The perils of blocking BYOD
Though most industry analysts praise bring-your-own-device (BYOD) as a trend that will ultimately reduce IT costs and increase corporate productivity, many analysts and corporate IT experts question that logic. But what is an IT leader to do if they don't want personal devices on their network? Can the BYOD phenomenon simply be ignored?
Unfortunately, the answer is no, and trying to block BYOD anyway introduces risks of its own. In enterprises across the country, employees with no legitimate way to connect their personal devices to the corporate network look for workarounds and non-legitimate access. These employees are not hackers in the classical sense; they are not trying to steal corporate data or take your servers down. In their eyes, they only want internet access for a smartphone or email on a tablet. But, like attackers, they keep probing for access or a loophole until they find one, and the result is sometimes an outage or the failure of a whole network segment.
IT departments with a block-BYOD policy should be wary of the following common workarounds and hacks.
The first thing end users try is to use the credentials issued for their corporate computers on a personal device: an iOS or Android smartphone, a tablet, or even a personal laptop. For all the work organizations have put into identity management, it has mostly been centered on users. BYOD adds a new challenge around credentials and authentication because a single user now authenticates several devices to the network. Enterprises need mechanisms that enforce policy not only by user role but also by device type: is the user signing in from a managed PC or from an iPad? If you can't tell the difference, you can't enforce device-specific corporate policies. One solution is to issue machine certificates, so that only a device IT has enrolled can present a valid credential. An alternative that avoids the certificate rollout is to keep username/password authentication and add a tool that correlates device information, such as the MAC address, with the user, supplemented by endpoint behaviour and OS fingerprinting. The caveat with MAC-based correlation is that a MAC address is neither secret nor stable: it can be cloned from a corporate device, and current iOS and Android releases randomize the Wi-Fi MAC per network by default, so treat it as one signal among several rather than as proof of identity.
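As an added example, not code from the original article, here is a small Python correlation check of the kind described above. It reads constructed RADIUS-style accept/reject records, compares the MAC each user authenticated from against a constructed inventory of IT-issued devices, and for unmanaged devices guesses the vendor from a constructed OUI table, treating locally administered (randomized) MACs as unidentifiable rather than trusting the OUI lookup. The log format, the inventory, the OUI entries and the field names are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed inventory: username -> MAC addresses of the devices IT issued to them.
# A real deployment would pull this from the asset or MDM database.
MANAGED_DEVICES = {
    "jdoe": {"3c:2e:ff:12:34:56"},
    "asmith": {"3c:2e:ff:ab:cd:ef"},
}

# Constructed OUI table (first three octets -> vendor). Illustrative entries only;
# load the IEEE OUI registry for real use.
OUI = {
    "3c:2e:ff": "CorpLaptopVendor",
    "f0:18:98": "Apple",
}

# Matches the constructed RADIUS-style accept/reject lines used below.
LOG_RE = re.compile(
    r"user=(?P<user>\S+)\s+mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+result=(?P<result>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    user: str
    mac: str
    vendor: Optional[str]   # OUI lookup; None when unknown or when the MAC is randomized
    randomized: bool        # locally administered bit set (iOS/Android private Wi-Fi address)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet marks a locally administered MAC,
    which on phones almost always means a per-network randomized address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when a known user authenticates from a MAC IT never issued."""
    m = LOG_RE.search(line)
    if not m or m["result"].lower() != "accept":
        return None  # malformed or rejected: nothing to correlate
    user, mac = m["user"], m["mac"].lower()
    if mac in MANAGED_DEVICES.get(user, set()):
        return None  # credential used from the user's own corporate device
    randomized = is_locally_administered(mac)
    vendor = None if randomized else OUI.get(mac[:8])  # OUI is meaningless once randomized
    return Finding(user, mac, vendor, randomized)


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run classify over a stream of log lines and keep only the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log: one legitimate login, one from an Apple-OUI device not in
# inventory, one from a randomized MAC, and one rejected attempt that is ignored.
SAMPLE_LOG = [
    "user=jdoe mac=3c:2e:ff:12:34:56 result=accept",
    "user=jdoe mac=f0:18:98:99:88:77 result=accept",
    "user=asmith mac=da:1b:2c:3d:4e:5f result=accept",
    "user=asmith mac=3c:2e:ff:ab:cd:ef result=reject",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tag = "randomized MAC" if f.randomized else (f.vendor or "unknown vendor")
        print(f"{f.user}: corporate credential used from unmanaged device {f.mac} ({tag})")
```

The randomized-MAC branch is the important one: a phone using a private Wi-Fi address will show a different MAC on every SSID, so an OUI lookup on it is noise and the only reliable signal is "this user has a device we did not issue". In practice the finding would be enriched with the DHCP fingerprint or user-agent the NAC or proxy saw from the same session.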
Rogue wireless isn't a new problem, but it has resurfaced with new significance in the BYOD era. Users who want to connect devices without a LAN port, such as iPads and smartphones, are more motivated than ever to bring their home wireless access point (AP) and plug it into the corporate network. In doing so they open the network to anyone who can pick up the signal, from the parking lot or wherever it reaches.
In addition, an uninformed user may plug the network cable into one of the ports marked LAN on the wireless AP instead of the WAN port; it is a common mistake, since they believe they are connecting to the LAN. With its LAN side cabled to the corporate switch, the AP's built-in DHCP server answers DHCPDISCOVER broadcasts from every host in the same broadcast domain and hands out private addresses from its own range, with itself as the default gateway, so a client that accepts one of its leases cannot reach anything on the corporate network. Because clients only take a new lease when they boot, reconnect or renew, and either server may answer first, the damage spreads gradually, and it is often hard for the networking team to work out why some devices on a VLAN can reach the network while others on the same VLAN can't. Even once the cause is understood, without the right visibility tools it takes time to find the exact switch port the rogue AP is connected to so that it can be shut down. A good first step is a tool that shows every DHCP server seen on the network and the switch port it is connected to. For an automated response, put in place a tool that identifies and shuts down rogue DHCP servers and rogue wireless APs; on managed switches, DHCP snooping, which only forwards DHCP server replies that arrive on trusted uplink ports, stops the rogue leases before they ever reach a client.

As these examples show, ignoring BYOD is not a good way to keep your network up and healthy. If your BYOD policy is to block access, be prepared for the workarounds employees will attempt and make sure you have the right solutions in place to protect the network from those rogue access attempts.
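As an added example, not part of the original article, the following Python sketch shows the visibility step described above for rogue DHCP: it parses a constructed switch MAC address table, matches constructed DHCP OFFER records against an allowlist of authorized DHCP server addresses, and maps each unauthorized server's MAC to the switch port it was learned on, together with the clients that were offered a lease by it. The record layout, the allowlist, the MAC-table format and the Cisco IOS-style shutdown commands it emits are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: the only DHCP server allowed to answer on the access VLANs.
AUTHORIZED_DHCP_SERVERS = {"10.10.0.5"}

# Constructed DHCP OFFER records, as a sniffer on a SPAN port would hand them over
# (server_ip = option 54 server identifier, router = option 3, yiaddr = offered address).
OFFERS = [
    {"server_ip": "10.10.0.5", "server_mac": "00:11:22:33:44:55",
     "yiaddr": "10.10.4.21", "router": "10.10.4.1", "client_mac": "3c:2e:ff:12:34:56"},
    {"server_ip": "192.168.1.1", "server_mac": "f0:18:98:aa:bb:cc",
     "yiaddr": "192.168.1.100", "router": "192.168.1.1", "client_mac": "3c:2e:ff:ab:cd:ef"},
]

# Constructed output of the access switch's MAC address table ("show mac address-table" style).
MAC_TABLE = """\
Vlan    Mac Address         Type        Ports
----    -----------         --------    -----
  10    00:11:22:33:44:55   DYNAMIC     Gi1/0/1
  10    f0:18:98:aa:bb:cc   DYNAMIC     Gi1/0/12
  10    3c:2e:ff:ab:cd:ef   DYNAMIC     Gi1/0/13
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(\S+)\s*$", re.IGNORECASE)


def parse_mac_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each learned MAC to (vlan, port); header and separator lines are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[m.group(2).lower()] = (m.group(1), m.group(3))
    return table


@dataclass
class RogueServer:
    server_ip: str
    server_mac: str
    vlan: Optional[str]          # None when the switch has not learned the MAC yet
    port: Optional[str]
    offered_gateway: str         # the rogue AP hands itself out as default gateway
    victims: List[str] = field(default_factory=list)   # clients that were offered a lease


def find_rogue_dhcp(offers, mac_table: Dict[str, Tuple[str, str]]) -> List[RogueServer]:
    """Flag every OFFER whose server identifier is not an authorized DHCP server."""
    rogues: Dict[str, RogueServer] = {}
    for o in offers:
        if o["server_ip"] in AUTHORIZED_DHCP_SERVERS:
            continue
        key = o["server_mac"].lower()
        if key not in rogues:
            vlan, port = mac_table.get(key, (None, None))
            rogues[key] = RogueServer(o["server_ip"], key, vlan, port, o["router"])
        rogues[key].victims.append(o["client_mac"].lower())
    return list(rogues.values())


def shutdown_commands(rogue: RogueServer) -> List[str]:
    """Cisco IOS-style commands to disable the offending port (assumed syntax; adapt to your platform).
    Returns nothing when the port is unknown so automation never shuts down a guessed port."""
    if rogue.port is None:
        return []
    return [f"interface {rogue.port}",
            f" description ROGUE DHCP {rogue.server_ip} ({rogue.server_mac})",
            " shutdown"]


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for r in find_rogue_dhcp(OFFERS, table):
        print(f"rogue DHCP server {r.server_ip} ({r.server_mac}) on VLAN {r.vlan} port {r.port}, "
              f"gateway {r.offered_gateway}, leased to {', '.join(r.victims)}")
        print("\n".join(shutdown_commands(r)))
```

Keying the findings on the server MAC rather than the server IP matters because the home AP's 192.168.x.1 address tells you nothing about where it is plugged in; the MAC is what the switch learned on a port. Where the switches support it, the preventive control is DHCP snooping (on Cisco IOS, assumed syntax: `ip dhcp snooping`, `ip dhcp snooping vlan 10`, and `ip dhcp snooping trust` on the uplink interface only), which drops server replies from untrusted access ports so the detection above becomes a log entry rather than an outage.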