As network engineers, we spend most of our day thinking about packets, devices, routing and security. Our networks connect users to services, and because users are for the most part more engaging and adaptable than any given network box, we don't think about those users all that much.
Sure, we catch echoes of their identities in traffic flows or greet the occasional sad face at the hardware service desk, but it's easy to forget that users are also components of our network. Their devices are absolutely part of our network. Ensuring efficient enterprise mobile device management means you can monitor and manage users and devices just like any other element across your network. It can deliver great benefits, and it doesn't require expensive hardware. The secret is to create a single view of the fingerprints users and their devices leave behind.
Little sticky gecko fingers
It's a hack standup bit, but as parents, you soon discover that little kids really do have hands like geckos, and even when you think their fingers are clean they leave little grimy fingerprints all over the house. Accordingly, your users leave little activity fingerprints all over your network. You know they were there; you see things like an Active Directory (AD) authentication at an IP address in a log or trap a media access control address (MAC) from an address resolution protocol (ARP) table. And like little kids, they never seem to be around when you're examining the evidence. You know in general what they're up to, but you can't untangle the multiple overlapped smudges on a hallway corner to identify the one who needs to work on washing up after a spaghetti dinner.
Fortunately, the user equivalent of overlapped fingerprints often includes additional elements that allow us to apply context to residual events and then roll multiple elements with similar contexts to enable dependable user and device awareness. The trick is to create an integrated view across context and service boundaries. Once upon a time this required specialized hardware and more than a little time to set up and manage, but now user and device tracking systems can do the heavy lifting for you, generally without requiring new hardware.
Users and devices: Meet Layers 2 and 3
The challenge in untangling user activity and gaining real insight into devices is combining two different types of data. The first is tracking interactive events that log to a known collection point. The second is polling and discovery.
AD is a great example. Logins leave usable data in the AD event log, and you can positively attach a user to an IP at a specific time. In many cases, you also get information about the hardware. What you don't get is a record of the switch port that IP was connected to. Polling for devices is like getting the status on anything else, and it's only as good as the frequency and completeness of your scan. But seen together in your network management system (NMS), you can track them both, even in hindsight.
For example, consider a wireless network that supports highly transient BYOD or internal mobile devices. In addition to the challenge of tracking data from short-period dynamic host configuration protocol (DHCP) leases, the devices aren't reliably available for polling either. You can set five-minute on-battery suspend policies that stretch mobility and decrease user hardware grumbling. Yet those policies also mean even corporate PCs on internal wide area networks with weeklong DHCP leases will basically disappear for a decent portion of the day, with no control over schedule.
Integration solves this. Your IP address management (IPAM) software can already access IP and MAC details from your DHCP servers' lease cache. Your NMS or user device tracking system, meanwhile, is tracking MACs on ports. When this data is integrated, admins can tie a user to a device to a port to an address -- not just immediately but historically as well. Integrated user and device data creates a searchable database of physical and IP connection history, and in some product user interfaces, admins can easily follow from one context to the next. Integration also enables such features as device whitelists, watch lists, connection alerting and more.
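The user-to-IP-to-MAC-to-port join described above, as an added example that is not part of the original article or any SolarWinds product: it correlates AD logon events, DHCP lease windows and periodic MAC-table polls, and shows two of the pitfalls mentioned, a device that sleeps through poll cycles and an IP that DHCP reassigns to a second device later the same day. All records, hostnames and MACs are constructed sample data.

```python
# Added example: join AD logon events, DHCP leases and polled switch MAC
# tables into a user -> IP -> MAC -> port answer. All data is constructed.
from collections import namedtuple
from datetime import datetime, timedelta

Logon = namedtuple("Logon", "user ip at")                # AD security log: user seen at IP
Lease = namedtuple("Lease", "ip mac start end")          # DHCP lease cache: IP bound to MAC
PortSeen = namedtuple("PortSeen", "mac switch port at")  # NMS poll: MAC seen on a switch port

def active_lease(leases, ip, at):
    """The lease that covered `ip` at time `at`, or None if it was unbound."""
    return next((ls for ls in leases if ls.ip == ip and ls.start <= at < ls.end), None)

def last_port(polls, mac, at, max_age=timedelta(minutes=30)):
    """Most recent poll at or before `at` that saw `mac`. Polling is only as good
    as its frequency: a device that slept through recent cycles is reported as
    unlocated rather than pinned to a stale port."""
    seen = [p for p in polls if p.mac == mac and p.at <= at]
    newest = max(seen, key=lambda p: p.at, default=None)
    return newest if newest and at - newest.at <= max_age else None

def locate_user(user, at, logons, leases, polls):
    """Where was `user` at time `at`? Returns (ip, mac, switch, port), with
    links that cannot be established left as None rather than guessed."""
    logon = max((lg for lg in logons if lg.user == user and lg.at <= at),
                key=lambda lg: lg.at, default=None)
    if logon is None:
        return None
    # A logon ties the user to the IP only while the same IP->MAC binding
    # persists; once DHCP hands the address to another MAC, the user link is
    # stale and must not be carried over to the new device.
    then = active_lease(leases, logon.ip, logon.at)
    now = active_lease(leases, logon.ip, at)
    if now is None or now is not then:
        return (logon.ip, None, None, None)
    port = last_port(polls, now.mac, at)
    if port is None:
        return (logon.ip, now.mac, None, None)
    return (logon.ip, now.mac, port.switch, port.port)

# Constructed sample data: one IP handed to two devices on the same day.
T = datetime(2013, 5, 6, 9, 0)
def t_plus(**kw):  # convenience: offset from T
    return T + timedelta(**kw)
LOGONS = [Logon("alice", "10.1.20.15", T), Logon("bob", "10.1.20.15", t_plus(hours=3))]
LEASES = [Lease("10.1.20.15", "00:11:22:33:44:55", t_plus(minutes=-10), t_plus(hours=2)),
          Lease("10.1.20.15", "66:77:88:99:aa:bb", t_plus(hours=2, minutes=50), t_plus(hours=5))]
POLLS = [PortSeen("00:11:22:33:44:55", "campus-east-sw1", "Gi0/3", t_plus(minutes=5)),
         PortSeen("66:77:88:99:aa:bb", "campus-east-sw2", "Gi0/7", t_plus(hours=3, minutes=5))]
```

Querying alice 20 minutes after her logon yields her port; an hour later the same lease is active but the last poll is too old, so the port is withheld; at T+3h10 the IP belongs to bob's device, so alice's stale logon is not carried over to it.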
Don't forget topology
Other functions like port shutdown are even easier in integrated user and device views when topology is included. Have you ever paused before killing a port to stop worm propagation because you weren't entirely sure about the scope? Administratively disabling "0/3 Campus East" to isolate an unknown BYOD device may not make you popular in the lunchroom. Quickly identifying the port of an infected machine by walking topology can ensure you don't eat alone.
Network management systems include a number of great technologies for collecting user and device fingerprints on your network. With integrated views, admins can turn disconnected data into true awareness and ensure users and networks coexist happily. Though I have to admit, I've occasionally hovered over the shutdown button on a core interface and lingered with an evil grin.
About the author:
Patrick Hubbard is a head geek and senior technical product marketing manager at SolarWinds. With 20 years of technical expertise and IT customer perspective, his networking management experience includes work with campus, data center, storage networks, VoIP and virtualization with a focus on application and service delivery in both Fortune 500 companies and startups in high tech, transportation, financial services and telecom industries. He can be reached at Patrick.Hubbard@solarwinds.com.
This was first published in May 2013