Today, IT must ensure secure access to corporate
In theory, with company-issued, IT-controlled laptops, IT has traditionally had the option to lock down the operating system to prevent the installation of potentially insecure or non-approved applications. Nowadays, though, employees demand the same freedom-of-technology at work as they have in their personal lives. This consumerization of IT (as well as the budgetary incentive of offsetting inventory costs) has led companies to establish “bring your own device” (BYOD) policies that enable employees to select their own personal mobile devices for use at work.
For laptops using applications running on standard Windows®, Macintosh® and Linux® operating systems, consumerisation and BYOD has resulted in an open, uncontrolled “wild west” application environment. In effect, end users can install any applications they like, even those that are potentially insecure or dangerous and not sanctioned for corporate use, without any additional layer of security screening or review. If a laptop compromised by insecure applications logs into the network, it presents a direct threat to corporate resources. Because of their open application environment, these laptops also require device interrogation to enable IT to see if the proper security applications are running on the device, and enforce a security policy to allow, quarantine or deny access to the device and/or user based on the defined security policy of the company. For these unmanaged laptops, security demands using reverse proxy portal access or a virtual private network (VPN) tunnel with endpoint control.
Furthermore, other administrative distinctions include ease of use, deployment and administration, as well as unified clients and security policy. For instance, unlike laptops, smartphone devices often come pre-loaded with IPSec/L2TP tunnelling agents. However, these agents are not pre-configured, so the user or IT administrator still has to configure the client. Moreover, deploying these tunnelling agents across other mobile laptop devices can affect IT administrative overhead. Alternately, IT can deploy a reverse proxy or web portal solution universally across mobile devices without the need for manually deploying individual IPSec/L2TP clients.
Taking the important distinctions above into account, best practices for securing mobile access for laptops and smartphones are in many ways similar. For instance, both laptops and smartphones may connect to the network remotely over wireless connections, and are subject to man-in-the-middle attacks. As a result, both laptops, smartphones and tablets require encrypted access through a VPN to ensure the confidentiality of communications outside the network.
IT must also have the ability to scan all traffic to ensure network integrity and security. Organizations are grappling with the reality that mobile devices are not only conduits of information flow but, unfortunately, also a delivery vehicle for malware into networks, either inadvertently or intentionally.
Different security practices apply depending upon whether the mobile devices are connecting from outside or inside the network perimeter.
Securing access from outside the perimeter
- Establish reverse web-proxy: By providing standard web browser access to web resources, reverse proxies can authenticate and encrypt web-based access to network resources. Reverse proxy delivers access agnostically to both laptop and smartphone platforms, thus minimising deployment overhead.
- Establish SSL VPN tunnels: Agent-based encrypted SSL VPN tunnels add easy “in-office” network-level access to critical client-server resources from both laptops and smartphones.
- Deploy endpoint control for laptops: To help establish and enforce acceptable security policy compliance for managed and unmanaged Windows, Macintosh and Linux laptops, endpoint control can determine the presence of security applications and allow, quarantine or deny access based on security policy and user identity. As addressed above, this is very important for laptops, but less important for smartphones due to their white-listed app distribution environment.
- Create a secure virtual desktop for laptops: Secure virtual desktop environments can prevent users from leaving sensitive data behind on unmanaged Windows laptops.
- Apply cache cleaner technology for laptops: The cache cleaner can remove all tracking information from the laptop once the user closes the browser.
- Scan VPN traffic through the Next-Generation Firewall (NGFW): Both laptops and smartphones can act as conduits to enable malware to cross the network perimeter, even over WiFi or 3G/4G connections. Integrated deployment with an NGFW establishes a Clean VPN that decrypts and then scans all the content. NGFW gateway security measures (Anti-Virus/Anti-Spyware, Intrusion Prevention Service) can decontaminate threats before they enter the network.
- Add strong authentication for both laptops and smartphones: An effectively secure solution should integrate seamlessly with standard authentication methods such as two-factor authentication and one-time passwords.
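The endpoint-control step above maps device posture and user identity to an allow, quarantine or deny decision. The following is an added illustration of that policy logic, not SonicWall's own code; the posture fields, group names and the constructed device reports are assumptions.

```python
"""Endpoint-control decision: (laptop posture, user identity) -> allow / quarantine / deny."""
from dataclasses import dataclass, field

ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"
LAPTOP_OS = {"windows", "macos", "linux"}          # platforms that get interrogated
MAX_SIGNATURE_AGE_DAYS = 7                          # assumed policy threshold


@dataclass
class Posture:
    """Facts a (hypothetical) interrogation agent reports about the endpoint."""
    os: str
    managed: bool                 # IT-controlled build, or a personal BYOD laptop
    antivirus_running: bool
    firewall_enabled: bool
    av_signature_age_days: int = 0


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def evaluate(posture: Posture, user: User) -> tuple[str, str]:
    """Return (decision, reason). Identity is checked first, then laptop posture."""
    if "vpn-users" not in user.groups:
        return DENY, "user is not entitled to remote access"
    if posture.os not in LAPTOP_OS:
        # Smartphones use a white-listed app store; the page treats interrogation as less critical.
        return ALLOW, "smartphone platform; no endpoint interrogation required"
    if not posture.antivirus_running and not posture.firewall_enabled:
        return DENY, "no security applications detected on laptop"
    if not posture.antivirus_running or posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return QUARANTINE, "anti-virus missing or signatures stale; remediation access only"
    if not posture.firewall_enabled and not posture.managed:
        return QUARANTINE, "unmanaged laptop without personal firewall"
    if not posture.firewall_enabled:
        return QUARANTINE, "managed laptop with firewall disabled; re-enable before full access"
    return ALLOW, "endpoint posture meets policy"


def decide_all(reports: list[tuple[Posture, User]]) -> list[str]:
    """Evaluate a batch of constructed interrogation reports (used by the sample below)."""
    return [evaluate(p, u)[0] for p, u in reports]


# Constructed sample reports, not real telemetry.
SAMPLE = [
    (Posture("windows", True, True, True, 1), User("alice", {"vpn-users"})),
    (Posture("macos", False, True, True, 30), User("bob", {"vpn-users"})),
    (Posture("linux", False, False, False), User("carol", {"vpn-users"})),
    (Posture("ios", False, False, False), User("dan", {"vpn-users"})),
    (Posture("windows", True, True, True), User("eve", {"guests"})),
]
```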
Securing access from inside the perimeter
- Scan WiFi traffic over NGFW: Integrating NGFW with 802.11 a/b/g/n wireless connectivity creates a Clean Wireless™ network when the user is inside the perimeter.
- Control app traffic: In general, mobile device apps are either critical business solutions or personal time-wasters. A Clean VPN solution featuring application intelligence, control and visualisation can enable IT to define and enforce how application and bandwidth assets are used.
- Prevent data leakage: Data leakage protection can scan outbound traffic for watermarked content.
- Block inappropriate web access: Content filtering can help mobile users comply with regulatory mandates by ensuring a non-hostile network environment.
- Block outbound botnet attacks: Anti-malware can identify and block outbound botnet attacks launched from mobile devices connected to the network. Should reallocate budget to uses that are more productive.
SonicWall mobility solutions
To implement these best practices, IT requires solutions with the capability to enforce them.
- SonicWall Aventail™ E-Class Secure Remote Access (SRA) Series, SRA Series for Small-to-Medium-Sized Businesses (SMB), and SonicWall Next-Generation Firewalls deliver easy, policy-driven SSL VPN access to critical network resources from an extensive range of mobile device platforms, including Windows, Mac and Linux-based laptops, Windows Mobile, iOS, Google Android and Nokia Symbian smartphones.
Aventail SSL VPN solutions provide Secure ActiveSync® Support for access to Microsoft Exchange email, contact and calendar services from iOS, Android, Symbian, Windows Mobile and Windows Phone 7 smartphone and tablet devices. SonicWall Device Identification lets administrators chain a specific smartphone or tablet to a specific user so, in the event that phone is lost or stolen, they can quickly revoke corporate access.
- SonicWall Aventail Advanced End Point Control (EPC) (available for Windows, Mac and Linux-based devices) integrates unmanaged endpoint protection, encrypted virtual Secure Desktop and comprehensive cache control. EPC offers advanced endpoint detection and data protection for enterprises, by interrogating endpoint devices to confirm the presence of all supported anti-virus, personal firewall and anti-spyware solutions from leading vendors such as TrendMicro®, McAfee®, Symantec®, ComputerAssociates®, Sophos®, KasperskyLab® and many more.
- SonicWall Aventail SecureDesktop creates a virtual session on Windows laptops that enables users to browse the Internet, check email and work with personal files using client/server applications. Once the session is over, all sensitive data is removed automatically and thoroughly from the unmanaged laptop.
- SonicWall Aventail Cache-Control extends beyond basic cache cleaning to purge browser cache, session history, cookies and passwords.
- SonicWall Mobile Connect™ unified client app solutions for iOS and Google Android provide smartphone and tablet users with superior network-level access to corporate, academic and government resources over encrypted SSL VPN. Only SonicWall offers Clean VPN (when deployed with a SonicWall Next-Generation Firewall) to authorise, decrypt and remove threats from iOS (Apple iPad, iPhone and iPod touch) or Android traffic over SSL VPN outside the network perimeter. Additionally, SonicWall Application Intelligence and Control enables IT to define and enforce how application and bandwidth assets are used. Users can download and install the app easily via the App Store or Google Play, providing secure SSL VPN connections to SonicWall Aventail E-Class SRA, SRA for SMB or SonicWall Next-Generation Firewall appliances. In addition, SonicWall Aventail Connect Mobile™, in combination with SonicWall Aventail E-Class SRA appliances, provides a remote access solution for Windows Mobile smartphones and Google Android smartphones and tablets. Both mobile clients provide “in-office” access optimised for the device, combining a seamless network experience for users with a single centrally managed gateway for mobile access control.
- SonicWall Aventail E-Class SRA solutions support Vasco, RSA, Active Directory, LDAP, RADIUS and ACE authentication, as well as integrated One-Time Password (OTP) generation for two-factor authentication.
- SonicWall Clean VPN delivers the critical dual protection of SSL VPN and high-performance Next-Generation Firewall necessary to secure both VPN access and traffic. The multi-layered protection of Clean VPN enables organisations to decrypt and scan for malware on all authorised SSL VPN traffic before it enters the network environment. Clean VPN protects the integrity of VPN access by establishing trust, for remote users and their endpoint devices, using enforced authentication, data encryption and granular access policy. Simultaneously, Clean VPN secures the integrity of VPN traffic by authorising this traffic, cleaning inbound traffic of malware, and verifying all outbound VPN traffic in real time.
- SonicWall Clean Wireless delivers secure, simple and cost-effective distributed wireless networking by integrating universal 802.11 a/b/g/n wireless features with an enterprise-class firewall/VPN gateway.
- SonicWall Application Intelligence and Control can maintain granular control over applications, prioritise or throttle bandwidth, and manage website access. Its comprehensive policy capabilities include restricting transfer of specific files and documents, blocking email attachments using user-configurable criteria, customising application control, and denying internal and external web access based on various user-configurable options.
- The SonicWall Application Flow Monitor provides real-time graphs of applications, ingress and egress bandwidth, active website connections and user activity. This visualisation capability enables administrators to effectively monitor and revise policy based on critical observations.
The differences between laptops and smartphones affect the security approach, particularly in the areas of device interrogation and VPN client provisioning.
Still, corporations, academic institutions and government entities must require both laptops and smartphones to support strong VPN or remote proxy connectivity when used outside of the corporate network to ensure data confidentiality and security while taking advantage of external wireless connectivity, hot spots, etc.
When used inside the corporate network, laptops and smartphones should be able to take advantage of all the protection and security offered from leading-edge Next-Generation Firewall technology. IT must be able to guarantee critical bandwidth to critical applications, while limiting the negative impact of undesired traffic.
SonicWall solutions, including SSL VPN, Mobile Connect, Clean VPN, and Next-Generation Firewalls with application intelligence, control and visualisation, can help organisations easily implement the best practice to secure smartphone use in corporate network environments.