If Skynet takes over tomorrow I fear for all those who have not made their wireless networks hospitable to their users’ mobile devices. These devices are going to turn on you and will probably be holding a grudge for being denied access.
To help you avoid being enslaved first and used as an organic battery, oops… sorry, wrong movie franchise… or to give you a chance to join the John Connor led resistance force, I am going to point out five components of a BYOD solution for your WLAN.
Before you begin any BYOD implementation, have a clear understanding of what your BYOD policy is. This means deciding whom you will allow access, what they will have access to, and which device or devices they will use for access.
Once you have this outlined you can begin putting together your BYOD solution with my five suggested components.
1. First, implement an authentication and encryption scheme that is easy to deploy, easy for your users to use, and plenty secure for your network. I highly recommend using 802.1X authentication with WPA2-AES encryption. This is the most secure method of authentication and encryption to date, and it can be set to use machine authentication and/or user authentication to deliver specific levels of access to the network. MAC authentication and certificates can also be added to the mix for differing levels of security.
2. Second, I suggest deploying a WLAN solution that allows you to do Role Based Access Control (RBAC). RBAC allows you to assign a role to the device based on how it authenticated. If the device authenticated with both machine and user information it is assigned one role, employee for instance. If the device only authenticated with user credentials then it is assigned another role, student for example. Once the role of the device is defined, access control rules can be applied to it.
3. This brings me to my third suggestion for a proper BYOD solution for your WLAN which is to use a solution with an integrated firewall. The integration of a firewall into your WLAN solution will allow you to define access control lists for devices on your network. In the second suggestion I point out how an employee can be defined versus a student.
When the user or device role is defined you will be able to apply a set of rules to the role. For instance, an employee can be granted allow-all access to the network because you know they are using a corporate laptop (machine authentication) and you also know who they are (user authentication).
Students, however, because they only passed user authentication, would be given a different access policy that may only allow HTTP/HTTPS access to the internet and denies access to the campus subnets.
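As an added example (not code from the post or from SecurEdge), here is how the role assignment from the second suggestion and the per-role rules from the third could be expressed as a small policy evaluator; the campus subnet ranges, the sample destination addresses and the rule ordering are my assumptions, not the post's.

```python
from ipaddress import ip_address, ip_network


def assign_role(machine_auth_ok: bool, user_auth_ok: bool) -> str:
    """Map the 802.1X outcome to a role, as the post describes."""
    if machine_auth_ok and user_auth_ok:
        return "employee"        # corporate laptop and a known user
    if user_auth_ok:
        return "student"         # personal device, known user only
    return "unauthenticated"     # nothing proven: gets no rules at all


# Constructed campus ranges (assumption; substitute your own).
CAMPUS_SUBNETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


def is_campus(dst_ip: str) -> bool:
    return any(ip_address(dst_ip) in net for net in CAMPUS_SUBNETS)


# Per-role rule lists: (action, destination predicate, allowed ports or None
# for any port). Rules are checked in order, first match wins, and a role
# with no matching rule is denied, which is the safe default for a firewall.
ROLE_ACLS = {
    "employee": [("allow", lambda dst: True, None)],              # allow-all
    "student": [
        ("deny", is_campus, None),                                 # no campus subnets
        ("allow", lambda dst: not is_campus(dst), {80, 443}),      # HTTP/HTTPS out
    ],
    "unauthenticated": [],
}


def is_permitted(role: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate one flow against the role's ACL; implicit deny at the end."""
    for action, dst_match, ports in ROLE_ACLS.get(role, []):
        if dst_match(dst_ip) and (ports is None or dst_port in ports):
            return action == "allow"
    return False
```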
4. My fourth recommendation for a successful BYOD roll out is knowing what types of devices are accessing your network. Device profiling or fingerprinting is a function that will allow you to see the different devices (iPad, Android phone, Kindle Fire, etc.) that are on the network as well as the types of OSes being used (Win7, MacOS, AOS, etc.). If you want to block all devices except for iOS devices (iPads, iPods, iPhones) then you are going to want to have device profiling or fingerprinting.
5. Finally, my fifth recommendation is to implement some type of auto-enrollment for the devices and their users. The auto-enrollment component will keep your IT department from being overwhelmed with requests to configure users’ devices. The end user will connect to the corporate or campus SSID with their device and log on with their user credentials.
The system will configure the device, register the device to the user and will then move it into an appropriate role based on your BYOD policy.

There are many considerations to make when deciding to let your users access your network with their personal devices.
The components I have detailed here will help you make your enforcement of those decisions successful and keep you from being property of Skynet Inc.
If BYOD is something you’re considering, SecurEdge specializes in the design, implementation, and support of today’s mobile network infrastructure. If you need to talk to someone about how to handle these issues, you can contact us here.