Trying to keep smartphones off your network? Forget it. They're here. Trying to avoid having to manage consumer mobile devices? You're wasting your time. Better to accept the inevitable - you're going to have to do it. At 3pm on 18 October 2010 latest Regcast deals head-on with a problem that every sysadmin is going to have …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 12th October 2010 09:24 GMT Nya

What's the problem?

What's wrong with a white list of MAC addresses? if it's a supplied laptop by the company, you have the MAC address and allow it on. If not, it ain't getting on no matter what shiny device they have. Keep the buggers off the network, and keep it locked down. Don't really see an issue here, we've been using it for the last five years and it nicely keeps phone, tablets, or anyone else out.

0 0
1. Tuesday 12th October 2010 10:58 GMT Anonymous Coward
  
  Maybe you still don't know who's using your network
  
  yum install macchanger
  
  or
  
  apt-get install macchanger on the n900.
  
  0 0
Tuesday 12th October 2010 09:39 GMT adnim

My oh my, is access control so difficult?

"It is not a question of whether you let users access their data"

Yes it is, at least as far as user owned devices are concerned. It's not their data, it is company data. If a company cannot restrict who, how and when company data is accessed, then any data exposure or theft is a problem of their own making.

Filter access to IT resources by MAC address. Only company owned devices allowed access.

Yes a MAC address can be spoofed. But that should be considered a breach of computer usage/security policy and dealt with accordingly.

Locking down networks and resource to casual connections from what I would consider rogue devices... Wifi enabled phones, USB devices, etc. In fact any unauthorised hardware of any type not under control of the business is easy. Although this might incur additional investment in competent IT security staff and hardware.

A personal device under the control of the user should be considered insecure and never allowed to connect to a business network. If a user needs a mobile device to perform their duties, the business should provide them with one that is under control of the business and locked down.

I certainly wouldn't allow a device that is open to browse any site on the Internet to connect to a company network.

2 0
1. Tuesday 12th October 2010 12:24 GMT Anonymous Coward
  
  Exactly what I was thinking!
  
  Serious companies have rules and while there are always technical ways to get around things, the company rules cover the company in the event you break them.
  
  If you live in this always-on connected, mythical wonder-world where everyone is dressed in Khakis and lives with their design student girlfriend, wonderful. However most of us work in big faceless corps and they have rules, nasty rules, like, "If you connect your kit to our network even accidentally, you will be up to HR so fast your feet won't touch. In fact so fast they will not touch while we fire your arse and throw you out for even thinking about it. Tell you what, leave your toys at home and make sure you disable your Wifi on your phone at the door, just to be safe. eh?"
  
  You spoof a MAC and get caught in my shop, you'd better like watching daytime TV as you'll be doing a lot during your suspension by security. We have VLANS and hard coded MAC whitelists in network segments, we only have two Wifi spots total and they are locked tighter than a duck's wotnot. We never, ever allow external consultants to attach any laptops to the network, ever. That simple. No ifs or buts, not allowed.
  
  0 0
Tuesday 12th October 2010 12:24 GMT Mountford D

Shouldn't the title be "Their wireless devices are on your network"?

Have I missed the point of the article completely? Isn't this the same scenario as laptops equiped with wireless facilities? Sysadmins have been dealing with these for the past who-knows-how-many years so what's so special about smartphones?

2 0
Tuesday 12th October 2010 13:39 GMT taxman

Certification?

Why go through whitelists? ALL devices that can be attached to your network should be certificated. That way you don't have to even consider MAC spoofing.

But then allowing smartphones on does open another door of data leakage. Oh er!

0 0
Tuesday 12th October 2010 22:30 GMT Trevor_Pott

It's not about unauthenticated devices.

I have just finished writing the last article on my on sysadmin blog contract here for El Reg. Oddly enough, I seem to have glommed on completely independently to the same theme as is going through the recent spate of Freeform dynamics articles. (I wasn’t directed to write about mobile devices, I swear!)

