FedTech Magazine

How to Build a Secure Wireless Network

Mike Chapple — Thu, 17 May 2012 09:55:08 +0000

With cyberthreats becoming more prevalent, agencies need to ensure that the security controls surrounding their wireless networks are up to par.

Securing a wireless network isn't rocket science, yet organizations continue to make fundamental mistakes that jeopardize their security. There are a few simple steps that IT managers should follow to ensure that users are being provided a secure wireless experience. By deploying encryption, security policies and guest access management, an agency can build a secure, reliable wireless network.

Encryption: The Secret Code

The single most important way to secure a wireless network is to protect it with strong encryption. Encryption technology basically scrambles network traffic using mathematical algorithms that prevents eavesdroppers from understanding the content. Encryption is fairly straightforward to set up, but there are two important choices that must be made when using encryption to properly secure a network.

First, choose a good encryption method. Refrain from using the Wired Equivalent Privacy (WEP) encryption algorithm. This technology is outdated, and there are many known vulnerabilities that essentially render it useless. An attacker with a little knowledge and some free tools can defeat WEP encryption in a matter of seconds. Instead, choose Wi-Fi Protected Access (WPA or WPA2) encryption. Both versions employ strong encryption algorithms to protect traffic sent over a wireless network.

Second, choose whether to use a pre-shared encryption key or enterprise authentication technology.

If using pre-shared key authentication, there are some potential vulnerabilities that might allow an attacker to crack an organization's encryption key if it uses a common service set identifier (SSID) for its wireless network. Be sure to check the 1000 Most Common SSIDs from the Wireless Geographic Logging Engine and choose something that's not on the list.

The alternative, enterprise encryption, leverages an existing authentication infrastructure to allow users to join the wireless network using the same username and password they provide to access their computers, e-mail and other enterprise resources. Using enterprise encryption makes dealing with employee terminations a breeze. When an enterprise account is deactivated, a user simultaneously loses access to the wireless network. No key changes are required.

Wireless, BYOD and Visitors

Network administrators have always grappled with the challenges posed by those who want to bring outside devices onto agency networks. In the past, the quick response to those requests was “No, the agency network is limited to agency devices.” Over the past few years, however, two emerging trends have rendered this position indefensible in many environments. First, many agencies are instituting a “bring your own device” (BYOD) strategy that allows employees to bring smartphones, tablets and notebook computers from home into the office, where they expect to have access to the network.

At the same time, agency guests are starting to have the same expectations for ubiquitous network access. While these guests certainly don't need access to agency data, guest network access has become a standard expectation, especially in facilities where cell phone signals might not penetrate to interior conference rooms. Organizations need to develop clear policies around who may join external devices to the network, what access is afforded to those devices, and who may approve such requests.

One increasingly common approach to this problem is to create an open, unsecured wireless network that allows access to the Internet and nothing else. Visitors can then connect their personal devices to this network without affecting the security of agency systems or data. It essentially recreates the coffee shop wireless experience within the facility while isolating the guest network from secure systems. Anyone on the guest network who attempts to access agency resources would have the same experience as if they were working at home: They'd have to secure their connection using a VPN or other security technology.

Battling Rogue Access Points

Once an organization builds a secure wireless network, there's still one big issue to worry about — rogue wireless access points. It's far too easy for an employee, frustrated with security controls or coverage issues, to drop $60 on a wireless AP and connect it to a wired network. This creates a small “private” wireless network that may not be appropriately secured and limits IT staff's visibility into the devices that connect to it.

In order to reduce this risk, conduct periodic scans for rogue APs. This may be as simple as having a technician walk around the building with a notebook running a tool such as NetStumbler to discover wireless networks. Another option is to invest in an automated wireless intrusion prevention system that continuously monitors an environment and automatically alerts IT staff to the presence of rogue wireless networks. These systems fingerprint the unique electronic characteristics of wireless devices to identify APs not on the approved list.

Wireless networking is changing the way employees interact with resources. It is increasingly common for staff to go days or weeks without ever connecting to a traditional wired network. It's essential for the administrators running these networks to understand user behavior and develop secure, flexible options that balance security concerns with agency requirements. Developing solid wireless policies and backing them up with strong encryption technology and rogue AP detection capabilities can go a long way toward creating a secure wireless environment.

How to Build Efficiencies Using Data Center Convergence

Alan Joch — Wed, 16 May 2012 09:55:16 +0000

There’s nothing more critical to an organization’s operations than the data center. But in too many cases, the data center is inefficient, overprovisioned and underutilized.

In fact, enterprise data centers everywhere are reaching limits in power, cooling and space. At the same time, budget constraints are requiring organizations to rethink data center strategy.

Enter data center convergence. By creating a pool of virtualized server, storage and networking capacity — shared by multiple applications as well as lines of business — an agency can reduce the footprint of all elements of its data center.

By reducing the data center footprint, organizations can save on both capital expenditures and operational expenses, along with management, power and cooling — without sacrificing performance and reliability.

Convergence can also help bring IT projects in closer alignment with agency objectives. That can help the agency to gain advantage and efficiency via increased IT responsiveness and incremental tech capabilities.

Why Converge?

