Good Day fellow Spiceworkers :slight_smile:

We have quite a large number of Android/iOS and BlackBerry phones on our network which have somehow been connected to the WiFi (I know that a management person is giving the password to them if they ask).

My question is:

What is your “best practice” on this issue? I am highly against this, but management does not see this as an issue (I feel it is a major security issue as there are apps that can easily mock about on the network).

I would like some thoughts on this so that I can take this to upper management, and it would be nice to demonstrate the impacts the phones can have on the network (and the apps that can cause issues on the network).

It is easy to block all the phones, as I already have all the phones on an address list on my router, so it is as easy as just dropping all traffic going to them, but without management's approval this will be an issue.

Thanks

8 Spice ups

Implement a guest network if you do not already have one, let them connect to it. Then change the password to your main network, no one needs it but IT. If someone has a need for a device on the main network, IT would be the ones setting it up anyways.

6 Spice ups

Company owned or employee owned?

I allow the company owned phones on corporate WIFI because I can wipe them clean if there’s an issue. If it’s an employee-owned device, they’re allowed on the guest WIFI that has no access back to the data center

4 Spice ups

If you don’t already have one in place, it’s time to get a BYOD policy or at least a sub heading on BYOD within your IT policy stating that smart phones and other non-corporate provided devices are not permitted to connect to corporate Wifi.

Show your concerns to management (network congestion, app risk, data mining, etc).

5 Spice ups

You need:

  • A guest network for them
  • HR policy to know if people are allowed to compromise the network like this
  • Not a shared password, so that people are not able to do this without knowing who did it

5 Spice ups

You have to start at the top, not the bottom. Without management buy-in, everyone who complains about being cut off will have a valid argument. Present the security case and the guest wi-fi solution. If management doesn’t agree, there is nothing you can do. If they do agree, be prepared to implement it in a reasonable amount of time.

2 Spice ups

Set up a guest network. This is for all phones and guest devices to use for internet access.

Throttle-plate the heck out of it. Limit this to 2% of your bandwidth at most. This is an optional service, not a required service, and you don’t want someone on the guest network chewing up your entire bandwidth.

The IT crew should be the ones to configure the WiFi PW on people’s machines.

Company-provided devices can generally go on the internal network as they are owned by the company, and you should have some sort of security oversight on these devices.

It depends on the type of WiFi devices you are running. I am running a Ubiquiti AP. The UBNT software is super easy to go in and block all the phone devices, and most phones identify themselves to the AP device.

2 Spice ups

Google “BYOD policy” to get some ideas of what you can and should do. Management and IT may not be on the same page about this, but as IT you should at least present a case and some options to management.

1 Spice up

I agree with all of these comments. However, when a company allows users to download and edit company files with their personal phones, what do you do? What’s the best practice for keeping BYOD off of the LAN but also giving them access to the files they need to work? 3rd party (cloud) file hosting?

1 Spice up

I’ll repeat what everyone else said.

If management wants mobile devices on wi-fi, they belong on a segregated network, hopefully with domain credentials required to sign in.

Your laptops should not be using username/password but rather certificate-based authentication.

If access is required to files on the LAN segment, consider a mobile VPN where you can limit the destination and log activity.

BYOD software can help with this. Mobile Iron has software that will let you control the types of file exchanges you describe.

2 Spice ups

I don’t allow them on our network, period. Not because of security or anything like that, but because of bandwidth. We only have a 5Mb/5Mb Ethernet Over Copper internet connection. It’s the best we can get five miles away from Downtown in the sixth largest city in the United States. (sigh) It’s bad enough having 100 desktops/laptops on that small of a connection. Adding 100 smart phones trying to constantly do app and OS updates would bring our internet connection down to a crawl. More than it already is, anyway.

4 Spice ups

We don’t allow any mobile devices on our internal network. We have guest wireless set up that pretty much anyone can use.

1 Spice up

We use a BYOD system for the wifi. We have MAC address filtering so we can control who is allowed on or not.

1 Spice up

A solution that solves a lot of these points is Bitglass. Bitglass allows for BYODs to access certain enterprise resources while still keeping certain data blocked, as well as the ability to work within the network. It works as a cloud-based proxy, with no agents to install. As traffic flows transparently through Bitglass, you are able to apply controls to the device’s inbound/outbound data. You get full visibility into all corporate data going to the device, while it’s all done from the network with no software to install on the device. You also have the ability to wipe corporate data in case a device is lost/stolen, along with setting basic device level policies such as encryption and pass codes.