New Guide: Securing IGEL OS Endpoints
Ransomware, data theft, industrial espionage – rarely a week goes by without another scary IT security story. Unsurprisingly, there are many security vendors that seem to say: ‘Buy our range of products, and your worries will be over’. At IGEL we know that real-world IT is not as simple as that. While IGEL OS is built on a secure Linux foundation, we understand that securing your production environment is a process individual to your organization. This is why we have published a document that will guide you through how to best secure devices running the IGEL OS. Download it here, meanwhile here are some important pieces of advice from it:
A locked screen, protected by a password, is often the first line of defense for a workstation when its user is absent. IGEL lets you configure local passwords, a hotkey for locking the screen and a grace period after which the screen is locked automatically. Together with our technology partners we can even lock the screen when the user removes their proximity card.
Passwords usually also protect the desktop services that are used on endpoints. Make this protection much stronger by using two-factor authorization (2FA): Combining a password with a second factor such as a smartcard, e-token or RFID card. IGEL OS offers many options for this.
Less is More
The most secure code is code that isn’t there at all. In other words: Remove all software components that you do not use. IGEL OS with its modular system of partitions is ideal for this. Don’t need a local web browser? Just uncheck it in the feature list in IGEL Setup, reboot the device, and it’s not only hidden, but actually removed from the OS! Likewise, run only a minimum of network services on the endpoint — e.g. create a profile that disables everything but SSH.
Use Encrypted Network Protocols
When IGEL’s Universal Management Suite transfers settings to endpoints over the network, it uses TLS/SSL to encrypt the traffic. Most desktop services can do the same, so enable the encrypted version of the protocol wherever possible. Apart from that, you can even make your endpoint devices part of a virtual private network (VPN) that also is encrypted.
New vulnerabilities are being discovered in almost all kinds software all the time. That means a secure system can only be one that is kept up-to-date. IGEL fixes security issues in each update of its OS and publishes special builds to fix high-risk vulnerabilities when these are discovered, such as Heartbleed and Shellshock. On top of that, IGEL is in for the long haul: We provide security fixes for IGEL OS releases for three more years after their end of life.
As you have seen there are many knobs to turn in securing IGEL OS. Why don’t we turn them all on by default in the factory settings? We turn on a lot of them, but in some respects our customers’ needs differ: Some may use Wi-Fi, some not, some may need USB peripherals to do their work, others will want to lock down USB completely. But IGEL is going to make things simpler: We are working on a new feature for Universal Management Suite that will let you turn on a baseline of secure settings for any number of endpoint devices easily. Stay tuned.