Security

Curious to know what people are doing to ensure their lan is secure when allowing personal devices onto the network for work based activities, not just internet access or email, but using internal applications. 

Im aware of workspoace, which seems a great comcept, but appears very limited in its application, especially if your organisation develops its own apps.  Unlessyou can make use of a workspace app, then its not going to deliver what you need it to do.  If even most are browser based, im not too sure how they would work within the workspace browswer. 

I suppose the only other way is to delvier a terminal services style session which will typically have a desltop that users are familiar with, but this typically doesnt transfer onto tablets very well. 

Hi $,

I've implemented a couple of solutions that utilize 802.1x across the LAN. The good thing about this design, especially paired with Clearpass, is that individual users must authenticate to the network in order to gain access. Here's the part I'm spit ballin' and currently testing in a lab. If someone can not authenticate, there are ways on most switches to pass people to a failback VLAN, guest VLAN, or something similar. This VLAN could have ACL / firewall rules that allow access to the Internet, email, and maybe access to a Citrix / VDI environment. 

Not sure if this is what you were talking about - but hope it helps!

-Mike

I was more concerned about users simply wanting to bring their own devices and connect them to the wlan to access interneal systems, and the potential damage that could be done with infected machines. 

The only way I could think of is either using somehting like workspace (which I cant really see working in our environment), or as you mention a citrix/terminal server style conneciton, where this is ontly system their devices can connect to.  I suppose onguard is another option, but this is limited to windows/mac/linux based systems, and even then, I dont think Id want them having the same access as a corporate device. 

I dont think you would want to treat any persnal device in the same way you do a coporate.

Hi $,

I thought you were talking about on the wired LAN only. Do you have Clearpass? If so, here's something that I did recently. First, all BYOD devices would have to go through the OnBoarding process in Clearpass. This would put a TLS cert on those devices and would be assigned a role in Clearpass. Next, all OnBoarded devices would pass an enforcement profile to the Aruba controller giving them a redacted role, similar to what I described in the previous post.

Another thing that you could look at is implementing the Anchor configuration with an additional Aruba controller. This type of configuration allows one controller to form a GRE tunnel to second controller. I have customers using this type of configuration to tunnel all of their guest traffic across their LAN to a DMZ, where they are effectively removed from the internal network - that's another thought.

-Mike

We are in process of having clearpass installed.. I understand about reduced roles etc, but if you are still allowing personal devices onto the network, theres still potential for infected devices to cause problems, if permitting them to connect to systems directly.  This is why I wondered if workspoace or a terminal server style conneciton was preferred to simply allowing personal devices to connect to systems.  However, I cant really see how workspace would fit in within our organisation.   

Guest users are currently isolated from the corp network and routed towards a dmz and out of a secondary internet link, so this isnt of any concern. 

your idea of an RDP (or vmware view / citrix) kinda solution is a good one which i encountered before. BYOD is all nice but to allow systems which have been everywhere on the internal network is kinda scary. so put them together and only allow access to somewhere which protects your infra better like a VDI solution.

there have been several threads on BYOD the last few months, THE solution is available (yet), so until then just make something which works for your company / customer.