Detecting the rogues
While the BYOD DMZ incentive solution works for those that have not accessed the network before, there may be users that have already illicitly accessed the network. If they refuse or are otherwise unlikely to change their system setting to use the new “official” method, you’ll have to find these rogue devices and individually ask users to comply or lose access.
One method is to use network access control (NAC) to validate devices before the network will let them communicate. There are a number of solutions, both commercial and open source. NAC is designed to perform a variety of checks, from simple username/password to OS fingerprinting and even policy compliance checking, such as verifying that antivirus is installed.
More in-depth checking may require installing an agent on the device, which presents two challenges. First, technologically, what if the agent isn’t available for the device? Second, legally, local laws may prohibit your company from asking users to install software.
NAC is a great tool to use if it’s already deployed, but it’s arguably overkill if the goal is simply to control BYOD. Even free software can be expensive if it takes too much time for an already overworked IT team. While the security posture of the entire network can be improved with a proper NAC deployment, the process deserves some planning, and should probably not be tied just to BYOD.
An alternate method that doesn’t require large-scale deployment is packet-level analysis. BYOD-type devices are built to be highly connected: they perform active discovery of the network, which in turn makes them easy to find. Apple products (and some Linux products) use multicast DNS to advertise themselves and find network resources.
While switches usually limit visibility when doing packet capture, that’s not a problem here, because multicast packets will be forwarded to every node in the VLAN, and even potentially across VLANs depending on the configuration of the routers (or routing modules on the switches). The concept is similar to how Windows works in a workgroup, rather than a domain. Sadly, the method is fairly chatty, and doesn’t scale well for large enterprises, which is one reason to get them off the production network.
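As an added example (not code from the article or from WildPackets), here is a small Python parser for the multicast DNS announcements described above, run over a constructed sample packet (device name and address are invented) to build a per-source-address inventory of the hostnames and service types each device advertises. Feeding it datagrams from a socket joined to 224.0.0.251:5353 is left to the reader.

```python
import socket, struct                                  # standard library only
def _read_name(pkt, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length >= 0xC0:                             # 2-byte pointer to an earlier name
            end = off + 2 if end is None else end      # resume after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_mdns_records(pkt):
    """Return (owner, rtype, rdata) for every resource record in one mDNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, records = 12, []
    for _ in range(qd): off = _read_name(pkt, off)[1] + 4   # skip questions (name+type+class)
    for _ in range(an + ns + ar):
        owner, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        rdata = (_read_name(pkt, start)[0] if rtype == 12             # PTR: a service name
                 else socket.inet_ntoa(pkt[start:off]) if rtype == 1  # A: dotted quad
                 else pkt[start:off].hex())                           # SRV/TXT/AAAA: raw hex
        records.append((owner, rtype, rdata))
    return records

def inventory(announcements):
    """Map source IP -> names it advertised, from (ip, datagram) pairs off 224.0.0.251:5353."""
    seen = {}
    for ip, pkt in announcements:
        for owner, rtype, rdata in parse_mdns_records(pkt):
            if rtype in (12, 1):                       # service type (PTR owner) or host (A)
                seen.setdefault(ip, set()).add(owner if rtype == 12 else f"{owner}={rdata}")
    return seen

SAMPLE_ANNOUNCEMENT = (  # constructed AirPlay-style announcement; name and address are made up
    b"\x00\x00\x84\x00\x00\x00\x00\x02\x00\x00\x00\x00"         # header: response, 2 answers
    b"\x08_airplay\x04_tcp\x05local\x00"                         # owner _airplay._tcp.local
    b"\x00\x0c\x80\x01\x00\x00\x11\x94\x00\x0e"                  # PTR, IN+cache-flush, TTL 4500
    b"\x0bDemo-iPhone\xc0\x0c"                                   # -> Demo-iPhone._airplay._tcp.local
    b"\x0bDemo-iPhone\xc0\x1a"                                   # owner Demo-iPhone.local
    b"\x00\x01\x80\x01\x00\x00\x00\x78\x00\x04\x0a\x01\x02\x03"  # A 10.1.2.3, TTL 120
)
```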
It’s about the business …
The BYOD issue is, at its core, not a technology decision, but a business decision. If employees own laptops or other devices that they prefer to the equipment the company could provide them, it may make financial sense for the company to encourage employees to opt in to an approved BYOD system, and opt out of having a company-provided PC.
If the company does save money, the cost savings could be allocated to a future network security upgrade. Even if you do not have the budget now, you might therefore have it later. Remember, if the workforce is mobile, their devices are mobile, so BYOD is inevitable. If you don’t have a solution in place now, your BYOD policy will be dictated by the individual actions of your users, not what’s best for them and you.
Jim MacLeod is a Product Manager at WildPackets, which develops hardware and software solutions that drive network performance, enabling organizations of all sizes to analyze, troubleshoot, optimize, and secure their wired and wireless networks. He has been in the networking industry since 1994 and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course packet sniffing.