Anil Desai, an independent IT consultant, says three factors drive data center convergence: maximizing the value of data center assets, maximizing the utilization of those assets, and simplifying the management and administration of those assets.

Indeed, the case for convergence is readily apparent, particularly at a time when organizations are looking for ways to trim both operational and capital expenditures. And lying at the heart of most data center convergence efforts is virtualization.

“The vast majority of data center servers are highly underutilized. They’re using a fraction of their potential,” Desai says. “By consolidating all of those workloads onto a smaller number of servers by using technology such as server virtualization, it makes it a lot easier to gain much higher utilization rates for the hardware.”

Storage virtualization, on the other hand, involves the pooling of physical storage from multiple network storage devices into what appears to be a single device. Managed from a single console, storage virtualization removes the complexity and dramatically reduces the time involved with overseeing traditional direct-attached storage solutions.

And network virtualization is defined as combining hardware and software network resources into a single, software-based administrative body or virtual network. It involves platform virtualization, often combined with resource virtualization, and can be either external (combining many networks or parts of networks) or internal (providing network-like functionality to the software container on a single system).

Cost and Operational Benefits

Energy cost savings often top the list of converged data center benefits. Because virtualization eliminates hardware without sacrificing performance, less energy is used to run the same workload. Additionally, new data center equipment, such as blade servers running on IBM’s POWER7 processor, typically consumes less energy.

“If you introduce more energy-efficient hardware alongside server consolidation, you get a double benefit from that and have much lower energy usage,” says Ian Robinson, IBM virtualization product line manager. “This is very important for some of our customers on Wall Street. They literally tapped out the amount of energy available from the grid.”

Along with cost savings, convergence can improve the responsiveness of the IT department, making internal operations more efficient and cost-effective. Desai points out that virtualizing server, storage and network assets allows IT administrators to centrally manage those resources. It also makes it easier to implement critical functions.

“For storage resources, it makes sense to centralize all of that so they can do things like data duplication, thin provisioning, and support for disaster recovery and backup sites,” Desai says.

By eliminating many of the mundane chores associated with IT management, administrators can focus more on high-value tasks that are beneficial to an organization’s objectives. Along with that comes improved efficiency among end users and the ability to meet organizational demands.

“It provides the ability to get workloads provisioned much more rapidly,” Robinson says. “In the past, if an internal user wanted a new database or some sort of service, they would have to put a request in to the IT staff, and they would have to wait days or even weeks for the hardware to be acquired, for approvals on funding, to get everything set up and running.

“Once you move to that virtualized environment, you can send a request through e-mail, and it can be provisioned within minutes,” he adds. “It can make you a lot more responsive to changes in the marketplace because you can be much more responsive in a virtualized environment.”

Laying the Groundwork

Knowing the benefits of convergence is one thing. Knowing when you’re ready to converge — and what you need to converge — is another. Tim Mackey, senior director of product marketing at Citrix Systems, says organizations first need to know what assets they have and where those assets fit into their strategy.

“The longevity of the individual hardware components and the types of applications themselves will dictate it,” Mackey says. “Once you take a look at the types of applications and analyze how IT can align themselves with the agency needs more appropriately, you can identify the cost factors that are going to drive you toward greater virtualization, and by extension, greater consolidation of the data center resources.”

To assist, organizations can employ different monitoring and management tools to determine the current utilization of their assets, such as CPU and memory usage.

“What the enterprise tends to do is virtualize workloads one by one and then fine tune the settings,” Robinson says. “If you had some workloads that were CPU intensive, you wouldn’t put them all on the same server. Otherwise, they would all contend for the same limited CPU resource. You’d have a balanced mix of some workloads that are more CPU intensive, others that are more memory intensive, others that need a lot of storage.”

It’s also important to make sure your efforts meet compliance requirements, both internally and externally.

“As you’re doing consolidation, you’re changing the operating model, which may have an impact on the compliance model and the compliance regulations you might have to adhere to,” Mackey says. “It’s a case of making certain you identify the data elements that are going to be there as well as recovery models.”

While large organizations are equipped to handle entrenched regulations, new and evolving regulations involving data privacy keep IT departments on their toes, and any consolidation project must take those issues into account. Ideally, you should be able to enforce configuration policies and detect and resolve unplanned changes in any environment.

“Over the last few years, data privacy regulations have reared their heads such that some convergence projects might have a necessary component of re-architecture,” Mackey says. “There might be some types of data that were once passed in the clear in an internal network that now, because of data protection laws, need encryption or controlled access added.”

How to Start Remapping the Data Center

Alan Joch — Tue, 15 May 2012 09:55:50 +0000

Optimization goals are fueling a trend across vertical markets among IT managers who are remapping their data centers. The concept eliminates islands of technology, such as groups of servers, storage systems and network resources formerly dedicated to a single department or enterprise operation.

Instead, these managers are taking a more holistic view of IT and creating pools of resources designed to boost utilization rates and enable on-the-fly resource provisioning.

Hardware consolidation, extensive virtualization and balanced mixes of on-premises and cloud implementations are important elements in data center optimization efforts; however, these ambitious strategies often go beyond the technologies themselves. IT managers also can more effectively use available physical space and fine-tune power and cooling systems for greater efficiencies and less cost.

