Strong Endpoint Security Offers Firewall Alternative for SMBs and Branch Offices

Ahh, the firewall… that invaluable tool which monitors and protects traffic to and from an organization, as employees and servers communicate with the Internet and other networks or devices.

What would we do without them? Firewalls can block unauthorized access and inspect packets and prevent malware from infecting your network. A company might have an enterprise firewall at its headquarters office in Austin, TX, and another at its branch office 1,200 miles away in Charlotte, NC, and use these firewalls to enforce traffic and security policy across its network and access points. It might open a new office location in Chicago, IL, and equip that location with a third firewall and integrate it into the traffic and protection scheme. Or, conversely, the company might turn to a cloud firewall model to eliminate the amount of investment in physical security equipment and maintenance at its various sites. Either way, the company is taking prudent steps by incorporating firewall protection to help keep its electronic databases and other assets safe from infection, corruption, misuse, theft or ransom.

But what about a company that has only one office and 50 employees distributed across the country, most of whom travel extensively and are out of the firewall’s protective range? Do we expect them to log into the VPN when they work from their home offices or while visiting a client or attending a conference? Do we trust that they will log in? Does an enterprise-firewall-with-VPN strategy do much good here? And what if this small company doesn’t have the servers, routers and other equipment in its HQ office and instead leverages infrastructure in the cloud? Is a firewall appliance or cloud firewall really the most appropriate security solution for this type of organization?

Consider this: Firewall appliances at each office are there to protect the resident users, equipment (physical and virtual), and data. If your organization becomes so distributed as to have only a few people in the office and your server and database equipment in the cloud, the whole premise of the enterprise firewall loses its purpose. With intellectual property no longer on the premises to protect, it’s smart to consider a strategy in which network and security policy follow your employees wherever they are and wherever they go as they access private enterprise data from the cloud, and share data with one another.

Security at the Endpoint

Endpoint security is a strategy in which organizations or individuals attempt to stave off cyberattacks by fortifying remote equipment with on-device cybersecurity protection. Typically, this protection consists of antivirus software and scanning and complements a firewall. But when the firewall and VPN are eliminated from the equation, endpoint security must be stronger.

Cyber-attacks target individual users and their workstations via ransomware, Web browsers, document viewers, and multimedia players that download and execute content from the Internet in the hope of gaining a beachhead into the corporate environment. One wrong click or download by the end-user and the infection can spread laterally (east-west)… within the firewall… and across the internal network. No longer limited to big organizations and brands, SMBs are in the crosshairs of cyberattacks, with 43% of cyberattacks worldwide targeting small businesses.

Strong endpoint protection doesn’t replace all rationale for firewall use, but it can supplant traditional firewall and VPN strategies in certain scenarios.

  • In organizations in which many IT applications (e.g., Office 365 and Salesforce) and/or sensitive digital assets are no longer hosted in internal network datacenters. Often, traffic from remote workers is backhauled over the VPN to an enterprise control center, from which it is then routed back over another VPN connection to IT services in the cloud. This method of backhauling traffic is expensive, unreliable, and slow.
  • In organizations in which there are few or no company offices, and employees operate outside any firewall protection… Here, the workforce is largely distributed and transient, connecting to enterprise apps hosted in the cloud. In this scenario, endpoint protection needs to be more advanced and adaptive than static antivirus and firewall protection, and the flexing protection must be always-on.
  • In small organizations consisting of an owner and one or more 1099 employees, where workstations are limited to computers located in remote offices. Firewall and VPN protection for these companies may seem heavy-handed, while host-based antivirus and scanning may not be enough to enforce security concerns and Zero Trust best practices.

In these scenarios an organization wants to be able to protect its remote workers from cyberattacks, protect these users’ connections to Internet and cloud access points, and prevent the spread of malicious code or file-less malware. The firewall becomes obsolete in some environments, and the VPN impractical. Strong endpoint protection and network segmentation become a smart, effective defense.

OPAQ Endpoint Coverage

OPAQ Endpoint Protect provides easy-to-deploy advanced security-as-a-service for your distributed endpoint users. Organizations can employ it as a complement to the firewall or when firewall or VPN protection doesn’t make sense – for example, small offices of 25 to 50 users.

OPAQ secures remote workers and the private network from the latest threats. Security follows users wherever they go – whether they are in a coffee shop, inside an airport or on a plane or train. The protection goes beyond host-based antivirus signatures and scans and includes:

  • Network intrusion prevention and detection (IPS/IDS)
  • Network anti-virus/malware/spyware
  • External IP inspection and filtering
  • Network URL inspection and filtering
  • Zero-Day protection
  • Internet exposure minimization
  • Protection from both DNS- and Web-based assaults.

Meanwhile, OPAQ Endpoint Control governs your lateral traffic, providing secure access control and network segmentation. Using OPAQ Endpoint Control, organizations can place sensitive IT applications on the open Internet or in the cloud, while ensuring that only authorized users can access those applications. It can also be used to lock down internal networks, closing off unnecessary avenues for lateral movement by attackers who have compromised devices behind the corporate firewall.

Benefits:

Firewall displacement: Is a physical firewall at every office a waste? Are your remote users not logging into the VPN? OPAQ offers always-on advanced protection that doesn’t require your staff to invest and maintain the equipment.

