
Android OS Enterprise Security Considerations - Are you at risk?

Sunday, December 18, 2011 by Mario McGuire
Is having an Android phone on your corporate network going to cause any substantial security risks? Well, let me give you some information that can calm the waters a bit.

Spike in Malware -

A recent report showed a 400% annual growth in Android malware. This stat is a bit misleading, though, considering that it started from near zero. A group of anti-malware vendors has reported a rapid rise in Android malware, and a fast-moving upward trend is clear. What most people don't know is that the hundreds of Android apps infected by malware are dwarfed by the millions of PC infections.

Upon doing some research of my own I noticed that the reports I was reading pointed out that most of the Android malware being downloaded was actually coming from third party markets rather than Google's Android Market. Most people in the industry know that Apple's market is much more stringent on the applications that are published. Users that download from a reputable source are far less likely to download infected applications.

Making Mountains out of Mole Hills?

To put this all into perspective, let me start with the fact that enterprises have used anti-malware for years because of the immense number of worms, trojans, and other viruses threatening PCs. This PC malware was pervasive and damaging enough that risk management was warranted. The time has come to take these Android threats seriously, but remember the focus should be on the biggest business risk.

Malware seems to make juicy headlines, but the reports identify other aspects of Android security that pose a more significant threat. McAfee's report notes that "Android provides a small set of APIs to administer the device; the OS controls the password/PIN policies and can remote wipe the phone. This is fairly limited and not much help when performing network security assessments or building a security product. This is exactly why IT departments are resorting to encrypted containers and third party MDM agents to protect corporate data and assert more extensive policies.

Another important issue is that even when Google fixes vulnerabilities within days of discovery, it's up to the manufacturers to produce the firmware updates applying the fixes. This process has been complicated by the fact that a single device model may have many updates to support carrier-specific customizations. Once the manufacturer produces an update, it's up to each carrier to test it and deploy it to the users. This all means time to patch can be very lengthy, and enterprises have no way to control or speed up vulnerability management.

What does all this mean?

Market fragmentation makes it difficult for enterprises and vendors to apply consistently-strong controls.
  • Android 3.0 (Honeycomb) made hardware encryption possible for manufacturers.
  • Android 4.0 (Ice Cream Sandwich) will further raise that bar.
Enterprises will still have to deal with many different devices, each with different security capabilities and vulnerabilities. MDMs can help by enabling IT visibility and control, but IT must then shoulder the burden of deciding which devices are "Secure Enough" while limiting or banning business use of the rest. These problems should be at the forefront of enterprise network security policy considerations when deciding how to mitigate Android threats. Don't ignore the Android malware, just battle it as a part of broader Android device management and security policies.

Enterprise Wireless Network Infrastructure Guide

Thursday, December 30, 2010 by Mario McGuire
Wireless networks are omnipresent, but an enterprise environment demands much more than a simple wireless router that you would use on a SOHO network. An enterprise-class router needs better security, better performance, and more features than basic routers. Most importantly, however, an enterprise wireless router needs to be able to manage the keys used to access it.

 

Standards-

Wireless standards have stabilized substantially in recent years. The older 802.11a, 802.11b, 802.11g, and 802.11n standards are well accepted. While you still need to make sure that the hardware in your network will support whichever standard you decide to use, the odds are good that if you're OK with the speeds the standard provides, you're not going to have to worry about what will and won't work on your network.

802.11a – Up to 54 Mb/s, 75’-100’ indoor range, 5 GHz

Least used technology due to the cost when it was initially adopted. Now its cost is not much more than b or g. Since the 2.4 GHz band is heavily used to the point of being crowded, using the relatively unused 5 GHz band gives 802.11a a significant advantage. However, this high carrier frequency also brings a disadvantage: the effective overall range of 802.11a is less than that of 802.11b/g.

802.11b – Up to 11 Mb/s, 125’-150’ indoor range, 2.4 GHz

The dramatic increase in throughput of 802.11b (compared to the original standard) along with simultaneous substantial price reductions led to the rapid acceptance of 802.11b as the definitive wireless LAN technology.

802.11b devices suffer interference from other products operating in the 2.4 GHz band. Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices, and cordless telephones.

802.11g – Up to 54 Mb/s, 125’-150’ indoor range, 2.4 GHz

This works in the 2.4 GHz band (like 802.11b), and was rapidly adopted by consumers when it was released in 2003. It shares the same bandwidth as the 802.11b standard, and most standard wireless adapters support b/g. 802.11g still suffers like 802.11b in that even devices like wireless keyboards can affect its signal.

802.11n – Up to 300 Mb/s, 200’-230’ indoor range, 2.4/5 GHz

802.11n is a recent amendment which improves upon the previous 802.11 standards by adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4 GHz and the lesser used 5 GHz bands. It has the longest range and also the least interference of all of the standards.

 Note that in some cases, using different standards at the same time can hurt your network's performance. If blazing-fast performance is your number one priority for your wireless network, only allow 802.11n connections.

 

Security-

A wireless network creates security problems that wired networks don't have to face. Potential attackers can sit outside of your building, point an antenna, and potentially access everything you've got. It's well known in security circles that some attempts at wireless security are virtually pointless—it's said that the Wired Equivalent Privacy (WEP) standard has been completely cracked and a determined attacker can get through WEP protection in under a minute.

An enterprise environment should definitely support the Wi-Fi Protected Access 2 (WPA2) encryption standard. You might have older wireless equipment that isn't compatible with WPA2, but the risk of leaving your network exposed isn't worth taking for old equipment. Keep the older, pre-WPA2 equipment in mind, however—if you have older laptops or expect on-site guests with them, you'll need to provide an alternative, like a wired network.

Encryption isn't the only defense for your wireless network. Most enterprise-class wireless routers support VPN tunnels, and other features such as integration with a security suite are common. Remember that you have to protect your network, but also remember that advanced security features often carry a performance cost, so carefully balance your networks.

 

Performance-

Modern wireless routers can handle many simultaneous connections and lots of bandwidth, a major difference from less expensive SOHO routers. Plan ahead and know how much bandwidth and how many connections you'll need, though, because high-bandwidth applications and reliable connections are more vital as laptops and netbooks become more popular than desktops, even in enterprise settings.

An important consideration for wireless performance is range, but unfortunately your building, not your router, is probably going to be the biggest factor in range. It's probably not feasible to change your building's layout and construction materials for the sake of a wireless network, so plan to install repeaters for your wireless signal.

 

What Are Your Needs-

Wireless technology has advanced quickly in the last few years, so if you need a wireless network to perform a certain task, chances are the equipment you need is available. The prices for wireless equipment vary by huge amounts, however, so take a thorough inventory of what you want to connect to your wireless network now and what you'll want to connect in the future.

What is your company's Network Security Policy? If you don't have one I suggest you perform Network Security Assessments and make sure that you're putting the best effort you can into maintaining your data's safety.

Remember that you'll probably be connecting much more than laptops to your wireless network. Wi-Fi enabled smart phones are the norm now, and even devices such as media players and video game consoles have wireless access. There's no telling how people will want to use your wireless network in the next few years. SkyByte Consulting can assist with any of your company's network security projects from Cisco ASA firewalls, to Checkpoint support, VPN installations, and even performing network security assessments.


Active Directory Upgrade: Upgrading SBS 2000 AD to 2008R2 AD

Tuesday, December 14, 2010 by Darren Sieck
Recently SkyByte won a project to install a new VMware vSphere 4.1 virtualized server cluster utilizing a NetApp SAN. An important prerequisite to the VMware project was an Active Directory upgrade from the client's current single server SBS 2000 domain controller to the latest Server 2008 R2 Active Directory. Our new client had grown out of its single DC SBS many years ago but they never found a consulting company that was confident enough to tackle a production upgrade to 2003 Active Directory much less to 2008 R2 Active Directory.

SkyByte designed an Active Directory Upgrade plan to solve their network growth problems. The company had 100+ desktops authenticating logins, running login scripts, and serving DNS, WINS, and multiple DHCP scopes. SkyByte used VMware virtualization technologies to spin up multiple servers on new Dell physical server equipment. We first upgraded the domain to 2003 levels and after successful replications we upgraded the new 2003 domain to 2008 R2 levels. Ultimately the upgrade was a complete success and was done during business hours with NO company downtime. SkyByte also architected new levels of redundancy into the client's network by putting the main 2008 R2 DC on a physical server and two others on the VMware cluster. This choice assures that the domain would not be lost in the event of a VMware cluster or SAN failure. The customer now has multiple 2008 R2 domain controller servers for DNS, DHCP, and login authentication. These upgrades have paved the way to other network enhancements coming soon, namely SharePoint 2010 and Exchange 2010.

SkyByte has over 16 years of experience in advanced IT system design and architecture. We have implemented many complex Active Directory upgrades over the years. We apply a strong emphasis on network security for all our projects. SkyByte has performed business continuity risk assessments and DR planning for many businesses around the US.

How safe is your network infrastructure from a virus outbreak?

Thursday, December 9, 2010 by Mario McGuire
A few months back corporate America was hit by a new virus based in emails with the subject line "Here You Have" which seemed to spread like wildfire.

Sources said that companies like ABC/Disney, Google, Coca Cola and NASA were among the companies hit.

Comcast was forced to shut down its email servers entirely after being hit, a spokesperson said on Twitter. "Apparently, this virus (if you click on it) will pooch your PC if you shut it off if you're infected," she added.

"Good Morning America" weatherman Sam Champion was among those affected at ABC. He posted a message on Twitter that said a "huge email-spam-virus" was "filling up" his ABC News email account.

The prevalence of the virus was demonstrated on Google through a dramatic spike in Internet searches about the outbreak. Throughout the afternoon, "Here You Have" ranked as the number two search on Google behind "Terry Jones pastor."

Emails that carry the virus contain a link that encourages readers to click on a PDF document file. But rather than a PDF, the file contains a Windows script that transmits a virus and spams the entire contact list of the person who opened the file.
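A gateway-style check for the lure described above, where a link presented as a PDF delivers a Windows script instead. This is an added example, not code from the original post or from any filtering product; the extension list, the names used and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumed block list: extensions Windows runs when opened (not exhaustive).
RISKY = {".scr", ".exe", ".vbs", ".js", ".bat", ".cmd", ".pif", ".com", ".wsf"}

# Constructed sample message: one link disguised as a PDF, one honest link.
SAMPLE = """\
Subject: Here you have
Content-Type: text/html; charset=utf-8

<html><body><p>This is the document I told you about:</p>
<a href="http://files.example.net/invoice_pdf.scr">http://docs.example.com/invoice.pdf</a>
<a href="http://docs.example.com/handbook.pdf">Staff handbook.pdf</a>
</body></html>
"""

def ext(name):
    """Lower-cased final extension of a URL or file name ('' if none)."""
    return PurePosixPath(urlparse(name.strip().lower()).path).suffix

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def mismatched_links(raw_message):
    """Return (shown text, href) for links to a risky file type the text hides."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            found += [(shown, href) for href, shown in collector.links
                      if ext(href) in RISKY and ext(shown) != ext(href)]
    return found
```

Calling `mismatched_links(SAMPLE)` reports only the first link; a link whose visible text openly shows the same executable extension is left for other filtering rules to judge.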

The Internet Storm Center, at the SANS Technology Institute, an organization dedicated to tracking malicious Internet activity, reported receiving "tons of emails" about malware spreading through emails with the phrase "Here You Have" in the subject line.

Due to the network security policies that Skybyte Consulting implements, I can say that none of our clients were compromised by this virus. This is largely due to the email security solution we provide to our clients. These emails were caught before they ever made it to any of our protected clients' mail domains. IT professionals know that you can't put a price on a good corporate antivirus or email filtering solution. Skybyte Consulting can provide network security assessments for your company and provide you with antivirus and email security solutions.

Planning an Exchange 2007 to Exchange 2010 - Microsoft Exchange Upgrade

Friday, November 19, 2010 by Mario McGuire
Recently I've been working on some Exchange 2007 to 2010 upgrades and I would like to share some of my experiences. It is no easy task to upgrade a company's email system. Planning is key to making a successful migration. Here are some key things to help plan your Microsoft Exchange Upgrade to 2010 or 2010 SP1.
  • Assess your network infrastructure and decide if you need to acquire a new server or just require some server upgrades. Remember Exchange 2010 only runs on 64-bit versions of Server 2008 and R2. This also means you will need a 64-bit processor in your server.
  • Do you currently use virtualization in your network infrastructure? If so you can virtualize your Exchange server or servers using Microsoft Hyper-V Server 2008, a VMware vSphere installation, and other server virtualization systems.
  • Download and read the Planning for Exchange 2010 and also the Deploying Exchange 2010 information on Microsoft's TechNet site.
  • Does your current network infrastructure design support an edge configuration, or will you be just installing a single server setup?
  • If you are upgrading you can only upgrade from Exchange 2007 R2. This may require you to upgrade your Exchange 2007 server to R2. If you're running Exchange 2003 you will have to perform a migration.
  • If you're running an older network infrastructure like Server 2000 and earlier, it will require an Active Directory upgrade.
  • Do your current email security solutions support Exchange 2010?
  • When you finalize your plan also perform a business continuity risk assessment focusing on electronic communications for your business, and update your information technology disaster recovery plan to include the new Exchange 2010 mail server or cluster. These are very important parts of the process that many neglect to do.
Hopefully these tips and suggestions will make your transition to Exchange 2010 a little easier. SkyByte Consulting has significant experience with Microsoft Exchange upgrades and Exchange migrations. We can also assist with Blackberry Enterprise Server migrations and upgrades or secure connectivity with Droid or iPhones.

SkyByte is a security based service and solution provider dedicated to the delivery of secure data communications, risk management, data integrity and corporate privacy. SkyByte offers a wide array of IT consulting services such as the design and maintenance of firewalls, VPNs, LANs, WANs, VMware server virtualization, messaging systems and secure wireless networks.