The latest alphabet of terms to infiltrate IT is BYOD (Bring Your Own Device) along with its relatives CoIT (Consumerization of IT), MDM (Mobile Device Management), and MAM (Mobile Application Management). As the industry scrambles to define each of these terms relative to each other, users are cheerfully coming to work with smartphones, tablets, laptops, etc., irrespective of company policies.
What’s driving this trend? The question is not, “Why are employees bringing their own devices?” The question is, “Why is BYOD a problem?”
The most visible concern is data leakage. Most businesses run on files, so most devices must store a local copy of those files to read and edit them. Unfortunately, BYOD devices tend to be highly mobile, which gives them a high chance of getting lost. A recent survey by McAfee estimated that 5% of smartphones are lost. While losing a smartphone or an iPad is a hardship for the user, the business stands to lose even more if the device is found by the wrong person. Confidential company information used to be the primary concern, but recent legislation has shifted the pain to exposure of Personally Identifiable Information (PII). Breach disclosure laws ensure that a company is not only publicly shamed, but must individually contact every person whose data may have been exposed and potentially pay for identity theft protection or a similar measure. The penalties become steeper if the company handles health care data, covered by HIPAA, or processes credit cards, covered by the PCI DSS. The ultimate penalty for PCI violations is loss of the ability to accept credit card payments.
The historical method of coping with a lost smartphone is a remote wipe: sending a command to the device telling it to erase itself. A wipe only takes effect if the device is powered on and reachable, so it complements rather than replaces on-device encryption. BYOD brings a further complication: a company may not have the legal right to wipe an employee's personal device. Forrester Research covered the legal complications in their report dated April 13, 2011, “Managing the Security and Risk Challenges of Personal Devices in the Workplace.” Many of these challenges can be mitigated if employees agree in advance to corporate policies and controls on their devices, which first requires figuring out which users are bringing in their devices.
Network Resource Consumption
BYOD devices are designed to be highly connected with minimal user effort, which they accomplish by pushing the discovery work onto the network. Consider the discovery process for Windows Workgroups versus Domains: in a Workgroup, each node repeatedly broadcasts its advertisements to all other nodes. Every switch must flood a broadcast frame out every port in the broadcast domain (the VLAN, which normally maps to the IP subnet), so every host receives and processes every advertisement whether or not it cares, and the total load grows with the square of the node count. Domains greatly reduce the broadcast problem by using the Domain Controller(s), through DNS and WINS, as a clearinghouse for device registration and lookup. That traffic is unicast between the client and the DC, which limits the scope of each transmission to two hosts. The Domain discovery process therefore scales to much larger networks than the Workgroup method.
The canonical BYOD devices are made by Apple: MacBooks, iPhones, and iPads. Their local network resource discovery is built around the Bonjour protocol (formerly called Rendezvous), which uses multicast DNS (mDNS): queries and answers are sent to the multicast group 224.0.0.251 on UDP port 5353, so every host in the subnet that has joined the group receives and processes them. There are rumors that even Apple had problems with multicast storms on their wireless networks, leading to their partnership with Aerohive on the Bonjour Gateway feature.
Finding the scope of the problem
The good news about BYOD is that the devices are noisy – OmniPeek will show them to you.
For Windows PCs, from your capture, apply a filter for “broadcast”, then copy to a new window. In that new window, look at “Statistics”, then “Protocols”. Anything using “IP:UDP:NetBIOS:Name Svc” (UDP port 137) deserves a second look. Be careful: Domain members resolve names through DNS (and WINS, if configured) first, but fall back to NetBIOS broadcast if the name isn't found, so a single broadcast does not prove a machine is unmanaged. Also look for SSDP (UDP port 1900), the discovery protocol used by UPnP; it is sent to the multicast group 239.255.255.250, so it shows up under the multicast filter described below rather than the broadcast one.
An alternate method is to capture NetBIOS Name Service packets to and from the DC or WINS server, using a SPAN port or a tap. Clients that send their name queries to the server rather than broadcasting them are configured as Domain members, so you can quickly cross them off your list.
For Macs and iPads, from your capture, apply a filter for “multicast”, then copy to a new window. In that new window, look at “Statistics”, then “Protocols”. Bonjour will show up as “DNS”. (Note that there is also an mDNS filter you can use, which matches the well-known destination 224.0.0.251 on UDP port 5353; the IPv6 equivalent is ff02::fb.)
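For an offline cross-check of the same three protocol families, here is an added example in Python; it is not part of the original article and not OmniPeek code. It parses raw Ethernet/IPv4/UDP frames, classifies them by the well-known destinations the filters above key on (NBNS on UDP 137, SSDP to 239.255.255.250:1900, mDNS to 224.0.0.251:5353), separates broadcast from unicast NBNS so managed clients can be crossed off, and decodes the Bonjour service or NetBIOS name being asked for. The frames it runs over are constructed inline; the MAC and IP addresses, the server at 10.0.0.5 and the name FILESRV are invented for the example.

```python
# Added example (not from the article or OmniPeek): does by hand what OmniPeek's
# broadcast/multicast filters plus Statistics > Protocols show. SAMPLE_FRAMES are
# constructed for this example, not captured traffic.
import struct
from collections import defaultdict

# Well-known discovery destinations (standard values, not assumptions).
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353      # Bonjour / multicast DNS
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900  # UPnP SSDP
NBNS_PORT = 137                                   # NetBIOS Name Service
BCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_udp_frame(frame: bytes):
    """Parse Ethernet II + IPv4 + UDP into a dict; None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                               # IP protocol 17 = UDP
        return None
    _sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"src_mac": mac(frame[6:12]), "dst_mac": mac(frame[0:6]),
            "dst_ip": ".".join(map(str, ip[16:20])), "dst_port": dport,
            "payload": ip[ihl + 8:ihl + ulen]}

def first_question_name(payload: bytes) -> str:
    """First QNAME of a DNS-format message; mDNS and NBNS share the layout."""
    labels, pos = [], 12                          # skip the 12-byte header
    while pos < len(payload) and payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n])
        pos += 1 + n
    if len(labels) == 1 and len(labels[0]) == 32:  # NetBIOS first-level encoding
        raw = bytes(((a - 0x41) << 4) | (b - 0x41) for a, b in zip(labels[0][0::2], labels[0][1::2]))
        return f"{raw[:15].rstrip(b' ').decode('ascii', 'replace')}<{raw[15]:02x}>"
    return ".".join(l.decode("ascii", "replace") for l in labels)

def classify(pkt) -> str:
    """Map a parsed UDP packet to the discovery family the filters look for."""
    if pkt["dst_port"] == MDNS_PORT and pkt["dst_ip"] == MDNS_GROUP:
        return "mDNS/Bonjour"
    if pkt["dst_port"] == SSDP_PORT and pkt["dst_ip"] == SSDP_GROUP:
        return "SSDP/UPnP"
    if pkt["dst_port"] == NBNS_PORT:
        # Broadcast NBNS = workgroup-style; unicast NBNS goes to WINS/DC (managed client).
        return "NBNS broadcast" if pkt["dst_mac"] == BCAST_MAC else "NBNS unicast"
    return "other"

def triage(frames):
    """Per source MAC: {family: [what was asked for]}, discovery traffic only."""
    report = defaultdict(lambda: defaultdict(list))
    for frame in frames:
        pkt = parse_udp_frame(frame)
        family = classify(pkt) if pkt else "other"
        if family == "other":
            continue
        if family == "SSDP/UPnP":            # HTTPU, not DNS-shaped: keep request line
            what = pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
        else:
            what = first_question_name(pkt["payload"])
        report[pkt["src_mac"]][family].append(what)
    return {src: dict(fam) for src, fam in report.items()}

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left zero)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + iph + udp

def dns_query(labels, qtype):
    """One-question DNS message: header, QNAME, QTYPE, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def nbns_label(name, suffix):
    """NetBIOS first-level encoding: 15-char padded name + suffix, nibbles as 'A'+n."""
    raw = name.ljust(15).encode() + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0xF)]) for b in raw)

SAMPLE_FRAMES = [   # constructed sample capture, invented addresses and names
    # iPad looking for AirPlay receivers: mDNS PTR query for _airplay._tcp.local
    udp_frame("a4:5e:60:11:22:33", "01:00:5e:00:00:fb", "10.0.0.50", MDNS_GROUP,
              MDNS_PORT, MDNS_PORT, dns_query([b"_airplay", b"_tcp", b"local"], 12)),
    # Workgroup PC broadcasting a NetBIOS name query for FILESRV<20> (file service)
    udp_frame("00:0c:29:aa:bb:cc", BCAST_MAC, "10.0.0.60", "10.0.0.255", NBNS_PORT,
              NBNS_PORT, dns_query([nbns_label("FILESRV", 0x20)], 0x20)),
    # Domain member asking its WINS server / DC at 10.0.0.5 directly
    udp_frame("00:50:56:dd:ee:ff", "00:1a:2b:00:00:01", "10.0.0.70", "10.0.0.5",
              NBNS_PORT, NBNS_PORT, dns_query([nbns_label("FILESRV", 0x20)], 0x20)),
    # Phone or smart TV sending a UPnP SSDP M-SEARCH
    udp_frame("d8:5d:4c:01:02:03", "01:00:5e:7f:ff:fa", "10.0.0.80", SSDP_GROUP, 50000,
              SSDP_PORT, b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
              b'MAN: "ssdp:discover"\r\nST: ssdp:all\r\nMX: 2\r\n\r\n'),
]

if __name__ == "__main__":
    for src, families in triage(SAMPLE_FRAMES).items():
        print(src, families)
```

Running it prints one line per source MAC with the family and the name requested, which is the same grouping OmniPeek's Protocols view gives you, plus the service names that tell you what the device is looking for. Feed it real frames by reading them out of a pcap from a SPAN port or tap; the parser ignores anything that is not IPv4/UDP.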
Identifying the devices is useful for tracking down the owners, or for banning the MAC addresses from associating, or anything in between.
The hidden cost of embracing BYOD
Eventually, companies will be forced to embrace BYOD. At that point, the next hidden cost becomes apparent. Uncontrolled BYOD causes network exhaustion: controlled BYOD causes IT engineer exhaustion. Devices created for consumer use don’t usually take business resources into account, e.g. the iPad does not ship with a PowerPoint viewer. BYOD users will therefore ask IT to solve their problems, since the new corporate policy implies that the devices are “supported” – even if the policy explicitly states that IT will not provide support.
BYOD mobility devices embrace a new paradigm of UI, where user interaction is driven entirely by apps, not by files. The answer to any problem is usually addressed by a visit to the device’s app store, where there may be dozens of different apps all purporting to address the issue with different degrees of success, and completely different layouts. The difficulty of supporting applications on corporate-standard OS images is now trivial compared to being asked to support dozens of applications for each new device.
Packets never lie
Network analysis is once again a useful tool. For example, if a BYOD tablet can’t associate with the corporate WiFi, OmniPeek can capture the 802.11 management frames to demonstrate that the device’s security settings don’t match the ESS: the AP advertises its allowed cipher suites and authentication methods in the RSN information element of its beacons, the client states its choice in the association request, and a mismatch is rejected before any data flows. Consumer equipment is often designed to hide complexity, and the manufacturer may not have exposed the difference between AES (CCMP) and TKIP, or between WPA2 Personal and WPA2 Enterprise. Maybe a user is having difficulty authenticating to an internal web server: OmniPeek could show the TLS handshake being aborted by the device, because the certificate signed by the corporate CA is silently rejected when that CA isn't in the device’s trust store.
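The WiFi mismatch described above can be read straight out of the captured information elements. The following is an added example in Python, not code from the article or from OmniPeek: it decodes the WPA2 (RSN, element ID 48) and WPA1 (vendor element 221, OUI 00:50:F2 type 1) information elements from an AP's beacon and from a client's association request, and reports which pairwise cipher or AKM the client chose that the AP does not allow. The IE byte strings it runs over are constructed for the example; the SSID "Corp" and the three client profiles are invented.

```python
# Added example (not from the article or OmniPeek): decodes the WPA2 (RSN, element
# 48) and WPA1 (vendor element 221) information elements an AP puts in its beacon
# and a client puts in its association request, then explains any mismatch.
# The IE byte strings at the bottom are constructed for this example.
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selectors (WPA2/RSN)
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by WPA1 (vendor IE type 1)
CIPHERS = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128 (AES)", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X (Enterprise)", 2: "PSK (Personal)", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE (WPA3)", 9: "FT-SAE"}

def iter_ies(tagged: bytes):
    """Yield (element_id, body) from an 802.11 tagged-parameters blob."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, ln = tagged[pos], tagged[pos + 1]
        yield eid, tagged[pos + 2:pos + 2 + ln]
        pos += 2 + ln

def suite_name(sel: bytes, oui: bytes, table: dict) -> str:
    """Render a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if sel[:3] != oui:
        return "vendor-" + sel.hex()
    return table.get(sel[3], f"type-{sel[3]}")

def parse_suites(body: bytes, oui: bytes) -> dict:
    """Version, group cipher, pairwise list, AKM list: RSN and WPA1 share this layout."""
    (version,) = struct.unpack_from("<H", body, 0)
    group = suite_name(body[2:6], oui, CIPHERS)
    (n_pair,) = struct.unpack_from("<H", body, 6)
    pos = 8
    pairwise = [suite_name(body[pos + 4 * i:pos + 4 * i + 4], oui, CIPHERS) for i in range(n_pair)]
    pos += 4 * n_pair
    (n_akm,) = struct.unpack_from("<H", body, pos)
    pos += 2
    akm = [suite_name(body[pos + 4 * i:pos + 4 * i + 4], oui, AKMS) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def parse_security(tagged: bytes) -> list:
    """All WPA2/RSN and WPA1 security descriptors present in the tagged parameters."""
    found = []
    for eid, body in iter_ies(tagged):
        if eid == 48:
            found.append({"proto": "WPA2/RSN", **parse_suites(body, RSN_OUI)})
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            found.append({"proto": "WPA1", **parse_suites(body[4:], WPA_OUI)})
    return found

def client_matches_ap(ap_tagged: bytes, client_tagged: bytes):
    """(ok, reasons): the client's pairwise cipher and AKM must be in the AP's offer."""
    offered = {d["proto"]: d for d in parse_security(ap_tagged)}
    chosen = parse_security(client_tagged)
    reasons = []
    if not chosen and offered:
        reasons.append("client sent no RSN/WPA IE but the AP requires security")
    for c in chosen:
        ap = offered.get(c["proto"])
        if ap is None:
            reasons.append(f"AP does not offer {c['proto']}")
            continue
        reasons += [f"{c['proto']}: AP does not allow pairwise cipher {x}"
                    for x in c["pairwise"] if x not in ap["pairwise"]]
        reasons += [f"{c['proto']}: AP does not allow AKM {x}"
                    for x in c["akm"] if x not in ap["akm"]]
    return not reasons, reasons

# --- constructed IEs for the example (not captured frames) ------------------
def build_suites(oui, group, pairwise, akms):
    body = struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return body

def rsn_ie(group, pairwise, akms):
    body = build_suites(RSN_OUI, group, pairwise, akms) + struct.pack("<H", 0)  # RSN caps
    return bytes([48, len(body)]) + body

def wpa_ie(group, pairwise, akms):
    body = WPA_OUI + b"\x01" + build_suites(WPA_OUI, group, pairwise, akms)
    return bytes([221, len(body)]) + body

# AP beacon: SSID "Corp", WPA2-Enterprise, CCMP only (4 = CCMP, 1 = 802.1X)
AP_BEACON_IES = bytes([0, 4]) + b"Corp" + rsn_ie(4, [4], [1])
TABLET_ASSOC_IES = rsn_ie(2, [2], [2])   # consumer tablet chose WPA2 + TKIP + PSK
LAPTOP_ASSOC_IES = rsn_ie(4, [4], [1])   # managed laptop: WPA2 + CCMP + 802.1X
LEGACY_ASSOC_IES = wpa_ie(2, [2], [2])   # old device: WPA1/TKIP/PSK only

if __name__ == "__main__":
    for name, ies in [("tablet", TABLET_ASSOC_IES), ("laptop", LAPTOP_ASSOC_IES),
                      ("legacy", LEGACY_ASSOC_IES)]:
        print(name, client_matches_ap(AP_BEACON_IES, ies))
```

The tablet profile is the case the paragraph describes: its IE says WPA2 with TKIP and PSK, the AP offers only CCMP with 802.1X, so the function lists both mismatches. In a real capture the AP says the same thing from its side in the Association Response status code (41 invalid group cipher, 42 invalid pairwise cipher, 43 invalid AKMP), so the two views should agree.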
If there aren’t tools in place yet to provide control or insight into the BYOD issues, remember that the network protocols are standardized. IP and TCP will behave the same on every platform. Server logins will use the same PDUs on laptops running Windows, MacOS, or Linux. Even in the worst case, network packet analysis provides evidence to show why the BYOD smartphone can’t connect, which is infinitely better than the alternative of “I don’t know, try it again.”