The Security Zone
In my initial article, I introduced the idea of four zones of a mobile enterprise network: the Enterprise, Security, Internet and User zones. All four contribute to the success or failure of a mobile enterprise, and all must be working properly to ensure success. In the first post we discussed the Enterprise zone, the enterprise back end (mail, the messaging solution and directory services) as points of success or failure in mobility. In this second post of the series, we'll talk about the Security zone.
The enterprise security zone is the next zone of focus; it is still within the control of the enterprise but not of the typical mobility service team. The security zone is typically set up and managed by the enterprise networking team.
The intent of the enterprise security zone is that network, server and application access behind the firewall is "private". Because the same network is Internet-connected for employees and customers, that privacy is only "virtual", and the zone's purpose is to create a secure gateway so that access to the corporate network is granted only to those allowed. The Security Zone is typically made up of routers, switches, proxies, anti-spam and anti-virus appliances and other networking devices that together form an enterprise network security firewall directly in front of the back-end enterprise infrastructure. The zone often includes a second firewall directly attached to, and facing, the Internet. With dual firewalls, the segment between them is called a demilitarized zone (DMZ): hosts placed there are reachable from the Internet but are themselves separated from the back end by the internal firewall. BlueCoat Products is a major supplier of such devices and appliances.
Depending on the mobility solution, there may be other servers sandwiched between the two firewalls. The diagram simply shows a Virtual Private Network (VPN) concentrator and a reverse proxy server. The VPN allows secure administration, browsing and mobile application access. The reverse proxy brokers requests so that outside entities only ever talk to the proxy and never connect directly to an infrastructure server.
Often existing servers are reused for the mobility solution; their settings, ports and firewall rules are updated based on the mobility team's input for the solution selected.
The enterprise security zone is a key and complex area. Typically the internal firewall is configured to allow traffic only from the IP addresses of the proxy and the VPN concentrator, only to the specific IP addresses of back-end servers such as messaging, and only over specific ports; everything else is denied. Messaging and other back-end servers listen on port numbers that vary from application to application, so the rules have to be written per application. Similarly, the front-end firewall is the initial filter that restricts all traffic into the enterprise, including traffic from mobile devices and applications.
This can be difficult and confusing to get right initially. Many applications use and require ports that are not documented in the vendor's materials or are not easily identified. Establishing the rules is typically a "set and forget" procedure, but it still requires diligence: new network or server infrastructure, or other changes that require firewall updates, can affect existing ports and rules.
A mistake in updating ports and rules creates a point of failure in the communication path, and the user's perception will be that the mobile device or application is at fault. The firewalls and the security zone are normally managed by the Enterprise Networking team. It is separate from Mobility, and only the Networking team has access to the security dashboards, tools and controls and the ability to update settings. Without that data, the mobility team cannot easily isolate a messaging issue that is actually caused by a problem within the security zone. Some monitoring and mobile device management (MDM) solutions provide tools that help determine whether a firewall is the issue.
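As an added example (not from the original post), here is a small Python model of that internal-firewall allow-list. It shows the default-deny behaviour described above, catches a required port that no rule permits (the "undocumented port" case), and flags required flows that a rule change would silently break, which is the check a mobility team would want to run when the networking team's dashboards are out of reach. All hosts, networks, ports, the rule set and the required-flows list are constructed for illustration and do not describe any real network.

```python
"""Model of the internal (back-end-facing) firewall's allow-list.

All addresses, ports and flows below are constructed for illustration
and do not describe any real network. The policy is default-deny: a
flow is permitted only if some rule matches its source, destination,
protocol and destination port.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR the traffic may come from (DMZ proxy / VPN)
    dst: str            # CIDR of the back-end server it may reach
    proto: str          # "tcp" or "udp"
    ports: frozenset    # destination ports permitted by this rule

    def matches(self, src_ip, dst_ip, proto, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and proto == self.proto
                and port in self.ports)


def is_allowed(rules, src_ip, dst_ip, proto, port):
    """Default deny: the flow passes only if at least one rule matches."""
    return any(r.matches(src_ip, dst_ip, proto, port) for r in rules)


def blocked_required_flows(rules, required):
    """Flows the mobility solution needs that the rule set does not permit
    (e.g. a port the vendor documentation never mentioned)."""
    return [f for f in required if not is_allowed(rules, *f)]


def flows_broken_by_change(old_rules, new_rules, required):
    """Regression check for a rule update: required flows that the old
    rule set allowed but the new one denies."""
    return [f for f in required
            if is_allowed(old_rules, *f) and not is_allowed(new_rules, *f)]


# Constructed hosts: reverse proxy 10.1.0.10 and VPN concentrator 10.1.0.20
# sit in the DMZ; mail 10.2.0.5 and directory 10.2.0.7 are back-end servers.
INTERNAL_FW = [
    Rule("10.1.0.10/32", "10.2.0.5/32", "tcp", frozenset({443})),       # proxy -> mail (HTTPS)
    Rule("10.1.0.20/32", "10.2.0.5/32", "tcp", frozenset({443, 993})),  # VPN -> mail (HTTPS, IMAPS)
    Rule("10.1.0.20/32", "10.2.0.7/32", "tcp", frozenset({636})),       # VPN -> directory (LDAPS)
]

# Constructed list of flows the mobility solution depends on. The last entry
# is the kind of requirement that is easy to miss: the proxy also needs the
# directory, but no rule above permits it.
REQUIRED_FLOWS = [
    ("10.1.0.10", "10.2.0.5", "tcp", 443),
    ("10.1.0.20", "10.2.0.5", "tcp", 993),
    ("10.1.0.20", "10.2.0.7", "tcp", 636),
    ("10.1.0.10", "10.2.0.7", "tcp", 636),
]

# Constructed change: the directory server is migrated to 10.2.0.8 and the
# networking team rewrites that rule, but the mobility team is not told.
MIGRATED_FW = INTERNAL_FW[:2] + [
    Rule("10.1.0.20/32", "10.2.0.8/32", "tcp", frozenset({636})),
]

if __name__ == "__main__":
    # A direct Internet source is denied regardless of port: only DMZ hosts pass.
    print(is_allowed(INTERNAL_FW, "192.0.2.1", "10.2.0.5", "tcp", 443))   # False
    print(blocked_required_flows(INTERNAL_FW, REQUIRED_FLOWS))
    print(flows_broken_by_change(INTERNAL_FW, MIGRATED_FW, REQUIRED_FLOWS))
```

The useful part is the required-flows list: it is the one artifact the mobility team owns, so keeping it current and re-running the two checks after every firewall change turns "the device must be broken" into a specific rule to ask the networking team about.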
I'm not really a firewall and security guy; my experience was more at the physical network layer in my early career with IBM, such as which pins on the connectors perform which functions and how data packets flow across the network. But feel free to share your thoughts or questions. A good deal of network and security information can be found at Infrastructure Security Services.
In the first two zones discussed, the enterprise has complete control over what and how much to implement to ensure success rather than failure: in the Enterprise zone, load balancers, fail-over or clustered servers; in the Security zone, firewalls, proxies, devices and network appliances.
In my next post of the "four zones" series, I'll begin to discuss the last two zones, where the enterprise has "no direct control", starting with the Internet zone.