Tools of the Optimization Trade

IT managers start with virtualization. The widespread server virtualization efforts of the past few years have helped many enterprises reduce physical hardware requirements, increase the utilization rates of remaining devices and alleviate skyrocketing power demands.

Now organizations are looking beyond consolidation to the next big wave of virtualization, says Greg Schulz, founder of the Server and StorageIO consulting group. “The goal is to enable higher productivity.”

Schulz cites the hypothetical example of a server that supports a mission-critical database application.

“The conventional thinking in the consolidation game is that this resource can’t be virtualized,” he says. Why? Because a database’s performance demands require dedicated computing power. But that may be required only during regular office hours.

“Instead of having that server sit idle at night, an organization can use virtualization to move other processes, such as reporting, analytics or backups to the server after hours. Then during the daytime, the critical application goes back to the server and gets all the resources it needs,” Schulz explains. “The result is that you are using the server more effectively, and you are increasing overall productivity.”

In a similar way, organizations can use virtualization to dynamically shift loads across various servers to perform upgrades without incurring downtime, and enhance operations continuity and disaster recovery efforts, he adds.

Virtualization provides similar load shifting and uptime benefits for storage systems. In addition, optimization-minded IT managers are looking to unified storage technologies to provide added value.

Unified storage systems support both block and file storage and the relevant protocols in the same unit, often along with redundant arrays of independent disks (RAID), load balancing and other management capabilities. As a result, IT shops can take another step toward optimization by reducing the range of technology they have to purchase and support.

Networking technology is following suit with virtual, software-based switches that create opportunities for hardware consolidation and dynamic resource allocations.

Management Resources

Virtualization in all its forms isn’t the complete answer for data center optimization. IT departments also need tools to ease the management of resource pools. A number of options are becoming available. For example, Symantec’s ApplicationHA provides application monitoring to help maintain high availability and reduce service disruptions for applications in virtualized environments.

“These technologies are helping organizations take the risk out of virtualizing more of their critical applications,” says Mike Reynolds, product marketing manager for Symantec’s Storage and Availability Management group.

IT managers can use ApplicationHA to monitor applications and receive immediate alerts in consoles such as VMware vCenter if a program crashes for any reason. The solution will restart a failed application if possible or work with native high-availability tools to ensure that it fails over to a healthy virtual machine.

To help optimize storage systems and facilitate rapid provisioning of storage resources, Symantec offers VirtualStore. The technology creates a standard image of Virtual Machine Disk (VMDK) files that can be re-used when new virtual machines are created. Because provisioning virtual machines is fast and easy, administrators can proactively or reactively create them based on agency requirements; however, creating a VMDK for each virtual machine can quickly eat up storage space, Reynolds says. The golden image created by VirtualStore can help organizations reduce VMDK storage requirements by up to 90 percent, according to Reynolds.

Data Center Optimization: Take These Steps First

Define objectives: Identify what will probably be a mix of goals, including maximizing current IT investments, achieving faster provisioning of enterprise services, boosting the organization’s productivity and creating a foundation for future growth.
Prioritize goals: Organize discussions among key operations and IT stakeholders to identify which goals are top priorities. This will help determine where to make investments in new technologies and data center redesigns.
Target high-value projects first: Build support for ongoing optimization investments by initially focusing on the financial rewards of quick-win efforts, such as consolidations of underutilized servers and storage systems.

Review: Apple MacBook Air

Jason Holbert — Mon, 14 May 2012 16:59:45 +0000

First introduced in 1996, the Apple MacBook line of notebook computers ranks as one of the oldest series still on the market today. While predominately deployed to consumers, Apple’s wares are making inroads in enterprise shops, and its products are worth considering.

There are currently two MacBook models available: the MacBook Pro, a powerful device boasting a quad-core i7 processor and dual video cards; and the MacBook Air, a platform that favors portability without sacrificing the fundamental processing power that most mobile professionals require. Sporting a small form factor and negligible weight, the MacBook Air brings a lot to the table with its speedy processor, all-flash storage and respectable Intel HD 3000 graphics chipset.

End-User Advantages

While the MacBook Air may lack the versatility of the MacBook Pro series, it still boasts some impressive hardware: The 128-gigabyte model offers a 1.7 gigahertz dual-core Intel i5 processor with hyper-threading technology to provide the most bang for your processor buck.

With the power of the Apple OS X operating system, users can manipulate multiple desktop environments with ease simply by performing finger gestures on the trackpad. This effectively emulates all the functionality of a multiple-display environment on a deceptively modest 13.3-inch screen. The OS remains responsive and fluid, even when the system is under load, providing a consistent experience for the end user.

Given this machine’s compact design, the MacBook Air is sure to be a hit with road warriors who want a capable notebook they can actually use on airline tray tables. With physical dimensions of just under 13 inches wide by 9 inches deep, it fits the bill without sacrificing a full-size backlit keyboard or a multi-touch trackpad. Also, weighing less than three pounds, it won’t slow down mobile workers running to catch their flights.

