ENTERPRISE SECURITY BLUEPRINT, APPENDIX A
Protections
The following protections are typical for the Mobile design pattern:

Inbound Access Control
- Firewall restricts authorized network traffic on mobile devices to outbound interactions tunneled to the Mobile Access server
- Multi-factor user authentication is used prior to granting access to enterprise assets

Outbound Access Control
- Firewall allows authorized outbound interactions. Application control prevents access to known malicious sites and to applications associated with malware and data loss
- Network Address Translation (NAT) provides information hiding

Pre-infection Threat Prevention
- IPS blocks exploitation of known mobile application vulnerabilities
- Anti-malware blocks exploitation of data-driven application vulnerabilities
- Cloud-based sandboxing is used to emulate application behavior in order to identify and block malicious active content

Post-infection Threat Prevention
- Mobile device is scanned for malware
- Mobile Access server detects attempted connections to bot C&C servers
- Containment policies are enforced if indicators of compromise are found

Data Protection
- VPN establishes trusted channels between the mobile device and the Mobile Access server
- Enterprise data stored or cached on the device is encrypted
- Remnant information is deleted from the mobile device upon termination of the user's session with the Mobile Access server
Design Pattern
Network Infrastructure

Network Infrastructure is composed of complex hardware and software components that run network traffic forwarding applications to support inter-host communications. These components are managed and monitored using network management applications.

Protection of the Network Infrastructure should be based on the following principles:

Each network element is considered to be an atomic segment in the network segmentation model, responsible for self-protection against external attacks. The generic security policy to be enforced by network elements consists of:

1. Physical separation between control plane and data plane: ports used for forwarding traffic are not used for control and monitoring information, and vice versa. Control plane ports are connected to an out-of-band management network implemented using networking or virtual (e.g., VPN-based) separation from the production network
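As an added illustration of principle 1 (this is example code, not part of the Blueprint), the following audit checks one network element's port inventory against the control-plane / data-plane separation policy: control ports must not forward traffic and must sit on the out-of-band management network, and data ports must expose no management service. The Port model, the set of management services and the sample inventory are constructed assumptions.

```python
# Added example: audit a network element's ports for control/data plane separation.
from dataclasses import dataclass, field

# Services that carry control or monitoring information; they belong on the
# out-of-band management network only (assumed set, not from the document).
MGMT_SERVICES = {"ssh", "snmp", "netconf", "syslog"}

@dataclass
class Port:
    name: str
    plane: str                 # "control" (management port) or "data" (forwarding port)
    network: str               # "oob-mgmt" or "production"
    forwards_traffic: bool     # True if the port participates in traffic forwarding
    services: set = field(default_factory=set)  # management services reachable here

def audit_separation(ports):
    """Return (port name, finding) pairs where the element violates the policy:
    control ports must not forward production traffic and must sit on the
    out-of-band management network; data ports must expose no management service."""
    findings = []
    if not any(p.plane == "control" for p in ports):
        findings.append(("*", "no dedicated control-plane port: management rides the data plane"))
    for p in ports:
        if p.plane == "control":
            if p.forwards_traffic:
                findings.append((p.name, "control port also forwards traffic"))
            if p.network != "oob-mgmt":
                findings.append((p.name, "control port not on out-of-band management network"))
        elif p.plane == "data":
            exposed = sorted(p.services & MGMT_SERVICES)
            if exposed:
                findings.append((p.name, f"management services exposed on data port: {exposed}"))
        else:
            findings.append((p.name, f"unknown plane {p.plane!r}"))
    return findings

# Constructed sample: a compliant management port, a clean data port, a data port
# with SSH bound to it, and a management port wrongly placed on the production network.
SAMPLE_PORTS = [
    Port("mgmt0", "control", "oob-mgmt", False, {"ssh", "snmp"}),
    Port("eth1", "data", "production", True),
    Port("eth2", "data", "production", True, {"ssh"}),
    Port("mgmt1", "control", "production", False, {"ssh"}),
]

if __name__ == "__main__":
    for name, finding in audit_separation(SAMPLE_PORTS):
        print(f"{name}: {finding}")
```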