Tightened endpoint security. Endpoint Protect ensures that every Internet connection initiated by the endpoint goes through OPAQ’s security cloud. This model provides affordable cloud-delivered enterprise-grade security for organizations that previously couldn’t afford or manage advanced security.

Stopping stowaways. The best approach to distributed security is to segment internal networks using software to contain the spread of attacks. OPAQ Endpoint Control is a network segmentation solution that gives you the visibility to see suspicious activity, quickly search for malicious network processes across your user base, and stop all network communication from infected endpoints.

Backhaul offload. Many organizations today are stuck backhauling full tunnel VPN traffic from remote workers to their enterprise. IT applications are increasingly hosted in private clouds, which are reached over endless VPN connections. Using OPAQ Control, organizations can break free from this inefficiency, moving to a model where trust is anchored in the user and the device, rather than the network they are on.

Security cannot be a static defense. To protect remote workers harnessing the cloud, leave the firewall behind and leverage strong, smart endpoint protection that is always on and evolving ahead of the latest threat.

Learn more about OPAQ EndPoint Protect

Read about Securing Remote Workers

The Virtual Private Network Is Dead Again? Not so fast…

Regardless of what you call it, the VPN concept remains crux in your defensive blueprint for secure Internet access.

The virtual private network (VPN), which must have more lives than a cat, has reportedly died again, and according to some industry prognosticators and influencers, VPN is now a bad word. It’s a term to be avoided by unblinking believers of the marketing-driven sleight-of-digit and word-wizardry mesmerism claiming the VPN is no longer an important concept for security. Don’t say VPN, they tell you. Be cool and use alternatives such as software-defined perimeter and secure Internet access instead.

Okay, I’ll try to remember that, I tell myself.

Then I see the new Spider-Man movie, “Spider-Man: Far From Home,” and the VPN term comes up in dialogue between the two main characters. Mary Jane advises Peter Parker (aka Spider-Man) to download a VPN on his phone so he can’t be digitally spied on. So, the hottest new movies are treating VPNs as still relevant, and even Spider-Man is consuming a cool VPN app that he can use to protect himself when ‘far from home.’

VPN. There, I said it. It’s just a word, right? A word we should be able to continue to use to describe a discipline and extended-zone principle that means more than Vendor A and B’s product marketing du jour. From a sound security standpoint, VPN is not just some product you have to buy and manage. It is still an important scheme in your WAN without boundaries defensive strategy.

The technical definition of VPN is a secure, often encrypted connection between trusted device and private network or server. With the network expanding and your mobile employees going wider into unsafe waters, do you want to stop focusing strategically on virtual private networks? All a VPN is an extended zone of protection. You can’t just magically wave a wand and say you’re protected without extending network security policy out to endpoint devices.

Industry projections support the VPN’s immediate survival, dispelling some of this zeitgeist semantical doomsday talk which can be misleading from an overall security perspective. As organizations expand their networks, or outsource some or all of their IP backbone, applications or services in the cloud, the VPN doesn’t disappear; it just gets more virtual like the cloud itself.

The cloud VPN market is estimated to grow at a CAGR of over 21% by 2024, led by increasing shift toward virtual applications and the surge in demand for cloud services, according to Global Market Insights. Another report from Market Research Future puts the VPN market CAGR at 18% through the end of 2022.

So what is all this hog-splash about VPN being a dirty word, a nonexistent thing, a strategy component that some vendors would have you strike from your lexicon, something to be hidden from your transformative security strategy?

Authentication: A Pain in the Protective VPN Ring

Maybe this sustained campaign to bury the VPN – or call it something else – is because the VPN carries associations in which remote user traffic is backhauled to data centers hundreds of miles away, resulting in latency and the use of expensive private lines.

Maybe it’s because traditional VPNs often hassle end-users for constant sign-ins and additional passwords, and users don’t bother using the VPN when they work on company devices, leaving the organization exposed. Although organizations strongly encourage employees to use the VPN when remote or using public networks, the majority of the time employees don’t bother. Requiring additional authentication by end-users can mean more pain, and this has emboldened some vendors to get into semantics hype, or maybe they’re attempting to skirt privacy issues. There’s no more VPN, but you’re safe, they say. Voila. Never mind the man behind the curtain.

What product marketers are actually getting at is they are replacing the traditional prompt-based authentication and authorization with less-jarring solutions under the veil of buzzwords like software-defined networking and software-defined perimeters (SDPs). We’re doing SDN and SDP, too, but for those looking to protect all traffic from the IP layer (Layer 3) and up, VPN is still a requirement.

Engaged employees want access to data and tools that empower them to get the information they need, without being pulled aside for additional verification.

Whether it’s a VPN that is always on, or the same principle through SDP, when your employees use the Internet, protection should follow them wherever they go.

Virtual private network (VPN) is a concept, a best practice, not a now-obsolete product term as some would play you a fool for in telling you to strike from your vocabulary. Virtual private networks still provide us with structure, an easy-to-grasp overall term meaning extended private network security and protection across a constantly flexing network perimeter.

