On Fri, 24 Feb 2012, Ryan Frantz wrote:

List,

My company is expanding fast and the more employees we bring on, the more 
requests I field for folks to bring in their own devices (laptops, tablets, 
etc.) to be used on our network. We have conference rooms with wide open 
network jacks accessible to anyone. I am looking for solutions that will allow 
me to secure my network and enforce policies (i.e. installed, approved 
anti-virus and firewall software) and/or limit access to certain parts of the 
network (i.e. for Wifi-enabled devices). I am aware of certain vendors' 
offerings such as Cloudpath, Bradford Networks, and Aruba Networks, but I've 
only scratched the surface.

I'm looking for feedback from the list on what solutions you have implemented 
to enable BYOD while enforcing appropriate security policies to protect the 
soft, squishy innards of your network. For guidance, my goals are as follows:

   1. Preventing unauthorized devices from directly accessing the network.
   2. Allowing for redirection of unauthorized devices to either a captive 
portal for registration or limited/throttled Internet access (i.e. via a 
separate VLAN).
   3. Supporting Wi-Fi.
   4. Reporting on BYOD utilization including the number and types of devices.

Thanks in advance for anything you can offer,

It seems to me that the discussion on this is splitting into two topics.

First, provide guest access that lets a person use your Internet connection, but not access your company resources.

For this, PacketFence is a good, free tool. It also includes the ability to have Snort watch the traffic and say "this system looks like it's infected with something, isolate it until it's fixed".


The second, and harder, part of the discussion is "How can you have personally owned equipment access your company resources without danger?"

I think the answer to that is "you can't".

Now, the discussion starts getting more complicated.

What is it that you want them to access, and what danger are you trying to protect yourself against?

Remember that even if you can make sure the system has current antivirus on it (and what does that mean for an Android or Linux device??), there is still the possibility that the device is giving other people access to whatever you give the device access to. If you don't own the device, how much control can you really have over what it's running?

If you want to put a firewall on a device, what happens when that firewall breaks some game or application that the owner of that device wants to run?

To some extent, these issues apply to portable devices, no matter who owns them, but if they are company owned you have a much better standing when you try to forbid the devices from doing specific things.

But also don't focus too much on the portable devices; WebEx, GoToMyPC, etc. can allow outside people to control machines on your network. Are you blocking these things?

If not, why not? Is it that your policy is "We trust our employees not to abuse this sort of capability"? If so, why don't you trust those same employees with portable devices?


When thinking about what you are trying to protect yourself against, possible answers are:

1. leakage of your company documents

2. tampering with your company documents

3. inappropriate access to your internal servers

4. automated malware eating up your company resources? (note that there are other reasons for being worried about malware, as malware can be used as a way to perform these other attacks)

And there are others.

David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/