Addressing network security challenges at the edge
For the distributed enterprise, emerging technology and tools are a blessing and a curse. They can greatly benefit a company’s efficiency and the bottom line, but they also often present additional security challenges at the edge.
Gartner Research estimated that by 2016 more than 30% of advanced targeted threats will target the branch office/network edge as the vulnerability entry point. It’s important to consider not only the risks at hand, but also the types of solutions that will be most effective for your unique situation.
The move to cloud apps raises new security issues
From a network perspective, branch offices have been treated as extensions of the corporate office, connected to the main hub using MPLS. But since MPLS is so expensive, companies have used alternatives, including broadband DSL with IPsec VPNs.
But if you are moving more cloud applications to your branch offices, do you want that traffic to go through a VPN tunnel to corporate for filtering, have policies slapped on it, and then go out to the Internet? Or do you want it to go directly from that branch to the Internet?
Local Internet paths replace older networking solutions
Direct Internet Access (DIA, also called Direct to Net or Direct to Internet) uses local Internet paths for public cloud and Internet access. DIA is an efficient way to provide cloud services such as Office365, email, productivity tools, web-based content, and collaboration tools like Salesforce. It’s cost effective, and it provides a better user experience.
The problem with DIA is that when users go directly to the Internet, it opens the doors to all kinds of potential attacks. If an employee using Gmail as a personal account is the target of a phishing attack, the next time he or she logs on at work, malware can reach the main corporate network. How do you as a network administrator prevent that from happening — not just at this one employee’s computer, but also at every computer, smartphone, and any other device in this BYOD world?
UTM appliances increase latency
One approach is to buy an all-in-one device such as a UTM (Unified Threat Management) appliance. Then, as your requirements grow, you just add more of these devices. But when you start turning on a variety of security functions on each appliance, you run into the problem of increased processing time and latency.
As your organization moves to cloud-based apps that have animation, video, and other latency-sensitive content, you need to either add more appliances (and, in the process, continue to increase latency) or add a significant cloud-based component to your security strategy.
Cradlepoint has a better idea
Focused as we are on computing at the edge, Cradlepoint has developed a deep understanding of the pros and cons of various branch office security solutions. We believe that DIA has a lot to offer distributed enterprises, as long as the accompanying threat of attacks is successfully addressed.
That’s why we’ve formed partnerships with Trend Micro and Zscaler. Provisioned using our network management and application platform, NetCloud Manager, Trend Micro and Zscaler deliver centralized on-premises and cloud-based security to companies with large numbers of branch locations, both stationary and mobile.
Providing on-premises security
On-premises attacks can take many forms: a hacker getting on your network locally at a branch office, a WiFi attack against a vehicle, targeting devices to gain access to the network and run special “intrusion tools,” or maybe a USB drive loaded with malware that gets slipped into a retail computer.
Trend Micro’s Intrusion Protection System (IPS) monitors incoming traffic and actively prevents intrusions that it detects. If, for example, Trend Micro sees someone executing a brute force attack against the Remote Desktop Protocol (RDP), the Trend IPS engine will notify NetCloud Manager. The attack can be blocked automatically, or you as an operator can see the Trend alert and block the attack manually.
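To make the detect-then-notify-or-block flow concrete, here is an added example that is not Cradlepoint’s, Trend Micro’s, or NetCloud Manager’s code. It runs a simple brute-force detector over a few constructed connection-log lines: repeated failed authentications to TCP port 3389 (RDP) from one source inside a sliding time window raise one alert per source, and the alert carries either a “block” action (automatic mode) or a “notify_operator” action (manual mode), mirroring the two responses described above. The log format, field names, thresholds, and sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample log lines (assumed format, not real traffic).
# 203.0.113.7 fails six times in five seconds: a classic brute-force burst.
# 192.0.2.15 fails once and then succeeds: a user who mistyped a password.
# 198.51.100.9 fails six times spread four minutes apart: "low and slow".
SAMPLE_LOG = """\
2016-03-01T09:00:01Z src=203.0.113.7 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:02Z src=203.0.113.7 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:03Z src=203.0.113.7 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:04Z src=203.0.113.7 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:05Z src=203.0.113.7 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:06Z src=203.0.113.7 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:10Z src=192.0.2.15 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:00:11Z src=192.0.2.15 dport=3389 proto=tcp result=auth_ok
2016-03-01T09:05:00Z src=198.51.100.9 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:09:00Z src=198.51.100.9 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:13:00Z src=198.51.100.9 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:17:00Z src=198.51.100.9 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:21:00Z src=198.51.100.9 dport=3389 proto=tcp result=auth_fail
2016-03-01T09:25:00Z src=198.51.100.9 dport=3389 proto=tcp result=auth_fail
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) proto=\S+ result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts,
        "src": m.group("src"),
        "dport": int(m.group("dport")),
        "result": m.group("result"),
    }


def detect_rdp_brute_force(log_text, threshold=5, window_seconds=60, auto_block=True):
    """Return one alert per source that reaches `threshold` failed RDP logins
    within any `window_seconds`-long sliding window.

    auto_block=True  -> action "block"            (automatic response)
    auto_block=False -> action "notify_operator"  (operator decides manually)
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerted = set()
    alerts = []

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dport"] != RDP_PORT or ev["result"] != "auth_fail":
            continue

        q = failures[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()

        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ev["ts"].isoformat(),
                "action": "block" if auto_block else "notify_operator",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_LOG):
        print(alert)
```

With the default one-minute window and a threshold of five, only the bursty source is flagged; the slow source never accumulates five failures inside any window. Widening the window to 30 minutes catches it as well, which is the tuning trade-off a real IPS signature makes: longer windows and lower thresholds catch patient attackers but raise the chance of blocking a branch user who keeps mistyping a password.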
Implementing cloud security
For web security, Zscaler enables you to identify what kinds of content you want users to be able to access. This can be particularly useful if you are making WiFi browsing available on a school bus and want to make sure specific kinds of content are blocked to meet CIPA requirements.
For threat security, Zscaler basically stays in block mode. It prevents the downloading of malware and keeps users from following links to known phishing sites, or to sites that are known security threats.
One of Zscaler’s most helpful features is that it has IP reputation built in. Zscaler has its own threat lab — and it gets feeds from other threat labs located all around the world. If a lab in Kuala Lumpur explodes some executable and finds a security problem, Zscaler instantly puts that IP address on its list of known malware and prevents your users from accessing it.
Where some high-end security companies tout the effectiveness of their threat labs — and charge a lot of money for their protection from the bad actors they discover — Zscaler’s participation in a broad network of threat labs provides much more thorough and up-to-date protection.
Stay safe and save money
Many companies are still struggling to find the right combination of onsite and web browsing security tools. Many also are weighing the relative merits of MPLS versus IPsec VPNs, while at the same time paying more for security solutions that deliver less. Cradlepoint is helping solve these challenges — and allowing IT managers to breathe a little easier.
Network administrators and IT staff working for distributed enterprises can use our complete security package to take advantage of Direct Internet Access, knowing that NetCloud Manager, Trend Micro IPS, and Zscaler are in place to turn back the many emerging security threats at the edge.
To learn more, check out our e-book.