Our world feels less physical… Even venerable virtual private networks are getting more virtual, more seamless and less overtly intrusive for end users. VPNs help to defend us, and in instances where they require interaction with us for additional verification, we tolerate the balance between our productivity, privacy, and enterprise security.

Cyber Risk Management: Avoiding Business Disruption as You Digitally Transform

What is cyber risk management? For too many budget-restricted small-to-midsize enterprises, cyber risk management means trying to protect the network and datacenter by establishing antivirus and firewall security safeguards against known attack vectors and across known parts of the network. But cyberattacks are getting more technologically advanced, and malware and social engineering ploys regularly slip past these basic perimeter defenses, regardless of an organization’s size or brand.

Industry surveys estimate that between 43% and 58% of cyber-attacks worldwide target small businesses. Cisco found that 53% of SMBs have reported a breach, while, according to the Better Business Bureau, about 36% of small businesses that reported being a target of a cyberattack ended up losing money.

The attacks often start by popping an end user – a digital mobile warrior or someone in a remote office – taking advantage of human error, under-inspected email links and attachments, or the Internet access points these employees use to consume or share data. These vulnerable network endpoints and access points can represent dark holes in your network visibility, i.e., blind spots outside your private network. Your network can then get infected without you even knowing about it, with industry breach detection medians and averages ranging between 70 and 200 days. The existing level of defense is just not enough anymore.

Are you able to protect computing devices that are communicating in public places where airwaves are shared, where login redirects are easy for hackers to host, and where open ports back into your network can jeopardize the sanctity of your network and data? Are you able to detect and stop the intrusion once it breaches your perimeter and attempts to spread laterally?

The use of digital computing, social networking and ‘app sharing’ for business agility brings a new and widening set of challenges and evolving types of cyber-attacks… attack vectors that are different than the ones we may have heard about last week. It’s difficult to keep up.

The malicious code itself is being recompiled and is getting better at penetrating networks and fooling static defenses and human judgment. Digital and wireless points of transaction left unattended or poorly protected against compromise allow your user’s credentials to be stolen and then used in attacks on your network, data, partners, finances, and the future of your enterprise. Don’t be the low-hanging fruit due to a static level of defense.

Continuously evolving advanced security is needed to protect you, your users, and data. However, keeping security strong traditionally involves costly rollouts and updates at the physical equipment level. Exacerbating the challenge is that there are other parts of the business that need the investment more and you just can’t afford additional cyber risk management practices. Or you’re uncertain what to do about the risk, business disruption, or potential (or yet-to-be-detected) damage to your organization. For example, as your business grows, you may not be sure what to do about regional privacy law violations if you discover that the data of your employees or customers has been hacked…

Advanced Cybersecurity and Risk Management

Cyber risk management is a discipline practiced by organizations to protect themselves from cybercrime and digital threats that can disrupt business. Cyber risk management typically consists of threat assessment, cyber protection tools, and security controls and guidance, with advanced security and cyber insurance often being the missing components. Only between 15% and 38% of small to midsize businesses have cyber insurance coverage. Seek out cyber insurance partners with programs designed to suit the needs of small-to-midsize businesses (SMBs). Policies should be transparent about the details of coverage and be flexible and affordably priced to help SMBs to incorporate cyber insurance into their risk management programs.

Modern, holistic cyber risk management is hard. It can be difficult to manage and afford by yourself, which is why too many SMBs fall back on the most rudimentary cyber defenses. It doesn’t have to be that difficult or costly anymore.

Digital business transformation is about adopting new technological competitive advantages and efficiencies, and adapting process for opportunities and risks. This can be harnessed from the cloud, giving small and midsize enterprises a more level playing field on which to compete.

Make sure a hack doesn’t disrupt your business. Check out this turnkey cyber risk management solution that’s purpose-built for SMBs.

More information:

Why Firewall-as-a-Service Makes Sense for Your Growing, Distributed Network

It’s true that cloud adoption won’t eliminate all your IT infrastructure equipment at every office. But this doesn’t mean you have to stock up on big-ticket items such as servers, single-purpose routers, switches, security appliances, datacenter square footage, power and cooling, plus manpower, at every new site your organization operates.

Enterprises have traditionally established IT infrastructure within each branch office for the purpose of connecting remote workers with the headquarters, branch offices, and the Internet. This approach typically requires the procurement of an assortment of network, server and security equipment, which is expensive to acquire, manage, maintain and store.

Your branch offices don’t have to be so equipment-intensive and space-eating anymore. Cloud infrastructure is a viable way to grow and secure your network rapidly and efficiently, without having to build out and maintain the infrastructure yourself. You see, cloud infrastructure can flex to the needs of organizations large and small, thanks to a dozen or more years of investment, innovation and proven value. The cloud has led to shared efficiencies, where even the smallest of businesses can tap into and harness the pre-built infrastructure for networking, software, web presence, billing, and more, via providers such as Amazon, Microsoft, Salesforce, Shopify, and countless others.

Similarly, security services can be hosted in the cloud, where smart traffic orchestration and advanced protection capabilities can be deployed instantly across your distributed network, without complex and costly onsite maintenance.

Firewall in the Cloud: Why Firewall-as-a-Service?

