AnandTech Forums > Hardware and Technology > Networking
Old 08-07-2012, 08:47 PM   #1
spidey07
No Lifer
Join Date: Aug 2000
Posts: 65,476
BYOD - what to know, and what to do

An open discussion on "Bring your own device" to corporate networks, specifically wireless but the concepts can be applied to wired if you want to go that route. It IS coming if not already on your network and you just don't know it.

The thing to keep in mind is it touches all aspects of the business and IT - client management, security, network, support, etc. So I'll start off with a few easily deployable models that can be tailored to your environment.

1) Stick them on the guest wireless. That's usually the first step - let them on, but ONLY to access the internet, nothing internal. It sounds good at first but then the questions come from the business "what good is my smart phone/tablet if I can't access internal systems?" You WILL get that. But this is a good first step. Along with this you should start putting services on the public Internet to support these devices.

2) Guest+ network. Allows access to Internet and only specific internal hosts/services/applications - drop them off in a DMZ and let a few things in.

3) Put them on production internal/secure wireless network. This is ideal, but security concerns come into play. But it is the end goal.

So that takes care of access and some security/firewall control. The next BIG question - do you want these devices to be controlled by IS, or are you OK with somebody and their personal, true "bring your own" device being on your net? There are many MDMs (mobile device managers) out there, with AirWatch currently the leader of the pack. You can use this to truly provision and control devices.

The holy grail of real BYOD is the concept of "self provisioning and profile/posturing". This is where more advanced authentication methods and intelligence come into play. I'm most familiar with Cisco's ISE platform, it can pretty much do anything you want, all on one box/platform.

Right now, the direction for BYOD is self provisioning using EAP-TLS as the wireless authentication protocol. This means the device must request and get a certificate, so you MUST have a solid certificate infrastructure already in place. Most of you likely do, or at the least it's not too difficult (depending on size) to get it going if you're an MS AD shop. If it's a large 1000+ server network, some real planning and design will have to be done.

Lastly, these devices have VERY poor radios meaning they'll connect at much lower data rates than laptops with high power, high quality radios in them. Plan and design the wireless aspect of it accordingly.
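The three access models in the post above are, on a RADIUS/policy server, just an ordered set of authorization rules that turn "who authenticated, how, on what device, in what posture" into a VLAN and an ACL. The following is an added example, not code from the thread and not Cisco ISE's or any vendor's implementation: a small Python authorization function that maps an EAP-TLS device cert plus MDM posture to production, a proven user on an unmanaged device to Guest+, and everything else to guest. The session fields, group name, VLAN ids and ACL names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What the policy server knows about one association at authorization
    time. Field names are assumptions for this example, not a real schema."""
    auth_method: str                       # "open", "peap-mschapv2" or "eap-tls"
    user: Optional[str] = None             # identity proven by the EAP exchange
    groups: FrozenSet[str] = frozenset()   # directory groups looked up for user
    cert_device_id: Optional[str] = None   # device id carried in the client cert
    mdm_enrolled: bool = False             # answered by an MDM lookup (AirWatch etc.)
    mdm_compliant: bool = False            # passcode, encryption, not jailbroken...


@dataclass(frozen=True)
class Authz:
    """One authorization result: which access model the device lands in."""
    model: str
    vlan: int
    acl: str

    def radius_attrs(self) -> Dict[str, str]:
        """The Access-Accept attributes a NAS needs to place the client."""
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(self.vlan),
            "Filter-Id": self.acl,
        }


# Assumed VLAN ids and ACL names. guest / guest+ / production are the post's
# models 1-3; quarantine and privileged are the two refinements most shops add.
GUEST = Authz("guest", 900, "internet-only")
GUEST_PLUS = Authz("guest+", 910, "internet-plus-dmz")
PRODUCTION = Authz("production", 100, "corp-full")
PRIVILEGED = Authz("production-privileged", 110, "corp-admin")
QUARANTINE = Authz("quarantine", 990, "mdm-enrollment-only")


def authorize(s: Session) -> Authz:
    """Rules are evaluated top-down, first match wins, and anything that does
    not match explicitly falls through to the least-privileged result, so an
    unexpected combination (a cert issued outside the self-provisioning flow,
    a new EAP method nobody wrote a rule for) never lands on production."""
    if s.auth_method == "eap-tls" and s.user and s.cert_device_id:
        if not s.mdm_enrolled:
            # Cert chains fine but the MDM has never seen the device: it can
            # reach only the enrollment portal until it can be wiped/controlled.
            return QUARANTINE
        if not s.mdm_compliant:
            # Known device with failed posture: DMZ apps only, no internal hosts.
            return GUEST_PLUS
        return PRIVILEGED if "it-admins" in s.groups else PRODUCTION
    if s.auth_method == "peap-mschapv2" and s.user:
        # The user is proven, the device is not: model 2, Guest+.
        return GUEST_PLUS
    # Open/guest SSID, or any method we did not anticipate: model 1.
    return GUEST


def decision_table(sessions: List[Tuple[str, Session]]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch and return (description, model, Tunnel-Private-Group-ID)."""
    rows = []
    for desc, s in sessions:
        a = authorize(s)
        rows.append((desc, a.model, a.radius_attrs()["Tunnel-Private-Group-ID"]))
    return rows


if __name__ == "__main__":
    # Constructed sample sessions for the walk-through (not real data).
    samples = [
        ("visitor on guest SSID", Session("open")),
        ("employee, personal phone, PEAP", Session("peap-mschapv2", user="bob")),
        ("employee, cert but never enrolled",
         Session("eap-tls", user="alice", cert_device_id="DEV-1")),
        ("employee, enrolled, jailbroken",
         Session("eap-tls", user="alice", cert_device_id="DEV-1", mdm_enrolled=True)),
        ("employee, enrolled, compliant",
         Session("eap-tls", user="alice", cert_device_id="DEV-1",
                 mdm_enrolled=True, mdm_compliant=True)),
        ("IT admin, enrolled, compliant",
         Session("eap-tls", user="carol", groups=frozenset({"it-admins"}),
                 cert_device_id="DEV-2", mdm_enrolled=True, mdm_compliant=True)),
    ]
    for desc, model, vlan in decision_table(samples):
        print(f"{desc:36} -> {model:22} VLAN {vlan}")
```

The point of the ordering is that the cert alone is never enough for production: the MDM lookup is what ties "a cert we issued" to "a device we can wipe", and a posture failure demotes to Guest+ rather than to a full deny, so the user keeps the DMZ-published services while the device is fixed.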
Old 08-07-2012, 09:07 PM   #2
mammador
Golden Member
 
Join Date: Dec 2010
Posts: 1,983

Whilst obviously smartphone/tablet ownership is high, I have reservations about this.

For one, it would cut down on workstation costs. No spending hundreds of dollars each for a laptop or desktop. But what if an employee resigns or is fired? IT departments need to ensure that all critical information is removed from his or her device.

IMO, the major issues are security-wise. Router/AP configuration is easy enough, as the subnet size is obviously dependent on employee numbers/scalability needs.
Old 08-07-2012, 09:10 PM   #3
spidey07
No Lifer
Join Date: Aug 2000
Posts: 65,476

Quote (originally posted by mammador):
Whilst obviously smartphone/tablet ownership is high, i have reservations about this.

For one, it would cut down on workstation costs. No spending hundreds of dollars each for a laptop or desktop. But what if an employee resigns or is fired? IT departments need to ensure that all critical information is removed from his or her device.

IMO, the major issues are security-wise. Router/AP configuration is easy enough, as the subnet size is obviously dependent on employee numbers/scalability needs.
That's where the MDM/remote wipe and cert revocation come into play. All depends on how much you want to control. Even with device certs, you'll need some way to internally tie the cert to a person and device.

And IMHO, a tablet will never be a replacement for a laptop in terms of productivity and work. The tablet enhances, but not replaces, a real work machine. But the days of the tablet being docked the same as a laptop are here, just lighter and better battery life.

Seminars/working groups I've been to show folks now have 2-3, if not 4, different devices, all to do different things/needs.
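The two things the opening post and the reply above ask for, a working certificate infrastructure for EAP-TLS and a way to tie each cert to a person and a device (and to revoke one device without the others), can be shown end to end with nothing but the openssl CLI. The script below is an added example, not from the thread and not anyone's production PKI: it stands up a throwaway issuing CA, issues per-device client certs that carry the user in the CN and a UPN otherName SAN and the device serial in the OU, verifies them the way a RADIUS server does (chain, clientAuth purpose, CRL), then revokes one of a user's two devices. CA name, the DN layout, the Microsoft UPN OID, file names and the temp directory are all assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): minimal EAP-TLS device PKI with revocation,
# driven entirely by the openssl CLI. Everything is built in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
export RANDFILE="$WORK/.rnd"   # keeps older openssl builds from touching ~/.rnd

# Minimal config for `openssl ca`. index.txt/serial/crlnumber are the CA's
# database; the policy keeps CN (user) and OU (device) in every issued DN.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = byod_ca
[ byod_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = byod_policy
[ byod_policy ]
commonName             = supplied
organizationalUnitName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# byod_pki_setup: self-signed issuing CA plus an empty first CRL, so that
# verification with -crl_check works from the very first cert.
byod_pki_setup() {
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -subj "/CN=Example BYOD Issuing CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# issue_device_cert USER DEVICE_SERIAL -> DEVICE_SERIAL.key / DEVICE_SERIAL.crt
# User in CN and in a UPN otherName SAN (what AD-integrated RADIUS matches on);
# device serial in OU, so one user can hold several independently revocable certs.
issue_device_cert() {
    user=$1; dev=$2
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$user/OU=$dev" -keyout "$dev.key" -out "$dev.csr" 2>/dev/null
    cat > "$dev.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName   = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$user
EOF
    openssl ca -config ca.cnf -batch -notext -in "$dev.csr" -out "$dev.crt" \
        -extfile "$dev.ext" 2>/dev/null
}

# verify_device_cert CERT -> 0 if it chains to our CA, is valid for client
# auth and is not on the current CRL; non-zero otherwise. This is the check
# the authenticator performs on every EAP-TLS association.
verify_device_cert() {
    openssl verify -purpose sslclient -crl_check \
        -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
}

# revoke_device_cert CERT -> mark revoked in the CA database, republish the CRL.
revoke_device_cert() {
    openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# cert_identity CERT -> prints "user device": the internal mapping from a
# presented cert back to a person and a device.
cert_identity() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    user=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    dev=$(printf '%s\n' "$subj" | sed -n 's/.*OU=\([^,]*\).*/\1/p')
    printf '%s %s\n' "$user" "$dev"
}

# Walk-through: one user, two devices, one of them lost.
byod_pki_setup
issue_device_cert alice@example.com DEV-SN-ABC123
issue_device_cert alice@example.com DEV-SN-XYZ789
verify_device_cert DEV-SN-ABC123.crt && echo "ABC123 accepted: $(cert_identity DEV-SN-ABC123.crt)"
revoke_device_cert DEV-SN-ABC123.crt
verify_device_cert DEV-SN-ABC123.crt || echo "ABC123 rejected after revocation"
verify_device_cert DEV-SN-XYZ789.crt && echo "XYZ789 still accepted: $(cert_identity DEV-SN-XYZ789.crt)"
```

In a real deployment the CRL (or an OCSP responder) has to be published somewhere the RADIUS server fetches it from, and the user/device mapping lives in the MDM or ISE database rather than in a sed expression; the DN layout is what makes that lookup possible.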
Old 08-07-2012, 09:18 PM   #4
mammador
Golden Member
 
Join Date: Dec 2010
Posts: 1,983

I can see some benefits, such as Word editing, softphone use anywhere on site, etc.

As said, I think the major issue is security.
Old 08-07-2012, 10:08 PM   #5
Ghiedo27
Senior Member
Join Date: Mar 2011
Posts: 403

Maybe this is a bad question, but I wonder if it's possible to secure things with a sandbox browser app. Allow internet traffic through with the mobile user's standard browser, but build your certificate around the browser so that while using it you can access company resources.

I imagine it would be a nightmare to make a broadly compatible browser app that controls the data you access through it well enough to be secure and displays it efficiently enough to be useful, though.
Old 08-07-2012, 10:29 PM   #6
spidey07
No Lifer
Join Date: Aug 2000
Posts: 65,476

Split tunneling per TCP session VPN does what you're talking about.
Old 08-07-2012, 11:57 PM   #7
ScottMac
Moderator
Networking
Elite member
 
Join Date: Mar 2001
Posts: 5,471

Great post & discussion Spidey, thanks! I made it a sticky, at least for a while, so we can see how it develops.

Thanks again

ScottMac
Anandtech Network Forum Moderator
Old 08-09-2012, 03:25 PM   #8
seepy83
Platinum Member
Join Date: Nov 2003
Posts: 2,064

Spidey (and everyone else)...I'm curious about any first-hand experience you've had with MDM products. We've been BES/Blackberry-only at work since we first started getting smartphones 6-7 years ago, but people have been wanting iPhones and/or Androids for at least a couple of years now, and we've had no time to do a real evaluation of our options (the most that has happened is I've looked at Gartner's magic quadrant and the marketing materials from a handful of vendors).

Due to the culture here, I couldn't imagine us going truly BYOD even in the next 10-15 years, but we need to ditch Blackberry/BES for a new MDM solution in the near future.
Old 08-09-2012, 03:30 PM   #9
spidey07
No Lifer
Join Date: Aug 2000
Posts: 65,476

The client group loves AirWatch. You can bring up AirWatch servers in your DMZ to get them on The Internet. The software will check in constantly for settings/changes so remote wiping a device or rendering it useless is easy and secure.

Right now everybody wants to use a tablet so businesses have a tool (tablet) and they're trying to find a use for it. Rather than having a specific problem they're trying to solve or opportunity to gain.
Old 09-19-2012, 06:06 PM   #10
O9O9O9
Junior Member
 
Join Date: Sep 2012
Posts: 10

Do any of you have BYOD policies in your place of work?
Old 10-15-2012, 12:36 PM   #11
alkemyst
No Lifer
Join Date: Feb 2001
Location: Corner of EPIC and ┼WESOME ST.
Posts: 83,163

ISE FTW
Old 10-23-2012, 10:18 PM   #12
m1ldslide1
Platinum Member
Join Date: Feb 2006
Location: PDX
Posts: 2,322

Quote (originally posted by alkemyst):
ISE FTW
^^
What he said.
Old 11-09-2012, 03:48 AM   #13
Railgun
Senior Member
Join Date: Mar 2010
Location: ORD-->LHR
Posts: 997

Quote (originally posted by O9O9O9):
Do any of you have BYOD policies in your place of work?

Yep.

We have two flavors at the moment, both of which are restricted to internet only traffic, cannot talk to each other, and can only have certain devices utilize them.

For external guests, we offer both a wired and wireless solution, both of which utilize a gateway for authentication. We create users ad hoc and for certain periods of time. No staff can use this solution.

For staff, we have a wireless solution that authenticates via LDAP. We too have started to look into what internal resources we would make available. The environment in which they would be used is already set up. It's simply a matter of letting whatever we need through the FW. We're looking at hooks into VoIP, for example. It's possible our IT staff would be able to have SSH/SSL access into our gear. We've also created separate networks to separate "privileged" staff (IT, InfoSec, etc.) from your regular staff, the finance folks for example, to better control that traffic.

.1x will be soon implemented as well, which will greatly expand the ability to control and restrict access in this regard.
Old 11-10-2012, 11:30 AM   #14
pub1279
Junior Member
 
Join Date: Nov 2012
Posts: 5

We are also implementing BYOD using AirWatch as an enabler. The technology is only a small part of this; the bigger challenge really is the change management that is associated with implementing these policies.

Even with their endorsement from the most senior management there was still a huge amount of noise from staff as they were unhappy with security policies such as complex passcodes and requirements to change passwords every 90 days.

But anyway, it all worked out in the end. It's not a matter of if BYOD is brought into enterprises, it's a matter of when.
Old 11-11-2012, 10:03 AM   #15
ScottMac
Moderator
Networking
Elite member
 
Join Date: Mar 2001
Posts: 5,471

What kind of policy changes are y'all making to apply some control to the access system?
Old 11-12-2012, 06:06 AM   #16
Railgun
Senior Member
Join Date: Mar 2010
Location: ORD-->LHR
Posts: 997

That's a pretty broad question. Depends on what's being accessed, what kind of access they need, and from where.
Old 11-12-2012, 10:15 AM   #17
ScottMac
Moderator
Networking
Elite member
 
Join Date: Mar 2001
Posts: 5,471

I thought a pretty broad question was something like "Did you see that blonde by the water cooler?" ...

Anyway, yeah, I know it's a huge generalization, but given the time it took for some organizations to decide they needed *any* kind of policy for wireless and, in some cases, the LAN in general, I was hoping to get responses for a variety of implementations.
Old 11-17-2012, 10:11 PM   #18
cpals
Diamond Member
Join Date: Mar 2001
Posts: 4,494

We don't allow personal devices yet, but we do utilize MobileIron for our issued devices (iPhones/iPads) so someday that will hopefully help us out when we get there. We also do not allow our own devices to connect to the work wireless. Only thing they get is their Exchange information.

Due to some federal guidelines we're working on becoming compliant and figuring out some requirements before they get on our wireless.
Old 02-15-2013, 05:24 AM   #19
PragatiJain
Junior Member
 
Join Date: Feb 2013
Posts: 1

What are the other BYOD policies in place? Does your org also have BYOD policies for gaming applications and restricting phone features?
Old 02-16-2013, 11:15 AM   #20
spidey07
No Lifer
Join Date: Aug 2000
Posts: 65,476

Quote (originally posted by PragatiJain):
What are the other BYOD policies in place? Does your org also have BYOD policies for gaming applications and restricting phone features?
Depends on if you want people using personal devices or company locked down ones.

I am REALLY impressed with Cisco's latest ISE version. It's like BYOD in a box. It can provision end points, give them certs, push policies to iPhones/Android/Windows, etc. Extremely powerful. The next version will offer AirWatch and other MDM integration.
Old 08-10-2013, 07:16 AM   #21
Nec_V20
Senior Member
Join Date: May 2013
Posts: 340

I was not popular, but when I was working as NetAdmin I introduced the policy of no changes allowed to company computer property and no private devices allowed to access the corporate network - no exceptions.

The only person to whine was the head of HR. Luckily the CEO saw the sense in the policy I had implemented and she could go and take a flying one at a rolling doughnut.

I am not going to spend money out of my budget to pander to employees' false sense of entitlement - end of story.
Old 08-21-2013, 10:31 AM   #22
SecurityTheatre
Senior Member
 
Join Date: Aug 2011
Posts: 672

deleted. wrong topic.

Old 06-01-2014, 12:53 PM   #23
tech_head_wann
Junior Member
 
Join Date: Jun 2014
Posts: 4

So what happens if there is a lawsuit and something is done illegally on a BYOD device. Who owns the asset/information? Who would get sued?
Old 06-01-2014, 07:00 PM   #24
alkemyst
No Lifer
Join Date: Feb 2001
Location: Corner of EPIC and ┼WESOME ST.
Posts: 83,163

Quote (originally posted by tech_head_wann):
So what happens if there is a lawsuit and something is done illegally on a BYOD device. Who owns the asset/information? Who would get sued?
Hard to say in the end.

Most registration pages dictate you obey the rules of the company and hold them harmless.
Old 11-09-2014, 10:14 AM   #25
Tr4nd
Member
Join Date: Oct 2014
Location: US
Posts: 40

Quote (originally posted by cpals):
We don't allow personal devices yet, but we do utilize MobileIron for our issued devices (iPhones/iPads) so someday that will hopefully help us out when we get there. We also do not allow our own devices to connect to the work wireless. Only thing they get is their Exchange information.

Due to some federal guidelines we're working on becoming compliant and figuring out some requirements before they get on our wireless.
Got a new task to secure my company's information after a number of our employees left, yeah it's a little too late I guess, but better late than never. Hmm MobileIron sounds like a pretty good solution. Thanks for the tip.
Tags: byod, eap, ise