Sniffing Out Your Network’s BYOD Problems

Bring Your Own Device (BYOD) is here to stay. Why do we say this? We’ve noticed it in our own customers’ habits, through surveys, and most importantly in our own behavior.

SC Magazine recently reported on a survey from Sophos Labs on the number of mobile devices per person per country. The US ranked second at 3.0 devices per person, with Germany taking the lead at 3.1. In another recent survey from OVUM, one third of employees reported that they are using their personal device to do work without informing their IT department. So, even if employers strictly forbid BYOD, employees are accessing data on their personal devices.

Whether you are actively trying to create a BYOD policy or trying to squash it altogether, you should have a plan in place to ensure that BYOD is not hogging bandwidth or introducing security risks on your network. Here are a few really easy steps to help sniff out BYOD problems that are, or could be, lingering on your network.

Create a Wi-Fi SSID specifically for mobile devices
This provides folks with an easy way to access the Internet, but not the internal network, which is what most users want anyway. Why do we like it? It’s a simple, proactive step that shows that IT is working with users and reacting to their needs. And if access to internal networks is necessary, it is quite easy to set up VPN access over this dedicated Wi-Fi network, giving employees the access they need for mobility while providing a single point of management for mobile users.

Manage access to the network
Once you’ve established a dedicated entry point for your mobile users, the next step is to manage their access. First, you can decide whether or not you want security on this network, whether for the users’ protection, the company’s protection, or both. We strongly recommend the use of strong wireless security, like WPA2, but issues like simplicity of guest access may factor into your decision. Perhaps you’ll want to offer several dedicated Wi-Fi networks, one for your trusted corporate users with WPA2 and one that’s open for guests?

Again, requiring VPN access for your corporate users is key if they are going to access company assets, whether data or applications. It’s best to set up a VPN structure that is separate from overall wireless security, since you can’t guarantee that users will always be using the dedicated corporate wireless network. When traveling, your mobile employees will still demand access, even over untrusted wireless networks like those in hotels and coffee shops. Your best defense is to always require a VPN connection to access corporate data.

Track Mobile Users
Once you’ve committed to working with your mobile employees you’ll want a way to track their access and usage so you can continue to respond to their network needs based on accurate data. The best way to do this is with a packet-based wireless network (WLAN) analysis solution. There are two main approaches when using such a system.

The first approach is to use portable analysis for troubleshooting and routine baseline measurements. With a portable solution you simply put the analyzer in the area to be monitored and let it run. Portable analysis can show you who is accessing your network, how much bandwidth they are using, as well as the applications they are running. The flexibility of this technique makes it a perfect fit for the uncertainties of managing mobile devices.

The second approach is to use packet-based network recording. The software and analysis in this approach are similar to those for portable analysis, but in this case you record all wireless network traffic, at the packet level, for detailed analysis at a later time. Network recording allows you to be more flexible and more responsive to network problems, and it also allows for detailed usage-level analysis, including policy compliance. Network recording requires the deployment of dedicated probes that collect wireless network traffic 24×7.

Regardless of your approach, keep in mind that mobile access is quite different from wired access, so monitoring and troubleshooting techniques need to adapt to this new workflow. One key area to address is roaming. Given the limited range of a single access point, typically a few hundred feet within buildings, mobile users move from access point to access point as they move around the WLAN. This is called roaming. At the protocol level, a roam is a fairly complex transaction, and it exposes the users to short periods where no network is available. Typically these periods last no more than a few hundred milliseconds, and the users continue to work just as if nothing happened. But roaming is one of the key contributors to WLAN connectivity issues, so effective monitoring for roaming is very important.

As a network administrator, troubleshooting roaming issues can be complex because a roaming user moves from one AP to another as well as from one channel to another. To effectively analyze roaming events you need a WLAN analysis solution that monitors multiple channels simultaneously, and compiles the data into a single analysis session. This allows you to track the movement from one channel to another and report the time it takes for the user to make the transition. Roaming events can simply be logged, or tracked by AP or station, which greatly simplifies roaming analysis and quickly identifies problem areas.
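The roaming analysis described above, worked through in code: per-channel captures are merged into a single timeline, each station's move from one BSSID (and channel) to another is detected, and the gap between the last data frame on the old AP and the successful reassociation on the new AP is reported per roam and per AP. This is an added example, not code from the original post or from any WLAN analysis product; the `Frame` records, BSSIDs, station MACs and the 500 ms "slow roam" threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Frame:
    """One decoded 802.11 frame from a channel-specific capture (constructed fields)."""
    ts: float       # capture timestamp in seconds
    channel: int    # channel the capturing probe was tuned to
    subtype: str    # 'data', 'reassoc_req', 'reassoc_resp', 'assoc_req', 'assoc_resp'
    sta: str        # client station MAC
    bssid: str      # AP (BSSID) MAC


def merge_captures(*captures: Iterable[Frame]) -> List[Frame]:
    """Merge per-channel captures into one timeline ordered by timestamp, so a
    station's traffic can be followed as it hops between channels."""
    return sorted((f for cap in captures for f in cap), key=lambda f: f.ts)


def detect_roams(frames: List[Frame], slow_ms: float = 500.0) -> List[Dict]:
    """A roam is a station (re)associating to a BSSID other than the one it last
    exchanged data with. The gap runs from the last data frame on the old AP to the
    (re)association response from the new AP. Requests to the same AP are ignored."""
    last_data: Dict[str, Frame] = {}
    pending: Dict[str, dict] = {}
    roams: List[Dict] = []
    for f in frames:
        if f.subtype == 'data':
            last_data[f.sta] = f
        elif f.subtype in ('reassoc_req', 'assoc_req'):
            old = last_data.get(f.sta)
            if old is not None and old.bssid != f.bssid:
                pending[f.sta] = {'old': old, 'new_bssid': f.bssid}
        elif f.subtype in ('reassoc_resp', 'assoc_resp'):
            p = pending.pop(f.sta, None)
            if p is not None and p['new_bssid'] == f.bssid:
                gap_ms = round((f.ts - p['old'].ts) * 1000.0, 1)
                roams.append({
                    'sta': f.sta,
                    'from_bssid': p['old'].bssid, 'from_channel': p['old'].channel,
                    'to_bssid': f.bssid, 'to_channel': f.channel,
                    'gap_ms': gap_ms,
                    'slow': gap_ms > slow_ms,   # assumed threshold, tune per site
                })
    return roams


def roams_by_ap(roams: List[Dict]) -> Dict[str, Dict]:
    """Per-AP view: roams leaving/arriving at each BSSID and the worst gap seen there."""
    summary: Dict[str, Dict] = {}
    for r in roams:
        for key, bssid in (('out', r['from_bssid']), ('in', r['to_bssid'])):
            s = summary.setdefault(bssid, {'in': 0, 'out': 0, 'max_gap_ms': 0.0})
            s[key] += 1
            s['max_gap_ms'] = max(s['max_gap_ms'], r['gap_ms'])
    return summary


# Constructed sample: two probes, one on channel 1 and one on channel 6.
AP1, AP2 = '02:00:00:00:00:01', '02:00:00:00:00:06'        # constructed BSSIDs
STA_A, STA_B = '02:aa:00:00:00:01', '02:aa:00:00:00:02'    # constructed clients

CAPTURE_CH1 = [
    Frame(0.000, 1, 'data', STA_A, AP1),
    Frame(0.100, 1, 'data', STA_A, AP1),
    Frame(0.200, 1, 'data', STA_A, AP1),
    Frame(1.000, 1, 'data', STA_B, AP1),
]
CAPTURE_CH6 = [
    Frame(0.250, 6, 'reassoc_req', STA_A, AP2),
    Frame(0.320, 6, 'reassoc_resp', STA_A, AP2),   # fast roam: 120 ms
    Frame(0.400, 6, 'data', STA_A, AP2),
    Frame(1.500, 6, 'reassoc_req', STA_B, AP2),
    Frame(1.900, 6, 'reassoc_resp', STA_B, AP2),   # slow roam: 900 ms
    Frame(2.000, 6, 'data', STA_B, AP2),
    Frame(2.100, 6, 'reassoc_req', STA_B, AP2),    # same AP again: not a roam
]


def analyze_sample() -> List[Dict]:
    return detect_roams(merge_captures(CAPTURE_CH1, CAPTURE_CH6))


if __name__ == '__main__':
    roams = analyze_sample()
    for r in roams:
        print(r)
    print(roams_by_ap(roams))
```

In a real deployment the `Frame` list would come from the probes' capture files; the point of merging before analysis is that a roam only becomes visible when the old channel's last data frame and the new channel's reassociation response sit in the same timeline.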

Sniff out Rogue Users
Even with strong security and user access control in place you will still have rogue devices connecting to your network. These could be just new devices from trusted employees, or they could be true security threats from hackers. Packet-based wireless network analysis is also very helpful in identifying rogue users, regardless of their intentions. First, you can specify which devices are trusted based on previous network scans, making it very easy to isolate new users or devices on your WLAN. Also, common devices like iPads, iPhones, or MacBooks have a unique signature and are easy to identify within a network, making it easy to see not only who but what is accessing the WLAN. Once a rogue is identified, a few minutes of watching network behavior based on a filtered view of just that user will indicate the user’s overall intentions, allowing you to determine friend or foe and guiding your next steps.
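The rogue-device workflow above, as an added example that is not part of the original post: stations seen in a capture are compared against a trusted baseline from earlier scans, each new station gets a vendor guess from its MAC prefix, and a per-station filtered view gives the triage summary (frames, bytes, distinct peers). The OUI table, baseline MACs and sample frames are all constructed; a real tool would use the IEEE OUI registry plus richer fingerprints. The example also handles one edge case the text does not mention: locally administered (typically randomized) MAC addresses, for which a prefix lookup is meaningless.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    """One decoded frame from a WLAN capture (constructed fields)."""
    ts: float      # capture timestamp in seconds
    sta: str       # client station MAC
    bssid: str     # corporate BSSID the client is associated with
    dst: str       # who the client is talking to (decoded destination address)
    length: int    # bytes on air


# Constructed, illustrative OUI-to-vendor table (not the real IEEE registry).
OUI_TABLE = {
    '00:11:22': 'ExampleTablet Inc',
    '00:33:44': 'ExamplePhone Ltd',
    '00:55:66': 'ExampleLaptop Corp',
}


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered address; randomized
    client MACs set it, so an OUI lookup on such an address proves nothing."""
    return bool(int(mac.split(':')[0], 16) & 0x02)


def vendor_of(mac: str) -> str:
    if is_locally_administered(mac):
        return 'locally administered / randomized'
    return OUI_TABLE.get(mac.upper()[:8], 'unknown OUI')


def classify_stations(frames: Iterable[Frame], trusted: Set[str]) -> Dict[str, Dict]:
    """Aggregate traffic per station and mark it trusted (in the baseline) or new."""
    stats: Dict[str, Dict] = {}
    for f in frames:
        s = stats.setdefault(f.sta, {
            'status': 'trusted' if f.sta in trusted else 'new',
            'vendor': vendor_of(f.sta),
            'first_seen': f.ts, 'frames': 0, 'bytes': 0, 'peers': set(),
        })
        s['frames'] += 1
        s['bytes'] += f.length
        s['peers'].add(f.dst)
    return stats


def new_devices(stats: Dict[str, Dict]) -> List[str]:
    """Stations absent from the trusted baseline, i.e. the candidates to watch."""
    return sorted(sta for sta, s in stats.items() if s['status'] == 'new')


def filter_station(frames: Iterable[Frame], sta: str) -> List[Frame]:
    """The 'filtered view of just that user' from the text: one station's frames only."""
    return [f for f in frames if f.sta == sta]


# Constructed baseline from a previous scan and a constructed capture.
CORP_BSSID = '02:00:00:00:00:01'
TRUSTED = {'00:11:22:aa:bb:01', '00:55:66:aa:bb:02'}
CAPTURE = [
    Frame(10.0, '00:11:22:aa:bb:01', CORP_BSSID, '10.0.0.5', 1200),   # known tablet
    Frame(10.2, '00:33:44:cc:dd:03', CORP_BSSID, '10.0.0.5', 300),    # new phone
    Frame(10.4, '00:33:44:cc:dd:03', CORP_BSSID, '10.0.0.9', 300),
    Frame(10.6, '00:33:44:cc:dd:03', CORP_BSSID, '10.0.0.12', 300),
    Frame(11.0, '0a:12:34:56:78:90', CORP_BSSID, '10.0.0.5', 800),    # randomized MAC
    Frame(11.5, '00:55:66:aa:bb:02', CORP_BSSID, '10.0.0.5', 1500),   # known laptop
]


def triage_sample() -> Dict[str, Dict]:
    stats = classify_stations(CAPTURE, TRUSTED)
    return {sta: stats[sta] for sta in new_devices(stats)}


if __name__ == '__main__':
    for sta, s in triage_sample().items():
        peers = len(s['peers'])
        print(f"{sta}  {s['vendor']:<34} frames={s['frames']} bytes={s['bytes']} peers={peers}")
        for f in filter_station(CAPTURE, sta):
            print('   ', f)
```

The baseline set is the "trusted based on previous network scans" list from the text; anything outside it is surfaced with a vendor guess and a traffic summary so the administrator can decide whether it is a colleague's new phone or something to escalate.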

As the Borg says “Resistance is futile”, so embrace BYOD. Working with users and providing realistic solutions are much more effective and will provide the ongoing control you need to deal with this new form of network access.