Bolting security into your existing network infrastructure can be a massive, complex and costly task that never ends, including for organizations already doing business in the cloud or those grappling with multicloud environments where the juxtaposing concepts of a tight perimeter and accessibility can foil one another. A firewall can solve some of these tradeoffs through packet filtering, TCP/IP monitoring, and advanced traffic inspection, but the traditional equipment-centric approach hinders the ability and agility of companies to keep ahead of fast-evolving security threats that can cross Internet gateways and gain access to the private network.

Firewall-as-a-service (FWaaS) is a digitally transformative alternative that dispenses the need for physical firewalls at every remote site and enables an organization or managed service provider to simplify security operations in the cloud, where cost and efficiency advantages such as shared economy of scale (multitenancy) and rapid service delivery reside.

Additional advantages of FWaaS include centralized control, easy and consistent distribution of the latest generation of security capabilities, scalability beyond on-site hardware limits, and more-predictable cost and budgeting.

Reduction of security hardware management and maintenance – By supporting multiple branch offices and remote workers through a flexible cloud-based firewall approach, IT management teams are likely to see hardware acquisition and recurring maintenance costs go down. OPAQ Firewall-as-a-Service empowers organizations to reduce the amount of network edge devices they procure, support and replace, and instead realize a predictable security investment that is right-sized for them. OPAQ clients have reduced costs by as much as 40%, and are better able to leverage their limited security personnel for essential security priorities.

Central management and consistency – Through a single cloud console, FWaaS offers consistent security policy management across multiple offices/locations and remote users. Network and IT security managers can route traffic through policy enforcement checkpoints in the cloud to ensure protection and performance of communications and attachments between your offices, ISPs, the public Internet and more.

Faster deployment and ongoing updates of advanced security – OPAQ Firewall-as-a-Service is next-generation protection powered by Palo Alto Networks, a leader in Gartner’s Magic Quadrant for Enterprise Firewalls for seven consecutive years. The OPAQ Firewall-as-a-Service model enables organizations and managed service providers to deploy advanced security capabilities across the network without the need for time-consuming onsite device reconfiguration. Initial deployment, timely security updates and customized subscriptions become less time-consuming and less costly. Once deployed, the addition of new features — such as moving from antivirus inspection to file sandboxing or decrypting SSL —no longer relies on the size and capacity of the firewall appliance at a specific site.

Firewall-as-a-service represents a smart, fast and efficient way to fluidly administer the latest, most comprehensive protection across your network and vulnerable points of ingress and egress.

To find out more, read the Firewall-as-a-Service solution brief in our resources section.

 

Why Wireless Security Protocols Won’t Protect Your Roaming Remote Workers

Whether it’s in a coffee shop, airport or crowded mall, wireless networks present a range of security risks not inherent in wired networks. Wireless access points (WAPs) and wireless routers broadcast data over the air in every direction. In hotspot environments where this traffic is unencrypted, any eavesdropping device within a limited range can easily pick off the signals and steal information.

The threat, while diminished, isn’t eliminated when WEP, WPA or WPA2 wireless encryption standards are employed to protect the data. WEP encryption can be cracked in minutes, and hackers have also compromised modern routers utilizing WPA and WPA2. Organizations can patch the vulnerabilities in their WPA and WPA2 protection, but the threat doesn’t end there.

Using readily available wireless sniffing devices such as the popular WiFi Pineapple, determined hackers can spoof the WiFi network as part of a man-in-the-middle attack to steal user credentials, insert malware, and compromise machines, whether the user is still in the café or has returned home or to a nearby office.

Outside the enterprise firewall, VPNs help with these mobile worker scenarios, but remote endpoint security relies heavily on the human element: What people do, what they don’t do. Even the best employee will temporarily disconnect from the corporate VPN to access the Internet directly, exacerbating the risk of infection from spyware, malicious sites or embedded files. Users go into coffee shops and airports and board trains and then bang away on their keyboards and do work. They make sustenance purchases. With the right level of caffeination, they can be rather productive in their contributions of digital and perhaps even audio- or video-delivered work. They’re focused on the job at hand, and they don’t want to be hassled by too many security steps in order to maintain a productive pace. You know the drill: Log into the VPN, complete two-factor authentication, and then, due to any extended human pause such as deep thought or bathroom break, you have to do it all over again just to resume your work.

In addition, wireless data encryption and VPNs, even when used, can’t stop shoulder surfing, and unattended machines are a big no-no since thumb-drive malware insertions can successfully be executed in seconds.

According to IDC research, more than 70% of breaches start at the endpoint. From there, a hacked employee, or a hacker or malware piloting the compromised device, might then use a “secure” tunnel to access your organization’s active directory, or a customer communication tool. Here, the compromised endpoint can lead to widescale network infection including the loss of data, network control, reputation and business.

Distributed Network Security Requires Endpoint Visibility

Do you know all the assets connecting to your network? The pathways they’re taking, the payload or suspicious behavioral tics or storms they’re carrying? Can you recognize immediately who is trying to connect to your network, using which app, on which device, and quickly authenticate identity, monitor and control for appropriate network usage?

