Devising a bring-your-own-device (BYOD) security plan would be simple if it merely involved granting network access based on user identity, device or location. But a solid BYOD network security application would consider all of these factors -- and that’s a tall order.
At this point, since there is no proven singular solution, IT shops are instead patching together various tools that range from mobile device management (MDM) to network access control (NAC) and even out-of-band management systems.
Executives at four educational institutions we interviewed for this piece would all like to control hundreds or even thousands of personal devices in an automated way so they aren’t burdened by installing software on each client. From there, they’d like to granularly control access depending on a combination of identity and device factors. But each executive is taking a different path to reach that goal.
MDM Tools Are Promising, But Not A Total Solution
All four executives interviewed were already using or evaluating MDM tools. These tools vary by feature depending on the vendor, but generally they track mobile devices on the network and can limit which users get access to specific applications or areas of the network based on company policy.
In general, enterprises are flocking to MDM tools. In 2010-11, 21.2% of companies surveyed by Nemertes Research were using MDM, and the firm predicts this will grow to 84% by the end of 2014, according to analyst Philip Clarke.
Yet MDM alone usually can’t manage users that have multiple devices and attach them all to the wireless LAN (WLAN) using the same identity-based log-in credentials. If the WLAN can’t natively differentiate between vetted and potentially infected devices, the network is at risk.
IT shops must be able to identify multiple devices per user and grant role-based access based on varied user/device pairs. This generally requires integration with other tools, including Identity Management (IDM) and NAC products.
Using Out Of-Band Management For BYOD Security
The Rowan-Salisbury School System in North Carolina needed to control mobile device network access based on a range of variables including device type, location and application, explains Philip Hardin, executive director for technology, at the school system. Yet Hardin’s team needed to support software installations and enforce policies across numerous devices in an automated way.
So the organization implemented a combination of Aerohive’s HiveManager, an out-of-band network management system, with JAMF Software’s iOS MDM suite.
Aerohive’s HiveManager lets organizations configure customized policies for each user identity and device type combination. Policies govern network access, firewalling, the time of day that certain access rights are available and tunneling policies for secure VPN access.
More on BYOD network security
Mobile device security: Best practices for BYOD
Virtual Desktop Infrastructure vs. data containers for BYOD management
BYOD management: Using a device catalog to control users
Assessing the WLAN for the mobile workforce
“The HiveManager provides for central data collection and alerts us about rogue clients. It uses device fingerprints to apply specific security based on policy, and monitors device health for individual and collective devices, displaying numerical device health scores visually in a graphical manner,” Hardin says.
Meanwhile, the JAMF Software tests Apple devices to be sure they have the Apple MDM client installed. Then the software directs new devices to a portal to receive device profiles that determine their access rights and privileges. “The integrated solution enables the school to manage application access, [as well as] installation and software updates on devices,” Hardin added. The solution can accomplish profile management and access control without requiring personal devices to hold a NAC client.
Identity Management Central To BYOD Security
Hartwick College, in Oneonta, N.Y., uses an IDM tool alongside next-generation firewalls to handle device management and access.
The Meru Identity Manager controls access for both guest and employee devices through Smart Connect and Guest Connect modules. When a new employee at Hartwick College first attempts to open a Web page, they are redirected to a captive portal page on the Meru IDM appliance.
“Our IDM appliance has a 2048-bit VeriSign certificate, which is used to encrypt the captive portal Web page, which the employee then uses to download SmartConnect as an applet or network profile,” says Davis Conley, executive director of IT at Hartwick College.
SmartConnect configures the device to use the encrypted network, automatically authenticates the user, makes that a preferred network on the device, and then removes the open network from the device’s list of SSIDs, Conley explains.
Guest users, on the other hand, register on the Guest SSID in Guest Connect. Both Smart Connect and Guest Connect have automated role- and policy-based BYOD provisioning. “Guest Connect asks for the user’s real name, phone number and the name of the person on campus they are visiting. ″We can shut them off if there is an issue,” Conley says. Then the Meru IDM uses a mechanism to collect device MAC addresses for future device recognition.
Hartwick College does not, however, use the activity monitoring, policy management and policy enforcement piece of the Meru solution. “We already had policy management in shape. We use Bluecoat packet shaper, a Palo Alto next-generation firewall and a Tipping Point device to see what devices are trading virus-laden content. Then we call in the user to address [the problem],” says Conley.
WLAN Analysis Tools With NAC For BYOD Management
Central Michigan University in Mount Pleasant, Mich. uses Lancope’s StealthWatch network analyzer to monitor behavior on the WLAN and track user activity.
“We use StealthWatch to look for anomalies in behavior and to figure out what the user was trying to do. Then we use a NAC appliance (from Bradford Networks) to identify the user. This is a manual process,” says Ryan Laus, Network Manager, Central Michigan University.
With StealthWatch, Central Michigan University uncovers externally-launched botnet attacks, worms and APTs, as well as internal misuse, policy violations and data leakage, regardless of the device. NetFlow supplies the data that StealthWatch analyzes.
Now the university is testing MDM tools from different providers to enforce policy.
MDM will control what individuals can do on a device using policy, similar to how Active Directory uses group policy controls. It would block unauthorized software installs and enable administrators to set configuration and permission settings for BYOD deployment.
Central Michigan University anticipates using StealthWatch in support of a new MDM package. “If a user figures out how to bypass MDM to install an unapproved application, StealthWatch can look for flows that are out of the policy scope and send an alert to the NAC appliance, which could then move the user/device to a quarantined network,” Laus says.
Integrating IDM With NAC For BYOD Security
The Regional Medical Center at Memphis in Tennessee is using Aruba Networks’ ClearPass integrated mobility management and NAC software to create a self-provisioning system for BYOD.
Users at the medical center will sign in with a standard log-in name and password, and ClearPass will provision based on pre-determined policy. “We won’t have to have them bring their device in and install a security/network profile manually,” says Tony Alphier, Director of IT at The Regional Medical Center at Memphis.
With this process, a NAC controller will prevent devices from getting on the network until they are registered and cleaned.
“[Currently] we are not allowing employees BYOD [internal access] unless they are physicians and bring a laptop. Then we put a profile on their device manually,” says Alphier. “When we add the NAC module from Aruba, we will be able to allow all employees BYOD [access].”
The medical center also uses Aruba’s AirWave to log and monitor device activity and Aruba technology allows Alphier to provide a guest network. “We had Aruba’s Amigopod guest solution. Aruba is combining that with Clear Pass. We can have family and patients and friends access our network and keep our security at the same time,” says Alphier. Guests can self-provision now, receiving a code to connect to the Internet while staying off the internal network.
About the author:
David Geer writes about security and enterprise technology for international trade and business publications.