11-17-2011 09:23 PM
This is a common question faced by network engineers today as an explosion of employee-purchased devices is brought into the office. Modern operating systems make it so easy for staff to connect their smartphone or tablet to an existing SSID. Let's take a common WLAN enabled with 802.1X Enterprise WPA2. Typically this SSID will be enabled to support basic username and password authentication using PEAP, so armed just with their user credentials they can connect these devices to your network. This will all happen under the radar of network engineers unless we start building some smarts into the access networks that our staff are using every day.
So how do we get some visibility into what these users are connecting to our network and allow the network administrators to take back some control? This is where the use of device fingerprinting or profiling is becoming an essential part of building a secure mobility. All devices send identifiable sequences of packets whilst connecting to a Wi-Fi network and these packets can be used to differentiate between all these smartphones and tablets and the regular IT issued laptops. Using these smarts, network administrators can then make policy decisions about how to handle each class of device.
Allow access but maybe reduce the bandwidth available, quarantine certain devices and redirect them to a policy reminder page or block access to all internal applications and resources. These are just some sample policies that could be implemented.
If your network allowed you to differentiate between these different classes of devices, what policy would you implement? Do I let iPads access corporate applications? Should you allow Androids on the network at all?
Let us know what your policy would be and what type of organisation you represent (enterprise, retail, education, etc).
11-18-2011 05:42 AM
In my world (K-12), forbidding access to the network is generally frowned upon. One of my main goals in switching to Aruba is to be able to segment school-owned devices from student devices. We have limited bandwidth here, only 10/10 fiber for a student base of over 900. Which is much better than when I started; we had 4/4 then.
But due to the costs of upgrading and the lack of fiber competition in the area - we are likely stuck with 10/10 for the foreseeable future, even with more handheld devices popping up each day.
So my plan/hope/desire is to set up trusted and non-trusted devices, and limit bandwidth. I might even take it one step further and put teacher and student devices in separate groups so I can more precisely control bandwidth when needed, during testing time normally.
We haven't received our Aruba gear yet, so I'm not 100% sure what I can and can't do with it yet. But I also hope to be able to restrict iCloud, which with as many non-trusted iOS devices as we have floating around could potentially negatively impact our network, with limited bandwidth.
I'm extremely jealous of the schools who managed to get extremely discounted gigabit internet into their buildings :)
11-18-2011 05:23 PM
Sounds a bit tough managing that limited bandwidth for so many students.
I would be interested to understand how you are going to track the trusted vs un-trusted devices in your network. Are you planning on managing some form of asset register where you are tracking details like serial number, MAC Address etc?
There are a bunch of technologies you should be able to leverage in terms of device fingerprinting (trusted device type), user authentication for role derivation (student vs faculty) and MAC address based role derivation (trusted devices available in asset register) to achieve your results.
Keep in touch with how your testing goes and let us know if we can help out with any suggestions.
11-21-2011 08:15 AM
I represent a UK University, and we're generally in the business of enabling anything onto the WLAN. The ideal position is for us to be able to cater for regular and occasional visitors, using any 802.11 device, with minimum hassle.
We are considering looking at some kind of posture checking, alongside a NAC solution on our LAN, but don't have any concrete plans or policies yet.
Getting good concrete data on usage patterns will be useful in forward planning, but as we are discouraged (by our customers) from limiting access for any particular device or class, it may not actually make any difference. Access is more likely to be limited by who any particular user is, rather than what they're using. (Although I would have my worries about accessing key business systems from a personal laptop riddled with spyware and The Unknown.)
11-26-2011 06:18 PM - edited 11-26-2011 06:18 PM
eljay, not sure if you have seen the news about Aruba's acquisition of Avenda Systems.
This will give you many more capabilities to help with BYOD, health/posture assessment and generally much more fine-grained access control for wired, wireless or VPN users.
I am sure the local Aruba account team will be happy to help you with planning to support some of the challenges you describe.
11-26-2011 06:55 PM
Haven't thought that far ahead :)
I figured the easiest way to manage trusted/non-trusted is to blast out a locked down wireless network to our devices, then let the "untrusted" just connect to a guest network.
11-29-2011 08:40 AM
Absolutely that is a good way to go and leverage your existing guest network.
What we have been seeing from customers, however, is that their locked-down WLAN is based on 802.1X PEAP authentication, which only requires a valid username/password combination to access the network. The modern operating system support for Wi-Fi networks in smartphones and tablets these days will automatically detect PEAP being used and prompt the user to enter their credentials.
What this is leading to is a flood of these untrusted devices on the corporate locked-down WLAN, and often the administrator may not have the right tools to differentiate their users logging in on a corporate-issued laptop or smartphone.
This is where some of the device fingerprinting and profiling capabilities mentioned in the original post can help take back a bit of control and visibility as to what devices are being used on your network.
12-06-2011 06:54 AM
I like the device fingerprinting, but it doesn't seem to always work. About 1/3 of the devices connecting never show up, just show --- instead. Most likely these devices are Macs, but some show up, some don't. Some of them also show up as a MAC address for the client instead of an IP address.
Right now I'm planning on creating a trusted SSID, and pushing out a WPA2-PSK to at least our teacher computers. I don't really care too much if the student data is unencrypted, but the teacher data at least should be. Might bring the school-owned computers in at some point, but the vast majority are wired anyway.
12-07-2011 07:48 AM
Just remember that the Device Type field in the user table of the Aruba controller is actually just an informational field that is derived from inspecting the HTTP User-Agent strings in web browsing traffic coming from your Wi-Fi device. This information is only used for device visibility and reporting.
The DHCP fingerprinting is the technique used for role derivation in the controller and is configured as a User Derivation Rule.
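The original post describes fingerprinting as matching the identifiable packets a device sends while joining, and the last two posts separate the two sources the controller uses: the HTTP User-Agent (informational Device Type only) and the DHCP fingerprint (the one used for role derivation). The following is an added example that models that split in plain Python; it is not code from the thread, from Aruba, or from any controller. It parses the DHCP Parameter Request List (option 55) out of a raw DHCP options area and looks it up in a fingerprint table to pick a role, and it labels the User-Agent separately. The fingerprint values, role names and sample packets are all constructed for illustration (assumptions), not a reference table for any real OS, and the helper names (`parse_dhcp_options`, `derive_role`, `profile_client`) are hypothetical. It also shows why a client that never browses over HTTP can display `---` as its device type while still landing in the right role.

```python
"""Toy model of DHCP-fingerprint role derivation vs. User-Agent device type.

Added example, not the thread's or Aruba's code. All tables below are
constructed for illustration and are not real vendor fingerprint data.
"""

# Constructed: DHCP option 55 parameter lists -> device class (assumption).
FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "ios-like",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-like",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "android-like",
}

# Constructed policy: device class -> role the client is placed in.
ROLE_BY_CLASS = {
    "windows-like": "trusted-employee",   # matches a corporate build
    "ios-like": "byod-limited",           # allowed, reduced bandwidth
    "android-like": "byod-limited",
}
DEFAULT_ROLE = "quarantine"  # unknown fingerprint -> policy reminder page


def parse_dhcp_options(blob):
    """Parse a DHCP options area (the bytes after the 4-byte magic cookie).

    Returns {option_code: raw_value}. Pad (0) bytes are skipped, End (255)
    stops parsing, and a truncated option raises instead of silently
    producing a partial fingerprint that could match the wrong class.
    """
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:          # Pad option: single byte, no length
            i += 1
            continue
        if code == 255:        # End option
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def dhcp_fingerprint(blob):
    """The fingerprint is the ordered option-55 Parameter Request List."""
    prl = parse_dhcp_options(blob).get(55)
    return None if prl is None else tuple(prl)


def derive_role(blob):
    """Role derivation: fingerprint -> device class -> role (with a default)."""
    device_class = FINGERPRINTS.get(dhcp_fingerprint(blob), "unknown")
    return device_class, ROLE_BY_CLASS.get(device_class, DEFAULT_ROLE)


def user_agent_label(user_agent):
    """Informational label only; never used for the role decision.

    A client that has not sent any HTTP yet has no User-Agent, so the
    label stays '---' exactly as a reporting field would.
    """
    ua = (user_agent or "").lower()
    for needle, label in (("ipad", "iPad"), ("iphone", "iPhone"),
                          ("android", "Android"), ("windows nt", "Windows"),
                          ("macintosh", "Mac")):
        if needle in ua:
            return label
    return "---"


def profile_client(dhcp_blob, user_agent=None):
    """Combine both sources the way the thread describes them."""
    device_class, role = derive_role(dhcp_blob)
    return {"class": device_class, "role": role,
            "device_type": user_agent_label(user_agent)}


def build_options(msg_type, prl=None, pad=0):
    """Build a constructed DHCP options area: option 53 (+ option 55) + End."""
    out = bytes([53, 1, msg_type])
    if prl is not None:
        out += bytes([55, len(prl)]) + bytes(prl)
    return b"\x00" * pad + out + b"\xff"


if __name__ == "__main__":
    # Constructed samples: a tablet that browsed, and a laptop that did not.
    tablet = build_options(1, (1, 3, 6, 15, 119, 252))
    laptop = build_options(1, (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))
    print(profile_client(tablet, "Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X)"))
    print(profile_client(laptop))          # device_type '---', role still derived
    print(profile_client(build_options(1)))  # no option 55 -> quarantine
```

The point the last post makes is visible in the second and third outputs: the laptop has no User-Agent yet and so reports `---`, but its DHCP fingerprint still places it in the trusted role, while a client with no Parameter Request List at all falls through to the default role rather than being silently trusted.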