Traditionally, on-device endpoint protection is managed sporadically and inconsistently, which is not an effective way to maintain a shrewd Zero Trust approach across your network. Ransomware, bots and malware have a way of morphing to get past static, outdated antivirus protection at the endpoints. In the majority of cases, especially when involving BYOD, the hardware drive isn’t encrypted and the VPN isn’t used. Exposure to ransomware threats increase outside the private network – for example, a largely unprotected mobile employee opening email or entering data into your network from a crowded restaurant or a public hotel. Intrusions such as spyware, password theft, and open-port assaults can all result from a malicious presence lurking, listening and entering from a nearby or remote location.

Do you really want an employee plugging his laptop into a public charging station at an airport and then reconnecting directly to your live conference, private network or datacenter without first orchestrating detection and authentication? Do you want to leave network pathways open so new worms, viruses, malware and other hacker schemes can spread? Firewall and VPN defenses are vulnerable to this lateral exploitation. Workers, whether mobile or in the office, as well as certain types of computing architectures, can inadvertently leave open windows for malware and file-less malware schemes such as social engineering ploys to spread deeper into the network. As if that’s not enough, denial-of-service (DoS) attacks are increasingly targeting prone remote users for an easy entry point (sometimes via another protocol known as Remote Desktop Protocol, or RDP) and they can then flood your network.

Advanced Always-On Endpoint Protection

You can’t rely on wireless security protocols, disciplined VPN use, and static antivirus protection to secure your remote workers as they run the gauntlet of cybersecurity threats outside your firewall. Your endpoint protection must be always-on, even when your people aren’t.

Through efficiencies in the cloud, OPAQ enables organizations of all sizes to bolster and continuously refresh remote security with:

  • Always-on end-user protection and advanced malware detection and prevention.
  • Strong authentication, including multi-factor and/or directory-based.
  • Encrypted communication over SSL or VPN, as well as on-device hard-drive encryption.
  • Suspicious activity alerts about what a company device has connected to.
  • Smart processes and safeguards before the device connects to your organization’s private networks, including a sensible screensaver timeout policy.
  • Microsegmentation, which provides additional layers of security against the spread of malware or unauthorized network control. Microsegmentation works by isolating workloads from one another and creating secure network zones that prevent infected hosts from connecting to each other or to the core network. It produces separate secure tunnels for users who are roaming and those who have been authenticated for more private network and data access. In the past, the cost and effort of network segmentation versus the risk of lateral infection was too much for many organizations to bear, but the cloud has enabled organizations to implement such advanced security controls more efficiently and cost-effectively.

Reinforce your security at the endpoints and reduce your attack surface with just a push. Apply smart, on-device security-as-a-service at the endpoint without compromising user experience or performance.

Learn more
Read the OPAQ Securing Remote Workers report.

Why Endpoint Security Is Crucial in Our ‘WAN Without Boundaries’ World

Networking: It’s not just about the physical communication structure you have to maintain. Networking is a way to grow your business, your brand, your market potential.

Leveraging the open Internet and social apps in the cloud can be more cost-effective than travel, face to face, and complete reliance on communication and collaboration over expensive private networks. However, employees are not always within the secure enterprise firewall/private WAN as they perform the functions of their jobs. Think electronic payment systems, for example, or public hot spots where the employee doesn’t first connect to your VPN. This venturing outside the perimeter leaves them – and potentially your entire company – exposed to hostile elements. Bad actors, someone or something that tries to deceive, steal or destroy, are lurking out there and trying to break in through the same Internet we’re using.

Your customers’ privacy, data, and finances are at risk, too. Data hosters and managed service providers are targeted regularly. When cracked, they lose their customers’ information and trust. The pilfered private information can be sold on the Dark Web, which is an anonymous realm where more than half of the web domains practice illicit activities.

A stateful firewall, one that inspects network traffic and packets, is not enough. Hackers, cybercriminals and AIs can successfully attack through deeply embedded, well concealed, or file-less schemes. In addition, firewalls are not good at stopping infections once a breach has occurred. You have to also be able to inspect credentials and network behavior so intruders are not able to cover their tracks, control your systems, and ruin your business and reputation.

Unfortunate Security Scenarios for Your Distributed Network and Workforce

So, realizing the threat, do you send teams out to all your branch offices for equipment reconfiguration? Maybe … But what do you do the next time, when the hackers start to exploit vulnerabilities in your soon-to-be legacy protection system? A lot can go wrong during this catch-up period.

  • Hackers, targeting easy prey, get in due to delays in applying a patch for remote access protocol. They borrow administrator privileges and create new phony accounts. It’s a deep hack. Your data, your customers’ data, has become theirs.
  • An employee in a small remote office, prone to email-driven social engineering ploys, gets infected. Any peer to peer communications from the employee’s machine can spread malware or misleading information to other users and systems.
  • Joe plugs his phone into a public charging station … or maybe he’s using a wireless network at a subway coffee shop where a sneaky neighboring device is monitoring traffic on the shared network. Oops. He forgot to log into the encrypted VPN before enjoying his espresso drink and clicking a digital link. Joe’s phone (the endpoint) thereafter starts acting suspiciously inside your own network, whether you can see this happening or not.
  • Poor Joe. In another scenario, he’s at an all-week conference and in the habit of leaving his laptop open and “on” in the hotel room when he’s not there. His system’s apps are still on, and the room’s visitor doesn’t even have to know Joe’s screensaver password. Just a little plug-in and the unauthorized person can fool your network into believing phony instructions from the endpoint are authentic.

