Defending the Border

The increasing consumption of data on mobile devices and the Internet of Things (IoT) revolution have both transformed the edge of the network. Mobile has moved the edge of the network from the traditional wired LAN to the Wireless LAN, and IoT has triggered a need to connect many more types of devices to the network, generating data in many different formats and protocols. In parallel, attackers have increased their sophistication and threats come in so many forms that maintaining a secure yet effective network has become a time-consuming and costly challenge.

Traditional security models focus on preventing attacks from getting inside the network. The effort therefore goes into defending the borders, since these are typically the weakest points. Firewalls are a good example of this – they inspect traffic passing in and out of the network and can block anything suspicious, preventing threats from getting in or sensitive data from leaving. However, relying solely on a firewall for network protection is like locking your front door while leaving the back door wide open.

Protection from the User

It is generally accepted that the weakest part of a secure network is its human users, usually through inadvertent behavior. Social engineering techniques exploit this to defeat even the most secure networks by tricking users into disclosing sensitive information that an attacker can then use. In 2017, the University of Illinois ran a “baiting” experiment in which USB drives were left near building entrances; 45% of those USB drives were inserted into network-connected devices. The network therefore needs to be protected at every potential intrusion point, including the wired and wireless edge, mobile users and IoT devices.

Anti-virus tools and security policies can be effective in protecting the network from misuse by desktop and laptop users (“wired users”). Wireless users pose different challenges to the security of the network because they consume and generate large amounts of data, using a wide variety of applications from any number of uncontrolled sources. Traditional methods of securing the network edge from wireless devices include registering the device’s MAC address and Network Access Control (NAC), which requires the mobile device to run an agent that collects security data. Both methods together can be effective, but they are cumbersome: the user must install the agent on their device, and if they change devices, the new one will have no network access until it is registered and the agent is installed again.

IoT devices introduce yet another risk because they are typically simple devices running a small amount of code, and are therefore seldom inherently secure. Effective IoT security should consist of two components: identification of the device, and inspection of the data it transmits. Digital certificates provide a reliable means of secure identification, but not all IoT devices support them, so data inspection is mandatory to ensure that no threats are being injected.

Balancing Requirements

With tightened security, usability issues and management overheads increase, which adds cost to the network operating budget. So a balance needs to be found that optimizes security, cost and usability. The key is to select network infrastructure that can provide the functionality needed for the required protection. Allied Telesis has a range of smart security solutions that leverage intelligence built into the network to provide strong security without the usability hassles and the extra management overheads.