The BYOD Thread

Discussion in 'Business & Enterprise Computing' started by PabloEscobar, Mar 1, 2012.

  1. RaZ

    RaZ Member

    Joined:
    Aug 6, 2001
    Messages:
    307
    Location:
    Melbourne
    Not a design issue - use at own risk
    Could ask the same with any 3G connection or wifi connection you might use in the city or your house?

    As I understand it - yes that will be the case - use at own risk. Networks are very well setup with a shit load of firewalls controlling everything. Put it this way - I have worked for NAB wholesale and retail... retail's network was insane... this one here is even better! :) Not bad for RMIT.

    In general - the BYOD is never supported by internal IT, and that will be the case here as well. Currently users connect to a wireless network anyway to access set functions like printing and internet.

    Of course the only diff here is that those same people can download and install the Citrix client, then be able to access a VDI with a volatile hard disk so anything they setup is destroyed when they log out ;) Plus also access streamed applications and XenApp.
     
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,185
    Location:
    Canberra
    How frequently are you pen-tested?

    Claiming a shitload of firewalls means nothing without regular, independent testing.
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    @Raz - your deployment does not really fit the definition of BYOD that we have used for most of this thread.

    You are just offering some services to a wild network.

    If we were looking at BYOD in my workplace, and we were providing the network, there is no way it would be a Use at your own risk type setup.
     
  4. geniesis

    geniesis Member

    Joined:
    Aug 27, 2007
    Messages:
    190
    I would probably enable client isolation on the wireless network to stop wireless users from being able to attack other users directly.

    I assume that you would have your VDI setup in a dedicated VLAN/cloud and then your actual line of business apps are in a separate VLAN with a firewall and possibly an IPS between the two VLANs providing some security.

    What would you do if a BYOD device was infected with a worm and started spreading in your wireless network to other BYOD users? How do you stop your network, from an RMIT perspective, from being a massive spam source or DDoS source?

    The biggest threat is when your IP ranges get blacklisted because you're seen as a spam source or DDoS source. This would cause a lot of headaches for your legitimate traffic. Just wait till marketing yell saying they can't send their promos.
     
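One way to spot the spam-source and worm-spreading behaviour geniesis describes, as an added example that is not from this thread or from any vendor: a small Python fan-out detector run over constructed flow records. The `src dst proto dport` record format, the 10.50.0.0/16 BYOD subnet and both thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# The wireless BYOD subnet and both thresholds are assumptions for this example.
BYOD_SUBNET = ipaddress.ip_network("10.50.0.0/16")
SMTP_FANOUT_THRESHOLD = 5      # distinct external SMTP peers before a client looks like a spam source
LATERAL_FANOUT_THRESHOLD = 20  # distinct BYOD peers on one port before a client looks like a scanning worm

def parse_flow(line):
    """Parse one constructed 'src dst proto dport' flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                parts[2].lower(), int(parts[3]))
    except ValueError:
        return None

def flag_abusive_clients(log_text):
    """Return {src_ip: [reasons]} for BYOD clients behaving like a spam source or a scanning worm."""
    smtp_peers = defaultdict(set)       # src -> external SMTP destinations
    lateral_peers = defaultdict(set)    # (src, proto, dport) -> BYOD destinations
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if src not in BYOD_SUBNET:
            continue  # only wireless clients are in scope
        if proto == "tcp" and dport == 25 and dst not in BYOD_SUBNET:
            smtp_peers[src].add(dst)
        elif dst in BYOD_SUBNET and dst != src:
            lateral_peers[(src, proto, dport)].add(dst)
    flagged = defaultdict(list)
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            flagged[str(src)].append(f"smtp fan-out to {len(peers)} external hosts")
    for (src, proto, dport), peers in lateral_peers.items():
        if len(peers) >= LATERAL_FANOUT_THRESHOLD:
            flagged[str(src)].append(f"lateral fan-out to {len(peers)} BYOD hosts on {proto}/{dport}")
    return dict(flagged)

def build_sample_log():
    """Constructed flow records: one spammer, one scanning worm, one benign client, one bad line."""
    lines = [f"10.50.1.23 203.0.113.{i} tcp 25" for i in range(1, 7)]    # 6 external SMTP peers
    lines += [f"10.50.2.7 10.50.4.{i} tcp 445" for i in range(1, 26)]     # 25 BYOD SMB peers
    lines += ["10.50.3.9 198.51.100.5 tcp 443"] * 2 + ["malformed line"]
    return "\n".join(lines)
```

Calling `flag_abusive_clients(build_sample_log())` flags the SMTP spammer and the SMB scanner and leaves the HTTPS client alone; in practice the same counters would feed a quarantine VLAN or a firewall block rather than just a report.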
  5. MrvNDMrtN

    MrvNDMrtN Member

    Joined:
    Dec 24, 2001
    Messages:
    1,355
    Location:
    SW Syd
    There's a new challenge now...

    BYOD Apple devices... MBP... iPad/iPhone... Apple TV.

    Wanting to do presentations via Apple TV wireless.

    Think about routing/switching/multicasting/security.. the whole shebang.
     
  6. geniesis

    geniesis Member

    Joined:
    Aug 27, 2007
    Messages:
    190
    Very true.

    I believe wireless vendors are now coming up with some solutions such as Bonjour proxying. Aerohive having Bonjour Gateway and Aruba with AirGroup.

    AirGroup looks to have some good promise with the ability for self-reg so users can authorize devices themselves.

    So it's possible, but still very new and not all vendors have got it covered yet... AFAIK, Cisco doesn't have something in this area yet. Not to mention having to upgrade your wireless system if you don't have that respective vendor.

    Creating a whole multicast network is something not many network engineers have got great experience with. IGMP, PIM, RP, and other multicast concepts are still very foreign to the average network engineer. It's not something most companies/networks have actually implemented. Let alone attempting to secure the whole thing for BYOD.
     
  7. RaZ

    RaZ Member

    Joined:
    Aug 6, 2001
    Messages:
    307
    Location:
    Melbourne
    Currently being trialed in two classrooms... oh, not Apple TV as such... but using big LCDs around a classroom, and the teacher can drag a window from a pad to any of the screens, which are of course network connected. I don't know the full setup but it works great :) Wish I could create an app for it ;) would make killer amounts of cash lol. As far as I know, when you drag the app to the top of the pad screen you get little boxes, coloured so you know which screen is which; you drag the window to the box and it puts up on the TV screen. The amount of uses this has not only in teaching but in the private sector... man - I wish I could code!

    BYOD to me, is all about letting users use whatever they like to connect to set resources, BUT, because it's BYOD you have to control how they access those resources and also define what resources BYOD can and cannot use. Personal security on each of those devices is up to each owner. Network security and where those BYODs can get to, again comes down to the usage of those devices and what resources you allow them to use.

    Using Citrix to deliver the app by means of either streaming to a XenApp server and then published or by the users connecting to a locked down VDI environment to access both applications and resources such as internet and printing is really not that big of a problem. More so with controlled VLANs, and physical switch security splitting the networks, eg: if I want to be on a set subnet, I need to repatch my patch point.

    As for wireless security - I am not entirely sure as I am just doing the Citrix side of the project, HP will be designing the wireless network end to end, so I would hope they take AV running wild and people wanting to try hacks into account ;)

    But this solution is all internal - no remote access outside of the building. Trial to one building first, 100% wireless delivery. So yes in a way you could say it's offering services to a wild network, but that is why I say above that BYOD needs to have control as to what they can access and what they use it for. Creating a wireless network and having it a part of your normal trusted internal network with no other access controls for those wireless devices, is, IMO, very silly :) hence all the security concerns talked about here in this thread. I think BYOD works best when they can use remote access services like Citrix Gateway or Web Interface, internally so it's fast for set functions and that those functions are well defined. :cool:
     
    Last edited: Apr 17, 2012
  8. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    11,232
    Location:
    Brisbane
    Breaking my 5 month hiatus on ocau to chip in here (You last visited: 10th December 2011 at 3:56 PM) :paranoid:

    The way I see it, the issue is that the users want everything. They want total control of their machine, they want to use their own machine, and they want everything cheaper.

    Major problem being that they're taking and not giving. If they want to bring in their own machine, concessions need to be made somewhere in order to maintain the company's security.

    I still believe VMs are approaching a good balance of security and convenience support-wise; the real issue of course is securing the data on the VM. Can you encrypt the contents of a VHD?

    Assuming you can, at least then you can expose a lot of your machine's resources to the VM.

    Reading stuff like this makes you wonder though if we're screwed anyway :p
     
    Last edited: Apr 17, 2012
  9. Chaffe

    Chaffe Member

    Joined:
    Aug 6, 2010
    Messages:
    1,456
    Location:
    Shitney
    Well I will admit I have no experience in IT and will never really need to know any of the stuff mentioned in this thread but I certainly have found it quite an interesting read.

    One crazy idea/thought (so feel free to ignore it). What about a dual boot on BYOD devices. The company boot volume and data being completely encrypted and the user not having any administrator rights whilst using the company boot volume. Probably a pain in the ass to setup I'd imagine.
     
  10. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    11,232
    Location:
    Brisbane
    This is the approach I had thought of in the past as getting around it too. You still have the issue of data leakage though, unless you can encrypt hard disks on a partition level.
    I.e. customer's personal OS install gets a virus. User boots into that environment, inputs the key to unlock the HDD and now the virus can go to town.
    Also brings up the issue of maintaining SOEs for various machines.

    Found this interesting:
    BYOD: If You Think You're Saving Money, Think Again
     
  11. novakain

    novakain Member

    Joined:
    Mar 18, 2004
    Messages:
    33
    This is pretty much the request that would come from the end users. And for some reason, many IT departments seem to interpret this request verbatim. This does not mean that the end solution needs to be exactly what the customer asks for.

    As people have already pointed out, and as you are fully aware, such a move is fraught with security risks many organisations would find unacceptable if they were fully investigated. Those same organisations, however, would still want to implement a BYOD policy. And for these organisations, simply treating these devices as hostile, setting them up on the guest network, and publishing those apps that users require to do 'work' in the same way that they are published for remote use via a regular internet connection at home, can be a viable solution. All of the security risks may have been addressed by mitigation through technology, work process, or simply by being identified as an acceptable risk based on the company's security policy.

    For example, as part of a security policy, data should be assigned a classification level. Each classification level should have clearly identified data handling methods (how it should be stored, how access to it should be logged etc.). If staff in the organisation need to access highly classified data, which is to be accessed only on computers that have no access to the internet, well, those BYODs that need to access this data would need to be locked down and administered in the same manner as corporate computers that access the same data (ie be kept on-site and never connected to the internet). If the users want to use their devices at home to connect to the internet as well, then those BYODs would need to be treated as devices that are connected to an unfettered internet connection, and as such, would never access that sensitive data.

    It all depends on the organisation - there is no cookie-cutter solution here. What is acceptable for one organisation is completely unacceptable for another. The best thing you can do if you're a big business is have a good security policy in place (and signed off by management!), with effective data management processes attached to it. Identify what management wants BYODs to do, and implement them based on your security policy. If they insist on doing things with BYODs that are in breach of your security policy, document it as a breach, and get management to sign off on it as such every time security is audited. It's up to them to determine if it's an acceptable risk or not.
     