In Part 1 of this series (Part One: Why are Branch Offices so Vulnerable?), I looked at some of the reasons why branch offices are so vulnerable to data breaches. In Part 2, (The changing face of malicious attacks), the topic was the new forms these attacks are taking. In Part 3, I’d like to talk about how the solution Cradlepoint has developed with Zscaler defeats these new attempts to access corporate networks.
Part 3: The Rise of Intelligent Routing
As I stated in the last blog, we at Cradlepoint are very excited to be announcing Zscaler Internet security. So is Zscaler. Cradlepoint is proud to be the first to market with Zscaler’s Internet security solution.
What we're doing with this solution is combining our router with the Zscaler Security Cloud to provide intelligent routing of web traffic for security and application control. We call it intelligent routing because once you configure the Zscaler Internet security on the Cradlepoint router, it routes traffic in one of three specific ways:
Trusted Websites: For trusted sites such as Salesforce.com. When a user enters a trusted address, our router will communicate with the Zscaler Cloud via DNS. When Zscaler Cloud recognizes the site, it allows our router to access it. If the user is on a trusted site and wants to go to another site, Zscaler will conduct any further web-based security and filtering to make sure these additional sites are safe as well.
Websites that should be inspected: These represent the majority of users’ Web destinations. When the user tries to access these sites, their request will go through the full Zscaler Web proxy, with Zscaler security Cloud inspecting the site for malware and applying content and application filtering policies. If Zscaler finds that the site is secure and does not violate content policy, it will allow access. If not, it will block the user’s access to the site.
Known Malicious Sites: The third instance of intelligent routing is when a user navigates to a site that Zscaler has already identified as a known malicious site, such as a botnet or CCN site. In this case, Zscaler will automatically block the site at the Cradlepoint router, again through a DNS return message. Zscaler will automatically block access to any such bad sites or known bad destinations.
All this occurs seamlessly for all devices connected to the Cradlepoint router – including mobile devices and guest WiFi. The solution also enforces ‘Safe Search’ on Google, Yahoo, and Bing.
So how does this work in real life? Let's say the user is on Google and tries to go to a gambling site and you have defined on this particular router that gambling is a policy violation. When the user tries to access the site, he or she will get a message that access is restricted.
Let’s say someone in your office wants to look for images of Playboy bunnies. With Zscaler in place and enforcing Google SafeSearch, the images that come up will not be what the employee was looking for: they’ll be pictures of real bunnies. If the user tries to turn Google SafeSearch off and try the search again, they’ll find that Zscaler has turned it back on again. Users can't defeat security policies because Zscaler enforces them at the router level. This is true whether the user is on an iPad, an iPhone, an Android, or any other device on that network.
The solution also defeats phishing attempts that link to malware. Many phishing emails work by taking recipients to nefarious websites that install malicious code to try to steal information from them. With Zscaler in place, if users get a phishing email that tries to send them to a malware site, Zscaler will block the site. Zscaler decision to block access to a site is based on the more than 100,000 security updates it gets each day from an enormous number of sources.
The pinnacle of Internet security is what Gartner defines as “Unified Threat Management,” which is comprised of three capabilities Cradlepoint can provide:
A stateful firewall (one that keeps track of the state of network connections)
VPN capabilities and network segmentation.
Network intrusion prevention
The fourth capability, "secure Web gateway," is the ability to protect users anytime they access the Web—not just from a content filtering perspective and application control, but also by protecting them from the bad guys on the Web. That’s where Zscaler comes in, and that’s why they are the perfect partner for us.
In my fourth and final blog on this topic, I’ll talk more about how Cradlepoint and Zscaler work together to provide Unified Threat Management.