Unless the freeform guys are on a completely different track than I am, this isn’t about devices being on your network without corporate authorisation. The point of the discussion is that Mobile Internet Devices (MIDs), be they smartphones, tablets or what-have-you are here to stay. As systems administrators, we might build up the sandbags for a while…but we can’t hold back the mobile computing tide forever. These devices will eventually be part of the corporate computing landscape and no amount of handwringing or whinging on our parts will change this. Eventually, we will be directed to allow thier use and even to support them in an official capacity.

1 0
1. Wednesday 13th October 2010 09:23 GMT Goat Jam
  
  Indeed
  
  We are at this very moment trying to figure out how to manage a fleet of iphones. I have been looking at Mobile Iron, had not heard of Zenprize until this article. Not sure how they compare.
  
  If anybody has any actual in the trenches experience with either Zenprize or Mobile Iron I'd love to hear about it!
  
  0 0
  1. Wednesday 13th October 2010 15:08 GMT Trevor_Pott
    
    @Goat Jam
    
    I have recently done an absolutely unreal amount of research into this subject. I had about two hours worth of product demos/interviews with two companies, MobileIron and FancyFon. E-mail me and I will tell you anything you want to know! Either find one of my articles and use "e-mail the author," or use the widget in the about section of my website: http://www.trevorpott.com
    
    0 0
Wednesday 13th October 2010 09:35 GMT Danny 14

not just MAC

we dont only use MAC we also use MAC -> DHCP assigned too. We only have 250 devices on our network so after the initial hoohar its just routine remove and add once a new or replacement arrives.

There are local DHCP allowed by 2 access points (with a range of 2 devices each) there are in the presentations areas for guests. Outside that the whole network is domain based so they wont have domain resources anyway. They can only get the maximum filtered internet (default squid pass through) people on the domain get their own WPAD supplied proxy that is filtered depending on their OU.

Fairly locked down here.

0 0
Wednesday 13th October 2010 09:37 GMT Peter Gathercole

For bog's sake. It's easy (although costly).

Zone your network using firewalls. Wireless access appears in one zone, which does NOT have any critical servers in it. Employ a capable network engineer or two, and let them achieve a working relationship to the security people.

Control the keys using the strongest authentication all your official devices can use, preferably based on something like RADIUS. Change any PSK keys that you have to have regularly, only circulate these changed keys to people with registered devices.

Query all devices using a device checker probe (something as simple as nmap or wireshark should be able to get most devices) and track down any unauthorized devices. Scan for unauthorized wireless networks in the vicinity, and attempt to identify whether it is the coffee shop downstairs, or a rogue access-point in the building (I'm serious, it happened somewhere I worked!). Make sure that all laptops physically attached to the wired network have wireless services turned off (including 3G 'dongles' and Bluetooth). Run regular security scans on laptops to check that this is the case.

Put simple services (like printing and possibly mail access) within the DMZ. Allow devices on the DMZ controlled access the Internet and then back in to your corporate gateways exactly the same as if they were coming in from the Internet. Knock specific holes controlled by the strongest access control you have in the inward looking firewall for any apps that absolutely have to be accessed from mobile devices. Argue the case for blocking every singe one, until you have been convinced that it is necessary and appropriate controls are in place.

Review these holes regularly, and have a strong procedures to track leavers and joiners. Ban, with the strongest penalties, sharing of ID's and revealing PSK's to non-authorized users. Lock services to specific ID's using strong authentication, preferably using one-shot password devices.

Be prepared to use VPN for any really critical services, especially those containing private or critical data. Select your approved devices carefully, to make sure that they meet all the security requirements. If there are vulnerabilities known on your mobile device of choice, make sure you have appropriate AV software deployed and updated.

If you are paranoid, consider using glass coatings on the windows to control the leakage of the WiFi signal out of the building, but if you are that worried, you should probably not use wireless services at all. Work out how far your wireless networks spread outside of your controlled space, using normal devices and focused antenna as well. Show the controlling managers this, and demonstrate it as well.

And above all, if you value your business, JUST DON'T USE WIRELESS SERVICES. This should include wireless keyboards, and any future wireless USB technology. If the MD objects, put a reasoned argument that the very business itself is at risk if the network is compromised. And if you are over-ruled, either be prepared to give in, lodging an "I Told You So" letter somewhere in the business, or to resign on principal.

It is clear that the "Block everything, then allow only what's essential" principal operates here.

0 0