If all you had to do was grant network access based on user identity, device, or location alone, writing a BYOD security plan would be easy. A comprehensive BYOD network security program, however, has to weigh all of those factors together, and that is a daunting task.
Because no single product currently does all of this, IT departments are combining tools that range from mobile device management (MDM) to network access control (NAC) and even out-of-band management systems.
To see how that plays out, we interviewed four organizations (three educational institutions and a regional medical center) that wanted to control hundreds or even thousands of personally owned devices in an automated way, without installing software on each client by hand. All of them want fine-grained control over access based on the combination of identity and device, and each executive has taken a different route to that goal.
MDM tools have potential but are not a comprehensive solution

All four executives interviewed have used or evaluated MDM tools. Offerings differ by vendor, but these tools typically track mobile devices on the network and can restrict which users may reach specific applications or network segments according to enterprise policy. Overall, companies are flocking to MDM: in 2010-2011, 21.2% of the companies surveyed by Nemertes Research used MDM, and analyst Philip Clarke says Nemertes expects that figure to reach 84% by the end of 2014.
MDM alone, however, cannot sort out a user who owns several devices and signs all of them on to the wireless LAN (WLAN) with the same credentials. If the WLAN cannot tell a vetted device from a potentially infected one that presents the same identity, the network is at risk. The IT department must be able to recognize each of a user's devices individually and grant role-based access to users and their devices separately, which usually means integrating MDM with other tools, including identity management (IdM) and NAC products.
BYOD security through out-of-band management

Hardin, technical executive director of the Rowan-Salisbury School System in North Carolina, said the school system needed to control mobile device network access based on a range of variables, including device type, location, and application. At the same time, Hardin's team needed to automate software installation and policy enforcement across many devices.
As a result, the schools use Aerohive's HiveManager out-of-band network management system together with the JAMF Software iOS MDM suite. HiveManager lets the organization define a policy for each combination of user identity and device type; a policy governs network access, firewall rules, the hours during which access is allowed, and the channel policy for secure VPN access.
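The point both HiveManager and the earlier MDM discussion make is that the access decision keys on the identity and the device together, not on either alone. The following is an added example, not HiveManager's or any other vendor's code, that models such a policy: role from identity management, device type from fingerprinting, MDM enrollment and health state, and a time window feed an ordered rule list whose default is quarantine. Rule contents, VLAN numbers, ACL names and the sample requests are assumptions made for illustration.

```python
"""Identity-plus-device access policy evaluation (added example, hypothetical values)."""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    username: str
    role: str           # from IdM: "staff", "student", "guest"
    device_type: str    # from device fingerprinting: "windows", "ios", "unknown", ...
    mdm_enrolled: bool  # MDM profile/agent present on the device
    posture_ok: bool    # health check passed (patched, AV running, ...)
    at: time            # local time of the request


@dataclass(frozen=True)
class Decision:
    vlan: int
    acl: str
    vpn_required: bool = False
    reason: str = ""


@dataclass(frozen=True)
class Rule:
    name: str
    roles: FrozenSet[str]                # empty set = any role
    device_types: FrozenSet[str]         # empty set = any device type
    require_enrolled: Optional[bool]     # None = don't care
    require_posture: Optional[bool]      # None = don't care
    window: Optional[Tuple[time, time]]  # None = any time of day
    decision: Decision

    def matches(self, req: AccessRequest) -> bool:
        if self.roles and req.role not in self.roles:
            return False
        if self.device_types and req.device_type not in self.device_types:
            return False
        if self.require_enrolled is not None and req.mdm_enrolled != self.require_enrolled:
            return False
        if self.require_posture is not None and req.posture_ok != self.require_posture:
            return False
        if self.window is not None and not (self.window[0] <= req.at <= self.window[1]):
            return False
        return True


# Anything that matches no rule lands here: default deny, never default allow.
QUARANTINE = Decision(vlan=999, acl="remediation-only", reason="no rule matched")

# Ordered, most specific first. All values are hypothetical.
POLICY = [
    Rule("staff-managed-laptop", frozenset({"staff"}), frozenset({"windows", "macos"}),
         True, True, None,
         Decision(10, "staff-full", reason="enrolled, healthy staff laptop")),
    Rule("staff-phone", frozenset({"staff"}), frozenset({"ios", "android"}),
         True, None, None,
         Decision(20, "staff-mobile", vpn_required=True,
                  reason="enrolled staff phone: internal apps only over VPN")),
    Rule("student-enrolled", frozenset({"student"}), frozenset(),
         True, True, (time(7, 0), time(22, 0)),
         Decision(30, "student", reason="enrolled student device during allowed hours")),
    Rule("guest", frozenset({"guest"}), frozenset(), None, None, None,
         Decision(40, "internet-only", reason="guest: internet only")),
]


def evaluate(req: AccessRequest, policy=POLICY) -> Decision:
    """First matching rule wins; no match means quarantine."""
    for rule in policy:
        if rule.matches(req):
            return rule.decision
    return QUARANTINE


# The same identity (jdoe) arriving from three different devices: constructed requests.
JDOE_LAPTOP = AccessRequest("jdoe", "staff", "windows", True, True, time(9, 30))
JDOE_PHONE = AccessRequest("jdoe", "staff", "ios", True, True, time(9, 30))
JDOE_UNKNOWN = AccessRequest("jdoe", "staff", "unknown", False, False, time(9, 30))
STUDENT_LATE = AccessRequest("asmith", "student", "android", True, True, time(23, 15))
GUEST_TABLET = AccessRequest("visitor42", "guest", "ipad", False, False, time(14, 0))

if __name__ == "__main__":
    for req in (JDOE_LAPTOP, JDOE_PHONE, JDOE_UNKNOWN, STUDENT_LATE, GUEST_TABLET):
        d = evaluate(req)
        print(f"{req.username:10} {req.device_type:8} -> VLAN {d.vlan:3} {d.acl:16} {d.reason}")
```

The same credentials produce three different outcomes depending on the device: the enrolled laptop gets full staff access, the enrolled phone gets a mobile VLAN with VPN required, and the unfingerprinted, unenrolled device lands in remediation. Ordering the rules most specific first and making the fall-through quarantine rather than allow is what keeps an unknown device from inheriting its owner's privileges.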
"Hivemanager provides central data collection and alerts us to the existence of rogue clients," Hardin said. It uses device fingerprinting to apply specific security features based on policies and monitors the health of devices for individual and group devices, visually and graphically. ”
Meanwhile, JAMF Software checks Apple devices to make sure the Apple MDM client is installed. It directs a new device to a portal where it accepts a configuration profile, which determines the device's access rights and privileges. Hardin added: "This integrated solution lets the schools manage application access as well as installation and software updates on devices. It completes profile management and access control without requiring a NAC client to be installed on a personal device."
Identity management: the core of BYOD security

Hartwick College in New York State uses an IdM tool and next-generation firewalls to handle device management and access. The Meru Identity Manager controls network access for both guest and employee devices through its Smart Connect and Guest Connect modules. When a new college employee opens a web page for the first time, the device is redirected to a captive portal page on the Meru IdM appliance.
"Our IDM device has 2048 VeriSign certificates that encrypt the Web page of the mandatory portal site, and then employees download Smartconnect as an applet or network profile," said Davis Conley, it executive director at Hartwick College. ”
Smart Connect configures the device to use the encrypted network, authenticates the user automatically, makes that network the device's preferred one, and then removes the open network from the device's SSID list. Visitors register on the guest SSID through Guest Connect. Both Smart Connect and Guest Connect automate BYOD configuration according to roles and policies. "Guest Connect requires users to fill in their real name, phone number and the person on campus they are visiting, and if there is a problem we can turn off their network access," Conley said. "Meru IdM then uses a mechanism to collect device MAC addresses for future device identification."
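What the JAMF portal in the Rowan-Salisbury case and Smart Connect here push to an Apple device is a configuration profile that joins the encrypted SSID and makes it the preferred network. The following is an added example, not JAMF's, Meru's or Apple's code: it builds such a .mobileconfig with Python's plistlib and then lints it for the setting that matters most on a BYOD network, namely that the client must validate the RADIUS server certificate against a pinned CA and server name rather than let the user click through an unknown one. The SSID, organization identifier, RADIUS host name and CA certificate bytes are assumptions; the certificate is a placeholder, not real DER.

```python
"""Build and lint an Apple Wi-Fi configuration profile (added example, hypothetical values)."""
import plistlib
import uuid


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def root_cert_payload(org: str, name: str, der: bytes) -> dict:
    """Installs the CA that signs the RADIUS server certificate."""
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.ca.{name.replace(' ', '-')}",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": name,
        "PayloadContent": der,  # plistlib emits this as <data>
    }


def wifi_payload(org, ssid, radius_name, ca_uuid, allow_trust_exceptions=False) -> dict:
    """WPA2-Enterprise (PEAP) Wi-Fi payload anchored to the CA payload above."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{ssid}",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,  # the device prefers this SSID from now on
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP; the user name is entered at install time
            "TLSTrustedServerNames": [radius_name],
            "PayloadCertificateAnchorUUID": [ca_uuid],
            # True would let the user accept an unknown RADIUS certificate, which is
            # exactly what an evil-twin access point needs to harvest credentials.
            "TLSAllowTrustExceptions": allow_trust_exceptions,
        },
    }


def build_profile(org, ssid, radius_name, ca_der, allow_trust_exceptions=False) -> bytes:
    ca = root_cert_payload(org, "Campus RADIUS CA", ca_der)
    wifi = wifi_payload(org, ssid, radius_name, ca["PayloadUUID"], allow_trust_exceptions)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.byod-wifi",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "BYOD Wi-Fi onboarding",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,  # users may remove it; NAC then sees an unregistered device
        "PayloadContent": [ca, wifi],
    }
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> dict:
    return plistlib.loads(data)


def lint_profile(profile: dict) -> list:
    """Return the findings a reviewer would reject the profile for."""
    problems = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        if p.get("EncryptionType") in (None, "None", "WEP"):
            problems.append(f"{ssid}: no or weak encryption")
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ssid}: RADIUS server name not pinned")
        if not eap.get("PayloadCertificateAnchorUUID"):
            problems.append(f"{ssid}: no CA anchor for the RADIUS certificate")
        # A missing key is treated as not hardened.
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append(f"{ssid}: user may accept an untrusted RADIUS certificate")
    return problems


# Placeholder bytes standing in for the CA certificate in DER form.
FAKE_CA_DER = b"\x30\x82\x00\x00 placeholder: replace with the real CA certificate (DER)"

if __name__ == "__main__":
    good = build_profile("edu.example", "Campus-Secure", "radius.example.edu", FAKE_CA_DER)
    weak = build_profile("edu.example", "Campus-Secure", "radius.example.edu", FAKE_CA_DER, True)
    print("good:", lint_profile(parse_profile(good)) or "no findings")
    print("weak:", lint_profile(parse_profile(weak)))
```

The lint is the part worth keeping in a build pipeline: a profile that joins the right SSID but lets the user accept any RADIUS certificate turns every enrolled device into a credential source for a rogue access point, and nothing in the join experience tells the user that anything is wrong.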
Hartwick College does not, however, use the activity monitoring, policy management and policy enforcement components of the Meru solution. Conley said: "We have our own policy management. We use a Blue Coat PacketShaper, a Palo Alto next-generation firewall and a TippingPoint device to see which devices are transmitting virus-laden content, and then we ask the users to fix the problem."
BYOD management: WLAN analysis tools with NAC

Central Michigan University uses the Lancope StealthWatch network analyzer to detect behavior on the WLAN and track user activity. "We use StealthWatch to look for abnormal behavior and find out what users are looking at," says Ryan Laus, the university's network manager. "Then we use the NAC appliance (from Bradford Networks) to identify the user, which is a manual process."
With StealthWatch, Central Michigan University can detect externally launched botnet attacks, worms and advanced persistent threats, as well as internal abuse, policy violations and data leakage, regardless of device type. StealthWatch draws the data for its analysis from NetFlow.
The university is now evaluating MDM tools from several vendors to enforce policy. MDM will be able to control user behavior on the device through policy, somewhat as Active Directory does with Group Policy: it will block unauthorized software installation and let administrators set configuration and permissions for BYOD deployments.
Central Michigan University expects StealthWatch to back up the new MDM toolkit. "If users know how to bypass MDM to install unapproved applications, StealthWatch can look for traffic that is out of policy and alert the NAC appliance, which will move the user/device to an isolated network," says Laus.
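The flow-analysis-to-NAC loop Laus describes is easy to show on sample data. The following is an added example, not Lancope's or Bradford Networks' code: it runs three detectors over NetFlow-style records (timestamp, source, destination, port, bytes) and turns the hits into the kind of quarantine action a NAC would carry out. The detectors are a policy check (a BYOD address reaching the server subnet on admin ports), a scan or worm check (one source touching many hosts on one port with tiny flows), and a beacon check (regular-interval connections to one external host). The network ranges, thresholds, VLAN number and the sample flows are all constructed for illustration.

```python
"""Flow-based detection of out-of-policy BYOD traffic with a quarantine action (added example)."""
import ipaddress
from collections import defaultdict, namedtuple
from statistics import pstdev

Flow = namedtuple("Flow", "ts src dst dport nbytes")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed: everything else is external
BYOD_NET = ipaddress.ip_network("10.50.0.0/16")      # assumed BYOD VLAN
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")    # assumed server VLAN
ADMIN_PORTS = {22, 445, 3389}
QUARANTINE_VLAN = 999


def _in(net, ip):
    return ipaddress.ip_address(ip) in net


def detect_policy(flows):
    """BYOD endpoints talking to servers on administrative ports."""
    return {f.src for f in flows
            if _in(BYOD_NET, f.src) and _in(SERVER_NET, f.dst) and f.dport in ADMIN_PORTS}


def detect_scans(flows, min_targets=20, max_bytes=200):
    """One source, one port, many distinct destinations, tiny flows: scanning or a worm."""
    targets = defaultdict(set)  # (src, dport) -> distinct destinations
    for f in flows:
        if f.nbytes <= max_bytes:
            targets[(f.src, f.dport)].add(f.dst)
    return {src for (src, _), dsts in targets.items() if len(dsts) >= min_targets}


def detect_beacons(flows, min_count=8, max_jitter=2.0):
    """Repeated connections to one external host at near-constant intervals."""
    series = defaultdict(list)  # (src, dst, dport) -> timestamps
    for f in flows:
        if not _in(INTERNAL_NET, f.dst):
            series[(f.src, f.dst, f.dport)].append(f.ts)
    hits = set()
    for (src, _, _), ts in series.items():
        ts.sort()
        if len(ts) >= min_count:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if pstdev(gaps) <= max_jitter:
                hits.add(src)
    return hits


def analyze(flows):
    """Map each offending source address to the detector tags that fired."""
    alerts = defaultdict(list)
    for tag, fn in (("policy", detect_policy), ("scan", detect_scans), ("beacon", detect_beacons)):
        for src in fn(flows):
            alerts[src].append(tag)
    return dict(alerts)


def quarantine_actions(alerts):
    """What the NAC would be told: move each offending endpoint to the remediation VLAN."""
    return sorted((src, QUARANTINE_VLAN, ",".join(tags)) for src, tags in alerts.items())


def sample_flows():
    """Constructed flow records: one benign client and three misbehaving ones."""
    flows = []
    # .10: a handful of irregular HTTPS sessions, normal browsing
    for i, (t, dst) in enumerate([(0, "93.184.216.34"), (37, "198.51.100.8"),
                                  (95, "93.184.216.34"), (210, "203.0.113.50")]):
        flows.append(Flow(1000 + t, "10.50.1.10", dst, 443, 15000 + i))
    # .20: a small flow to one external host every 60 s, beaconing
    flows += [Flow(1000 + 60 * i, "10.50.1.20", "203.0.113.7", 443, 120) for i in range(12)]
    # .30: 25 server hosts on 445 with tiny flows, an SMB sweep
    flows += [Flow(2000 + i, "10.50.1.30", f"10.10.0.{i + 1}", 445, 60) for i in range(25)]
    # .40: RDP to a server from a BYOD address, a plain policy violation
    flows.append(Flow(3000, "10.50.1.40", "10.10.0.5", 3389, 4200))
    return flows


if __name__ == "__main__":
    for src, vlan, why in quarantine_actions(analyze(sample_flows())):
        print(f"move {src} to VLAN {vlan}: {why}")
```

The quarantine action keys on the source address, so in practice the last step is the NAC's own mapping from IP to MAC and switch port or wireless session, which is the identification step Laus describes as manual at the university; automating the alert only helps if that mapping is current.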
BYOD security: a regional medical center that combines IdM and NAC

A regional medical center in Tennessee is using Aruba Networks' ClearPass integrated mobility management and NAC software to create a self-configuring system for BYOD. Medical center users will log in with their standard user name and password, and ClearPass will configure the device according to predetermined policies. "We don't need to have them bring in their equipment so we can install security and network profiles manually," says Tony Alphier, IT director at the medical center. "After this process, the NAC controller will be able to keep unregistered and insecure devices from logging on to the network."
"At the moment we don't allow employees to BYOD (internal access) unless they are doctors and bring a laptop so we will manually configure the file on its device," Alphier said, "When we add the Aruba NAC module, we will be able to allow BYOD access for all employees." ”
The medical center also uses Aruba AirWave to log and monitor device activity, and Aruba technology lets Alphier provide a guest network. "We used Aruba's Amigopod guest solution, and Aruba has now combined AirWave with ClearPass," says Alphier. "We can allow family, patients and friends to use our network while maintaining security. Visitors can now self-register to receive a code that connects them to the Internet while staying isolated from the internal network."