Next up in the Layered Security series is the Device layer.
If you haven’t been following this series, you can catch up by either reading my other blog posts (using the link above), or by checking out the PDF version, which contains all articles that have been written up to this point.
The Device Layer
While wired networks certainly have their own challenges (many of the precautions here are applicable to wired devices), it is wireless that really changed this layer’s landscape. The biggest change that came with wireless is the rise of BYOD: bring your own device.
BYOD (not to be confused with BYOB) refers to employees using their own personal devices - such as laptops, tablets, and smartphones - to access the network at work. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee. It’s hard to imagine that this number hasn’t increased in the last four years.
Because of BYOD’s increase in popularity, today’s networks often include a myriad of different device types. Adding more devices and device types causes both the network’s complexity and the number of potential threats to increase. This is why it is vital not only to protect each device but also to take measures to protect the rest of the network from each device.
Protecting Each Device
The first steps of protecting the device layer occur on the device itself. Most computers these days have their own built-in firewall, which should be used regardless of FortiGate protection. Anti-malware software should also be run on the device regularly, with scans scheduled for a time when it isn’t in use. Finally, you should regularly apply updates for both operating systems and apps, to ensure that any known vulnerabilities are dealt with.
One easy way to protect the devices on your network is to use FortiClient. FortiClient extends the power of FortiGate's unified threat management to endpoints on your network. This includes features such as antivirus, web filtering, two-factor authentication, and being able to securely connect to either SSL or IPsec VPNs.
FortiClient is available for Windows, Mac OS X, iOS, and Android, and can be set up quickly. After being installed, it automatically updates its virus definition files, does a full system scan once per week, and much more. A FortiGate can make sure that all devices using FortiClient have the current updates.
FortiClient can be downloaded at www.forticlient.com.
Knowing Thy Network
The next step to managing devices is figuring out what devices are actually out there in need of being managed. FortiGate interfaces, including wireless SSIDs, can identify the devices on the networks that they connect to. This gives you a list of all the devices on your network. Your FortiGate is also able to identify each device and which operating system it uses, to a fair degree of accuracy.
Once you know what devices are out there, you can figure out if there’s anything that shouldn’t be allowed in the first place. Below are three recipes from the FortiGate Cookbook that showcase what a FortiGate can do to help with this.
Recipe 2: Use application control to block web traffic from computers running an outdated OS, such as Windows XP.
Recipe 3: Create custom device definitions or groups, allowing you to determine what network access devices have on a case-by-case basis.
Let People Know
In 2013, a Fortinet Internet Security Census found that 51% of the participants said they would contravene company policies restricting use of their own devices, cloud storage and wearable technologies for work. To help avoid this problem, make sure that you let users know what your policies are and why you have them.
We’ll talk more about network users in the next instalment.