Keeping your eye on BYODs and more

[LPhifer]

Many of us tend to focus on endpoint settings and MDM to mitigate enterprise security risks associated with new mobile devices - especially BYODs. But these tactics address only part of the problem. Used alone, they're like applying brake/throttle without being able to eyeball your speedometer.

It's never been more important to detect and monitor devices operating within your airspace, used by your workforce and others. For a succinct explanation of why wireless visibility is critical and how WIPS can help, read this HelpNetSecurity interview with Jesse Frankel:

http://www.net-security.org/article.php?id=1671&p=1

[LPhifer]

An essential first step in dealing with bring-your-own-devices is spotting and identifying them. I've been thinking about this challenge and the myriad of solutions that are trying to tackle it.

First, we have Network Access Control (NAC) solutions that intercept login requests and scan or probe unrecognized devices to fingerprint them. Fingerprinting wasn't the original purpose of NAC - many NAC solutions were initially geared to spot malware or policy non-compliance or enable safe guest access. But NAC is well-positioned to fingerprint BYODs - so long as those BYODs actually try to connect to your network.

Next, we have Wireless LANs products that keep tabs on client associations and participate in client/user authentication. Increasingly, these products are venturing beyond guest management into BYOD on-boarding - in effect, leveraging guest WLANs to redirect unrecognized devices to an activation portal, where they can be provisioned for secure connectivity to the corporate WLAN. These products are also well-positioned to fingerprint BYODs - so long as those BYODs actually try to associate to your WLAN.

But what about BYODs that never connect, never associate - what's the best way to fingerprint those puppies? You might argue they don't matter, but increasingly they do. These BYODs can be Wi-Fi Direct peers, personal hotspots, or just noisy clients that constantly probe for APs without ever trying to connect to yours. These may have security impact on your business - and they certainly have performance impact on your WLAN. Fingerprinting these BYODs can help you determine risk and impact and whether any action is warranted.

This is where I think that full-time Wireless IPS is in a unique position to help. WIPS doesn't wait until association or network connection time to monitor and track BYODs. With a WIPS, it's pretty easy to look back and see when the first time a given BYOD appeared, where it went in your facility, and whether it ever associated to anyone (or tried to).

A WIPS that really fingerprints devices - doesn't just tell you a device is manufactured by Cisco or Apple or <insert your OUI here> - can be a huge help in evaluating the "what" and "why" and "where" questions that BYODs raise. Given the ever-escalating number of BYODs that probably visit your office each day, a WIPS that can automatically DO something when it spots a specific kind of device engaged in a suspicious kind of activity is even better.

But that's just my opinion and experience. How about you? How many of you are using WIPS as part of a BYOD management or security initiative? What capabilities and tools do you find more effective for this purpose? What tools do you wish you had that you don't today?