Frequently Asked Questions

Overview

What is the Byos Endpoint Micro-Segmentation Solution?


The Byos Endpoint Micro-Segmentation Solution was built to improve the security posture and management of remote devices. It gives IT security teams control over remote workers connecting to uncontrolled, untrusted Wi-Fi networks, such as those in employees' homes, hotels, coffee shops, and airports.


It has two parts:

1. the Byos µGateway (referred to throughout this FAQ as the Secure Endpoint Edge)

2. the Byos Management Console


What is the Byos Secure Endpoint Edge?

A hardened security stack on a simple plug-and-play USB device, the Byos Secure Endpoint Edge provides protection across OSI layers 1 to 5 through hardware-enforced isolation. Each Secure Endpoint Edge places the connected endpoint on its own micro-segment of one, isolating it from a compromised network and from other compromised endpoints on that network.


What is the Byos Management Console?

The Byos Management Console is the central SaaS console from which IT teams deploy and manage Byos µGateways at scale.

All security policy administration is handled centrally through the Management Console. It can be self-hosted, cloud-based, or multi-tenanted, integrated with existing security environments, and customized to meet specific business needs.

Using the Secure Endpoint Edge

How do I install and use the Secure Endpoint Edge?

The Secure Endpoint Edge is installed by plugging it in and setting up its login credentials.

No software installation is needed: it requires no drivers, software, or agents on the host. The Secure Endpoint Edge presents itself to the host as a USB Ethernet gadget, so the operating system drives it with the USB Ethernet class driver it already ships with.

After logging in, using the Secure Endpoint Edge involves selecting the desired Wi-Fi network, connecting, and setting your desired security policies. If you are an enterprise user, your security policies have already been preconfigured by your administrator.


Is the Secure Endpoint Edge compatible with different operating systems? Does it work on any computer?

The Secure Endpoint Edge is operating-system agnostic: its only requirement of the host is that it can use a USB Ethernet adapter. It works with any OS of any age, including versions the vendor no longer supports.


Will it affect my connection speed or device performance?

No. The Secure Endpoint Edge runs on its own processor and does not share computing resources with the endpoint, so host performance is unaffected. The latency it adds is negligible; in practice the bottleneck is the Wi-Fi network it connects to, so the user experience is seamless.


Why do I need hardware? Why can’t it be software?

Conventional security software cannot protect a computer from threats on untrusted Wi-Fi networks.

VPNs protect only data in transit. EDR and antivirus products protect the operating system and applications on the device. None of them can isolate the device from the network, because security software lives inside the operating system's own network stack: by the time it sees a packet, that packet has already reached the host.

The Secure Endpoint Edge provides hardware-enforced isolation of the endpoint. It adds a layer of security that is independent of whatever is running on the device.

For more technical information, read our blog post: The 10 Commandments of Hardware-Enforced Isolation


Does the Secure Endpoint Edge run some sort of customized operating system?

Yes. The Byos µGateway hardware runs a proprietary, hardened, customized Unix-based OS with customized network services, signed hardware drivers, and a recompiled kernel whose fingerprint differs from stock builds.


Does the Secure Endpoint Edge automatically tunnel the incoming/outgoing traffic?

No. The Secure Endpoint Edge does not establish a VPN tunnel by default and does not need one to function; outgoing traffic is forwarded without encapsulation.

The Secure Endpoint Edge isolates the endpoint from the local network, protecting it across OSI layers 1-5, while the endpoint keeps the same public IP address as the local network. The endpoint can still use available networked resources (for example a networked printer or outgoing AirPlay) but is invisible to incoming network scans.

The Secure Endpoint Edge does, however, allow a VPN tunnel to be layered on top of the established Wi-Fi connection. The user can run their host VPN client, or use the Secure Endpoint Edge's in-device VPN client to take the VPN's processing load off the host.

Security

What attacks and threat vectors does the Secure Endpoint Edge protect against?

The Secure Endpoint Edge protects against:


  • Man-in-the-Middle
  • DNS Hijacking
  • Wi-Fi Cloning
  • Network Identity Alteration
  • Packet Rerouting
  • Eavesdropping
  • Scanning and Enumeration
  • Fingerprinting and Exploitation
  • Spikes in Bandwidth Usage

For more information on how the Secure Endpoint Edge protects the endpoint, read our Technical Datasheet or our blog post: The 10 Commandments of Hardware-Enforced Isolation


So it’s just a personal firewall?


The bidirectional firewall is just one of the µGateway's protection features. It also provides:

  • Intrusion Detection and Prevention (IDS/IPS)
  • Encrypted DNS Traffic
  • Wi-Fi Protection
  • Eavesdropping Protection
  • Infiltration Prevention
  • Traffic Volume Control
  • Attack Detection
  • Tracking and Ad Blocking

Can it stop/prevent phishing attacks?

Non-technical Answer:

The Byos Secure Endpoint Edge cannot prevent the user from clicking on links. It does, however, limit what the attacker or malware can do afterwards: attempts to spread to other resources, such as enterprise applications and servers inside the corporate network, are contained.


Technical Answer:


The Secure Endpoint Edge operates transparently to the user, protecting the endpoint across OSI layers 1-5 without a client or agent installed on the host. Because of this, it has no way to determine whether a link or file is malicious at the moment it is opened.


What the µGateway does provide is attack containment. Because it is the ingress/egress point for all of the endpoint's traffic, when malware or an attacker tries to reach a command-and-control server, or to move laterally, over an uncommon port, protocol, IP address, or country, the µGateway flags and blocks the connection.


Is the traffic still susceptible to attack at the router?

If the attacker controls the Wi-Fi router, the Secure Endpoint Edge alerts the user to any suspicious rerouting of packets and prevents the connection from being intercepted, cloned, bypassed, or hijacked. Traffic that leaves the LAN through a router the attacker controls is still visible to them on the way out, so protecting its content remains the job of TLS or the optional VPN layer.


What about DNS traffic?

The Secure Endpoint Edge runs its own DNS resolver, so it does not depend on the DNS server handed out by the local network and resolves names itself starting from the internet root servers. DNS requests are encrypted, preventing DNS leakage and preserving privacy.

Existing Solution Comparison

How does the Secure Endpoint Edge compare to a VPN?

VPNs protect only data in transit; they do not protect the endpoint from the local network, which leaves VPN users exposed to attacks from that network. The Secure Endpoint Edge, by contrast, protects the device by isolating it from the network and layering several protection services on top.


With the Secure Endpoint Edge, users are not exposed to the recent classes of VPN weakness such as VPN pivoting, DNS leakage, and improperly stored log files. See our blog post, The Problem with VPNs, for more on the shortcomings of VPNs.


In a maximum-security environment, the Secure Endpoint Edge complements an enterprise VPN. In a small or medium business, or in a Zero Trust environment, the Byos Secure Endpoint Edge is a suitable replacement for existing VPNs.


The Secure Endpoint Edge extends Zero Trust access to any Wi-Fi network.


If there is no VPN running, is the Secure Endpoint Edge susceptible to snooping or eavesdropping?

Without the extra VPN layer, normal HTTPS traffic is still encrypted by TLS. An attacker on the same Wi-Fi segment cannot divert the Secure Endpoint Edge's traffic through their own machine, because the Secure Endpoint Edge uses static ARP tables (its next-hop MAC address is pinned rather than learned from whichever ARP reply arrives last) and continuously checks for changes in the packet route and for packet-injection attempts. Plaintext protocols such as unencrypted HTTP remain readable at the router and beyond, so TLS or the optional VPN is what protects the content of the traffic.
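The two mechanisms named above, a pinned ARP binding for the gateway and detection of the reply floods that ARP-spoofing tools generate, are easy to see in a small detector. The following is an added example written for this FAQ; it is not Byos code and says nothing about how the µGateway implements its checks. The ARP reply lines are constructed in tcpdump's text format, the gateway address and MAC addresses are made up, and the flood threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict, deque

# Constructed sample of ARP replies in tcpdump's text format (not a real capture).
# The gateway 192.168.1.1 legitimately answers from aa:bb:cc:00:00:01; from the
# fourth line on, a second host (de:ad:be:ef:00:02) starts claiming the gateway's IP.
SAMPLE_ARP_LINES = """\
10:00:00.100 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:00.200 ARP, Reply 192.168.1.20 is-at 11:22:33:44:55:66, length 28
10:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:02, length 28
10:00:05.100 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:02, length 28
10:00:05.200 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:02, length 28
""".splitlines()

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_arp_reply(line):
    """Return (seconds_since_midnight, sender_ip, sender_mac) or None for non-reply lines."""
    m = ARP_REPLY_RE.match(line)
    if not m:
        return None
    hh, mm, ss = m.group("ts").split(":")
    ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
    return ts, m.group("ip"), m.group("mac").lower()


class ArpGuard:
    """Pins critical IP->MAC bindings (gateway, resolver) the way a static ARP
    table does, and flags ARP replies that try to rebind them. It also flags
    reply floods, which spoofing tools emit to keep a poisoned entry from expiring."""

    def __init__(self, pinned, flood_threshold=3, flood_window=1.0):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.flood_threshold = flood_threshold   # assumed value for the example
        self.flood_window = flood_window         # seconds
        self._recent = defaultdict(deque)        # mac -> timestamps of recent replies
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one ARP reply and return the alerts it raised (empty if benign)."""
        raised = []
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            raised.append(f"ARP_SPOOF {ip} claimed by {mac}, pinned to {expected}")
        recent = self._recent[mac]
        recent.append(ts)
        while recent and ts - recent[0] > self.flood_window:
            recent.popleft()
        if len(recent) == self.flood_threshold:
            raised.append(f"ARP_FLOOD {mac} sent {len(recent)} replies within {self.flood_window}s")
        self.alerts.extend(raised)
        return raised

    def resolve(self, ip, learned_mac):
        """Next-hop MAC the stack should use: a pinned entry always wins over a learned one."""
        return self.pinned.get(ip, learned_mac)


def run_guard(lines, pinned):
    """Feed parsed ARP replies through an ArpGuard and return it with its alerts."""
    guard = ArpGuard(pinned)
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed:
            guard.observe(*parsed)
    return guard


if __name__ == "__main__":
    g = run_guard(SAMPLE_ARP_LINES, {"192.168.1.1": "aa:bb:cc:00:00:01"})
    for alert in g.alerts:
        print(alert)
```

The point of `resolve` is the one the FAQ makes about static ARP tables: even after the spoofed replies, the pinned MAC is what the traffic goes to, so the attacker's host never becomes the next hop. The alerts are what would drive the "suspicious rerouting" warning to the user.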


How does the Secure Endpoint Edge compare to a Secure Web Gateway?

A Secure Web Gateway is a security stack in the cloud that sits between the user and the internet and filters malicious internet traffic. It performs higher-layer, more intrusive processing such as deep packet inspection, antivirus scanning, and data loss prevention.


A SWG provides no protection from threats on the local network. Devices using a SWG are still connected to the same Wi-Fi network as potential attackers and remain exposed to those threats.


Does the Secure Endpoint Edge replace my antivirus?

The Secure Endpoint Edge does not provide the same protection as an antivirus.


An antivirus is software that lives within your device's operating system; it scans files and downloads as they are opened, protecting the user from malicious execution. It cannot isolate your device from the network, and much malware is written specifically to evade common antivirus engines.


The Secure Endpoint Edge sits at the ingress and egress point of communication, protecting the device from the network and analyzing traffic patterns as traffic moves in and out of the device. It protects against man-in-the-middle, port scanning, enumeration, and DDoS attacks; masks the device's MAC address by continuously randomizing it, defeating eavesdropping and attempts to reroute your traffic; and provides a bidirectional firewall.


The Secure Endpoint Edge also provides DNS-level ad and tracker blocking and detects hidden signs of attack such as changes in packet routing or network traffic volume. It also prevents the user's network connection from being intercepted, cloned, bypassed, or hijacked.

Byos For the Enterprise

What are the benefits for an IT team with hundreds or thousand remote and traveling endpoints?


The Byos Management console provides IT managers with:


  • Centralized fleet management for efficient security policy definition and enforcement
  • Granular network access control and streamlined provisioning for all categories of endpoint devices
  • Reduced dependence on expensive mobile data packages for travelling employees, and elimination of loaner device programs
  • Full visibility and control over all remote device network connections

Can I create different security policies based on groups?


Creating groups and establishing policies work the same way that Active Directory handles groups and policies. Every validated remote Secure Endpoint Edge device is automatically added to the default group and immediately receives that group's policies. This makes deployment and provisioning a straightforward, plug-and-play process.


In addition to creating groups with varying access and management rules, administrators can establish more granular access policies, for example for executives or security teams. Administrators configure security policy profiles for groups of users or devices using different connection parameters: domain names, country-based servers, selected IP addresses, ports and protocols, and time-based access.


How do I provision new users?


Provisioning users is simple; no software needs to be installed on users' devices. The provisioning process is decentralized, and Byos offers several delivery options depending on your organization's needs.

Byos can drop ship Secure Endpoint Edges to:


  • A single office location for distribution to remote users
  • Multiple office locations for distribution to remote users
  • Individual remote users

The Master License Key, which holds the licensing structure, is emailed to the administrator. Individual device license keys can then be emailed to remote Secure Endpoint Edge users. The key itself contains no license details, so sending it by email does not expose the license.



Once users have received both the Secure Endpoint Edge device and their license key, they can activate the solution. The user plugs in the Secure Endpoint Edge and creates local account login credentials, then logs into the locally running end-user dashboard and uploads the license key. The device receives and decrypts the license information and contacts the Byos license server, which validates the license. Once the license is validated, the user is automatically added to their organization's Byos Management Console, the administrator is notified of the activation, and the Secure Endpoint Edge is enrolled under the organization's security policy program.


Can the use of the Secure Endpoint Edge be enforced by the IT department to restrict normal Wi-Fi connection?


There are two ways enforcement can be managed.

In a managed-device environment, the strictest method is for IT to disable the built-in Wi-Fi adapter of company-issued devices through a GPO-like policy, so that the USB Ethernet interface presented by the Secure Endpoint Edge is the only way the device can reach a Wi-Fi network.

The less intrusive method is to monitor Secure Endpoint Edge usage. The Management Console reports usage statistics per user and per group; general usage patterns, last login time, and last connected network are some of the statistics used to gauge usage and employee reception of the devices.


Is this suitable for a BYOD program?


A BYOD program is an ideal use case for the Byos Endpoint Micro-Segmentation Solution.

As a security administrator, you want (a) visibility into network traffic patterns and (b) control over what BYOD devices can access while the employee is using them for work. What the device does outside work is not your concern, except when the employee clicked a malicious link or picked up malware from public Wi-Fi while not working, which you do care about.

This is what the Secure Endpoint Edge facilitates: immediate security policy compliance and enforcement through a simple, plug-and-play USB device. All security policy administration is handled centrally through the Management Console.

If your remote developer only needs access to cloud-based applications located in Canada, the USA, Japan, and Scandinavia, why should they be able to reach resources in Belarus when doing so is not needed for their job? This is the premise of the Byos platform: granular access control through one unified point, the Secure Endpoint Edge.


Does the Secure Endpoint Edge record logs?


The Secure Endpoint Edge does not keep logs of user traffic, does not perform deep packet inspection on internet traffic passing through it, and does not break the TLS encryption of the user's sessions.


What is Endpoint Microsegmentation?


TL;DR


When you connect to a public network, you share it with every other device on it. When you connect through the µGateway, you are on your own micro-segment within that public Wi-Fi network.

Longer answer:

The best way to understand endpoint micro-segmentation is to first understand network segmentation. Within a corporate network, segmentation creates isolated network segments, each with its own subset of devices and resources: all printers on one segment, all employee computers on another, the guest network on a third.

The problem with this strategy is that it does not go deep enough. If one device on the employee-computer segment is infected, it is highly probable that the other devices on that segment will be compromised too. A public Wi-Fi network is best thought of as just another segment of the corporate network, one that the IT team does not control.

When you connect with the Secure Endpoint Edge, you are on your own micro-segment within that public Wi-Fi network. The Secure Endpoint Edge is a network gateway shrunk to a portable USB device with its own Wi-Fi module. The link between the Secure Endpoint Edge and the host is a point-to-point IP link over USB, a two-node network of its own. Nothing on the Wi-Fi network can address the host directly; it can only talk to the µGateway, which removes the endpoint's direct exposure to the local network.

Have more questions? Speak with one of our Sales Engineers.

Contact Us