Why It Works for IT

Like most Apple products, there’s plenty of wow to go around from an aesthetic perspective, but don’t overlook the practical benefits. For instance, while the MacBook Air’s brushed aluminum body is pleasing to the eye, this design also makes it resilient to everyday wear and tear. Additionally, the flash hard drive is not only appreciably faster than traditional magnetic drives, but it is also durable and shock-resistant.

9

Number of gestures supported by the MacBook Air multi-touch trackpad: inertial scrolling, pinch, rotate, swipe, three-finger swipe, four-finger swipe, tap, double-tap and drag

When emergency data recovery is necessary, Apple’s built-in Time Machine technology allows for easy recovery of documents, e-mail messages and other files with a few simple mouse clicks.

Disadvantages

As with all flash memory, the speed that the MacBook Air’s hard drive affords comes at the price of capacity. While 128GB may seem like a lot of storage on paper, it’s less than half of what many comparable notebooks with magnetic hard drives offer. This warrants careful consideration when IT managers are purchasing for workers who need a lot of storage on the go. If this is a concern, Apple offers a 256GB version of the MacBook Air that may prove a better choice to accommodate those needs.

Additionally, because the Air is ultra-portable, it has no optical drive. This may make some folks nervous, but the inconvenience is easily overcome with Apple’s USB SuperDrive, or simply by using file sharing on nearby workstations or cloud-based storage.

Manage BYOD with Trend Micro’s Mobile Security for Enterprise 7.1

Logan G. Harbaugh — Fri, 11 May 2012 19:12:16 +0000

The “bring your own device”(BYOD) trend is in full swing at many organizations these days, and one real challenge for administrators is ensuring security when dozens of different devices and operating systems can access internal as well as external resources.

Trend Micro’s Mobile Security for Enterprise 7.0 is not simply an antivirus or antimalware client for each device. The total system includes a master server and policy server, a Microsoft SQL server, directory services (usually Active Directory), and a certificate authority and simple certificate enrollment protocol (SCEP) server.

Getting all the pieces installed and communicating with each other is tricky, but this is mostly a function of the requirements of the platform, such as the BlackBerry Enterprise Server (BES) for BlackBerry devices. Once the servers and certificates are set up, delivering the software to each mobile device is straightforward. During testing, one threat was detected: the airline reservation phishing e-mails that take users to a site that installs a Trojan. Clicking on the link generated a warning, and the site was blocked.

Advantages

Trying to ensure protection against malware is difficult, and many of the products available are unique to a given platform. Mobile Security for Enterprise 7.0 is one of a few products that support nearly any type of mobile device, including Windows mobile devices, iOS, Android, Symbian and BlackBerry.

In addition to installing and updating security software, the system can implement specific policies. This includes a remote wipe of data on lost or stolen devices, encryption enforcement, and for Android phones, call filtering that can restrict incoming or outgoing calls.

The clients provide antimalware scanning, a firewall feature to block incoming threats, web security to keep users from inadvertently visiting malicious websites and SMS antispam that prevents the device from receiving SMS messages that are malicious or uninvited.

Why It Works for IT

The overall system of the OfficeScan and Mobile Security Server policy server and mobile-device components offers the administrator a unified approach to securing mobile devices. This ensures that data on the devices remains secure and that mobile devices don’t become unintended holes in the organization’s firewall, allowing attackers a back door into the network.

The system can also block certain actions, such as USB connections or data copying, which keeps the device from being connected to unauthorized systems. It also can restrict specific types of traffic, such as incoming calls from 800 numbers, depending on the mobile platform.

Disadvantages

One major disadvantage is not unique to Trend Micro, but to the category as a whole: Each device manufacturer has different requirements, and supporting all available platforms may take quite a while to figure out. Fortunately, Trend Micro has done a good job of documenting the procedures necessary. Also, figuring out costs can be tricky, as the OfficeScan server licenses and Mobile Security licenses are separate and vary with the numbers of licenses purchased.

Data Loss Prevention: How to Stop Inside Jobs

Alan Joch — Thu, 10 May 2012 16:38:54 +0000

Think outsiders represent the greatest threat to an organization’s systems? Think again. Statistics from the 2011 CyberSecurity Watch Survey validate the presence of insider threats. Sure, business and government tech execs who participated in the study acknowledge that outsiders are responsible for most incidents, but ultimately breaches by insiders proved the most costly — financially, operationally and reputationwise.

The survey was a joint effort of the U.S. Secret Service and the Software Engineering Institute’s CERT program at Carnegie Mellon University and conducted by CSO magazine with sponsorship by Deloitte. As if the survey's findings weren’t enough, the Ponemon Institute spelled out the costs associated with security incidents in a separate report. It put the dollar figure at approximately $214 per record breached in a large enterprise, for an average total cost to an organization of $7.2 million per incident.

Fortunately, a new generation of data loss prevention (DLP) technologies and best practices are helping enterprises target insider security breaches that intentionally or accidentally threaten intellectual property, customer lists, employee personal information and other crucial data.

These DLP solutions round out an organization’s arsenal of hacker prevention technologies, such as traditional firewalls and unified threat management (UTM) systems. And in addition to inside-out protection, DLP technologies provide an important ancillary benefit: Their controls and monitoring tools help enterprises demonstrate compliance with complex government regulations.

