Securing your Network in an Era of Heterogeneity
Windowsecurity.com, as the name implies, was designed to provide information and instructional material for IT professionals involved in setting up, maintaining and administering networks based on the Windows operating systems. When I first started writing for the site in the early 2000s, it was a different networking world, in many cases a much more homogeneous one. Many Windows shops tended to be all Windows; they ran Windows servers and Windows clients. Most didn't have tablets or smart phones connecting to their networks, other than maybe some company-issued Blackberries. They certainly didn't have to deal with a plethora of different devices that were personally owned by employees; "consumerization" wasn't yet a buzzword in the IT industry.
Today we have far more heterogeneous environments, from small businesses to the enterprise. Many companies have desktop computers running Windows, Mac and different iterations of Linux. They have Linux or UNIX based servers alongside their Windows servers. They have employees bringing in netbooks and tablets running Windows, Linux, Android, iOS, Chrome OS, maybe even webOS and Blackberry's QNX. They have employees connecting to the network via smart phones. With all these different types of devices to control, how do you set and implement policies that will keep your network secure? Until the Cloud takes over completely and takes you away from all this, it's up to you to balance users' needs for all these different systems with the necessity of protecting your network from attacks and intrusions. And because many organizations will choose to implement private cloud solutions (in which case, you will still be responsible for some or all of the security), you can't even count on cloud adoption to relieve you of the security burden.
In this article, we'll provide some security tips for different popular operating systems (other than Windows) as well as a set of best practices that should be applied to all.
Advantages and disadvantages of heterogeneity
Heterogeneity refers to an entity made up of diverse or dissimilar connected parts. In IT, it specifically references a network consisting of computers of different types or architectures. That describes the majority of today's networks - but many of today's IT admins weren't trained to work in that type of environment. If you're strictly a Windows guy (or girl) and now you find Ubuntu and OS X and a variety of tablet operating systems invading your territory, you might feel a bit out of your element. And you might be so busy trying to figure out how to give those users access to the resources they need that you let security fall by the wayside - or make assumptions about the default security on those systems that aren't accurate.
There are advantages to heterogeneity: Different platforms and operating systems have different characteristics and one may be better suited to a particular task. Having systems running many different operating systems gives users access to a wider range of application software. And in relation to security, since exploits and viruses are generally written to impact a particular OS, an attack or infestation may not affect all of your systems as it would if they all ran the same OS. Regardless of the particular OS, there are associated risks. When you "put all your eggs in one basket" by standardizing on a single OS or OS family, the impact of the risk becomes greater.
On the other hand, learning best practices for locking down one OS can be difficult enough, without having to learn what you need to do for several different operating systems. And because all those different systems need to communicate with one another, the security settings in a heterogeneous network can conflict, resulting in needed resources being rendered inaccessible.
Authentication in a heterogeneous environment
Identity management and authentication are basic to securing any network. Centralized authentication in a hybrid network can be a challenge, although there are a number of solutions on the market to allow you to manage authentication of computers running different operating systems. If you have Windows servers, you can use Active Directory as an LDAP server to authenticate both Windows and Linux or OS X based machines. Solutions such as Quest Authentication Services work with AD to allow Unix, Linux and Mac clients to authenticate through Active Directory with the same security benefits as Windows clients. You can manage Unix account information for users and groups using the same tools that you're used to using in Active Directory, and your non-Windows clients can continue to work even if domain controllers aren't available.
Another solution for integrating *Nix-based clients into Active Directory networks is PowerBroker Identity Services Open Edition (formerly known as Likewise Open), which is a free download and enables you to apply security policies through Active Directory to the non-Windows clients across your network using agent-based technology.
General security practices in a heterogeneous environment
Patch management is the foundation of operating system and application security, and that goes double in a heterogeneous environment. The problem here is that you'll have to keep up with the updates for multiple operating systems rather than being able to rely on one vendor's patch release program. This means you might need to deploy multiple patch management solutions and/or perform some patching manually, which increases administrative overhead.
As in an all-Windows network, a heterogeneous network should be protected by multiple layers of security. That starts at the edge, and should consist of more than a simple firewall - you want to stop most threats from the outside right then and there. Protecting the edge with a sophisticated solution such as Microsoft's Threat Management Gateway (TMG) is basic, but today's "networks without borders" require much more.
Today's heterogeneous, cloud-incorporated network environments demand that security policies relying primarily on edge protection be reevaluated. The traditional practice of putting up strong firewall and intrusion detection solutions on the network to keep outsiders out and granting a high level of trust to those on the inside can turn the internal network into a "soft target" that, if the hard shell is penetrated (or simply bypassed by malicious or careless insiders), results in gaping security holes that are easily exploited.
This means it's time to push security back, to the local machines and to the data that needs to be protected. One solution is a distributed firewall that enforces a central security policy at each endpoint, creating an end-to-end security solution in place of the old edge-to-edge model. Distributed firewalls can exist in conjunction with traditional edge protection; it doesn't have to be an "either/or" decision. In addition, host-based security mechanisms and encryption of data both on the hard drive and as it travels on the network are key to securing a fluid, flexible heterogeneous collection of computers and other devices. It's obviously important to seek out encryption mechanisms that will work across your different operating systems, such as IPsec and SSL.
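To make the distributed firewall idea concrete, the following added example (not part of the original article) renders one central inbound policy into host firewall rules for two platforms: iptables-restore input for Linux and pf.conf rules for OS X or BSD. The policy entries, subnets and function names are constructed for illustration.

```python
import ipaddress

# Constructed central policy (inbound allows; everything else is denied).
POLICY = [
    {"proto": "tcp", "port": 22, "src": "10.0.5.0/24"},   # SSH from admin subnet
    {"proto": "tcp", "port": 443, "src": "any"},          # SSL/TLS service
    {"proto": "udp", "port": 500, "src": "10.0.0.0/8"},   # IPsec IKE
]

def validate(rule):
    """Reject malformed rules before they reach any endpoint."""
    if rule["proto"] not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {rule['proto']!r}")
    if not (isinstance(rule["port"], int) and 1 <= rule["port"] <= 65535):
        raise ValueError(f"bad port: {rule['port']!r}")
    if rule["src"] != "any":
        ipaddress.ip_network(rule["src"])  # ValueError on a bad CIDR

def render_iptables(policy):
    """Linux: iptables-restore input, loaded atomically, default-deny."""
    out = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
           ":OUTPUT ACCEPT [0:0]", "-A INPUT -i lo -j ACCEPT",
           "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        validate(r)
        src = "" if r["src"] == "any" else f"-s {r['src']} "
        out.append(f"-A INPUT {src}-p {r['proto']} -m {r['proto']} "
                   f"--dport {r['port']} -j ACCEPT")
    return out + ["COMMIT"]

def render_pf(policy):
    """OS X / BSD: pf.conf rules; pf is last-match, so the block comes first."""
    out = ["set skip on lo0", "block in all", "pass out all keep state"]
    for r in policy:
        validate(r)
        out.append(f"pass in proto {r['proto']} from {r['src']} "
                   f"to any port {r['port']} keep state")
    return out

if __name__ == "__main__":
    print("\n".join(render_iptables(POLICY)))
    print("\n".join(render_pf(POLICY)))
```

Generating both rule sets from the same validated source keeps the endpoints from drifting apart, and a malformed entry is rejected centrally instead of being pushed to some hosts and not others.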
Endpoint security enforcement - the requirement that each device that connects to the network meet minimal security or "health" requirements defined by company security policies - is more important than ever in today's environment, yet the enforcement solutions such as NAP and NAC haven't been nearly as widely adopted as expected. This may be due to the complexity of deploying such solutions. NAP is included free in Windows Server 2008, but a look at the deployment guide and the number of components that have to be configured can quickly discourage the average overworked IT administrator from even considering it. We need a simpler way to achieve the same objective.
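The decision at the heart of endpoint health enforcement can be sketched independently of any product. The following added example (not from the original article, and not how NAP or NAC is implemented) evaluates posture reports from devices running different operating systems against one policy, failing closed on anything missing or unrecognized. The thresholds, field names and reports are constructed.

```python
from datetime import date

# Hypothetical policy: maximum days since last patch per OS family, plus
# controls that every device must positively report as enabled.
MAX_PATCH_AGE_DAYS = {"windows": 30, "linux": 30, "osx": 30,
                      "android": 60, "ios": 60}
REQUIRED_CONTROLS = ("firewall_enabled", "disk_encrypted")

def evaluate(report, today):
    """Return (decision, reasons); missing or unknown values fail closed."""
    reasons = []
    os_family = str(report.get("os", "")).lower()
    limit = MAX_PATCH_AGE_DAYS.get(os_family)
    if limit is None:
        reasons.append(f"unsupported or unreported OS: {os_family or 'none'}")
    try:
        age = (today - date.fromisoformat(report.get("last_patched"))).days
    except (TypeError, ValueError):
        age = None
        reasons.append("patch date missing or unparseable")
    if age is not None and age < 0:
        reasons.append("patch date is in the future")
    if age is not None and limit is not None and age > limit:
        reasons.append(f"last patched {age} days ago (limit {limit})")
    for control in REQUIRED_CONTROLS:
        if report.get(control) is not True:
            reasons.append(f"{control} not confirmed")
    return ("quarantine" if reasons else "allow", reasons)

# Constructed posture reports, as a per-device agent might submit them.
REPORTS = [
    {"host": "ubuntu-ws1", "os": "Linux", "last_patched": "2011-05-20",
     "firewall_enabled": True, "disk_encrypted": True},
    {"host": "macbook7", "os": "OSX", "last_patched": "2011-03-01",
     "firewall_enabled": False, "disk_encrypted": True},
    {"host": "tablet3", "os": "webOS", "firewall_enabled": True},
]

if __name__ == "__main__":
    for rep in REPORTS:
        decision, why = evaluate(rep, date(2011, 6, 1))
        print(rep["host"], decision, "; ".join(why))
```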
Heterogeneous network environments have both advantages and disadvantages when it comes to security. While the diversity of device types, operating systems and applications lowers the risk of all users being affected simultaneously by an attack or malware, it also increases the security overhead for administrators and complicates the process of applying standard security measures. Like it or not, however, the heterogeneous network is here to stay and will likely grow even more diversified as time goes on, so it's important for IT pros to familiarize themselves with the common security challenges created by this trend and with the solutions that are being developed to address those challenges.