Intermediate Stuff: Wireless, Remote Access, One-Time Passwords
Many sites rely on the wireless integrated into the firewall, while others use the firewall to manage distributed access points. Just about any modern firewall can competently deliver and manage an effective wireless solution, and it often provides more comprehensive security monitoring and reporting than basic, discrete wireless options.
Whether wireless is delivered this way or with an additional solution, you’ll need to carefully evaluate your client’s wireless requirements. Some clients that want to provide wireless merely as a convenience for their customers need an access point that sends traffic right to the internet and nothing more. Others need more sophisticated wireless guest services, including bandwidth throttling, time limits, and more. Larger sites with multiple access points will probably want seamless roaming or to segment their wireless environment. Whatever your client wants, you’re in charge of securing the delivery of this service.
You must also take the time to learn how your customers plan to connect remotely—from home, from a roaming machine, from any machine, anywhere? What will they do with that connection? Access files, run client-server applications, launch an RDS or Citrix session, RDP into a desktop? You may end up provisioning an SSL VPN portal or sticking with client-based access. A great step you can take here is to enable one-time passwords, aka the “poor man’s two-factor authentication.” That feature is included free in many firewalls.
Advanced Stuff: Heuristics, Tunneling
An additional defense we enable for our clients is heuristic traffic analysis. Unlike the other firewall traffic-scanning services, heuristic analysis doesn’t rely on a signature set. With millions of new attacks monthly, signature-based scanning struggles to keep up. Heuristic analysis uses cloud-based “sandboxing” technology that detonates files in a safely contained space and inspects their behavior; a file is released to the user only after it is verified as benign. This is an invaluable extra layer of protection that’s easy to configure and reasonably simple to manage.
Another easily configured benefit for your users is protection when connecting through open access points: the “tunnel all” option in the SSL VPN client. All you have to do is configure the VPN client to tunnel all traffic (that is, disallow split tunneling) once the VPN is established. This sends all of the customer’s traffic back through their office, so it is protected on the way to and from the access point.
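As an added illustration (not code from the original article or any vendor), here is a small Python check a technician could run against `ip route show` output on a Linux client to confirm that tunnel-all is actually in force rather than a split tunnel. It assumes the VPN client creates an interface named tun0; the route tables and addresses below are constructed samples.

```python
import ipaddress
import re

TUNNEL_IF = "tun0"   # assumed name of the VPN client's tunnel interface

# Constructed sample: the client installed two /1 routes that shadow the physical
# default route, a common way to implement "tunnel all" without deleting it.
# 203.0.113.10 is the (constructed) VPN gateway and must stay reachable directly.
ROUTES_TUNNEL_ALL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample of a split tunnel: only the office LAN is sent through tun0.
ROUTES_SPLIT = """\
10.10.0.0/16 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+).*?\bdev (?P<dev>\S+)")

def parse_routes(text):
    """Return (network, interface) pairs from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["dev"]))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: which interface carries traffic to dst?"""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def leaked_destinations(text, probes, tunnel_if=TUNNEL_IF):
    """Probe destinations that would bypass the tunnel; empty means tunnel-all holds."""
    routes = parse_routes(text)
    return [p for p in probes if egress_interface(routes, p) != tunnel_if]

# Constructed probes: two public hosts, one office subnet, one other private range.
PROBES = ["1.1.1.1", "198.51.100.7", "10.10.5.5", "172.16.9.9"]
```

Run it with the live output of `ip route show` in place of the sample tables; any address returned by `leaked_destinations` is traffic the open access point would see in the clear.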