls allow organizations to control malware and set policy on what constitutes acceptable and unacceptable applications. In this way, a next-generation firewall helps IT manage how devices consume critical resources, such as network bandwidth.
The application control functionality in the firewall is designed to allocate bandwidth to critical applications and to constrain or eliminate bandwidth for wasteful applications.
Bandwidth allocation can be set at per-user and per-group levels, which improves the experience and productivity of internal users and curbs wasteful traffic. Next-generation firewalls also provide content filtering on the wired and wireless network, allowing IT to consolidate the functionality of a secure web gateway with the firewall.
Best practices for securing mobile devices
Based on years of experience, the Dell SonicWALL team has developed the following best practices to help IT groups implement a secure BYOD solution. Because each organization has its own particular requirements, these best practices should be considered as guidelines, subject to an organization’s internal assessment.
The following best practices apply to portable computers and smartphones connecting to the network from outside the perimeter:
- Establish a reverse web proxy: By providing standard browser access, reverse proxies can authenticate and encrypt web-based access to network resources for both laptops and smartphones.
- Implement SSL VPN tunnels: Agent-based tunnels add easy network-level access to critical client-server resources.
- Utilize endpoint control and interrogation: Powerful tools are available to enforce security policies via the VPN by correlating what device is being used, who is using it and what is or is not on the device.
- Assume smartphones are running more than white-listed apps: IT should apply jailbreak or root detection and automatically block connectivity for compromised smartphones.
- Scan all remote-access traffic: A next-generation firewall should be deployed to control malware, set policy on acceptable applications and manage how smartphones and portable computers consume critical resources.
- Add authentication: The solution should integrate with standard authentication methods such as two-factor authentication and one-time passwords.
Inside the perimeter
Organizations should consider the following best practices for portable computers and smartphones connecting to the network from inside the perimeter:
- Integrate a next-generation firewall: The firewall should scan all traffic, even from employee-owned laptops and smartphones, to protect the network from intrusions, malware and spyware.
- Define which applications are critical: The application intelligence and control functionality of next-generation firewalls should be used to allocate prioritized bandwidth to critical applications and to throttle or eliminate bandwidth for low-priority applications.
- Monitor network bandwidth: IT should be aware that smartphones are basically portable computers with the ability to generate video and game traffic while on the network.
- Enable content filtering: The content-filtering capabilities of next-generation firewalls should be enabled to comply with company browsing policies, as well as regulatory and legal mandates.
Integrated platforms for implementing BYOD security
Smartphones have joined laptops as de facto network endpoints in organizations ranging from businesses to academic institutions and government entities. When employees use their own laptops and smartphones for work, securing mobile device access is an imperative.
For heightened mobile device security, organizations can deploy solutions such as Dell™ SonicWALL™ appliances, which have the capability to enforce suggested best practices. SonicWALL next-generation firewalls are appliance-based devices that provide application intelligence, control and visualization. The SonicWALL SSL VPN solution comes either as a stand-alone appliance or as a virtual appliance that runs in a VMware® environment on Dell PowerEdge™ servers.
SonicWALL appliances minimize the complexity of delivering anywhere, anytime access to applications from a broad range of devices, helping to increase the productivity of both end users and IT staff.
Patrick Sweeney is Executive Director at Dell, where he oversees the Dell SonicWALL network security, content security and policy management product lines.