Today's networks are increasingly heterogeneous, containing different types of hardware and software and running multiple operating systems that all need to be able to communicate with one another. There are fewer and fewer pure Windows (or pure UNIX) shops, with many companies running Windows domains side-by-side with UNIX web servers, accessed by client computers running Windows, Linux and Mac. Add to the mix a variety of smart phones (Windows Mobile, iPhone, Android, Symbian and more) that need to download mail and possibly access other network resources, and you have a real challenge. This article will address how to develop a viable strategy for securing such a multi-platform network.
Security challenges in a multi-platform network
Getting systems running diverse operating systems to interoperate can be a daunting task. Because of that, the focus in a multi-platform network shifts away from security and more toward how to make things work. The ability to share across platforms becomes the goal, and restrictions on that sharing may be forgotten or deemphasized.
Most IT personnel are trained on a particular type of system (Windows, UNIX, Mainframe or others). Often management personnel do not understand technology, and make assumptions that if a person "knows computers," he/she is just as adept at one type of system as another. Even if a person has general knowledge of how to administer different platforms, that does not mean the person understands all the security aspects. Security is a specialized area, so you not only need IT personnel that are able to configure and manage the different types of systems on your network, you need people who have training in securing those different types of systems. That includes both a good foundation in general IT security concepts and vendor-specific training. This allows you to use the built-in security mechanisms of the particular operating system to your advantage, and to know when it's necessary to turn to third party solutions.
Competence is based in part on habitual behaviors. If a person must remember different steps and procedures for different types of devices, the risk of confusion and misconfiguration - which could leave the network vulnerable - goes up. That is why it is best, with a heterogeneous network, to have different staff members who specialize in different types of systems. Unfortunately, in an economy where the mantra is to "do more with less," many companies do not have the luxury of hiring multiple specialists.
Inventory the network
In many IT environments, there was no real plan; instead, the network just sort of "grew that way" as new needs resulted in purchase and deployment of new systems in a hodge-podge fashion. The first step to securing the network is to know exactly what you have, so a network hardware and software inventory is in order. There are a myriad of tools that can be used to discover and document the components that make up your network. The key is to use a tool that supports all of the operating systems that exist on your network.
The platforms that are most often overlooked (and thus left unsecured or poorly secured) include those running on users' laptops and phones that are not permanently connected to the network, as well as those running in virtual machines. Computer A might be running Windows as its primary OS, but if that computer is also hosting a VM running Linux, you have to treat the virtual OS as another machine on the network and secure it accordingly. Likewise, remember that many Linux and Mac users also run Windows in a virtualized environment because they need certain Windows applications that they cannot run any other way. You may also have machines, especially in development or testing situations, which multi-boot different operating systems.
A thorough inventory must include all of the hardware and all of the software that runs on your network, even if it's not on the network full-time.
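As an added illustration (not part of the original article), the Python sketch below reconciles a recorded inventory against discovery sightings to surface the cases described above: unrecorded VM guests, multi-boot machines, and devices that are only occasionally connected. The inventory and sighting data are constructed samples, and the function name reconcile is hypothetical; the MAC prefixes are the well-known defaults assigned by common hypervisors.

```python
from collections import defaultdict

# Default MAC address prefixes (OUIs) that common hypervisors give guest NICs.
HYPERVISOR_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}

# Constructed sample: the documented inventory (MAC -> recorded OS).
INVENTORY = {
    "3c:52:82:aa:10:01": "Windows",
    "3c:52:82:aa:10:02": "Linux",
    "a4:5e:60:bb:20:03": "Mac OS X",
    "3c:52:82:aa:10:07": "Linux",        # laptop that is rarely on the network
}
# Constructed sample: (MAC, OS fingerprint) sightings gathered over several days.
SIGHTINGS = [
    ("3c:52:82:aa:10:01", "Windows"),
    ("3c:52:82:aa:10:02", "Linux"),
    ("3C:52:82:AA:10:02", "Windows"),    # same NIC, second OS: multi-boot
    ("08:00:27:cc:30:04", "Linux"),      # VM guest nobody recorded
    ("a4:5e:60:bb:20:03", "Mac OS X"),
    ("00:0c:29:dd:40:05", "Windows"),    # Windows VM on a Mac or Linux host
    ("f0:99:bf:ee:50:06", "iPhone OS"),  # phone that connects occasionally
]

def reconcile(inventory, sightings):
    """Return (findings, never_seen) comparing the inventory with what was observed."""
    inv = {mac.lower(): os_name for mac, os_name in inventory.items()}
    seen = defaultdict(set)
    for mac, os_name in sightings:
        seen[mac.lower()].add(os_name)
    findings = []
    for mac, oses in sorted(seen.items()):
        vendor = HYPERVISOR_OUIS.get(mac[:8])
        if mac not in inv:
            kind = f"unrecorded VM guest ({vendor})" if vendor else "unrecorded device"
            findings.append((mac, kind, sorted(oses)))
        elif oses - {inv[mac]}:
            findings.append((mac, "undocumented OS on recorded machine", sorted(oses - {inv[mac]})))
    never_seen = sorted(set(inv) - set(seen))  # recorded, but absent during discovery
    return findings, never_seen

if __name__ == "__main__":
    findings, never_seen = reconcile(INVENTORY, SIGHTINGS)
    for mac, kind, oses in findings:
        print(f"{mac}  {kind}: {', '.join(oses)}")
    print("recorded but never seen:", never_seen)
```

Hosts in the "never seen" list are not necessarily gone; they are the part-time machines that a single discovery pass misses, which is why sightings should be collected over time.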
Update and/or upgrade
I ran across this line in a novel that I was reading recently (The Doomsday Key by James Rollins): "No castle is impenetrable." It was a good reminder that regardless of the platform, any system that can connect to the Internet also provides a channel through which a clever attacker can breach the network.
A common mistake, based on inaccurate reporting and advertising, is to assume that non-Windows systems are always "safe." That's just not the case. For example, last summer a serious kernel vulnerability was found in most versions of Linux that could allow a complete takeover of the computer by an attacker. See the full article here.
And despite the common belief that Macs are not vulnerable, last May Apple released a patch that addressed 67 (that's right, sixty-seven) security flaws in OS X and the Safari browser - and still missed an important Java vulnerability. See the full article here.
In fact, Mac security expert Dai Zovi (author of The Mac Hacker's Handbook) says that when hackers start putting their time and efforts into targeting OS X - which they will do as the operating system becomes more mainstream - it will prove just as vulnerable as Windows. And co-author Charlie Miller says the Mac will be easier to exploit. See the full article here.
The point is not to bash non-Windows operating systems, but to disabuse IT personnel of the notion that only Windows machines need to be regularly updated. It is just as important to apply updates to UNIX/Linux and Mac machines when they're released.
Another important factor to consider is that in most cases, new versions of an OS are more secure than even fully patched older versions. For example, Windows 7 and Vista include numerous security mechanisms, such as UAC, protected mode IE, BitLocker drive encryption, etc. that XP doesn't have. The latest version of OS X, Snow Leopard - unlike its predecessors - comes with built-in malware detection (although it is admittedly not very sophisticated). It also uses stronger checksums to protect against memory corruption attacks. The latest release of OpenSUSE supports TPM (Trusted Platform Module) technology. In many cases, upgrading to the newest versions of whatever OS(es) you are using can significantly enhance security.
The same holds true for cell phone operating systems. For example, the new iPhones include better security features, such as support for complex passwords that use alpha, numeric and symbol characters and the ability to remotely wipe data, which the original iPhone did not have.
The iPhone still presents security issues for the corporate environment, as it can implement only a handful of available Exchange security policies, and iTunes - which is installed on all iPhones - can pose security risks, as well.
Cover the basics
The same basic security concepts apply to both heterogeneous and homogeneous networks, so it goes without saying that, regardless of the platform(s), you should:
- Secure the edge with a good firewall/threat management gateway and intrusion detection/prevention system
- Use anti-virus and anti-malware software (including on non-Windows systems) and keep definitions updated
- Implement security auditing/monitoring to detect attempted breaches
- Harden systems by turning off unnecessary services
- Close unused ports
- Restrict physical access to the systems
- Restrict administrative/root access to those who really need it; on UNIX systems, restrict root access to secure terminals
- Implement file level permissions; on UNIX systems, partition the file system and use read-only partitions for storing files that don't change often, and use ACLs (Access Control Lists) for complex permissions management
- On UNIX systems, limit the access processes have on the file system by using the chroot and ulimit interfaces
- Enforce strong password policies
- In high security environments, require two-factor authentication
- On UNIX systems, use SSH (Secure Shell) for remote command line access
- Use encryption: to protect files on the drive, to protect data crossing the network, to protect the operating system from unauthorized access
- Implement a public key infrastructure to issue digital certificates
Hire an outside security auditor
A third party security audit can be useful to evaluate and advise on the security implementation in any complex network, but that goes double for a heterogeneous network. A company that does security audits for a living will have personnel experienced in reviewing many different types of systems and will be current on new vulnerabilities and new solutions that your IT personnel may not have the time to keep up with. They can perform penetration testing for a real-world assessment of where the vulnerabilities lie, and they can advise you on the most effective and most cost-effective ways to close the gaps.
Multi-platform networks present some special security challenges, but IT administrators must learn to meet those challenges because such networks are becoming more common, not less. The most important thing to remember is that security is a process, not a product. The same basic concepts apply regardless of platform, but they will be carried out differently on different operating systems. If the size of your IT department permits, a division of responsibility that allows different people to focus on and master different systems can make for a more secure network overall. Failing that, bringing in a set (or ideally, several sets) of "outside eyes" can help you identify security holes that you're too close to see, and give you fresh ideas for how to address them.