by Toby Makepeace, Technical Director, Netutils
This post contains original thoughts posted by Toby Makepeace, Technical Director, Network (Utilities) Systems Ltd. These views are his own.
There are plenty of blogs out there discussing the perfect party guest and there are definite similarities between them and the contractors and guests accessing your network. In short, we want to avoid the gate crashers! So just like any event we need to manage entry and identify who’s on the guest list, so you’ll get the right visitors and they’ll leave your house (or in this case your network) as they found it!
So, with reference to my original blog post (Developing a BYOD Strategy – Where do you start?), the starting point for your BYOD strategy overall should be to provide simple wireless guest access. Many organisations believe they already have a guest-access system in place; however, a few important aspects need to be considered and, in my view, are often overlooked.
Look at it this way: as an organisation providing guest access to the internet you are acting like an ISP, and as an ISP you have responsibilities. Your responsibilities are not only to provide your guests with a suitable level of service but also to meet your regulatory obligations to provide information about who is using your organisation’s connection to the internet. In short, anything that happens on the internet from one of your corporate public IP addresses is your corporate responsibility.
Worryingly, I have seen a number of organisations simply put up a separate DSL line and plug in a cheap access point/router as a guest solution. Occasionally they implement some level of security via a WPA-PSK handed out to guests, but in general the internet access is simply ‘open’. The assumption is that only the guests to their organisation will access the internet via this DSL line. The real problem here is the lack of ability to track who is on the system and when. It’s too easy for an uninvited guest to crash the party.
Why is this important?
With security breaches at historically high levels and cybercrime spiralling, an unprotected wireless network makes it all too easy for cyber criminals to access the internet via an access point that is not traceable back to them. The government’s position is that if you cannot provide information about who was using your internet connection and when, then the corporate responsibility lies with you.
Managing the guest list
Any guest access should be approved guest access; the ability for guests to self-provision, as quick and easy as it sounds, is a risk. A responsible member of your organisation should approve and create the guest account, i.e. a member of staff provisions the guest account and the system records the guest’s ID and the approver’s ID. The guest system should also have the ability to record when and for how long the guest account was used; RADIUS accounting records are ideal here, as they provide the internal IP address and the start and stop time of each session.
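As an added example (not code from the original post or from any particular guest-access product), the snippet below shows how the records just described are turned into the answer an ISP is expected to give: who held a given internal address at a given time, and which member of staff approved that guest. It assumes a simplified FreeRADIUS detail-style layout (blank-line-separated records of "Attribute = value" lines) and a plain dictionary as the provisioning register; every record, account name and address in it is constructed sample data. It also handles the two awkward cases a real system meets: a session with no Stop record yet, and a Stop record whose Start was lost.

```python
# Added example, not from the original post: rebuild guest sessions from RADIUS
# accounting records and answer "who was using internal address X at time T,
# and who approved them?". The record layout is an assumed, simplified
# FreeRADIUS detail-style format; all data below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed provisioning register: guest account -> staff member who created it.
PROVISIONING = {"guest-alice": "staff.jones", "guest-bob": "staff.patel"}

# Constructed accounting records. Session 5a02 has no Stop record (still open).
ACCOUNTING_DETAIL = """\
Acct-Status-Type = Start
Acct-Session-Id = "5a01"
User-Name = "guest-alice"
Framed-IP-Address = 10.20.0.11
Event-Timestamp = 2015-03-10T09:02:13Z

Acct-Status-Type = Stop
Acct-Session-Id = "5a01"
User-Name = "guest-alice"
Framed-IP-Address = 10.20.0.11
Acct-Session-Time = 2567
Acct-Terminate-Cause = User-Request
Event-Timestamp = 2015-03-10T09:45:00Z

Acct-Status-Type = Start
Acct-Session-Id = "5a02"
User-Name = "guest-bob"
Framed-IP-Address = 10.20.0.11
Event-Timestamp = 2015-03-10T10:15:00Z
"""


@dataclass
class GuestSession:
    session_id: str
    guest: str
    approver: str                        # "UNAPPROVED" if not in the register
    ip: str
    start: datetime
    stop: Optional[datetime] = None      # None: no Stop seen (open, or Stop lost)
    terminate_cause: Optional[str] = None


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split detail-style text into records, each a dict of attribute -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                     # a blank line ends the record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition("=")
        current[attr.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def build_sessions(records: List[Dict[str, str]], provisioning: Dict[str, str]) -> List[GuestSession]:
    """Pair Start and Stop records by Acct-Session-Id into GuestSession objects."""
    sessions: Dict[str, GuestSession] = {}
    for rec in records:
        sid, user, ts = rec["Acct-Session-Id"], rec["User-Name"], parse_ts(rec["Event-Timestamp"])
        approver = provisioning.get(user, "UNAPPROVED")
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = GuestSession(sid, user, approver, rec["Framed-IP-Address"], ts)
        elif rec["Acct-Status-Type"] == "Stop":
            if sid not in sessions:      # Stop without Start: recover start from Acct-Session-Time
                start = ts - timedelta(seconds=int(rec.get("Acct-Session-Time", "0")))
                sessions[sid] = GuestSession(sid, user, approver, rec["Framed-IP-Address"], start)
            sessions[sid].stop = ts
            sessions[sid].terminate_cause = rec.get("Acct-Terminate-Cause")
    return list(sessions.values())


def who_had_address(sessions: List[GuestSession], ip: str, at: datetime) -> List[GuestSession]:
    """Sessions holding `ip` at instant `at`; an open session counts until its Stop arrives."""
    return [s for s in sessions if s.ip == ip and s.start <= at and (s.stop is None or at <= s.stop)]


def open_sessions(sessions: List[GuestSession]) -> List[GuestSession]:
    """Sessions with no Stop record: still connected, or accounting data was lost."""
    return [s for s in sessions if s.stop is None]


if __name__ == "__main__":
    sessions = build_sessions(parse_detail(ACCOUNTING_DETAIL), PROVISIONING)
    when = parse_ts("2015-03-10T09:30:00Z")
    for s in who_had_address(sessions, "10.20.0.11", when):
        print(f"10.20.0.11 at {when:%H:%M}: {s.guest} (approved by {s.approver})")
    for s in open_sessions(sessions):
        print(f"open session {s.session_id}: {s.guest} on {s.ip} since {s.start:%H:%M}, no Stop record")
```

The lookup is deliberately keyed on the internal (Framed-IP-Address) address and a time instant, because that is what the accounting records give you; where the guest network sits behind NAT, answering a complaint quoting a public address and port needs one further join against the NAT device's translation log before this lookup applies. Sessions whose approver comes back as UNAPPROVED are worth alerting on, since they mean an account exists that no member of staff created.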
With all this information available at your fingertips, and by using the appropriate mandatory disclaimer on your guest access system, you transfer your responsibility to the guest users of the system. In short it’s better to be safe than sorry. You cannot be sure that your guest’s device has not been compromised by a virus or is being used as a botnet machine.
Additionally, if you start your company-wide BYOD solution by ensuring that staff who want to access the internet with personal devices use your guest access system, then, because these users must provide credentials and sign the disclaimer every time they use the system, they are much more likely to consider which platforms they access on the internet and to behave responsibly on your network.
I recognise that some people reading this will say I have not considered things like NAT and the potential number of users of the guest system, but consider this: every ISP that runs a NAT-based service to the internet manages it, and they might be dealing with tens of millions of users (in the case of a mobile operator with data services), so a corporate system to support say 1-1000 guests is easily scalable.
And yes, there are still other elements to consider, but in my view what you should avoid is deploying a quick and dirty solution based on a DSL line and a cheap access point/router as your first stab at a guest access system. So, just like that party I mentioned earlier, manage the guest list and don’t let the crashers compromise your security.
Read our follow-on article, coming soon – Why access control is important in a BYOD Strategy.