Campus Networks

Prasida Menon

Sidestepping Security Woes of BYOD

by Prasida Menon on 09-04-2014 09:06 PM (1,481 Views)

My previous blog detailed how organizations worldwide can adopt BYOD programs seamlessly using innovative stackable switch solutions. While a solid network infrastructure and enhanced capacity form the backbone of any BYOD program, security is one of the overarching issues faced by many organizations today. With over 23% of US-based employees experiencing some form of security compromise on their personal devices in any single year, it is not surprising that a recent Gartner study shows over 75% of organizations citing security issues as their biggest concern in adopting BYOD programs.

With a plethora of mobile devices on the network, mobile device management is becoming an essential element alongside enhanced security protection. With BYOD the network perimeter continues to blur, and traditional security controls designed for a single device type no longer hold up in a typical BYOD deployment. Forrester Research cites that the top four concerns for BYOD programs are all security related, namely mobile device protection, data breach, mobile data security and mobile application security.

Security breaches can occur in simple ways, such as an employee losing a mobile device in a taxicab, or in far more complex ways, such as sophisticated malware designed to snoop on an employee's browsing activity on a mobile device. Jailbroken mobile devices compound the risk, since the built-in security measures imposed by the device manufacturer are removed. Another scenario is the classic man-in-the-middle attack against an employee's mobile device at an open WiFi hotspot.

How do we address a security breach such as an employee in the finance department reporting a stolen laptop containing sensitive information about the organization's financial outlook? What about an intrusion into social security and payroll information stored on payroll servers because an employee used an open local WiFi hotspot to access her payroll details? Obviously, prevention is better than any sort of workaround after a security incident, but other precautions can also be added to your network.

With BYOD risks ranging from the simple to the complex, and security being only as strong as the weakest link in the network, the ideal approach to this overwhelming problem is to secure every layer of the network. At the data link layer specifically, deploying IEEE 802.1X in conjunction with IEEE 802.1AE (MACsec) is ideal. IEEE 802.1X provides port-based network access control: an authentication mechanism in which an employee presents credentials such as a username/password or a digital certificate to the switch, which forwards them to the authentication server for verification. IEEE 802.1AE, or Media Access Control Security (MACsec), is an industry-standard point-to-point security technology that provides secure communication between authorized endpoints by preserving confidentiality and data integrity on the LAN. MACsec is equipped to identify and prevent most security threats such as man-in-the-middle attacks, denial of service attacks, spoofing and intrusion.

With the introduction of IEEE 802.1AE (MACsec) on Brocade's ICX 6610, Brocade's stackable switches help mitigate BYOD security risks at the data link layer. MACsec secures Ethernet traffic frame by frame without introducing any additional frames. A typical MACsec deployment, in which every Ethernet frame traversing the link between two switches is encrypted, is shown below:

FIGURE 1: MACsec typical deployment scenario (image MACsec.jpg not reproduced)

Broadly, MACsec provides three key benefits:

  • Encryption – MACsec encrypts the complete payload of an Ethernet frame.
  • Integrity protection – MACsec uses a shared key to compute an Integrity Check Value (ICV). Because both source and destination compute it over the entire Ethernet frame, any modification to the frame is immediately flagged.
  • Replay protection – MACsec flags out-of-sequence frames by associating a counter with each frame.
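The three protections listed above, together with the frame-level 802.1AE protection described earlier, in a small Go model added here; it is not code from the original post or from Brocade. It follows the GCM-AES-128 construction that 802.1AE specifies (a 96-bit IV of SCI || packet number, with the MAC addresses and SecTAG authenticated but not encrypted, and the 16-byte GCM tag serving as the ICV), but it reduces the SecTAG to its packet number, uses a replay window of zero, assumes both ends already share a secure association key (MKA key agreement is not modelled), and all key, SCI and MAC values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame models the parts of an Ethernet frame that matter here. The SecTAG
// MACsec inserts after the MAC addresses is reduced to its packet number (PN);
// Payload is cleartext before protection and ciphertext||ICV afterwards.
type Frame struct {
	Dst, Src [6]byte
	PN       uint32
	Payload  []byte
}

// Sender and Receiver share one SAK and the sender's SCI (assumed already
// agreed; MKA is not modelled). PN 0 is never a valid packet number.
type Sender struct {
	aead   cipher.AEAD
	sci    [8]byte
	nextPN uint32
}

type Receiver struct {
	aead   cipher.AEAD
	sci    [8]byte
	lastPN uint32 // highest PN accepted so far
}

// NewPair derives GCM-AES-128 state for both ends from a 16-byte SAK.
func NewPair(sak []byte, sci [8]byte) (*Sender, *Receiver, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return &Sender{aead: aead, sci: sci, nextPN: 1}, &Receiver{aead: aead, sci: sci}, nil
}

// iv builds the 802.1AE GCM IV: SCI || PN. Because PN never repeats under
// one SAK, a (key, IV) pair is never reused.
func iv(sci [8]byte, pn uint32) []byte {
	out := make([]byte, 12)
	copy(out, sci[:])
	binary.BigEndian.PutUint32(out[8:], pn)
	return out
}

// aad is the part of the frame sent in clear but covered by the ICV:
// destination MAC, source MAC and the SecTAG (here just the PN).
func aad(f *Frame) []byte {
	out := append(append(make([]byte, 0, 16), f.Dst[:]...), f.Src[:]...)
	var pn [4]byte
	binary.BigEndian.PutUint32(pn[:], f.PN)
	return append(out, pn[:]...)
}

// Protect assigns the next PN, encrypts the payload and appends the ICV.
// When the 32-bit PN is exhausted a fresh SAK is required; the model refuses
// to send rather than reuse a counter value.
func (s *Sender) Protect(dst, src [6]byte, payload []byte) (Frame, error) {
	if s.nextPN == 0 {
		return Frame{}, errors.New("packet number exhausted: rekey required")
	}
	f := Frame{Dst: dst, Src: src, PN: s.nextPN}
	s.nextPN++ // wraps to 0 after 0xFFFFFFFF, which the check above catches
	f.Payload = s.aead.Seal(nil, iv(s.sci, f.PN), payload, aad(&f))
	return f, nil
}

// Validate applies replay protection first (strict ordering, window of zero),
// then checks the ICV over header and payload and decrypts. Only a frame that
// passes both checks advances lastPN.
func (r *Receiver) Validate(f Frame) ([]byte, error) {
	if f.PN <= r.lastPN {
		return nil, fmt.Errorf("replay: PN %d is not after last accepted PN %d", f.PN, r.lastPN)
	}
	plain, err := r.aead.Open(nil, iv(r.sci, f.PN), f.Payload, aad(&f))
	if err != nil {
		return nil, errors.New("integrity check failed: frame modified or forged")
	}
	r.lastPN = f.PN
	return plain, nil
}

func main() {
	// Constructed sample values, not real keys or addresses.
	sak := []byte("0123456789abcdef")
	sci := [8]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01}
	dst := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x66}
	src := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	snd, rcv, err := NewPair(sak, sci)
	if err != nil {
		panic(err)
	}
	f, _ := snd.Protect(dst, src, []byte("payroll record 4711"))
	fmt.Printf("on the wire: PN=%d, %d bytes of ciphertext+ICV\n", f.PN, len(f.Payload))
	bad := f // integrity: one flipped ciphertext byte breaks the ICV
	bad.Payload = append([]byte(nil), f.Payload...)
	bad.Payload[0] ^= 0x01
	_, err = rcv.Validate(bad)
	fmt.Println("modified frame:", err)
	plain, err := rcv.Validate(f) // confidentiality: genuine frame decrypts
	fmt.Printf("genuine frame: %q err=%v\n", plain, err)
	_, err = rcv.Validate(f) // replay: same captured frame presented again
	fmt.Println("replayed frame:", err)
}
```

Two points worth noting from the model: a frame whose ICV fails is rejected before the receiver's counter moves, so an attacker cannot use forged frames to push the replay window forward, and rewriting the destination or source MAC fails the same check as rewriting the ciphertext because the addresses are part of the authenticated data. Real deployments tune the replay window above zero when a link may legitimately reorder frames.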

For more details or queries on Brocade Campus MACsec solutions and use cases, read this paper or comment here on this blog to further the discussion.