Different DLP Options

The key for IT managers lies in identifying the appropriate DLP solution for their particular needs; however, they also need to implement the technology so it provides protection without disrupting day-to-day operations.

DLP solutions typically come in three varieties: endpoint, network and channel.

Endpoint solutions: This DLP flavor protects data at rest — stored in a database or housed on a file server, for example. IT managers can set this DLP option to send an alert or set up a roadblock if a staff member tries to download sensitive data to a DVD, USB thumb drive or other portable storage device.

This approach reduces the risk that someone will walk out of the building with valuable information hidden in a pocket or briefcase. The data-at-rest capabilities in modern DLP tools can also scan local and network hard drives in search of sensitive data that’s been inadvertently or surreptitiously moved to an unauthorized location, which could expose it to unauthorized viewers.

Network solutions: These DLP products examine data files as they pass over the network. Depending on the settings chosen by IT managers, these tools report on and block transactions that violate an organization’s data management policies. For example, if the policies do not allow personal identification numbers to be sent across the LAN, a network DLP solution will spot the prohibited traffic and take the appropriate action.

Channel solutions: These DLP solutions monitor activities in particular areas rather than looking at all traffic across a network. Thus, a channel-specific application integrated with an antispam gateway would identify data leakages via e-mail attachments, for instance, but not potential breaches from malicious File Transfer Protocol (FTP) sites or web browsing.

Some solutions employ both endpoint protection and network-based components, the benefit being that IT managers can centrally enforce security policies through two integrated solutions. This simplifies the task of deploying DLP capabilities across the enterprise. But there’s a trade-off: A hybrid approach may compromise the full power of the individual solutions.

Organizations that are particularly concerned about data loss should separate their network-based DLP solutions from their endpoint protection DLP tools. This will allow the best protection in both areas.

Makers of DLP products also point to a distinction between content-aware and content-neutral technologies. Content-aware detection integrates the scanning of outbound traffic with content discovery, such as identifying stored credit card numbers, personal information or sensitive data in unauthorized parts of the network.

To be effective, content-aware DLP tools must scrutinize all types of traffic leaving the network, including e-mail, web traffic, file transfers and instant messaging. By contrast, content-neutral products apply controls without regard to the information itself; for example, blocking all downloads to thumb drives. In practice, both content-aware and content-neutral loss protection occur in endpoint protection and network-based products.

[subhed] Evolving DLP Capabilities

Although DLP solutions have existed for several years, they have evolved to become more effective in both their traditional roles and in new ones, particularly when it comes to addressing insider threats. For instance, many of today’s technologies are now mobile-aware.

“DLP is being impacted by the consumerization of IT and the trend for more people bringing their own mobile devices to work,” says Andrew Forgie, director of strategic solutions for Websense, a maker of DLP, unified web security and e-mail protection products.

The mobility of users within enterprises has pushed security companies to expand their DLP offerings to remain competitive, adds Rick Holland, senior analyst with Forrester Research. In his report, Content Security: 2012 Budget and Planning Guide, Holland points out that Websense now offers a mobile DLP solution that extends the company’s unified TRITON architecture to include the Apple iPad and iPhone, as well as Android devices.

Similarly, Symantec recently introduced Symantec Data Loss Prevention for Tablet. It monitors and protects sensitive data sent from iPad mail clients, browsers and applications, such as Facebook, Twitter and Dropbox.

Second, security product manufacturers have succeeded in tackling the implementation and data-profiling complexities that traditionally have challenged DLP rollouts. “DLP is great in concept,” notes Dave Amsler, president and CIO of Foreground Security, a security consulting, training and services firm. “But unless you’ve actually classified and tagged your data, it does little good.” He adds that although many solutions include tools for tagging data automatically, IT managers often must intervene to make adjustments for accuracy.

Applying third-party services can help address some of these challenges. The RSA DLP RiskAdvisor Service leverages the RSA DLP suite for automated discovery of unprotected sensitive information and provides a snapshot of potential exposure points.

This type of tool can help enterprises quickly identify sensitive data on target file-shares and desktop infrastructure components. The RiskAdvisor service includes a high-level mapping of business functions associated with the sensitive data to help determine the exposure risk of the information.

Ease of Use

DLP vendors also now offer a number of other innovations to help make their solutions easier to launch and manage. One way is to integrate DLP within other types of traditional security solutions, such as antivirus software and server-based e-mail scanning applications. For example, users of Trend Micro’s OfficeScan endpoint security suite can add a DLP plug-in for multichannel data monitoring and scanning for Payment Card Industry (PCI) compliance.

In a further nod to simplification, Trend Micro and other vendors also provide templates with default settings to help enterprises quickly comply with PCI, Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley and other reporting regulations.

“Enterprises know what compliance regulations they’re up against — they just select the right template, and it configures the DLP solution so it knows what to look for to meet data management rules,” says Steve Duncan, Trend Micro’s senior product marketing manager for data protection. “Thanks to these types of templates, IT managers don’t have to become experts in the details of each regulation.”

Similarly, SonicWALL, a vendor of network security and data protection solutions, includes approval boxes that collect data that’s been red-flagged for possible policy violations. “This means that if the word ‘confidential’ is in a file and somebody tried to e-mail the content out of the company, the file would get routed to an upload box,” says Swarup Selvaraman, product line manager for e-mail security and antispam at SonicWALL.

