This is a guest blog post. Views expressed in this post are original thoughts posted by Glen Kemp, Solutions Consultant at SecureData Europe. These views are his own and in no way do they represent the views of the company he works for.
The Bring Your Own Device (BYOD) explosion has happened, it’s over, and it’s history. Wireless networks are groaning at the seams with hundreds of additional personal devices connected to networks. This post is not about that; it’s about where I believe many organisations have a blind spot in terms of risk.
The migration of “consumer” devices from home to work was perhaps inevitable from the first time a Palm Pilot made its way into the office. However, what is less obvious is the way that Enterprise grade technologies are starting to appear in the home.
The one technology which perhaps has done the most to enable “working from home” policies is ubiquitous access to broadband Internet. In Europe this has mostly been driven by a rollout of “DSL” services and in the US by a combination of technologies including digital cable. From early on, the home broadband router was established as a cheap and easy way to get a user with a handful of devices onto the Internet and ultimately onto the corporate network. In many cases, a “stripped down” version of Linux provides a ready-made network operating system with the basic routing and network address translation features to enable quick and easy access. The use of Linux as a starting point was a no-brainer, as the “free” operating system could be easily customised and required very little processing power. As time and processing power have marched on, the level of sophistication in these devices has quietly increased to the point where their capabilities shame some big brand networking vendors. Simple Network Attached Storage (NAS) file and print services are included in products from Netgear and Draytek, full IPsec branch and remote user VPN tunnel services are built into “consumer” devices from Billion, and full VoIP gateway features are available from FRITZ!Box. At this highly competitive end of the market, features are piled on to stay relevant. The nature of the beast is that whilst cosmetically these devices may look different, for the most part they use the same basic open-source applications licensed via the GPL. For example:
Apache used for the administration web server
iptables used to provide firewalling features
Samba providing NAS services
TwonkyVision providing UPnP services
OpenSSL for encryption services
The issue here is that these services tend to be cut-down builds with default settings enabled and/or security features disabled. Within an Enterprise, patching and maintaining these services would be someone’s responsibility. However, in the home networking world security plays second fiddle to ease of use and features; once set up, these components do not tend to be patched by the vendor, let alone by the users, as vulnerabilities are uncovered.
Equipment at Home
The unaddressed risks go deeper when you consider what else is being attached to the home network. Whilst devices such as game consoles and the odd Apple product are to be expected, these are reasonably well hardened devices and actually expose relatively few externally exploitable services. What is perhaps more insidious is the rise of home networking appliances. Whilst the utility and ubiquity of the fabled “Internet connected refrigerator” is somewhat in doubt, there are plenty of other Internet enabled devices creeping into the home. In the UK and US, outlets such as Comet, PC World, and Best Buy stock home NAS devices from companies such as Netgear, Drobo, and QNAP. This class of device is primarily aimed at providing home users with an easy way of backing up images, music and other files in a “safe” place so they can be accessed remotely. This technology was initially very limited, but to refer to these devices as “mere” Network Attached Storage vastly underestimates their capabilities and the risks attached. The “home” NAS market suffers from the same competitive demands as the home router market, where features are king. As a result, these gigahertz-class devices often have relatively large amounts of RAM, disk space and a very easy to use GUI. They can be easily configured as a full-blown web, email, LDAP or proxy server and more, all with a lovely web interface. At the more extreme end, but still well within the consumer budget, some of the larger devices are fully VMware certified. Whilst many IT technical people will have some sort of setup at home, ranging from an extra PC to a scaled-down enterprise network, the provision of a full virtual environment at home creates additional, unknown and undocumented risks.
The issue is not perhaps that they are running a home “Asterisk” voice gateway, but that they are making this accessible from the web. Vendors such as Synology and QNAP have “free” iPhone and Android apps to allow users to access their files from anywhere. Some fairly major networking vendors still don’t have comparable clients for their corporate VPN gateways. This may go some way to explain the very high expectations end-users have had for corporate remote access from portable devices. What does this mean for the enterprise security policy?
Although it is very much still the “thin end of the wedge”, other Internet connected devices are starting to make use of this “connected” home technology without spending a king’s ransom. Devices such as the Heatmiser Wi-Fi-enabled thermostat allow you to control your home’s central heating from anywhere via an iPhone app or via any Internet connected web browser.
The risk not (re)assessed
This gives the clearest indication of where the risks lie. When we started down the “working from home” route, the number of devices at home was very small and access was allowed outbound only. Now, the number of home devices has increased dramatically. Through services such as Dynamic DNS and integrated cloud solutions, an end-user can easily host application services at home. This begs the question: should an enterprise security audit include home workers’ personal device management? Ideally, yes; the enterprise should have some visibility over local services. In the real world, this is not going to happen in any meaningful way.
Why does this or should this matter to Mr Joe Average network administrator? There are a couple of reasons I can think of:
Unless your device management and data leakage prevention technology is very effective and/or draconian, there is a much greater risk that a user will copy corporate data “for safe keeping” onto their lovely big NAS device. This is much more likely if you have corporate policies with tight user data quotas or have suffered an unrecovered loss of data.
The current generation of consumer technology provides means, motive, and opportunity for a user working from home to expose company data (deliberately or otherwise) to the Internet. Locking a user out of the network no longer effectively prevents them exploiting or sharing digital assets. Data sharing sites such as Dropbox and SkyDrive are much more readily available and do not require a degree in computer science to utilise.
Addressing the risk
How can we address this? Well, the obvious thing is to stop categorising users working from home as anything like being trusted.
The time has come to end the tyranny of the “Any Any Accept” rule on the VPN edge for even strongly authenticated users. IT Departments must start to take an interest and understand what types of applications users are actually accessing across the WAN and VPN.
“Always on” security controls for any device accessing corporate data or mail are a necessity, not an option. This means the basics need to be covered in terms of firewall policy, anti-virus and patch management.
Active Data Leakage Prevention needs to be brought up the agenda; organisations need to understand who is using their data and where it is going when the user walks out of the front door.
User education needs to underpin all of the above; technical controls can prevent many screw-ups and deliberate attacks, but alone they cannot cover every base. Users need to understand the fluid nature of data and accept some level of responsibility for its care and use. It’s a hackneyed saying, but prevention is better than cure in this case.
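To make the “Any Any Accept” point above concrete, here is an added example (not from the original post and not Juniper’s own documentation) showing a Junos SRX-style VPN-edge policy first in the permissive form the post warns against and then tightened to the services remote users actually need, with logging so unexpected traffic becomes visible. The zone names, address-book entries, addresses and the choice of permitted applications are assumptions for illustration.

```junos
# Before (assumed zones "vpn" and "trust"): every remote user gets everything.
set security policies from-zone vpn to-zone trust policy remote-users-any match source-address any
set security policies from-zone vpn to-zone trust policy remote-users-any match destination-address any
set security policies from-zone vpn to-zone trust policy remote-users-any match application any
set security policies from-zone vpn to-zone trust policy remote-users-any then permit

# After: name the internal services (constructed addresses), permit only those,
# log every session, and end with an explicit logged deny so anything else is recorded.
set security address-book global address mail-server 10.0.10.25/32
set security address-book global address file-server 10.0.10.30/32

set security policies from-zone vpn to-zone trust policy remote-mail match source-address any
set security policies from-zone vpn to-zone trust policy remote-mail match destination-address mail-server
set security policies from-zone vpn to-zone trust policy remote-mail match application junos-https
set security policies from-zone vpn to-zone trust policy remote-mail then permit
set security policies from-zone vpn to-zone trust policy remote-mail then log session-init
set security policies from-zone vpn to-zone trust policy remote-mail then log session-close

set security policies from-zone vpn to-zone trust policy remote-files match source-address any
set security policies from-zone vpn to-zone trust policy remote-files match destination-address file-server
set security policies from-zone vpn to-zone trust policy remote-files match application junos-cifs
set security policies from-zone vpn to-zone trust policy remote-files then permit
set security policies from-zone vpn to-zone trust policy remote-files then log session-init
set security policies from-zone vpn to-zone trust policy remote-files then log session-close

# Catch-all: policies are evaluated in order, so this must come last.
set security policies from-zone vpn to-zone trust policy deny-rest match source-address any
set security policies from-zone vpn to-zone trust policy deny-rest match destination-address any
set security policies from-zone vpn to-zone trust policy deny-rest match application any
set security policies from-zone vpn to-zone trust policy deny-rest then deny
set security policies from-zone vpn to-zone trust policy deny-rest then log session-init
```

The logged deny is what gives the IT department the visibility the post asks for: the session logs show which applications remote users are really trying to reach before any further rules are added.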
How can Juniper help?
To combat these kinds of threats, Juniper’s Junos Pulse suite of tools can give much better visibility and control over smart devices and conventional “fat client” platforms. Junos Pulse Mobile Security Suite can ease the burden of BYOD and the consumerisation of IT by delivering anti-malware, loss and theft protection and mobile device management (MDM) for a variety. The Junos Pulse client for Windows integrates VPN, endpoint protection and network access control features in a single, unified managed client.
I would be interested to hear your thoughts on the consumerisation of IT and what this means from a security stand point, so please do add your comments below.