Do you want to wait for the next truck roll to bolt on security against these very possible scenarios?

Why Remote Security Is Vital for Your Growth Strategy

Endpoint security is not just about token antivirus protection on mobile devices and a reliance on the user to log into your VPN. It’s about always-on protection wherever your employees go to do business, hence helping your organization to win in the aforementioned scenarios. You have to be able to inventory and secure all corporate-issued mobile computers and bring your own devices (BYODs) to ensure network performance and security. Doing this only at the network equipment level makes for a porous net in fighting crime at a wider network level. Instead, counterattack at the device level (phones, laptops, tablets), for these are the touchpoints roaming into the sometimes-hostile outside world.

Read the OPAQ report that stresses the criticality to:

  • Centralize team security by automatically inventorying remote and mobile endpoints inside a security-conscious dashboard.
  • Apply next-generation endpoint protection including strong authentication, encrypted communication, anti-virus management, anti-spyware, advanced malware filtering and protection, and microsegmentation.
  • Protect users with an always-on VPN that secures them while on the public Internet as well as while accessing private enterprise data, with separate clean corridors for each.

Read the Securing Remote Workers report.

 

Network Modernization and SD-WAN: How to Deepen Security as Your Network Goes Wider

So you want to modernize your organization to capitalize on all the leading-edge advantages of the digital era, big data, cloud efficiencies, AI, leading business apps, and partner and customer relationship opportunities? Achieving this business IT transformation requires a strong dose of change management including a willingness to transition on-premises servers to the cloud and switching from Web browser-only services to mobile-friendly apps and sites that facilitate new and more distributed connections. However, these promising modern system architectures won’t pay off without high-performance, highly scalable yet affordable networks to support them. Hence, a move to modernize networks and utilize the cloud is under way.

Why is the cloud so important in network modernization and wide area network (WAN) optimization? The biggest advantage is it enables organizations to leverage what’s already out there (namely, flexible networks, high-value application infrastructures, multitenant shared services, and outsourcing opportunities) so you don’t have to build or invest in the WAN infrastructure yourself.

But the underlying technologies in today’s network infrastructure consist of a hodgepodge of components such as traditional IP routers, multiprotocol label switching (MPLS), and software-defined networking, all of which offer differing ways of transporting data, creating a massive amount of complexity for organizations and managed service providers alike.

MPLS is a network technique that directs data from one node to the next based on the quickest path instead of relying on referencing IP routing tables. But when it comes to security and traffic orchestration in the cloud, MPLS is not fast, flexible or straightforward, requiring branch office-to-Internet service requests to pass through a core network before being delivered. This creates additional traffic over expensive MPLS lines, a utilization that doesn’t take advantage of the whole agile and ubiquitous nature of today’s cloud-centric business model.

A different networking approach drawing attention is software defined wide-area network (SD-WAN). SD-WAN is a transport-agnostic overlay that can route any type of traffic (LTE, 3G and broadband, as well as traffic over private MPLS circuits). The SD-WAN approach provides a network management and control layer to orchestrate ‘backhaul offload’ and WAN optimization. It should figure in enterprise considerations when trying to achieve faster deployment timetables for branch enablement and realizing cloud benefits such as availability and cost. But, as SD-WAN starts to complement today’s private MPLS networks and traditional IP routing, organizations should also consider a number of security questions.


Don’t Forget to Modernize Security as You Modernize Your Network Strategy

Just as there are compelling reasons to modernize your system architecture, business computing methods and networks, there are also compelling reasons for modernizing network security.

As you shift from backhauling all or most of your traffic through the core network in favor of more direct branch to cloud pathways, you are potentially losing some elements of centralized network and security policy.

SD-WAN – as a central enterprise WAN-traffic controller from which to easily apply policies across all devices – is not a security technology, per se. It allows you to avoid the cost of backhauling traffic through the core network, but with that comes the challenge of implementing enterprise-grade security policy across a distributed network.

So what do you do? Do you trade off some security at the branches by plugging in an SD-WAN device that offers only basic protection? Or do you pay for truck rolls (i.e., technicians to install and configure edge devices at every office) and then bear with lengthy deployment cycles? Do you team up with a managed security provider?

This is where the notion of security as a service (SECaaS) and network service insertion from the cloud can come in handy. With a single network and security cloud, you or your managed service provider can simply throw the switch to deploy smart centralized network policy and security at the branch level, extended VPNs, and mobile outliers. This cloud-based security approach, while reducing vulnerabilities at the branches and among mobile/remote users, can also reduce deployment times by up to 91 percent.


Five Key Security Considerations for SD-WAN and Hybrid Cloud Networks

A new white paper from OPAQ discusses five security imperatives companies should keep in mind as they modernize their network infrastructure. A few of these important considerations are to:

  • Modernize security as you modernize your network. SD-WAN is a modern transport system, but isn’t necessarily an advanced security system. Protect your digital assets and your information with security solutions such as next-generation firewalls and leading-edge endpoint protection.
  • Secure your branches as you enable them. As you fortify distributed users with direct access to Internet information and apps, the implementation of advanced security doesn’t have to create long delays and siphon from productivity.
  • Ensure that backhaul offload doesn’t open Pandora’s Box. Mitigate the risks of infection, costly viral lateralization attacks, and the compromising of sensitive data by passing any direct branch office-to-cloud traffic through an agile and virtual firewall and fully encrypted network. Easily segment your network to limit the spread of a cyberattack.