“The upload box could be assigned to an engineering manager, someone in human resources or the chief financial officer, based on what kind of data it is,” he says. “The appropriate manager can then step in to allow or block the transmission.”

Managers can key in project codes or other identifiers to make sure critical information never leaves their organization. To help, SonicWALL provides subject-specific dictionaries, including ones tailored for HIPAA or financial regulatory compliance. “You can write a policy that routes a message to an approval box if the subject, body or an attachment contains any words from this dictionary,” Selvaraman explains.

Reduce Risk with Vulnerability Scanning

Joel Snyder — Wed, 09 May 2012 16:45:34 +0000

With attackers constantly probing networks, smart IT managers know that performing security audits once a year isn’t enough. Best practices now call for continuous monitoring to obtain an up-to-the-minute view into networks and systems.

Vulnerability analyzers provide independent information about network traffic and link this information to knowledge bases showing real and potential vulnerabilities.

Security pros can choose from two complementary vulnerability analysis techniques: active scanning and passive scanning. Active scanning tries to connect to every IP address on a network and determine open TCP/IP ports, application version information and device vulnerabilities. On the other hand, passive scanning uses one or more network taps to see which systems are actually communicating and which apps are actually running.

The two techniques are often used together. For example, when a passive scanner detects a new system, it can launch an active scan of the system to gather more information about network apps that may be running, but unused.

Many manufacturers, including eEye, McAfee and Tenable, sell active vulnerability scanners or scanner signatures. Passive scanning is a new technology that presents fewer options, but choices include Tenable and Sourcefire. Here are some guidelines for choosing when and how to use active and passive scanning.

Start with active scanning, both inside and outside the firewall.

“Credentialed scanning,” which gives the vulnerability analyzer a username or SSH key to log on to each system, is a necessary part of active scanning. Together, these techniques provide a view of systems, operating system and application versions. They highlight out-of-date applications, missing patches and potential misconfigurations that could lead to security vulnerabilities.

Managers of IT environments with a rapidly changing application mix or weak configuration control should add in passive scanning.

Vulnerability analysis based on active scanning is only as accurate as the frequency of the scans, while passive scanning instantly identifies new systems and new active apps, as well as some version information. Discoveries made by passive scanners should update the same database as active scanners to build the most complete picture.

Regularly and continually test organizational firewalls with “lightweight” active scans.

Firewalls are easy to misconfigure, and their policies become out of date very quickly. Scans outside the firewall provide “third party” knowledge of what is alive and able to respond across the Internet. Hackers constantly scan organizational networks anyway; self-scanning just helps to level the playing field a little.

Passively scan user networks.

With mobile devices popping up every few seconds and green eco-conscious users preferring to turn systems off at night, there is little point in actively scanning user networks. Passive scanning can help track devices across subnets, and also responds instantly to user-installed (or malware-installed) applications that begin chatting across the network.

This is an area where vulnerability analysis and intrusion detection/prevention begin to overlap. Several network access control products already include both passive and active scanners to discover new user network devices.

Understand that IPv6 and “black box” networks create complications.

Network managers planning to move to IPv6 should be aware that active scanning of IPv6 subnets is impossible. A typical IPv6 subnet is 16 million times larger than a typical IPv4 subnet, so any plans for IPv6 support may require a rethinking of vulnerability scanning strategy. “Black box” networks, which are invisible to vulnerability scanners, are also becoming big issues.

As more and more individual hosts and servers have their own firewall capability enabled, vulnerability scanners without credentials quickly lose effectiveness. Additional techniques, such as passive scanning, careful attention to application firewall logs, and security information/event monitoring are needed to maintain security visibility.

5 Rules to Make BYOD Manageable and Secure

Alan Joch — Tue, 08 May 2012 15:53:41 +0000

How can the IT department assure that an organization sees the benefits of BYOD instead of unmanageable mobility that creates chaos for the existing IT environment?

“You have to address what end users want in terms of personal choice — but don’t start there,” says Jack E. Gold, president and principal analyst with the consulting firm J. Gold Associates. “Think about what your agency needs first, then retrofit the technology that works the best to achieve those goals.”

That means seeing BYOD not as an end game. It’s one component in a robust mobile strategy that addresses all the areas in which mobility makes sense and creates a long-term roadmap for delivering the appropriate applications and services.

“You don’t want to do BYOD with a series of short-sighted projects,” Mark Jordan, senior product manager for mobility at Sybase, advises.

Enterprises also should update their existing mobility policies, which may have been tucked away in three-ring binders or file cabinets since their initial creation a decade ago. “Organizations really need to re-evaluate all these policies in light of the latest technologies and the most recent regulatory issues for information management that apply to their industries,” recommends Sean Ginevan, product manager for MobileIron, which supplies a mobile-device management (MDM) solution to the company.

For security and management ease, BYOD rules should address five core considerations:

Which workgroups can bring in their own gear?
Should groups be segmented by job function, organizational unit or region?
To what data will BYOD devices be granted access?
What kinds of mobile devices will be allowed?
What will be allowable minimum capabilities of the devices and operating systems?

