VPNs and Common-Sense Policies Make BYOD Safer

By Patrick Oliver Graf, General Manager, NCP engineering

Mobility and bring-your-own-device (BYOD) programs have become staples of today’s workforce. For employees, the ability to use their own personal smartphones, tablets and laptops provides a measure of comfort and convenience. For their employers, it can reduce IT hardware costs and increase productivity by allowing individuals to use devices familiar to them. It’s a win-win.

BYOD also has the added bonus of enabling companies to build custom mobile applications designed for specific business tasks. However, one drawback is that each mobile operating system comes with its own architecture and security concerns. Any company that embraces BYOD and mobile technologies must account for the different platforms its employees use to complete work-related functions.

Aligning Consumer Desires and Business Needs

Most of the personal devices people bring into the workplace are designed and marketed with consumers in mind, not businesses. So how do you reconcile the consumer desires of convenience and style with the functionality and security businesses require? The goal is to allow authorized users to access and transmit sensitive data by way of a secure tunnel that unauthorized third parties cannot intercept. VPNs do exactly that.

However, not all VPNs are alike. IT administrators benefit greatly from versatile solutions that enable them to manage VPN security settings on the various end devices used by their workforces. This offers the flexibility needed to address specific issues that require technical support, and to roll out patches on whatever scale may be needed, whether it’s for one device or 100. It also makes it easier to offer support to individual employees who encounter any IT-related problems...

Expert Q&A: Preventing Mobile Hacking: Must You Take Precautions?

*Editor’s Note: This column originally appeared in TechTarget’s SearchNetworking.com*

Question: How do I protect my mobile devices from intrusions via the network? How much can I rely on my service provider to defend me from mobile hacking?

Rainer Enders, VPN Expert and CTO, Americas, at NCP engineering: In general, service providers of mobile networks do a good job of keeping the networks secure. The public wireless broadband carrier networks incorporate secure storage, mutual authentication and strong encryption, as well as air link ciphering, to keep data secure. However, it is still a good idea to use a device firewall and VPN technology to protect all mobile device communication. Also, keep in mind that, at times, devices roam into far less secure mobile networks, such as Wi-Fi networks and hotspots. An integrated device firewall and IPsec VPN clients are excellent protection mechanisms...

Conversation on Multi-Tenancy in VPNs, Part 2

VPN Haus recently spoke with Rainer Enders, CTO of NCP engineering, about multi-tenancy in VPNs and its advantages. In the final post of this two-part series, we look into some of the drawbacks of multi-tenancy and what it all means for enterprise users. For part one, click here.

Q: Are there any disadvantages to deploying a multi-tenant network? What are they, and how can they be mitigated?

Enders: The main disadvantages of multi-tenant networks come into play at the backend. Great care must be taken that data domains are not breached so that unauthorized access can occur and potentially result in data leakage. From a technical standpoint, data domains must be shielded against unauthorized access in multiple ways, implementing the classical defense-in-depth approach. This can be accomplished by building software/virtual firewalls around the virtual containers. Those firewalls allow for filtering of customer-assigned address spaces as well as protection against traffic that originates in adjacent domains from co-located VMs. Additionally, implementing an integrated AAA approach is mandatory to enforce strict user and device authentication. Centralized authorization and provisioning systems play a key role in this strategy.

Q: Why are multi-tenant VPNs important to the enterprise sector?

Enders: Multi-tenant VPNs play a key role in the service provider sector. The technology serves as a powerful enabler for cloud-based secure services, as it delivers the power and balance of operational and economical scale and efficiency without compromising security to the enterprise network...

Firewall Rule Set Complexity: Good Configuration Comes in Small Policies

By Dr. Avishai Wool

Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection these firewalls provide is only as good as the policy they are configured to implement. It has been said that the single most important factor of your firewall’s security is how you configure it, yet according to feedback provided by payment card brands and PCI auditing firms, 80 percent of firewalls examined in a breach investigation are misconfigured.

Curious about this phenomenon, I obtained rule-sets from a variety of corporations that use the AlgoSec Firewall Analyzer [ed. note: Wool is CTO of AlgoSec]. Considering 36 vendor-neutral configuration errors that create risk behind the firewall, I evaluated more than 80 Check Point and Cisco firewall rule sets. After determining a measure of firewall complexity for each vendor, I discovered that indeed firewalls are poorly configured – and that there is a strong correlation between a rule-set’s complexity and the number of detected configuration errors.

Serious errors are alarmingly frequent. For instance, Microsoft services, which are a vector to numerous Internet worms, are allowed to enter networks from the outside in 42 percent of the surveyed firewalls. Furthermore, among the most complex firewalls, I detected at least 20 errors in 75 percent of the configurations.

Complex firewall rule-sets are too difficult for their administrators to manage effectively. It is safer to limit the complexity of a firewall rule-set. For example, instead of connecting an additional subnet to the primary firewall, which in turn generates more rules and objects, a company can reduce its risk by installing...

What You Need to Know about Branch Networking: Central Management

Last week’s post on Branch Networking focused on High Availability, so this week we’ll take a dive into central management.

As a quick overview, a central VPN management system is required for effective networking of branch offices. Even if there are only a few branch offices, the time and money that have to be spent on local network administration are out of proportion, especially with M2M networking. Central management automates the management of remote / branch office VPN gateways. So the more VPN-relevant systems the central management contains, the simpler and more manageable the network becomes for administrators. Of course, management should include configuration and software updates – but it should also include management of digital software or hardware certificate rollouts, an LDAP console for identity and rights management, and security monitoring of the end-devices (Network Access Control / Endpoint Security).

Example: Authentication

We know a VPN system secures all data transfers in an encrypted tunnel. However, sealing this communication has to take place as early as Internet dial-up, which is the most frequent vantage point for hacker attacks. The core problem is how the branch offices authenticate towards the central gateway. One possibility for authentication is pre-shared keys; another is the use of certificates. For security reasons, certificates are the better option because they can be adapted: old certificates can be revoked and new ones can be issued. Certificate handling has to be organized; i.e. if one certificate expires, the VPN management should offer automatisms that request and issue new certificates.

Often, another security requirement is simply overlooked. The firewall must only...