
MOBILE DEVICE MANAGEMENT (MDM)

The function of mobile device managers, also known as mobile device management (MDM), is to deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.

 

These devices consist not only of mobile phones, smartphones, and tablets but also notebooks, laptops, and any other user devices that connect back to the corporate network and that can physically be moved from the office to the home, hotels, and other remote locations offering public Internet connectivity. Specific functions provided by MDM include the following:

 

§  Enforcement of a PIN lock (that is, locking a device after a set threshold of failed login attempts has been reached).

 

§  Enforcement of strong passwords for all BYOD devices. Strong password policies can also be enforced by an MDM, reducing the likelihood of brute-force attacks.

 

§  Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting to use these compromised devices on the corporate network. MDM can be used to detect these types of actions and immediately restrict a device’s access to the network or other corporate assets.

 

§  Enforcement of data encryption requirements based on an organization’s security policies and regulatory requirements. MDM can ensure that only devices that support data encryption and have it enabled can access the network and corporate content.

 

§  Provide the ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.

 

§  Administration and execution of data loss prevention (DLP) for BYOD devices. DLP prevents authorized users from doing careless or malicious things with critical data.

 

MDM DEPLOYMENT OPTIONS

Within the BYOD solution, there are generally two available options for deployment of MDM, as described in the sections that follow.

 

ON-PREMISE MDM DEPLOYMENT

In an on-premise deployment, MDM application software is installed on servers that are located within the corporate data center and are completely supported and maintained by the network staff of the corporation.

 

The benefits of having an on-premise MDM solution include greater control over management of the BYOD solution, a potentially higher degree of security, particularly with respect to intellectual property, and, depending on the vertical in which the organization resides, an easier means of meeting certain regulatory compliance.

 

Figure 1: Diagram of On-Premise MDM

 

 

 

The on-premise MDM solution diagram shown in Figure 1 above consists of the following topology and network components:

 

Data center:

In addition to the core and distribution layer switches, the data center consists of the Cisco ISE to enforce posture assessment and access control as well as DNS/DHCP servers to provide DNS/DHCP services for network connectivity, a CA server to enable onboarding of endpoints that meet certificate requirements for access to the corporate network, and an AD server that restricts access to only those users with valid authentication credentials.

 

Internet edge:

The Internet edge, in addition to providing connectivity to the public Internet, includes an ASA firewall to enforce security controls for all traffic going to and coming from the Internet. Also located in the Internet edge layer is a WLC, which is dedicated to any of the APs in the network to which guest users can connect. The last key component in the Internet edge layer is the on-premise MDM, which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices that require connectivity to the corporate network.

 

Services:

In Figure 1, this module contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate network (for example, Network Time Protocol [NTP]) can potentially be found within the Services module.

 

Core:

There are no other functions served by the Core module for the BYOD solution beyond what it normally provides. The Core serves as the main distribution and routing point for all network traffic traversing the corporate network environment.

 

Campus building:

A distribution switch provides the main ingress/egress point for all network traffic entering and exiting from the campus environment. All users requiring network connectivity within the campus building do so through either hardwired connections to the access switches or via WLAN access to the corporate APs.

 

CLOUD-BASED MDM DEPLOYMENT

In a cloud-based MDM deployment, MDM application software is hosted by a managed service provider who is solely responsible for the deployment, management, and maintenance of the BYOD solution.

 

The benefits of having a cloud-based MDM solution include a much simpler solution from a customer perspective because the customer is no longer responsible for configuring, operating, and maintaining the MDM software. Giving up this control, however, brings with it some potential concerns about the overall security of the solution. The cloud-based solution also brings with it greater scalability, flexibility, and speed of deployment over an on-premise MDM solution.

 

Figure 2: Diagram of Cloud-Based MDM

 

 

 

The cloud-based MDM solution diagram shown in Figure 2 consists of the following topology and network components:

 

Data Center:

In addition to the core and distribution layer switches, the data center consists of the Cisco ISE to enforce posture assessment and access control, in addition to DNS/DHCP servers to provide DNS/DHCP services for network connectivity, a CA server to enable onboarding of endpoints that meet certificate requirements for access to the corporate network, and an AD server that restricts access to only those users with valid authentication credentials.

 

Internet edge:

The Internet edge, in addition to providing connectivity to the public Internet, includes an ASA firewall to enforce security controls for all traffic going to and coming from the Internet. Also located in the Internet edge layer is a WLC that is dedicated to any of the APs in the network to which guest users can connect.

 

WAN:

The WAN module, which you didn’t see within the on-premise MDM solution, serves three primary functions for the BYOD solution: (1) it provides MPLS VPN connectivity for the branch office back to the corporate network, (2) Internet access for the branch office, and (3) access to the cloud-based MDM functionality. As with the on-premise solution, the cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all of the BYOD devices that require connectivity to the corporate network.

 

WAN edge:

The primary function of the WAN edge is to serve as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office environment.

 

Services:

In Figure 2, this module contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate network (for example, NTP) can potentially be found within the Services module.

 

Core:

There are no other functions served by the Core module for the BYOD solution beyond what it normally provides. The Core serves as the main distribution and routing point for all network traffic traversing the corporate network environment.

 

 

Branch office:

In Figure 2, a pair of routers provides the main ingress/egress point for all network traffic entering and exiting from the branch office environment. All users requiring network connectivity within the branch office do so through either hardwired connections to the access switches or via WLAN access to the corporate APs.

 

 

 

THE END

 

 

BYOD ARCHITECTURE FRAMEWORK

There are many different ways to implement a BYOD solution, and each organization must decide on the level of openness and flexibility it wants to enable its employees in terms of the type of devices they can connect and the amount of access each of these devices will be granted.

 

The bottom line, however, is that the organization’s security policy must be leveraged to govern the level of access for BYOD devices, and then certain technologies will be used to ensure the security policy is managed and enforced.

 

The Cisco BYOD solution architecture leverages the Cisco Borderless Network Architecture and is based on the assumption that best common practices (BCP) are followed in network designs for campus, branch offices, Internet edge, and home office implementations.

 

Figure 1 shows a high-level view of the Cisco BYOD solution architecture. Each of the components of the Cisco BYOD solution is explained in detail in the following section.

 

Figure 1: High-Level BYOD Solution Architecture

 

 

 

BYOD SOLUTION COMPONENTS

Each of the following components makes up the Cisco BYOD solution. See Figure 1 for an idea about where each respective Cisco component fits in topologically within the overall Cisco BYOD solution:

 

BYOD devices:

These are the corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location. This physical location can be within the corporate campus, the branch office, the home office, or from a public location such as a coffee shop or hotel. BYOD devices include laptops, smartphones, tablets, e-readers, and notebooks.

 

 

Wireless access points (AP):

Cisco wireless APs provide wireless network connectivity to the corporate network for both corporate-owned and personally owned BYOD devices. These APs can be physically located in the corporate campus, the branch office environment, or in the home offices of the employees.

 

Wireless LAN (WLAN) controllers:

Cisco WLAN controllers (WLC) serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution. WLCs are used to implement and enforce the security requirements for the BYOD solution that map back to an organization’s security policies. The WLC works with the Cisco Identity Services Engine (ISE) to enforce both authentication and authorization policies on each of the BYOD endpoints that require connectivity to the corporate network, both directly and remotely.

 

Identity Services Engine (ISE):

The Cisco ISE is a critical piece to the Cisco BYOD solution. It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization.

 

Cisco AnyConnect Secure Mobility Client:

The Cisco AnyConnect Client provides connectivity for end users who need access to the corporate network. For users within the corporate campus, branch, and home offices, the AnyConnect Client leverages 802.1X to provide secure access to the corporate network. For users who are using public Internet access (coffee shops, hotels, and so on), the AnyConnect Client provides secure VPN connectivity, including posture checking, for the user’s BYOD device.

 

Integrated Services Routers (ISR):

Cisco ISRs will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments. In addition, the ISR will provide both wired and WLAN connectivity in the branch office environments. Finally, the ISRs can be leveraged to provide VPN connectivity for mobile devices that are part of the BYOD solution.

 

Aggregation Services Routers (ASR):

Cisco Aggregation Services Routers (ASR) provide WAN and Internet access at the corporate campus and serve as aggregation points for all the branch and home office networks connecting back to the corporate campus for the Cisco BYOD solution.

 

Cloud Web Security (CWS):

Formerly ScanSafe, Cisco Cloud Web Security (CWS) provides enhanced security for all the BYOD solution endpoints while they access Internet websites using publicly available wireless hotspots and 3G, 4G, and 4G LTE mobile networks.

 

Adaptive Security Appliance (ASA):

The Cisco ASA provides all the standard security functions for the BYOD solution at the Internet edge. In addition to traditional firewall and intrusion prevention system (IPS) functions, the ASA also serves as a VPN termination point for mobile devices connecting over the Internet from home offices, branch offices, public wireless networks, and 3G/4G/4G LTE mobile networks.

 

RSA SecurID:

The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication.

 

Active Directory:

The Active Directory (AD) server enforces access control to the network, to servers, and to applications. It restricts access to those users with valid authentication credentials.

 

Certificate authority:

The certificate authority (CA) server provides for, among other things, the onboarding of endpoints that meet certificate requirements for access to the corporate network. The CA server ensures that only devices with corporate certificates can access the corporate network.

 

 

THE END

 

 

 

INTRODUCTION TO BRING YOUR OWN DEVICE (BYOD)

 

 

INTRODUCTION

The concept of BYOD brings with it the constant challenge for network and security administrators, engineers, and management. This challenge is to provide seamless connectivity for users bringing their own network-connected devices while also maintaining an appropriate security posture.

 

The organization must provide a level of security that meets the organization’s security policies and ensures that network devices, systems, and data do not get compromised through the proliferation of vulnerable devices starting with the devices brought in by employees from “the outside.”

 

It is no longer a “nice to have” to enable an organization’s users to use their own devices both on the corporate network and remotely—home, hotels, coffee shops, and so on—through the use of encrypted virtual private networks (VPN). Employees not only demand but, in today’s business landscape, legitimately need to be able to use their devices to connect to and from any network-enabled location in the world.

 

Following are a number of business reasons that are driving the need for BYOD solutions:

 

Wide variety of consumer devices:

It seems like every day there is a new vendor, a new device, or a new version of an existing device that requires connectivity to the Internet. It used to be simple when we had PCs that remained “fixed” to our desks at work, each one with a direct connection, via an Ethernet cable, to the corporate network. Now we have laptops, smartphones, and tablets, all of which not only require connectivity to the network but which also get carried throughout the office and to and from home, all while having connectivity to the Internet in some fashion.

 

 

 

Blurred lines between work and play:

The term 9 to 5 used to signify the rigid start and end times of our (well, for those of us old enough to be working back then) traditional 8-hour work day. Obviously, times have changed and, not only have the start and end times changed, but we don’t even necessarily have a defined work “day.” We work on our commute to work, we work during lunch, we work on our commute home, we work at nights, and we work while watching our kids play baseball, softball, basketball, and ice hockey on the weekends! Heck, some of us even work while on vacation—now that sounds like an oxymoron.

 

Connect me anytime, anywhere:

End users expect to be able to connect their devices whenever and wherever they may be regardless of whether they are “on the clock.” These needs are satisfied by the continuing growth of wireless networks, 3G/4G mobile networks, and publicly available wireless networks at coffee shops, hotels, and so on.

 

 

THE END

 

 

METHODS AVAILABLE FOR MALWARE IDENTIFICATION

 

 

While by no means an exhaustive list, the following tools and technologies provide network engineers with the ability to identify the existence of malware on the network:

 

Packet captures: Collecting, storing, and analyzing the raw packets that are traversing the network is certainly one way of inspecting traffic for the presence of malware. Although packet captures provide the most granular look into the traffic that is on the network, one primary hurdle in the use of packet capture for malware identification is the fact that you are looking for the proverbial “needle in a haystack” due to the volume of data generated by packet captures.

 

Snort: Snort is an open source intrusion detection and prevention technology developed by the founder of Sourcefire (now a part of Cisco). The speed, power, and performance of Snort have made it the most popular intrusion detection/prevention system (IDS/IPS) technology in the world. The Snort engine consists of threat identification, detection, and prevention components that combine to reassemble traffic, prevent evasions, detect threats, and output information about advanced threats while minimizing false positives and missing legitimate threats (false negatives).

 

NetFlow: Packet capture is often referred to as micro-analytical in terms of the granularity of data being analyzed, but NetFlow data is considered more of a macro-analytical approach. The use of NetFlow data collection consists of the creation of buckets or flows of data that are based on a set of predefined parameters such as source IP address, source port, destination IP address, destination port, IP protocol, ingress interface, and type of service (ToS).

 

Each time one of these parameters differs, a new flow is created. Flows are stored locally on the device for a configured time interval, after which time the flows are exported to external collectors. Although NetFlow data will not provide the same details sometimes needed for the identification of malware on the network, it can serve as an excellent tool in the toolbox to help trace back evidence of a compromise once some of the details of the malware become known to network security administrators.
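The flow-creation and export behaviour described above, as an added example that is not part of the original article: a small flow cache in Python keyed on the seven NetFlow fields, with an inactive timeout that exports idle flows to a collector list, and a trace-back search over the exported flows for an indicator learned later. The packets, addresses, interface name and timeout value are constructed sample data.

```python
"""Toy NetFlow-style flow cache built from constructed packet records (added example).

A flow is keyed on the seven NetFlow fields (source IP, source port, destination IP,
destination port, IP protocol, ingress interface, ToS). A packet whose key matches no
cached flow starts a new flow; flows idle longer than the inactive timeout are exported
(moved to the 'collector' list). trace_back() then searches exported flows for a
destination that became known only after the malware was analysed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, int, str, int]  # the 7 NetFlow key fields


@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


@dataclass
class FlowCache:
    inactive_timeout: float = 15.0  # seconds of silence before export (constructed value)
    active: Dict[FlowKey, Flow] = field(default_factory=dict)
    exported: List[Flow] = field(default_factory=list)

    def observe(self, ts, src, sport, dst, dport, proto, iface, tos, length):
        """Account one packet; any difference in the key fields creates a new flow."""
        self.expire(ts)
        key = (src, sport, dst, dport, proto, iface, tos)
        flow = self.active.get(key)
        if flow is None:
            flow = Flow(key, ts, ts)
            self.active[key] = flow
        flow.last_seen = ts
        flow.packets += 1
        flow.bytes += length

    def expire(self, now):
        """Export flows that have been idle longer than the inactive timeout."""
        idle = [k for k, f in self.active.items() if now - f.last_seen > self.inactive_timeout]
        for key in idle:
            self.exported.append(self.active.pop(key))


def trace_back(flows, dst_ip, dst_port):
    """Return internal sources that talked to a destination learned from malware analysis."""
    return sorted({f.key[0] for f in flows if f.key[2] == dst_ip and f.key[3] == dst_port})


def build_sample_cache():
    """Feed constructed packets through the cache and force a final export."""
    # (ts, src, sport, dst, dport, proto, iface, tos, length) -- all constructed
    packets = [
        (0.0, "10.1.1.20", 51000, "203.0.113.9", 443, 6, "Gi0/1", 0, 120),
        (0.5, "10.1.1.20", 51000, "203.0.113.9", 443, 6, "Gi0/1", 0, 1500),
        (1.0, "10.1.1.31", 40022, "198.51.100.7", 8443, 6, "Gi0/1", 0, 90),
        (1.2, "10.1.1.20", 51001, "203.0.113.9", 443, 6, "Gi0/1", 0, 120),  # new sport: new flow
        (30.0, "10.1.1.20", 51000, "203.0.113.9", 443, 6, "Gi0/1", 0, 60),  # after timeout: fresh flow
        (31.0, "10.1.1.44", 40500, "198.51.100.7", 8443, 6, "Gi0/1", 0, 90),
    ]
    cache = FlowCache()
    for p in packets:
        cache.observe(*p)
    cache.expire(now=100.0)  # end of the export interval: flush everything to the collector
    return cache
```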

 

IPS events: When using IPS devices on your network, it is possible to leverage the alarms triggered on the IPS device as an emergency flare that network traffic should be further analyzed for the presence of malware. Often, IPS devices have signatures for specific strains of malware, which, when triggered, can be an indication that malicious traffic exists on the network.

 

Advanced Malware Protection: Cisco Advanced Malware Protection (AMP) is designed for Cisco FirePOWER network security appliances. It provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats. AMP helps to identify inconspicuous attacks by continuously analyzing and monitoring files after they’ve entered the network, utilizing retrospective security alerts to help administrators take action during and after an attack, and provides multi-source indications of compromise to aid in the correlation of discrete events for better detection.

 

NGIPS: The Cisco FirePOWER next-generation intrusion prevention system (NGIPS) solution provides multiple layers of advanced threat protection at high inspection throughput rates. The NGIPS threat protection solution is centrally managed through the Cisco FireSIGHT Management Center and can be expanded to include additional features such as AMP, application visibility and control, and URL filtering.

 

 

 

THE END

 

 

SOCIAL ENGINEERING METHODS

 

 

Malicious actors employ social engineering by relying on the human element of networking to find and create holes in the fortress known as cyber security. Social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. Even with these safeguards, hackers commonly manipulate employees into compromising corporate security.

 

Victims might unknowingly reveal the sensitive information needed to bypass network security, or even unlock workplace doors for strangers without identification. Although attacks on human judgment are immune to even the best network defense systems, companies can mitigate the risk of social engineering with an active security culture that evolves as the threat landscape changes.

 

SOCIAL ENGINEERING TACTICS

Common forms of social engineering include the following:

 

§  Phishing: Phishing elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.

 

§  Malvertising: This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

 

§  Phone scams: It is not uncommon for someone to call up an employee and attempt to convince them to divulge information about themselves or others within the organization. An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack, reconnaissance mission, and so forth.

 

DEFENSES AGAINST SOCIAL ENGINEERING

A security-aware culture must include ongoing training that consistently informs employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security. This emphasis on security helps employees understand the potential risk of social-engineering threats, how they can prevent successful attacks, and why their role within the security culture is vital to corporate health.

 

Security-aware employees are better prepared to recognize and avoid rapidly changing and increasingly sophisticated social-engineering attacks, and are more willing to take ownership of security responsibilities.

 

Official security policies and procedures take the guesswork out of operations and help employees make the right security decisions. Such policies include the following:

 

Password management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.

 

Two-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.

 

Antivirus/antiphishing defenses: Multiple layers of antivirus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social-engineering attacks.

 

Change management: A documented change-management process is more secure than an ad hoc process, which is more easily exploited by an attacker who claims to be in a crisis.

 

Information classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.

 

Document handling and destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.

 

Physical security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

 

 

THE END