Answering the last question will be complicated because security and management capabilities of some hardware and OS combinations are still a work in progress, experts say. For example, some Android smartphone manufacturers, including Samsung, Motorola and LG, are customizing the Android OS with proprietary management capabilities, such as enhanced password controls, hardware-based encryption and hardened e-mail security.

These extensions are a security plus for IT managers, but the lack of standardization means the enterprise will need to develop alternative management policies for other Android smartphones that run more basic versions of the OS. But what kind of alternative policies?

IT, for example, may decide to force users of the basic OS to access corporate e-mail through a security application. By contrast, the IT department may decide it is safe for devices with proprietary security extensions to connect directly to the corporate e-mail server. Or it may decide that some systems or data are off-limits to all BYOD devices.

For added security, and an absolute necessity for organizations in highly regulated markets, IT shops may want to issue an authentication certificate for each BYOD device. A step up from password security, the certificates confirm that both the users and their individual hardware have been authorized to access the network.

Cool Tools for BYOD

Fortunately, a variety of tools are available to help IT administrators implement and enforce the BYOD policies they create. Mobile-device management software can act as a kind of command center, letting IT managers centrally configure access authorizations and business applications.

MDM solutions also let the IT department track devices, confirm device security settings, and create virtual private networks (VPNs) that establish protected communications links between users in the field and the enterprise network. An MDM application can also check that each device is running an updated version of its OS and scan for malware before a user device connects to the corporate network. If the hardware is lost or stolen, IT administrators can go to the MDM command center to wipe the data.

“MDM can push down a variety of settings to individual devices, but just as importantly, it enables IT managers to take all those settings back,” Ginevan says. “So when someone leaves the enterprise, I can delete all the corporate e-mails, corporate applications and any security certificates that identify the device to the network.”

Because MDM tools can streamline or automate so many basic device-management tasks, IT isn’t scrambling to service hundreds or perhaps thousands of individual devices. “That gives IT administrators more time to focus on strategic tasks, such as building and mobilizing applications inside their enterprises,” he says.

Role for Desktop Virtualization

Another important mobile management technology is desktop virtualization, which lets IT create individualized desktop environments tailored to each notebook, smartphone or tablet. With virtualization, staff members use their mobile devices to send screen images and keyboard clicks over wireless networks to applications centrally stored in the back-end data center, which also houses all corporate information. Because data doesn’t reside on mobile devices, there’s less risk of a security breach if portable hardware is hacked or stolen.

For its BYOD strategy, Citrix Systems enhances each device with its own commercial technology, Citrix Receiver. It connects end-user hardware to virtual desktops created by central IT administrators. To protect the messages flowing back and forth between users and data center systems, Citrix establishes VPNs that support data encryption.

Michael McKiernan, vice president of business technology at Citrix, says members of the Citrix staff that are part of the BYOD program accept client virtualization in part because data and applications stored in a central location make those resources accessible from any one of the multiple computing devices they may own.

“If the data is stored on a C drive in one computer, they may not always have access to it,” he says.

And what about the potential for greater security risks if IT doesn’t have complete control over the devices that each person uses? “The rubber hits the road with our results after three years. We have not seen our exposure increase,” he says. “If you provide the right incentives for people to protect corporate data, they will. Just because someone chooses to use their own MacBook, they don’t suddenly turn into a deviant.”

How to Evaluate Managed Print Services Providers

Alan Joch — Mon, 07 May 2012 17:39:05 +0000

Because a contract for managed print services covers so many areas - from simple replenishment of supplies to a full-blown audit of the printing environment - IT managers need to carefully evaluate the expertise of potential providers to find the best fit for the organization.

“The first thing an end user needs to do is find an impartial services provider that doesn't have a bias toward a particular manufacturer,” says Mike Cohen, vice president of sales for Brother International, a manufacturer of printers and multifunction print devices (MFPs). “Ask the printer-agnostic reseller to come in and evaluate what you have and take a look at how you can optimize your printing. In fact, I would have more than one person come in just because everybody has a slightly different approach to managed print services.”

Next, evaluate the service provider's capabilities for performing thorough and accurate audits of the existing printing and imaging infrastructure. Ask for examples of reports the provider created that use audit numbers to flag opportunities for decommissioning and consolidating equipment.

The optimization plan should determine what legacy equipment should be refreshed with faster page-per-minute models; these can boost productivity by eliminating queues that spring up while staff members wait for large print jobs to finish. But while some equipment replacement may be necessary, be wary of a managed services provider that recommends a costly rip-and-replace solution, experts say.

Instead, a consultant may be able to suggest how an existing but still reliable printer that is being replaced by a workgroup MFP can offer a performance improvement for a finance manager who needs a dedicated unit for privacy or security reasons.

In addition to rightsizing hardware, the managed print services approach may save money by consolidating related contracts. For example, the organization might be coming to the end of an expensive lease for an outdated copier that can be replaced by a modern MFP. In some cases, older copier contracts include cost penalties that kick in when output volumes stretch over the contracted rate. Other “gotchas” include charges for a full-color page when the only color on a document is a URL highlighted in blue.

