Today, smartphone usage is almost ubiquitous, which can make mobile device management on your corporate network much more challenging. With the rise of practices like BYOD, most employees are checking email and connecting to the network via mobile devices and tablets—even after working hours.
Below we will discuss how you can use the OmniPeek network analyzer to juggle these mobile devices and address key concerns like security, network performance and user satisfaction.
Today, on top of dealing with the authorized workstations, network admins must secure a variety of mobile devices that employees are bringing with them to the office. Keeping these additional devices in check requires a multi-tier approach to network security.
The first level of protection when dealing with mobile devices is to create a security plan. While the traditional approach is to provide awareness to users on best practices for keeping your network safe, a more effective method is to make it easier to comply with the policy than to circumvent it. Create a Wi-Fi SSID specifically for mobile devices, with a minimum barrier to connect. Let those devices connect to the Internet, but don’t let them connect to the internal network except through a VPN.
A question to consider about the mobile SSID is what level of encryption to use. Open access – no encryption – would be the easiest for users to connect, but would also allow access by unauthorized users from the parking lot, and would allow full packet sniffing. WPA2 Personal provides a significantly greater level of security by requiring a password and using a strong encryption algorithm, but it’s the same password for everyone: security depends on keeping the password secret, but access depends on making it publicly known. WPA2 Enterprise uses a separate password for each user as well as a back-end authentication server, so there’s a triple advantage: it’s impossible to sniff other users’ data, every device is implicitly identified by user, and it’s possible to revoke access to individual users without changing the password for everyone else. While it may seem difficult to coordinate and provision usernames and passwords for all users, if you’re already using RADIUS this just becomes part of the workflow. There is some added risk of potential password brute-forcing, but that risk is no greater than allowing remote email access.
One side-effect of WPA2 Enterprise is that a packet sniffer cannot read packet data. However, OmniPeek is still able to capture encrypted packets and provide information about signal strength and node association, which are sufficient for troubleshooting connection problems. Given that the majority of issues regarding Wi-Fi are based on connecting, OmniPeek provides everything necessary for IT to help users while maintaining both security and privacy.
Whatever encryption method you choose, also consider disabling client-to-client traffic. Most enterprise APs have the ability to block Wi-Fi-connected devices from connecting to each other. Given that mobile devices are not designed to be servers, there’s likely no business reason to allow that traffic, and since it reduces risk by blocking attacks and worms between devices, there’s a good business case to use that feature and disable that traffic.
Managing Productivity with OmniPeek
While your company has decided to allow employees to use their mobile devices at work, the next hurdle is keeping the additional traffic from clogging the network. With OmniPeek you can analyze both wired and wireless networks simultaneously, making it easy to track mobile user data across the entire network.
OmniPeek can show you all of the devices on your network and pinpoint the mobile devices by applying different filters. The most useful filter that WildPackets has found is mDNS, the protocol underlying Apple’s “Bonjour” service, since, let’s face it, the majority of user-based devices are iPhones. Bonjour uses a targeted multicast to discover printers, iTunes, Apple TVs, and other devices. While it’s a fundamental part of making those devices “just work,” it’s a solution that was designed for a home or small business, not an enterprise.
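To show what an mDNS filter keys on, the following added example (not OmniPeek filter syntax and not WildPackets code) parses the question section of mDNS messages and groups the queried service names by source device. The record layout `(source MAC, UDP destination port, UDP payload)`, the function names and the sample packet are assumptions constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n >= 0xC0:                                  # compression pointer
            if off + 1 >= len(msg) or hops >= 16:      # truncated or looping
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end      # resume after 1st pointer
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
        elif n == 0:                                   # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        elif n > 63 or off + 1 + n > len(msg):
            raise ValueError("bad label length")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def mdns_questions(payload):
    """Return the names queried in one mDNS message (the UDP payload)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    off, names = 12, []
    for _ in range(struct.unpack("!6H", payload[:12])[2]):   # QDCOUNT
        name, off = read_name(payload, off)
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        off += 4                                       # skip QTYPE and QCLASS
        names.append(name)
    return names

def services_by_device(frames):
    """Map source MAC -> set of names it queried over mDNS (UDP port 5353)."""
    seen = {}
    for mac, dst_port, payload in frames:
        try:
            names = mdns_questions(payload) if dst_port == 5353 else []
        except ValueError:
            continue                                   # malformed message: skip it
        if names:
            seen.setdefault(mac, set()).update(names)
    return seen

# Constructed sample: one query with two PTR questions, the second compressed.
QUESTIONS = b"\x08_airplay\x04_tcp\x05local\x00\x00\x0c\x00\x01\x04_ipp\xc0\x15\x00\x0c\x00\x01"
FRAMES = [("02:00:00:00:00:01", 5353, struct.pack("!6H", 0, 0, 2, 0, 0, 0) + QUESTIONS)]
```

`services_by_device(FRAMES)` reports that the sample device browsed for `_airplay._tcp.local` and `_ipp._tcp.local`, which is the kind of per-device view that separates Bonjour-speaking mobile devices from the rest of the traffic.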
OmniPeek filters also help with security. Good network security usually calls for in-line traffic analysis and protection. For PCs, this would be network anti-virus, but the security profiles of BYOD and mobile devices are new enough that there’s not a lot of research into signatures for those operating systems and apps. Similarly, IDS is designed to monitor servers, with a secondary usage of detecting client malware by network activity, but the signatures for mobile device traffic are nowhere near as well-understood as for servers and PCs. OmniPeek and network recorders like OmniEngine or Omnipliance combine to provide a constant record of network traffic, so it’s possible to do a deep dive and inspect any anomalous behavior. That investigation leads to new filters, which can create alerts on real-time traffic, so it’s possible to test new potential IDS signatures while using a tool designed for network visibility.
Network packet analysis can show you who is attempting to access the network at any given time, how much bandwidth they are using, as well as their exact location, to pinpoint problem devices. The flexibility of the technique and tool makes it a perfect fit for the uncertainties of managing mobile devices.
Managing User Satisfaction
Now that users can perform business functions on their mobile devices, and you can monitor those devices to protect both your users and your network, the last step is to make sure that users are able to use the network effectively.
One of the main issues with monitoring and maintaining performance for mobile users is roaming. For the network administrator, troubleshooting roaming issues can be very complex because a roaming user will typically move from one AP to another as well as from one channel to another. OmniPeek provides the solution with true multi-channel aggregated capture, tracking the movement from one channel to another and reporting the time it takes the user to make the transition. Roaming events can simply be logged, or tracked by AP or station, simplifying roaming analysis and quickly identifying problem areas. Additionally, OmniPeek automates the entire task and produces a report with all of the necessary data for troubleshooting. It even does this when using strong encryption like WPA2 Enterprise.
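The roaming measurement described above can be sketched from header-only frame records, which is why it still works when payloads are encrypted. This is an added example, not OmniPeek's implementation: the record fields, the 100 ms threshold and the definition of transition time (gap between the last frame exchanged with the old AP and the association response from the new AP) are assumptions, and the sample capture is constructed.

```python
from collections import Counter, namedtuple

# t_ms: capture timestamp in ms; kind: 802.11 frame type read from the header.
Frame = namedtuple("Frame", "t_ms sta bssid channel kind")
Roam = namedtuple("Roam", "sta old_bssid new_bssid old_ch new_ch ms")

def find_roams(frames):
    """Merge per-channel captures by time and return one Roam per AP change."""
    assoc = {}   # sta -> (bssid, channel) of the current association
    last = {}    # sta -> time of the last frame exchanged with that AP
    roams = []
    for f in sorted(frames, key=lambda f: f.t_ms):
        cur = assoc.get(f.sta)
        # Assumption: every (re)association response in the input is a success.
        if f.kind in ("assoc_resp", "reassoc_resp"):
            if cur and cur[0] != f.bssid:
                roams.append(Roam(f.sta, cur[0], f.bssid, cur[1], f.channel,
                                  f.t_ms - last[f.sta]))
            assoc[f.sta], last[f.sta] = (f.bssid, f.channel), f.t_ms
        elif cur and cur[0] == f.bssid:
            last[f.sta] = f.t_ms      # still talking to the current AP
    return roams

def slow_roams(roams, limit_ms=100):
    """Roams whose transition time exceeds limit_ms (threshold is an assumption)."""
    return [r for r in roams if r.ms > limit_ms]

def roams_per_ap(roams):
    """Count of roams arriving at each AP, for spotting problem areas."""
    return Counter(r.new_bssid for r in roams)

# Constructed sample: records from three single-channel captures, unsorted.
STA = "02:00:00:00:00:aa"
AP1, AP2, AP3 = "02:00:00:00:01:01", "02:00:00:00:01:02", "02:00:00:00:01:03"
CAPTURE = [
    Frame(5235, STA, AP2, 6, "reassoc_req"), Frame(5241, STA, AP2, 6, "reassoc_resp"),
    Frame(9000, STA, AP2, 6, "data"),
    Frame(0, STA, AP1, 1, "assoc_resp"), Frame(5200, STA, AP1, 1, "data"),
    Frame(9350, STA, AP3, 11, "reassoc_resp"),
]
```

On the sample, the station takes 41 ms to move from channel 1 to channel 6 and 350 ms to move from channel 6 to channel 11; only the second roam is flagged as slow.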
Employees using consumer devices at the office is inevitable – even if it is not a top-down initiative. Thus, these devices must be managed appropriately, as they can pose a security risk and are oftentimes used for business. Employing smart techniques and using tools like OmniPeek can keep mobile devices in check and make the network admin’s life a lot easier.
For more information on managing mobile devices and troubleshooting wireless networks check out our blogs, “What’s the big deal with BYOD?” and “Five ways that OmniPeek can help manage and troubleshoot WLANS.”