Back in June, we talked to Fortinet’s Doug Ramos about issues and trends affecting enterprise wireless environments today. We followed up with Doug to discuss how the growth of wireless devices and enterprise applications affects the way you design your wireless network, and how you control access.
Q & A with Douglas Ramos
As the device landscape shifts from corporate-owned to employee-owned, and as network usage shifts to an ever-greater reliance on wireless, what are the challenges for security?
Wireless is the primary access layer for so much of your network now, and the vulnerabilities of the devices coming onto the wireless network call into question the security on that access layer. Not that many years ago, the furthest you could go from your desk was the length of your Ethernet cable. With your whole organization no longer physically plugged into your network, you have to be able to secure your wireless network, which includes an increasing number of employee-owned devices. Issues include unpatched and unsecured devices accessing, transmitting, and storing corporate data, the proliferation of untested and often vulnerable applications running on these devices, the merging of personal and work tools and data on a single device, and the creation of ‘Shadow IT’, where non-corporate devices and applications store and share critical corporate data on cloud-based networks and services that are unseen and unapproved by IT.
What impact does the growth of enterprise applications have from a security standpoint?
All of these applications come with their own vulnerabilities, so you have to have the ability to perform off-prem web security, as well as securing web traffic within your firewall. Your firewall needs to be able to see and secure applications and data that move across a network border or segment, but you also need to have security for the mobile application layer as well.
With the major security vulnerabilities found in SSL over the last couple of years, for example, everyone had to change protocols and redesign websites. Unfortunately, because many of these sorts of tools are being developed for expediency rather than security, stuff like that has become increasingly common. Hackers are now looking at getting their information by hacking applications rather than users. It’s unbelievable the number of times popular sites get hacked, and passwords and profiles get compromised. And most users are completely unaware of these breaches and associated risks. All of this has begun to create a big push to add an additional layer of security on the application side.
How does the unprecedented growth in application and device diversity affect how you design your network?
Something I talk about a lot is high-density environments. Five years ago, we didn’t have the number of applications that are available today for business use. Now, everyone is connecting with multiple devices, including wireless laptops, tablets and smart phones. And that’s just the start. The amount of traffic that is being generated just from applications is five times what it was five years ago. Most of that data is moving across the wireless network, which has a significant impact on the wireless environment from a security standpoint, including user and application density.
In thinking about a wireless network, the number one thing that should be top of mind is the density of the traffic that you will have going through the network. You need to consider both user density, as well as application density. When you design a wireless network, one of the first things you calculate is how many physical devices you can connect through an access point. Then you need to factor in the amount of bandwidth each device will consume based on the applications they are going to use. And that is a moving target.
Let’s say with very light application use, you can easily connect 50 devices through a single access point. But once they start using web-based applications, that number can quickly drop from 50 down to 20. That has a significant impact on performance, and how and where you’re going to deploy wireless network devices, because it’s no longer just about number of users and devices. It’s also about how much data you’re going to have to push through each access point. And with increasingly bandwidth-hungry application traffic, such as video and voice and interactive tools, that number is growing exponentially.
The main objective of every enterprise is to provide secure but controlled network access—enabling the right person the right access at the right time, without compromising security. How difficult is this to achieve?
Network Access Control is one of my favorite things to talk about because it is a challenge that is top of mind for many security teams, and because Fortinet has some amazing solutions in this area.
Network Access Control is critical, and it’s not just about being able to onboard so many different devices. It’s about making sure those devices are associated to the right people, and those people have the right permissions to access the network and application resources appropriate to their role.
FortiAuthenticator enables such identity and role-based security. It also allows you to provide differentiated access based on device. For example, a user may be allowed to use her laptop to authenticate to the network and have full access to everything. BUT, if she uses her tablet to authenticate herself to the network, she only gets limited resources, say to email, Internet, and basic work tools. And then, if she decides to connect using her smart phone, her device is recognized and she is automatically restricted to only Internet access. You can also control how many devices users can bring in. For example, you can limit a user to only two devices, such as a laptop and a smart phone. Subsequent devices are refused network access.
Finally, it’s also important to be able to easily grant secure, controlled network and Internet access to guests. With FortiAuthenticator we can create a temporary account, with timed access, for a single device. And we can track that guest user as well.
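The device-aware access tiers, the per-user device cap and the time-boxed single-device guest account described in the two answers above, as an added illustration that is not FortiAuthenticator's code or any Fortinet API; the tier table, the two-device limit and the guest lifetime are constructed values, and the device type is assumed to come from the network's own device profiling rather than from the client's claim.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical policy modelled on the interview: laptop = full access,
# tablet = limited, phone = Internet only. Resource names are constructed.
ACCESS_BY_DEVICE: Dict[str, Set[str]] = {
    "laptop": {"internet", "email", "work_tools", "internal_apps", "file_shares"},
    "tablet": {"internet", "email", "work_tools"},
    "phone": {"internet"},
}
MAX_DEVICES_PER_USER = 2  # constructed cap: e.g. a laptop plus a smart phone


@dataclass
class User:
    name: str
    role: str = "employee"                      # "employee" or "guest"
    devices: Dict[str, str] = field(default_factory=dict)  # device_id -> type
    expires_at: Optional[int] = None            # guests only: epoch seconds
    guest_device: Optional[str] = None          # guests only: the one bound device


def create_guest(name: str, now: int, ttl_seconds: int = 8 * 3600) -> User:
    """Temporary guest account with timed access (constructed default: 8 hours)."""
    return User(name=name, role="guest", expires_at=now + ttl_seconds)


def authorize(user: User, device_id: str, device_type: str, now: int) -> Set[str]:
    """Return the resources this (user, device) may reach; an empty set means refused.

    device_type is assumed to be supplied by device profiling on the NAC side,
    never trusted from the connecting client.
    """
    if user.role == "guest":
        # Guest: time-boxed, Internet only, and tied to exactly one device.
        if user.expires_at is None or now >= user.expires_at:
            return set()
        if user.guest_device is None:
            user.guest_device = device_id       # bind on first successful use
        if device_id != user.guest_device:
            return set()                        # second device is refused
        return {"internet"}
    # Employee: enforce the device cap before onboarding a new device.
    if device_id not in user.devices:
        if len(user.devices) >= MAX_DEVICES_PER_USER:
            return set()                        # third device is refused
        user.devices[device_id] = device_type
    # Known device: access tier follows the device type it was onboarded as.
    return set(ACCESS_BY_DEVICE.get(user.devices[device_id], set()))
```

A real deployment would also log every refused attempt, since a burst of refusals for one account is a useful signal that credentials are being reused from unregistered devices.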
With so many people accessing the network remotely, how do you make authentication more secure?
Two-factor authentication is critical. We have seen time and time again that password-only authentication has not been enough to prevent security breaches. With two-factor authentication, you use a password combined with a second factor, like an associated PIN that is generated dynamically and sent via text or email to your device. This allows your authorized users to remotely access company resources safely, from a variety of devices.
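The second-factor flow described above (a dynamically generated PIN delivered out of band after the password check), as an added example that is not Fortinet's code; the PIN length, the five-minute lifetime and the three-attempt limit are constructed values, and the `send` hook stands in for an SMS or email gateway that is assumed rather than implemented.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional

PIN_TTL_SECONDS = 300   # constructed: a PIN is valid for five minutes
MAX_ATTEMPTS = 3        # constructed: a PIN is burned after three wrong guesses


class SecondFactor:
    """Issues and verifies one-time PINs for users who already passed password auth."""

    def __init__(self, send: Callable[[str, str], None]) -> None:
        self._send = send                       # out-of-band delivery hook (assumed)
        self._pending: Dict[str, dict] = {}     # username -> {pin, expires, attempts}

    def issue(self, username: str, now: int) -> None:
        """Generate a fresh 6-digit PIN from a CSPRNG and deliver it out of band."""
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = {"pin": pin, "expires": now + PIN_TTL_SECONDS,
                                   "attempts": 0}
        self._send(username, pin)               # the PIN is never returned to the caller

    def verify(self, username: str, candidate: str, now: int) -> bool:
        """True only for the current, unexpired, unused PIN within the attempt budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False                        # nothing issued, or already consumed
        if now >= entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(username, None)   # expired or exhausted: must re-issue
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["pin"], candidate):   # constant-time comparison
            self._pending.pop(username)         # single use: success consumes the PIN
            return True
        return False


def pending_count(sf: SecondFactor) -> int:
    """Number of outstanding PINs (handy for tests and for a pending-PIN metric)."""
    return len(sf._pending)
```

The same shape applies when the second factor is a hardware or app token; only `issue` changes, while the expiry, single-use and attempt-limit checks in `verify` stay.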