The services provider may also help clients craft printing policies that promote cost cutting and efficiency. For example, setting MFPs for two-sided duplex printing will save on paper costs. In addition, a printing policy might designate which individuals or departments are authorized to use color printers to keep consumable expenses to a minimum.

Security expertise is another factor to consider. Central printers and MFPs assigned to workgroups may be more efficient than stand-alone units. But they increase the risk that a document with sensitive information is left in an output tray or that an unauthorized employee uses a device's scan-to-mail capabilities inappropriately.

The right service provider can help IT managers instruct users about security best practices for printing environments, as well as advise organizations about useful technologies, such as data encryption solutions that protect files being temporarily stored on an MFP's internal hard drive.

Finally, IT managers should push for quarterly reviews to analyze how well the provider is executing its plan to cut costs and increase efficiency in the printing environment, Iburg recommends.

Should You Disable IPv6 on a Windows 7 PC?

Mitch Tulloch — Fri, 04 May 2012 18:15:15 +0000

Both the Internet Assigned Numbers Authority and the Asia-Pacific Network Information Centre have run out of IPv4 addresses to allocate, and RIPE, the European numbering authority, is soon to follow. Large ISPs are now beginning to turn on IPv6 for their customers, and most vendors of firewalls, load balancers and other network appliances are starting to claim that their devices fully support IPv6. Is it time then for agencies to stop worrying about IPv6 and simply leave it enabled on Windows PCs?

The Myth of Disabling IPv6

Actually, you can’t fully disable IPv6 on a computer running Windows 7. For example, if you clear the checkbox for IPv6 for your Local Area Connection network interface (see Figure 1), it won’t disable IPv6 on the system. It simply removes the binding for it from that particular network interface.

And if you edit the registry as indicated by this article in the Microsoft Knowledge Base, the binding for IPv6 will be removed from all network interfaces on your system, including LAN, WAN and VPN interfaces. But the underlying components of IPv6 won’t be removed from your system, which is easy to see by opening a command prompt and pinging the IPv6 loopback address ::1 from a command prompt window on the system.

Figure 1: Clearing the selected checkbox only removes the binding for IPv6.

Disabling IPv6 Breaks Functionality

Are there negative consequences to disabling IPv6 on a Windows 7 PC? Several features of Windows 7 depend on IPv6 to function as intended, including:

DirectAccess, which allows users to remotely access agency resources whenever they have Internet connectivity, as if they were directly connected to the agency LAN.
Remote Assistance, which enables users to invite remote users to connect to their computer to help them when they have problems.
HomeGroup, which makes it easy for users to share their libraries and printers on their home network.

Because Microsoft performed most of its internal validation testing of Windows 7 with IPv6 enabled, disabling IPv6 may have unintended consequences that even Microsoft isn’t yet aware of. Users could end up with mysterious issues requiring the help of Microsoft Support for troubleshooting, and one of the questions they may ask is, “Have you disabled IPv6?” If you have done so, you might be asked to turn it back on to resolve the issue.

Leaving IPv6 enabled might seem to go against a system administrator’s prime directive: “If you’re not using it, don’t enable it.” But there’s another directive that says: “If it ain’t broke, don’t fix it,” and in this case it’s the latter that should take precedence.

Will leaving IPv6 enabled result in a lot of additional network traffic that could lead to poor application performance? No. Windows systems that need to communicate with other Windows systems on the same subnet simply prefer using IPv6 Link Local addresses over IPv4 addresses, and this has only a negligible impact on the overall network traffic.

But My Vendor Doesn’t Support It Yet

If you contact your vendor for firewall appliances or other network security devices, you’ll probably find that they do have updated hardware that now fully supports IPv6. If they don’t, they probably won’t stay in business for very long.

And if your legacy routers and gateway appliances don’t currently support IPv6 or don’t have it enabled, then IPv6 traffic isn’t going to flow in and out of the network anyway. So monitoring or controlling the flow of IPv6 traffic across your boundary isn’t really an issue. But if your ISP has already enabled IPv6, then maybe it’s time to upgrade your routers, gateways and security appliances. The reality is that almost all routers sold during the past 10 years support IPv6 as well as IPv4.

For Users Who Travel

What if someone has a notebook running Windows 7 with IPv6 enabled, and they travel to another city and use the LAN connection in a hotel to connect to the Internet? Are there possible security consequences of having IPv6 enabled on systems that travel beyond an agency’s perimeter firewall?

The reality is that IPv6 is a much more secure protocol than IPv4, which actually has no security at all. In fact, IPv4 application developers have found it necessary to implement additional security at the application layer because there’s no inherent security built into IPv4. By contrast, IPv6 is built from the ground up with security in mind.

Disabling IPv6 on Windows 7 PCs provides no additional security or any other real value to a network. And leaving IPv6 enabled on these PCs enables certain valuable Windows features to work properly. So the bottom line is, don’t disable IPv6 on Windows 7 PCs unless you can justify your decision with a more compelling reason than “But I haven’t had time to learn about it yet.”

Start thinking long term, and get that IPv6 migration plan in order for your agency. If you want to learn more about IPv6 and how to prepare for its inevitable arrival, visit the IPv6 Blog on TechNet at http://blogs.technet.com/b/ipv6/.