BYOD - what to know, and what to do

Discussion in 'Networking' started by spidey07, Aug 7, 2012.

  1. spidey07

    spidey07 No Lifer

    Joined:
    Aug 4, 2000
    Messages:
    65,476
    Likes Received:
    0
    An open discussion on "Bring your own device" to corporate networks, specifically wireless but the concepts can be applied to wired if you want to go that route. It IS coming if not already on your network and you just don't know it.

    The thing to keep in mind is it touches all aspects of the business and IT - client management, security, network, support, etc. So I'll start off with a few easily deployable models that can be tailored to your environment.

    1) Stick them on the guest wireless. That's usually the first step - let them on, but ONLY to access the internet, nothing internal. It sounds good at first but then the questions come from the business "what good is my smart phone/tablet if I can't access internal systems?" You WILL get that. But this is a good first step. Along with this you should start putting services on the public Internet to support these devices.

    2) Guest+ network. Allows access to Internet and only specific internal hosts/services/applications - drop them off in a DMZ and let a few things in.

    3) Put them on production internal/secure wireless network. This is ideal, but security concerns come into play. But it is the end goal.

    So that takes care of access and some security/firewall control. The next BIG question - do you want these devices to be controlled by IS or are you OK with somebody and their personal, true "bring your own" device being on your net? There are many MDM (mobile device managers) out there with AirWatch currently the leader of the pack. You can use this to truly provision and control devices.

    The holy grail of real BYOD is the concept of "self provisioning and profile/posturing". This is where more advanced authentication methods and intelligence come into play. I'm most familiar with Cisco's ISE platform, it can pretty much do anything you want, all on one box/platform.

    Right now, the direction for BYOD is self provisioning using EAP-TLS as the wireless authentication protocol. This means the device must request and get a certificate = you MUST have a solid certificate infrastructure already in place, most of you likely do or at the least it's not too difficult (depending on size) to get it going if you're an MS AD shop. If it's a large 1000+ server network, some real planning and design will have to be done.

    Lastly, these devices have VERY poor radios meaning they'll connect at much lower data rates than laptops with high power, high quality radios in them. Plan and design the wireless aspect of it accordingly.
     
    #1 spidey07, Aug 7, 2012
    Last edited: Aug 7, 2012
  2. mammador

    mammador Platinum Member

    Joined:
    Dec 9, 2010
    Messages:
    2,128
    Likes Received:
    0
    Whilst obviously smartphone/tablet ownership is high, I have reservations about this.

    For one, it would cut down on workstation costs. No spending hundreds of dollars each for a laptop or desktop. But what if an employee resigns or is fired? IT departments need to ensure that all critical information is removed from his or her device.

    IMO, the major issues are security-wise. Router/AP configuration is easy enough, as the subnet size is obviously dependent on employee numbers/scalability needs.
     
  3. spidey07

    spidey07 No Lifer

    Joined:
    Aug 4, 2000
    Messages:
    65,476
    Likes Received:
    0
    That's where the MDM/remote wipe and cert revocation come into play. All depends on how much you want to control. Even with device certs, you'll need some way to internally tie the cert to a person and device.

    And IMHO, a tablet will never be a replacement for a laptop in terms of productivity and work. The tablet enhances, but not replaces, a real work machine. But the days of the tablet being docked the same as a laptop are here, just lighter and better battery life.

    Seminars/working groups I've been to show folks now have 2-3, if not 4, different devices, all to do different things/needs.
     
    #3 spidey07, Aug 7, 2012
    Last edited: Aug 7, 2012
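    The three access models from post #1 (guest, guest+, production) and the cert-to-person/device binding plus revocation from post #3, written up as an added policy-decision example. This is illustrative code, not anything from spidey07, Cisco ISE or AirWatch; the CA name, serials, registry and evaluation date are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INTERNAL_CA = "CN=Corp Issuing CA"          # constructed issuer DN
REVOKED_SERIALS = {"0x1a2b"}                 # constructed CRL (serials of wiped/revoked devices)
CERT_REGISTRY = {                            # constructed: serial -> (person, device id)
    "0x0c0d": ("alice", "ipad-7f3e"),
    "0x1a2b": ("bob", "android-9912"),
}
TODAY = date(2012, 8, 7)                     # constructed evaluation date

@dataclass
class Device:
    user: str                    # identity asserted at authentication
    device_id: str               # identifier the MDM/network sees for the device
    cert_serial: Optional[str]   # EAP-TLS client cert serial, None if no cert presented
    cert_issuer: str             # issuer DN of the presented cert
    not_after: date              # cert expiry
    mdm_enrolled: bool           # device is under MDM control

def cert_is_valid(d: Device, today: date = TODAY) -> bool:
    """Cert must be from the internal CA, unexpired, unrevoked, and bound
    in the registry to exactly this person AND this device."""
    if d.cert_serial is None or d.cert_issuer != INTERNAL_CA:
        return False
    if d.not_after < today or d.cert_serial in REVOKED_SERIALS:
        return False
    return CERT_REGISTRY.get(d.cert_serial) == (d.user, d.device_id)

def assign_tier(d: Device, today: date = TODAY) -> str:
    """Map a device to one of the access tiers discussed in the thread."""
    if d.cert_serial is not None and not cert_is_valid(d, today):
        return "deny"         # revoked, expired, foreign CA, or cert not bound to this user+device
    if d.cert_serial is not None and d.mdm_enrolled:
        return "production"   # model 3: internal/secure wireless
    if d.mdm_enrolled or d.cert_serial is not None:
        return "guest-plus"   # model 2: Internet plus a few DMZ services
    return "guest"            # model 1: Internet only

def sample_devices() -> dict:
    """Constructed devices covering each tier plus the revoked and stolen-cert cases."""
    ok = date(2013, 8, 7)
    return {
        "alice_ipad": Device("alice", "ipad-7f3e", "0x0c0d", INTERNAL_CA, ok, True),
        "bob_android": Device("bob", "android-9912", "0x1a2b", INTERNAL_CA, ok, True),   # revoked
        "carol_phone": Device("carol", "phone-0001", None, "", TODAY, True),               # enrolled, no cert
        "visitor": Device("visitor", "laptop-0", None, "", TODAY, False),
        "mallory": Device("mallory", "pc-4444", "0x0c0d", INTERNAL_CA, ok, True),          # alice's cert elsewhere
    }
```

The "mallory" case is the point of post #3: a cert that checks out cryptographically but is not bound to the presenting person and device is denied rather than silently given guest access.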
  4. mammador

    mammador Platinum Member

    Joined:
    Dec 9, 2010
    Messages:
    2,128
    Likes Received:
    0
    I can see some benefits, such as Word editing, softphone use anywhere on site, etc.

    As said, I think the major issue is security.
     
  5. Ghiedo27

    Ghiedo27 Senior member

    Joined:
    Mar 9, 2011
    Messages:
    403
    Likes Received:
    0
    Maybe this is a bad question, but I wonder if it's possible to secure things with a sandbox browser app. Allow internet traffic through with the mobile user's standard browser, but build your certificate around the browser so that while using it you can access company resources.

    I imagine it would be a nightmare to make a broadly compatible browser app that controls the data you access through it well enough to be secure and displays it efficiently enough to be useful, though.
     
  6. spidey07

    spidey07 No Lifer

    Joined:
    Aug 4, 2000
    Messages:
    65,476
    Likes Received:
    0
    Split tunneling per tcp session VPN does what you're talking about.
     
  7. ScottMac

    ScottMac Moderator, Networking, Elite member

    Joined:
    Mar 19, 2001
    Messages:
    5,471
    Likes Received:
    0
    Great post & discussion Spidey, thanks! I made it a sticky, at least for a while, so we can see how it develops.

    Thanks again

    ScottMac
    Anandtech Network Forum Moderator
     
  8. seepy83

    seepy83 Platinum Member

    Joined:
    Nov 12, 2003
    Messages:
    2,132
    Likes Received:
    0
    Spidey (and everyone else)...I'm curious about any first-hand experience you've had with MDM products. We've been BES/Blackberry-only at work since we first started getting smartphones 6-7 years ago, but people have been wanting iPhones and/or Androids for at least a couple of years now, and we've had no time to do a real evaluation of our options (the most that has happened is I've looked at Gartner's magic quadrant and the marketing materials from a handful of vendors).

    Due to the culture here, I couldn't imagine us going truly BYOD even in the next 10-15 years, but we need to ditch Blackberry/BES for a new MDM solution in the near future.
     
  9. spidey07

    spidey07 No Lifer

    Joined:
    Aug 4, 2000
    Messages:
    65,476
    Likes Received:
    0
    The client group loves AirWatch. You can bring up AirWatch servers in your DMZ to get them on the Internet. The software will check in constantly for settings/changes so remote wiping a device or rendering it useless is easy and secure.

    Right now everybody wants to use a tablet so businesses have a tool (tablet) and they're trying to find a use for it. Rather than having a specific problem they're trying to solve or opportunity to gain.
     
  10. O9O9O9

    O9O9O9 Junior Member

    Joined:
    Sep 17, 2012
    Messages:
    10
    Likes Received:
    0
    Do any of you have BYOD policies in your place of work?
     
  11. alkemyst

    alkemyst No Lifer

    Joined:
    Feb 13, 2001
    Messages:
    83,988
    Likes Received:
    0
  12. m1ldslide1

    m1ldslide1 Platinum Member

    Joined:
    Feb 20, 2006
    Messages:
    2,322
    Likes Received:
    0
    ^^
    What he said.
     
  13. Railgun

    Railgun Golden Member

    Joined:
    Mar 27, 2010
    Messages:
    1,269
    Likes Received:
    0
    Yep.

    We have two flavors at the moment, both of which are restricted to internet only traffic, cannot talk to each other, and can only have certain devices utilize them.

    For external guests, we offer both a wired and wireless solution, both of which utilize a gateway for authentication. We create users ad hoc and for certain periods of time. No staff can use this solution.

    For staff, we have a wireless solution that authenticates via LDAP. We too have started to look into what internal resources we would make available. The environment in which they would use it is already set up. It's simply a matter of letting whatever we need through the FW. We're looking at hooks into VoIP for example. It's possible our IT staff would be able to have SSH/SSL access into our gear. We've also created separate networks to separate "privileged" staff (IT, InfoSec, etc) from your regular staff, the finance folks for example, to better control that traffic.

    .1x will be soon implemented as well, which will greatly expand the ability to control and restrict access in this regard.
     
  14. pub1279

    pub1279 Junior Member

    Joined:
    Nov 10, 2012
    Messages:
    5
    Likes Received:
    0
    We are also implementing BYOD using AirWatch as an enabler. The technology is only a small part of this - the bigger challenge really is the change management that is associated with implementing these policies.

    Even with their endorsement from the most senior management there was still a huge amount of noise from staff as they were unhappy with security policies such as complex passcodes and requirements to change passwords every 90 days.

    But anyway, it all worked out in the end. It's not a matter of if BYOD is brought into enterprises, it's a matter of when.
     
  15. ScottMac

    ScottMac Moderator, Networking, Elite member

    Joined:
    Mar 19, 2001
    Messages:
    5,471
    Likes Received:
    0
    What kind of policy changes are y'all making to apply some control to the access system?
     
  16. Railgun

    Railgun Golden Member

    Joined:
    Mar 27, 2010
    Messages:
    1,269
    Likes Received:
    0
    That's a pretty broad question. Depends on what's being accessed, what kind of access they need, and from where.
     
  17. ScottMac

    ScottMac Moderator, Networking, Elite member

    Joined:
    Mar 19, 2001
    Messages:
    5,471
    Likes Received:
    0
    I thought a pretty broad question was something like "Did you see that blonde by the water cooler?" ...

    Anyway, yeah, I know it's a huge generalization, but given the time it took for some organizations to decide they needed *any* kind of policy for wireless and, in some cases, the LAN in general, I was hoping to get responses for a variety of implementations.
     
  18. cpals

    cpals Diamond Member

    Joined:
    Mar 5, 2001
    Messages:
    4,494
    Likes Received:
    0
    We don't allow personal devices yet, but we do utilize MobileIron for our issued devices (iPhones/iPads) so someday that will hopefully help us out when we get there. We also do not allow our own devices to connect to the work wireless. Only thing they get is their Exchange information.

    Due to some federal guidelines we're working on becoming compliant and figuring out some requirements before they get on our wireless.
     
  19. PragatiJain

    PragatiJain Junior Member

    Joined:
    Feb 15, 2013
    Messages:
    1
    Likes Received:
    0
    What are the other BYOD policies in place? Does your org also have BYOD policies for gaming applications and restricting phone features?
     
  20. spidey07

    spidey07 No Lifer

    Joined:
    Aug 4, 2000
    Messages:
    65,476
    Likes Received:
    0
    Depends on if you want people using personal devices or company locked down ones.

    I am REALLY impressed with Cisco's latest ISE version. It's like BYOD in a box. It can provision end points, give them certs, push policies to iPhones/Android/Windows, etc. Extremely powerful. Next version will offer AirWatch and other MDM integration.
     
  21. Nec_V20

    Nec_V20 Senior member

    Joined:
    May 7, 2013
    Messages:
    404
    Likes Received:
    0
    I was not popular, but when I was working as NetAdmin I introduced the policy of no changes allowed to company computer property and no private devices allowed to access the corporate network - no exceptions.

    The only person to whine was the head of HR. Luckily the CEO saw the sense in the policy I had implemented and she could go and take a flying one at a rolling doughnut.

    I am not going to spend money out of my budget to pander to employees' false sense of entitlement - end of story.
     
  22. SecurityTheatre

    SecurityTheatre Senior member

    Joined:
    Aug 14, 2011
    Messages:
    672
    Likes Received:
    0
    deleted. wrong topic.
     
    #22 SecurityTheatre, Aug 21, 2013
    Last edited: Aug 21, 2013
  23. tech_head_wann

    tech_head_wann Junior Member

    Joined:
    Jun 1, 2014
    Messages:
    4
    Likes Received:
    0
    So what happens if there is a lawsuit and something is done illegally on a BYOD device. Who owns the asset/information? Who would get sued?
     
  24. alkemyst

    alkemyst No Lifer

    Joined:
    Feb 13, 2001
    Messages:
    83,988
    Likes Received:
    0
    Hard to say in the end.

    Most registration pages dictate you obey the rules of the company and hold them harmless.
     
  25. Tr4nd

    Tr4nd Member

    Joined:
    Oct 27, 2014
    Messages:
    40
    Likes Received:
    0
    Got a new task to secure my company's information after a number of our employees left, yeah it's a little too late I guess, but better late than never. Hmm MobileIron sounds like a pretty good solution. Thanks for the tip. :)
     
    #25 Tr4nd, Nov 9, 2014
    Last edited: Nov 15, 2014