CWNA Chapter 20 – Bring Your Own Device (BYOD)

My Notes from chapter 20 of the CWNA study guide

Mobile Device Management

  • Company-issued devices versus personal devices
    • An MDM solution can be used to manage both company-issued devices and personal devices.
    • The management of CIDs and BYOD devices is quite different.
    • The management strategy for company mobile devices usually entails more in-depth security because very often the CIDs have company documents and information stored on them.
    • When company devices are provisioned with an MDM solution, many configuration settings such as virtual private network (VPN) client access, email account settings, Wi-Fi profile settings, passwords, and encryption settings are enabled.
    • The ability for employees to remove MDM profiles from a CID is disabled and the MDM administrator can remotely wipe company mobile devices if they are lost or stolen.
    • Because these devices are not personal devices, the IT department can also dictate which applications can or cannot be installed on tablets and/or smartphones.
    • The concept of BYOD emerged because personal mobile devices are much more difficult to manage unless a proper MDM solution has been deployed.
    • Every company should have its own unique BYOD containment strategy while still allowing access to the corporate WLAN
    • For example, when the personal devices are provisioned with an MDM solution, the camera may be disabled so that pictures cannot be taken within the building
  • MDM architecture
    • The basic architecture of any MDM solution consists of four main components:
      • Mobile Device
        • The mobile Wi-Fi device requires access to the corporate WLAN
        • It can be either a company-owned or an employee-owned device.
        • The mobile devices are not allowed onto the corporate network until an enrolment process has been completed and an MDM profile has been installed
      • AP/WLAN Controller
        • All Wi-Fi communications are between the mobile devices and the access point to which they are connected
        • If the devices have not been enrolled via the MDM server, the AP or WLAN controller quarantines the mobile devices within a restricted area of the network known as a walled garden
      • MDM Server
        • The MDM server is responsible for enrolling client devices
        • It also provisions the mobile devices with MDM profiles that define client device restrictions as well as configuration settings
        • Certificates can be provisioned from the MDM server
        • Whitelisting policies restrict enrolment to a list of specific devices and operating systems.
        • Blacklisting policies allow all devices and operating systems to enrol except for those that are specifically prohibited by the blacklist.
        • Device inventory control and application management are key components of any MDM solution
      • Push Notification Servers
        • The MDM server communicates with push notification servers such as Apple Push Notification service (APNs) and Google Cloud Messaging (GCM) for over-the-air management of mobile Wi-Fi devices
  • MDM enrolment
    • Mobile devices must go through an enrolment process in order to access network resources
      1. Mobile device connects with the access point
        • The mobile device must first establish an association with an AP.
        • The Wi-Fi security could be open, but usually the CID or personal devices are trying to establish a connection with a secure corporate SSID that is using 802.1X or preshared key (PSK) security
        • At this point, the AP holds the mobile client device inside a walled garden.
      2. AP checks if the device is enrolled.
        • The next step is to determine if the mobile device has been enrolled.
        • If the mobile device is already enrolled, the MDM server will send a message to the AP to release the device from the walled garden.
        • Unenrolled devices will remain quarantined inside the walled garden.
      3. MDM server queries LDAP
        • The MDM server queries an existing LDAP database, such as Active Directory.
        • The LDAP server responds to the query, and then the MDM enrolment can proceed
      4. Device is redirected to the MDM server
        • When the user opens a browser on the mobile device, it is redirected to the captive web portal for the MDM server
        • The enrolment process can then proceed.
        • For legal and privacy reasons, captive web portals contain a legal disclaimer agreement that gives the MDM administrator the ability to restrict settings and remotely change the capabilities of the mobile device.
        • If the user does not agree to the legal disclaimer, they cannot proceed with the enrolment process and will not be released from the walled garden.
      5. Device installs certificate and MDM profile
        • Once enrolment begins, a secure over-the-air provisioning process for installing the MDM profile is needed
        • Over-the-air provisioning differs between different device operating systems, but using trusted certificates and SSL encryption is the norm.
      6. MDM server releases mobile device
        • Once the device has completed the MDM enrolment, the MDM server sends a message to the AP or WLAN controller to release the mobile device from the walled garden.
      7. Mobile device exits the walled garden
        • The mobile device now abides by the restrictions and configuration settings defined by the MDM profile
  • MDM profiles
    • MDM profiles are used for mobile device restrictions
    • MDM profiles can also be used to globally configure various components of a mobile device.
    • MDM profiles can include device restrictions, email settings, VPN settings, LDAP directory service settings, and Wi-Fi settings
  • MDM agent software
    • The operating systems of some mobile devices require MDM agent application software.
    • An MDM agent must support multiple Android device manufacturers.
    • The MDM agent on the iOS device could potentially send information back to the MDM server that is not defined by the Apple MDM APIs
  • Over-the-air management
    • The MDM server can monitor device information including device name, serial number, capacity, battery life, and the applications that are installed on the device
    • Information that cannot be seen includes SMS messages, personal emails, calendars, and browser history.
    • The mobile device can still be managed remotely, even if the mobile device is no longer connected to the corporate WLAN
    • The communication between the MDM server and the mobile devices requires push notifications from a third-party service.
    • Both Google and Apple have APIs that allow applications to send push notifications to mobile devices.
    • What kind of remote actions can an MDM administrator accomplish over the Internet?
      • Make changes to the configuration.
      • Make changes to the device restrictions.
      • Deliver a message to the device.
      • Lock the device.
      • Wipe the device.
      • Make application management changes.
  • Application management
    • Enterprise MDM solutions also offer various levels of management of the applications that run on mobile devices.
    • Managing applications on company-owned devices is commonplace; however, application management on employees' personal devices is not as prevalent.
  • Wi-Fi client onboarding
    • The main purpose of Wi-Fi client onboarding solutions is to give the customer an inexpensive and simple way to provision mobile devices onto the secure corporate SSID.
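The walled-garden gate and the whitelisting/blacklisting enrolment policies from the MDM architecture and enrolment notes above, modelled as an added Python example written for these notes (it is not code from the CWNA study guide or from any MDM product). The device attributes, the OS names and version thresholds, and the three action names are constructed assumptions; a real controller would take the "release" signal from the MDM server rather than from a local flag.

```python
"""Walled-garden enrolment gate with whitelist/blacklist policies (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Device:
    mac: str
    os_name: str           # e.g. "iOS", "Android" (constructed values)
    os_version: str        # dotted version string as reported by the device
    model: str
    enrolled: bool = False  # True once the MDM server has installed a profile


def parse_version(version: str) -> Tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


@dataclass
class EnrolmentPolicy:
    """mode 'whitelist': only listed OSes at or above a minimum version may enrol.
    mode 'blacklist': everything may enrol except the listed OSes and models."""
    mode: str
    allowed_os: Dict[str, str] = field(default_factory=dict)  # os_name -> minimum version
    blocked_os: Set[str] = field(default_factory=set)
    blocked_models: Set[str] = field(default_factory=set)

    def may_enrol(self, device: Device) -> bool:
        if self.mode == "whitelist":
            minimum = self.allowed_os.get(device.os_name)
            if minimum is None:
                return False
            return parse_version(device.os_version) >= parse_version(minimum)
        if self.mode == "blacklist":
            return (device.os_name not in self.blocked_os
                    and device.model not in self.blocked_models)
        raise ValueError(f"unknown policy mode: {self.mode}")


def gate(device: Device, policy: EnrolmentPolicy) -> str:
    """What the AP/controller does with a freshly associated device.

    'release'            - already enrolled; the MDM server tells the AP to let it out of the walled garden
    'redirect-to-portal' - stays quarantined; HTTP is redirected to the MDM captive portal to enrol
    'quarantine'         - stays quarantined and may not enrol under the current policy
    """
    if device.enrolled:
        return "release"
    if policy.may_enrol(device):
        return "redirect-to-portal"
    return "quarantine"


if __name__ == "__main__":
    policy = EnrolmentPolicy(mode="whitelist", allowed_os={"iOS": "15.0", "Android": "12"})
    for dev in (
        Device("02:00:00:00:00:01", "iOS", "16.4.1", "iPhone14,2", enrolled=True),
        Device("02:00:00:00:00:02", "iOS", "14.8", "iPhone10,1"),
        Device("02:00:00:00:00:03", "Android", "13", "Pixel 7"),
        Device("02:00:00:00:00:04", "Windows", "10.0", "Surface"),
    ):
        print(dev.mac, dev.os_name, dev.os_version, "->", gate(dev, policy))
```

The whitelist form is the stricter of the two because an OS the policy has never heard of is refused by default; the blacklist form only refuses what has been explicitly listed, which is why the notes describe it as allowing all devices except those prohibited.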

Guest WLAN access

  • Guest SSID
    • In the past, a common SSID strategy was to segment different types of users, even employees, on separate SSIDs; each SSID was mapped to an independent VLAN
    • That strategy is rarely recommended now because of the layer 2 overhead created by having many SSIDs
    • What has not changed over time is the recommendation that all guest user traffic be segmented onto a separate SSID
    • The guest SSID will always have different security parameters than the employee SSID, and therefore the necessity of a separate guest SSID continues
    • Although encryption is not usually provided for guest users, some WLAN vendors have begun to offer encrypted guest access and provide data privacy using dynamic PSK credentials. Encrypted guest access can also be provided with 802.1X/EAP with Hotspot 2.0
  • Guest VLAN
    • Guest user traffic should be segmented into a unique VLAN tied to an IP subnet that does not mix with the employee VLAN
    • Segmenting your guest users into a unique VLAN is a security and management best practice.
    • Although isolating the guest VLAN in a DMZ has been a common practice for many years, it is no longer necessary if guest firewall policies are being enforced at the edge of the network.
  • Guest firewall policy
    • The most important security component of a guest WLAN is the firewall policy
    • The guest WLAN firewall policy prevents guest user traffic from getting near the company network infrastructure and resources
    • The guest firewall policy should simply route all guest traffic straight to an Internet gateway and away from the corporate network infrastructure.
    • It really is up to the security policy of the company to determine what ports need to be blocked on the guest VLAN
  • Captive web portals
    • Often, guest users must log in through a captive web portal page before they are provided access to the Internet
    • One of the most important aspects of the captive web portal page is the legal disclaimer.
    • A captive portal solution effectively turns a web browser into an authentication service.
  • Client isolation, rate limiting, and web content filtering
    • Client isolation is a feature that can be enabled on WLAN access points or controllers to block wireless clients from communicating directly with other wireless clients on the same wireless VLAN.
    • Client isolation is highly recommended on guest WLANs to prevent peer-to-peer attacks.
    • Enterprise WLAN vendors also offer the capability to throttle bandwidth of user traffic.
    • Enterprise companies often deploy web content filter solutions to restrict the type of websites that their employees can view while at the workplace.
  • Guest management
    • Most guest WLANS require a guest user to authenticate with credentials via a captive web portal
    • Unlike a pre-existing Active Directory database, guest user databases are normally created on the fly
    • Someone has to be in charge of managing the database and creating the guest user accounts
    • IT administrators are typically too busy to manage a guest database; therefore, the individual who manages the database is often a receptionist or the person who greets guests at the front door
  • Guest self-registration
    • A good guest management solution allows the receptionist to register a single guest user or groups of users
    • Over the past few years, there has also been a greater push for guest users to create their own account, what is commonly referred to as self-registration.
    • When the guest is redirected to the captive web portal, if they do not already have a guest account, a link on the logon web page redirects the guest to a self-registration page.
    • Self-registration via a kiosk is quite useful when the kiosk is deployed in the main lobby or at the entrance to the company
    • An advantage of self-registration kiosks is that the receptionist does not have to provision the users and can concentrate on other work duties.
  • Employee sponsorship
    • Guest users can also be required to enter the email address of an employee, who in turn must approve and sponsor the guest
    • Employee sponsorship ensures that only authorized guest users are allowed onto the guest WLAN and that the company employees are actively involved in the guest user authorization process.
  • Social login
    • A new trend in guest networks in retail and service industries is social login
    • Social login is a method of using existing logon credentials from a social networking service (such as Twitter, Facebook, or LinkedIn)
    • Social login is often enabled using the OAuth protocol.
    • OAuth is a secure authorization protocol that allows access tokens to be issued to third-party clients by an authorization server
    • The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service and can be used for social login for Wi-Fi guest networks
  • Encrypted guest access
    • The problem is that many consumers and guest users are not savvy enough to know how to use a VPN solution when connected to an open guest WLAN
    • However, if a company can also provide encryption on the guest SSID, the protection provided to the guest user is a value added service.
    • Another growing trend with public access networks is the use of 802.1X/EAP with Hotspot 2.0
    • Hotspot 2.0 is a Wi-Fi Alliance technical specification that is supported by the Passpoint certification program
    • Though open networks are still the norm today, growing interest in security and automated connectivity in public access networks will motivate adoption and use of Hotspot 2.0
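The guest VLAN, guest firewall policy and client isolation notes above describe a single policy: guests talk only to the gateway's DHCP/DNS, never to each other or to the corporate network, and everything else goes straight to the Internet, with any further port blocking left to the company's own security policy. The following Python is an added example written for these notes (not from the CWNA study guide or any vendor) that encodes that policy once as a reference evaluator and renders the same rules as an nftables ruleset. The subnet, gateway address, interface names and the choice to block outbound SMTP are constructed assumptions.

```python
"""Guest-VLAN firewall policy: reference evaluator plus an nftables rendering (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing and interface names for this example, not from the CWNA text.
GUEST_IFACE = "vlan50"
WAN_IFACE = "eth0"
GUEST_SUBNET = ipaddress.ip_network("172.16.50.0/24")
GUEST_GATEWAY = ipaddress.ip_address("172.16.50.1")
# All private space is treated as corporate: guest traffic never gets near it.
CORPORATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only services guests may use on the gateway itself (DHCP and DNS).
GATEWAY_SERVICES = {("udp", 67), ("udp", 53), ("tcp", 53)}
# Outbound ports the company's security policy chooses to block (constructed choice: SMTP).
BLOCKED_OUTBOUND = {("tcp", 25)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def evaluate(flow: Flow) -> str:
    """Return 'accept', 'not-guest' or 'drop:<reason>' for a new flow seen on the guest VLAN."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in GUEST_SUBNET:
        return "not-guest"                      # this policy only governs the guest VLAN
    if dst == GUEST_GATEWAY:
        return "accept" if (flow.proto, flow.dport) in GATEWAY_SERVICES else "drop:gateway"
    if dst in GUEST_SUBNET:
        return "drop:client-isolation"          # no guest-to-guest (peer-to-peer) traffic
    if dst.is_loopback or dst.is_link_local or any(dst in net for net in CORPORATE_NETWORKS):
        return "drop:corporate"                 # keep guests away from company infrastructure
    if (flow.proto, flow.dport) in BLOCKED_OUTBOUND:
        return "drop:port-policy"
    return "accept"                             # straight out to the Internet gateway


def render_nftables() -> str:
    """Render the same policy as an nftables ruleset; rule order mirrors evaluate()."""
    g = GUEST_IFACE
    lines = [
        "table inet guest {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname != "{g}" accept',
    ]
    for proto, port in sorted(GATEWAY_SERVICES):
        lines.append(f'    iifname "{g}" {proto} dport {port} accept comment "guest gateway service"')
    lines += [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname != "{g}" accept',
        f'    iifname "{g}" ip daddr {GUEST_SUBNET} drop comment "client isolation"',
    ]
    for net in CORPORATE_NETWORKS:
        lines.append(f'    iifname "{g}" ip daddr {net} drop comment "no corporate access"')
    for proto, port in sorted(BLOCKED_OUTBOUND):
        lines.append(f'    iifname "{g}" {proto} dport {port} drop comment "company port policy"')
    lines += [
        f'    iifname "{g}" oifname "{WAN_IFACE}" accept comment "guests go straight to the Internet"',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in (Flow("172.16.50.20", "172.16.50.1", "udp", 53),
              Flow("172.16.50.20", "172.16.50.21", "tcp", 445),
              Flow("172.16.50.20", "10.1.2.3", "tcp", 445),
              Flow("172.16.50.20", "93.184.216.34", "tcp", 443)):
        print(f, "->", evaluate(f))
    print(render_nftables())
```

Keeping the evaluator and the rendered ruleset side by side is the practical check the notes call for: the drop rules for the guest subnet and the private ranges must come before the final accept, and the gateway's own DHCP/DNS must be allowed in the input chain, otherwise guests are either isolated from the Internet or able to reach the corporate VLAN.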

Network access control (NAC)

  • Posture
    • Network access control (NAC) began as a response to computer viruses, worms, and malware that appeared in the early 2000s
    • Posture is a process that applies a set of rules to check the health and configuration of a computer and determine whether it should be allowed access to the network.
    • NAC products do not perform the health checks themselves but rather validate that the policy is adhered to.
    • Essentially, posture assessment “checks the checkers.”
    • After the posture check is performed, if a computer is considered unhealthy, the ideal scenario would be for the posture agent to automatically fix or remediate the problem so that the computer can pass the check and gain network access.
  • NAC and BYOD
    • With the proliferation of personal Wi-Fi-enabled devices, enterprises were forced to decide if these devices would be allowed to connect to the enterprise network and if so, what type of access would be allowed.
    • NAC allows both the device and the user to be evaluated when deciding whether a device is allowed onto the network
    • NAC uses various monitoring and fingerprinting techniques to identify different devices so that access can be controlled.
  • OS fingerprinting
    • The operating system of WLAN client devices can be determined by a variety of fingerprinting methods, including DHCP snooping.
    • An extensive list of DHCP fingerprints can be found at www.fingerbank.org.
    • Another OS detection method is HTTP fingerprinting. The user-agent header within an HTTP packet identifies the client operating system
  • AAA
    • Authentication obviously is used to identify the user who is connecting to the network
    • Authorization is used to process information such as the following:
      • User type (admin, help desk, staff)
      • Location, connection type (wireless, wired, VPN)
      • Time of day
      • Device type (smartphone, tablet, computer)
      • Operating system
      • Posture
    • By utilizing both authentication and authorization, a NAC can distinguish between John using his smartphone and John using his personal laptop.
  • RADIUS change of authorization
    • Prior to RADIUS Change of Authorization (CoA), if a client was authenticated and assigned a set of permissions on the network, the client authorization would not change until the client logged out and logged back in.
    • RADIUS accounting (the final A in AAA) is used to monitor the user connection
    • RADIUS CoA can dynamically change the permissions that the user has on the network
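The OS fingerprinting notes above mention two methods, the DHCP fingerprint and the HTTP User-Agent header. The following Python is an added example written for these notes (not from the CWNA study guide, and not Fingerbank's data or code) showing what a NAC actually does with a DHCP packet: it walks the option list, pulls out option 55 (the parameter request list, whose order of requested options is the fingerprint) and option 60 (vendor class), and looks the result up in a table. The fingerprint table and the sample DHCPDISCOVER built by `build_discover` are constructed for illustration; the User-Agent rules are deliberately minimal.

```python
"""DHCP option-55 and HTTP User-Agent OS fingerprinting for NAC (constructed example)."""
import re
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236 of a BOOTP frame


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: data} from a BOOTP/DHCP payload; raise ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = opts.get(code, b"") + data   # RFC 3396: repeated options are concatenated
        i += 2 + length
    return opts


def dhcp_fingerprint(packet: bytes) -> Tuple[str, Optional[str]]:
    """(parameter request list as 'a,b,c', vendor class identifier or None)."""
    opts = parse_dhcp_options(packet)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    vendor = opts.get(60)
    return prl, vendor.decode("ascii", "replace") if vendor else None


# Constructed sample fingerprint table for illustration only; a real table (e.g. Fingerbank's) is far larger.
FINGERPRINTS = {
    "1,3,6,15,119,252": "Apple iOS/macOS (constructed sample)",
    "1,3,6,15,26,28,51,58,59,43": "Android (constructed sample)",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows 10 (constructed sample)",
}


def classify_dhcp(packet: bytes) -> str:
    prl, _ = dhcp_fingerprint(packet)
    return FINGERPRINTS.get(prl, "unknown")


# Order matters: Android user agents also contain "Linux", so Android is tested first.
UA_RULES = [
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Macintosh"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]


def classify_user_agent(user_agent: str) -> str:
    for pattern, name in UA_RULES:
        if pattern.search(user_agent):
            return name
    return "unknown"


def build_discover(prl: bytes, vendor_class: bytes, chaddr: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Build a minimal DHCPDISCOVER for testing (constructed input, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x01"                              # option 53: message type = DHCPDISCOVER
    opts += bytes([55, len(prl)]) + prl                  # option 55: parameter request list
    opts += bytes([60, len(vendor_class)]) + vendor_class  # option 60: vendor class identifier
    return header + DHCP_MAGIC + opts + b"\xff"


if __name__ == "__main__":
    pkt = build_discover(bytes([1, 3, 6, 15, 119, 252]), b"test-client")
    print(dhcp_fingerprint(pkt), "->", classify_dhcp(pkt))
    print(classify_user_agent("Mozilla/5.0 (Linux; Android 13; Pixel 7)"))
```

Both fingerprints are self-reported by the client, which is why the notes list them alongside posture and authentication rather than instead of them: a NAC uses them to choose a policy for an unknown device, not as proof of identity.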
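The posture, AAA authorization and RADIUS CoA notes above describe one chain of events: authorization combines user type, device type, time of day and posture into a set of permissions, and when the posture result changes the NAC must push the new permissions to the AP or controller without waiting for the user to log out. The following Python is an added example written for these notes (not from the CWNA study guide or any NAC product) that ties the three together: a small authorization function producing a Filter-Id role, and the RFC 5176 CoA-Request/ACK/NAK packet construction and authenticator checks that carry that role to the NAS. The role names, the authorization rules and the shared secret are constructed assumptions; the packet codes, attribute numbers and authenticator formulas are from RFC 2865, RFC 2866 and RFC 5176.

```python
"""Posture-driven authorization change delivered as a RADIUS CoA-Request (RFC 5176); constructed example."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute type numbers from RFC 2865 / RFC 2866 / RFC 5176.
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_FILTER_ID = 1, 4, 11
ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 44, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 Error-Cause value

Attrs = List[Tuple[int, bytes]]


def authorize(user_type: str, device_type: str, posture_ok: bool, hour: int) -> str:
    """Map authorization inputs (user type, device type, posture, time of day) to a Filter-Id role.
    Role names and rules are constructed for this example."""
    if not posture_ok:
        return "quarantine-remediation"     # unhealthy device: remediation servers only
    if user_type == "admin" and device_type == "computer":
        return "full-access"
    if device_type in ("smartphone", "tablet"):
        return "byod-limited"               # same person, personal device, fewer rights
    if user_type in ("admin", "help-desk", "staff") and 7 <= hour < 19:
        return "staff-access"
    return "internet-only"


def encode_attrs(attrs: Attrs) -> bytes:
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> Attrs:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_coa_request(identifier: int, attrs: Attrs, secret: bytes) -> bytes:
    """CoA-Request: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS (AP/controller) checks before acting on a CoA-Request."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(code: int, request: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def error_cause(code: int) -> bytes:
    return struct.pack("!I", code)


def coa_for_posture_change(user: str, session_id: str, nas_ip: str, role: str,
                           secret: bytes, identifier: Optional[int] = None) -> bytes:
    """The CoA-Request a NAC server sends when a live session's authorization changes."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    attrs = [
        (ATTR_USER_NAME, user.encode()),                            # session identification
        (ATTR_ACCT_SESSION_ID, session_id.encode()),                # from RADIUS accounting
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_FILTER_ID, role.encode()),                            # the new authorization
    ]
    return build_coa_request(identifier, attrs, secret)
```

The Acct-Session-Id comes from RADIUS accounting, which is why the notes mention accounting in the same breath as CoA: without an accounting record of the session, the NAC has nothing to name in the request and the NAS answers with a CoA-NAK carrying Error-Cause 503 (Session Context Not Found). Real deployments also add a Message-Authenticator attribute; it is left out here to keep the authenticator arithmetic visible.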