As you modernize your networks, make sure you protect your data, users and business reputation with a fully integrated solution that incorporates an encrypted software-defined network, next-generation firewall and endpoint protection capabilities that can be applied in a matter of minutes, long before that next truck roll.

Watch the Webinar.

Read the white paper.

 

 

Avoiding the Security Pitfalls of SD-WAN and Network Modernization

Network modernization, like any wave of innovation, is multifaceted in its good intentions. It’s about rearchitecting your network so it is better able to handle increasing traffic and high-bandwidth-consuming apps such as video, ensure availability and quality of experience, flex for the delivery of new revenue-generating service offerings, and reduce network and application maintenance and overall costs.

The much ballyhooed yet still somewhat enigmatic cloud, with its highly virtualized and outsourced infrastructure, has already delivered some of this modernization by enabling organizations to offload some traffic from today’s predominantly hair-pinned and expensive MPLS-based WANs in favor of direct user access to Internet services. The cloud ecosystem offers other network modernization enablers such as shared service economies of scale, ready-to-leverage network capabilities such as automation, and transport independence (i.e., the ability to use broadband, LTE, Carrier Ethernet and MPLS “lines”).

Software-defined WANs (SD-WANs) could occupy a complementary network management and orchestration role to relieve some of the cost of (and dependence on) today’s rigid and expensive private networks. However, the path to network modernization is not all neatly wrapped and tied in pink ribbons, and uncertainty exists from a security perspective as well. Every time a user, whether stationed at one of your branch offices or remote, accesses the Internet directly he or she is potentially opening Pandora’s Box or letting sensitive data out. MPLS schemes require this sort of risky traffic to first pass through the core network for networking protocol and security application, which is a good thing, but at what cost? Traffic over MPLS lines can be dozens of times the Mbps/month cost versus broadband and the public Internet, so you want to orchestrate traffic in a way that reserves private lines for high-priority traffic and utilizes the public Internet for lower-priority interactions. Although SD-WAN may be ideal for this role and faster enablement of branch office and mobile workers through software-as-a-service, it is not an advanced security solution.

 

Advanced Security for SD-WAN and Cloud Networks

SD-WAN, which can empower organizations to exercise centralized SaaS control over traffic to and from the cloud and the WAN as a whole, poses some vulnerability issues. Centralized security is more difficult to administer when traffic isn’t backhauled to the data center or network hub, and malicious code and hacker schemes can more easily pass through to your distributed users undetected (north-south traffic).

What’s more, without the intervention of advanced security mechanisms, infections can more easily spread laterally – from user to user, system to system, and office to office (east-west traffic).

If you’re going to capitalize on the potential efficiencies of the cloud and SD-WAN controllers, you must first secure the egressing of traffic directly between the Internet and remote sites as well as protect against lateralization attacks. This can be accomplished through an advanced security solution designed for the cloud, which includes fully integrated next-generation firewall and endpoint protection as-a-service.

 

Secure Network Modernization Webinar

These and other topics will be explored during a webinar titled, “Avoiding the Security Pitfalls of SD-WAN and Network Modernization,” moderated by Security Now, and presented by Rik Turner, Principal Analyst, Ovum, and Ken Ammon, Chief Strategy Officer, OPAQ.

By attending this webcast, you will:

  • Understand the top security vulnerabilities plaguing companies as they modernize their networks
  • Learn how critical security vulnerabilities can be easily addressed with security-as-a-service
  • Discover how cloud and automation are enabling companies to simplify their ability to modernize their networks and security

Register for the webinar.

Download the white paper.

Adopting SD-WAN Shouldn’t Mean Compromising Your Security

Here at OPAQ we believe that SD-WAN technologies hold great promise as a toolset for making more efficient use of high performance Internet connectivity. However, like many new technologies, SD-WAN solutions are being adopted by organizations and put into production before they’ve learned how to navigate the security pitfalls associated with them. We’re seeing these solutions get deployed in the field ways that compromise information security or introduce new vulnerabilities. It’s important that organizations approach SD-WAN armed with an understanding of how to do it right.

 

SD-WAN Solutions Can Introduce Vulnerabilities

Last month at the 35th annual Chaos Communication Congress, Sergey Gordeychik gave an excellent presentation covering attack surface areas and vulnerabilities in a variety of SD-WAN products. A number of these products have shipped with default passwords, cross site scripting and command injection vulnerabilities in their management interfaces, as well as vulnerable versions of cryptography protocols such as SSL. Gordeychik and his research collaborators published a set of tools and resources including a tool called SD-WAN Harvester that can automatically enumerate SD-WAN nodes on the Internet. Using this tool, they discovered thousands of SD-WAN systems with known vulnerabilities exposed to the open internet.

 

SD-WAN Solutions Can Route Around Security Controls

Many organizations are using high-performance MPLS links to backhaul Internet bound traffic from satellite offices to security centers where next-generation firewalls can inspect that traffic for threats. SD-WAN solutions are often introduced for the express purpose of reducing load on MPLS links. The introduction of SD-WAN can result in some internet bound traffic leaving directly from satellite offices without being inspected. Sometimes this occurs because users don’t understand how their SD-WAN has been configured. In other cases, this is done intentionally in order to reduce MPLS backhaul, with the problem being that the kind of security inspection that can be performed by the SD-WAN devices themselves usually doesn’t measure up to the capabilities of a full next-generation firewall, with important capabilities such as SSL decryption, application awareness, and dynamic threat intelligence missing. Regardless of the reason, the result is that important security controls are bypassed, opening up an avenue for malware to reach inside the organization.

 

Asking the Right Questions

OPAQ recommends that organizations which have adopted or are considering the adoption of SD-WAN ask themselves a set of questions about their approach:

  • Assess Your Vendors: How security savvy are they? Do they have a good track record of responding to security vulnerability disclosures?
  • Assess Your Deployments: Do your SD-WAN nodes have services listening on the open Internet? Have you changed the default passwords? How is access controlled?
  • Assess Your Usage: Are you sending traffic from your users directly to the Internet in a way that bypasses your security controls? Do you have a way to monitor for changes that might introduce that sort of condition in the future?

OPAQ believes that our ability to provide next-generation firewall services from the cloud can help customers who adopt SD-WAN avoid making security compromises. OPAQ’s Security-as-a-Service can be deployed in conjunction with SD-WAN, enabling customers to bypass MPLS backhaul for Internet-bound traffic by sending that traffic to the OPAQ Cloud instead. Our network of regional Pods and peering relationships enable us to deliver that traffic to its destination with minimal latency while providing the full protection of our cloud hosted next-generation firewalls provided by Palo Alto Networks. This architecture provides a best-of-both-worlds WAN optimization solution in which high performance MPLS links are reserved for the most latency sensitive voice and video traffic while the whole organization remains protected behind the best security infrastructure available.

Read the white paper.

SMS Hijacking: What do Midsize Enterprises Need to Know?

The security world has been buzzing recently about attacks that target text message-based multi-factor authentication (MFA) systems. In mid-July an article in Motherboard detailed the criminal underworld that has formed around the lucrative practice, which can be used to compromise consumers’ online banking accounts, steal bitcoins, and hijack popular social media accounts. On August 1st Reddit announced that an attacker exploited SMS-based MFA to compromise several employee accounts at its cloud and source code hosting providers. This is a security issue that deserves some focus because of the fact that criminals have operationalized the attack techniques involved.

How do these attacks work?

The attacks target multi-factor authentication systems that work by sending a text message to the user with a code in it that they must enter in order to access their account. The attack works by taking over the victim’s phone number, so that the attackers receive the access code instead. The most common techniques for hijacking a mobile phone number are a “SIM-swap” and a “port-out scam.” In a SIM swap, the attacker convinces the phone company to associate the phone number with a different SIM card. On a “port-out” the attacker convinces the phone company to transfer the number to a different phone company. These attacks can be performed by social engineering phone company employees, but may also involve corrupt insiders at the phone company who take a cut of the proceeds from the scam.

In both cases, when the attack takes place, the victim’s phone will lose service, and may receive text messages from the phone company indicating that the SIM or phone number has been moved.

What should enterprises do?

First, consider educating end users about the issue. If they receive unexpected messages indicating that their SIM has been moved and their phone won’t connect to the cellular network, they may be the target of an attack in progress, and they should contact their phone company immediately. In some cases it may be possible to dial 611 to reach the phone company even if service is not active. Some phone companies offer additional security features such as PIN codes and Port Validation that can be enabled at no additional charge.

Second, review the multifactor authentication systems that you have in use. Systems that rely on pushes to a mobile app or a hardware token aren’t vulnerable to this attack, but some MFA systems support multiple modes and allow the end user to decide which authentication mode to use. Consider deactivating modes that rely on text messages and phone calls. However, it is also important to keep perspective. Mobile phone based MFA is better than not having MFA at all. It’s vulnerable, but it’s another hurdle that an attacker would have to cross, and it should be adopted in places where it’s not possible to use more secure systems.

Third, consider your network architecture. Organizations increasingly rely on cloud hosted systems that may be exposed to the entire Internet, whereas in the past internal corporate applications were usually hosted behind firewalls. The ‘de-perimeterized’ network requires more care regarding what services are exposed and how/where they can be accessed.

One strategy that can be effective is to lock down remote administration services in the cloud so they will only accept traffic from the egress IP address of your organization’s firewall. Administrators will then have to access your corporate VPN before they can administer your cloud, where you can enforce strong multi-factor authentication.

A more secure approach is to place internal applications hosted in the cloud within your VPN. OPAQ’s unique Firewall-as-a-Service approach can connect far-flung corporate offices with data centers and clouds without the expensive overhead of deploying individual firewalls to each location or backhauling traffic to and from a corporate headquarters. We can work with you to build a network that enables your organization to efficiently adopt cloud services without losing the security capabilities of your traditional VPN.