
Managing Mobile Broadband Fleet

Discussion in 'Business & Enterprise Computing' started by Dark_Falcon, May 24, 2010.

  1. Dark_Falcon

    Dark_Falcon Member

    Joined:
    Mar 22, 2005
    Messages:
    65
    Location:
    Muswelbrook NSW
    The asset I work for now has over 20 Telstra mobile broadband services which are either assigned to specific users or used as loan devices when users are travelling or need to work from home.

    Whilst our normal internet use runs through an enterprise-level (out of our control) proxy, these wireless devices allow completely unmanaged and, to my knowledge, unrecorded access to the internet.

    Does anyone else out there manage a similar fleet and what, if any, controls do you have in place? I expect this will be near impossible but thought it was worth the question.
     
  2. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    I guess the question is, do you care what they do with their mobile phone? For us, we don't... as long as they don't go over their quota, there's no issue.

    Device management is an issue though; more iPhones and iPads and whatever other devices come along worry me. BlackBerries we can at least push apps out to, but the iPhone is a lot more manual. We could put the restrictions on each time we receive a new iPhone, but then how do you change them without getting the device back?

    I don't know if you can force all 3G data to go via your proxy servers for authentication easily, but it's going to be device dependent too.
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    We don't care what they do with phones, but we do care what they do with their company-issue laptops. Browsing through a normal 3G dongle would mean that traffic wouldn't be filtered through our proxy, meaning the only line of defense is the desktop antivirus.

    We have several 3G dongles that connect straight into our mwan; all other users need to connect via VPN and browse through the proxy (proxy set via GPO, and not user editable).
     
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,659
    Location:
    Brisbane
    Telstra offer Next G cards that connect directly into your Cloud (as opposed to the web) if you have managed comm services with them.
     
  5. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    Oh yeah, had mobile phones on the brain, good point.

    Our Messagelabs filtering does have the option of forcing remote users to go via the proxy regardless of how they're connecting, but I haven't actually tested it.
     
  6. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Don't mess with the USB dongles trying to redirect them through your proxy or whowhatzit. Waste of time. What's stopping them taking the laptop to any old internet connection and having unfettered internet access? E.g. they plug it in at home, hook up to a free wifi point at ShmuckBucks, use another non-corporate dongle, hook it up to their phone etc.

    IMHO your best course of action is to harden the laptop itself and minimize points of attack.
    Enforce Windows updates, enforce AV with updates (possibly something with a built-in 'firewall'). Make sure these things check in periodically to a remote server (e.g. McAfee had a product called 'yourasap' that was web monitored).

    Lastly, if you can, lock the user down to a non-admin account where they can't execute something that takes over the machine.

    Now you can firewall their corporate LAN access to mail servers and application servers only (on specific ports only) and treat them like a "medium risk" that's below the internet but above your internal workstations. You can limit this access via specific ports on your LAN or via VPN.

    My 0.02.
     
  7. joyufat

    joyufat Member

    Joined:
    Jun 27, 2001
    Messages:
    1,015
    Location:
    Moral High Ground
    You can force their computers to go through something like Zscaler to always enforce policy. But I think it's too much - let your users live a little!
     
  8. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    Give them a VM to run on their PC that they can go crazy with :)
     
  9. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    Isn't that what their personal computers are for?
     
  10. FoderMe

    FoderMe Member

    Joined:
    Jul 22, 2001
    Messages:
    2,683
    Location:
    Melb
    This. Or at least something similar.

    My work-provided Telstra Next G has had normal internet disabled from Telstra's side and will only allow me to connect via an extranet, which of course had a proxy for all internet traffic.
     
  11. Ding.Chavez

    Ding.Chavez Member

    Joined:
    Jul 27, 2001
    Messages:
    423
    Location:
    Sydney
    GPO their IE to have a .pac file from webguard.com.au and lock down the Internet Connections > LAN settings tab so they can't change it.

    When they browse they will always go via a web based proxy which authenticates with a RADIUS server at work.

    easy
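
A proxy auto-config file of the kind the post above describes, as an added example that is not part of the original post and not the hosted service's own file. The proxy host, port and internal DNS suffix are constructed placeholders, and `hostsGoingDirect` is a hypothetical audit helper; the point shown is that the external branch returns the proxy with no `DIRECT` fallback, so browsing fails closed when the proxy is unreachable.

```javascript
// Constructed placeholders: substitute the real proxy and internal DNS suffix.
var PROXY = "PROXY proxy.example.invalid:8080";
var INTERNAL_SUFFIX = ".corp.example.invalid"; // leading dot forces a label boundary

// Browsers supply these PAC built-ins. The shims below exist only so the file
// can be exercised under Node and are skipped inside a real PAC engine.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback never needs the proxy.
  if (host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }

  // Internal names resolve only on the LAN or over the VPN, so send them direct.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }

  // Everything else goes to the filtering proxy. Returning "PROXY ...; DIRECT"
  // here would let traffic bypass filtering whenever the proxy cannot be reached.
  return PROXY;
}

// Hypothetical audit helper: given sample hostnames, list those that the PAC
// logic would allow to bypass the proxy.
function hostsGoingDirect(hosts) {
  var direct = [];
  for (var i = 0; i < hosts.length; i++) {
    var result = FindProxyForURL("http://" + hosts[i] + "/", hosts[i]);
    if (result.indexOf("DIRECT") !== -1) {
      direct.push(hosts[i]);
    }
  }
  return direct;
}
```

A PAC file only steers applications that honour the system proxy settings, so it complements rather than replaces the laptop hardening suggested earlier in the thread.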
     
  12. joyufat

    joyufat Member

    Joined:
    Jun 27, 2001
    Messages:
    1,015
    Location:
    Moral High Ground
    I don't think it's reasonable to expect a perfect separation of work and personal life. When I'm at home I don't necessarily stop thinking about systems and networks, and when I'm at work I don't stop thinking about personal stuff.

    If I want to use my work computer to make a deposit through online banking, go find directions for a trip I'm taking, check my personal email, etc etc, it shouldn't matter to my employer unless it interferes with my job or places a noticeable burden on IT resources.

    I believe in hiring smart people and trusting them to use their judgement... but this philosophical stuff is getting off-topic from Dark_Falcon's post so I'll behave. :D
     
  13. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Just get your own APN and make all traffic from the phones go via ya proxy.

    /this ain't cheap.
     
  14. Lukenet

    Lukenet Member

    Joined:
    Oct 4, 2002
    Messages:
    535
    Location:
    Brisbane
    I think a few people have indicated here in different ways that Telstra have a product that will do what you want seamlessly.

    From what my account manager told me it allows you to run all of your Telstra internet connections via an always on VPN that they set up inside their cloud/network.

    It "Auto authenticates" users via their existing protocols to allow you to have a wide area virtual network using their infrastructure. So your network is spread to your own bubble that is inside of their cloud/network.

    It's kind of cool, but it is pricey. It will do what you want and allows you to drive all traffic via your selected gateway, plus a whole lot more.

    I think I started too early on the beers tonight.. Go QLD
     
    Last edited: May 26, 2010
  15. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,820
    Location:
    NSW
    Well, this all depends on their policies around it. From the sounds of it, the policy that Dark_Falcon is trying to enforce is more based around security (i.e. virus/malware/phishing filtering) than blocking access to all but approved sites.
     
  16. FoderMe

    FoderMe Member

    Joined:
    Jul 22, 2001
    Messages:
    2,683
    Location:
    Melb
    Yeah, I'm not sure of exact figures, but it's something along the lines of $300-ish a month per unit additional to whatever business data plan they're on.
     
  17. crazyelf

    crazyelf Member

    Joined:
    Mar 15, 2005
    Messages:
    32
    Location:
    Sydney
    What about:

    Set up a free OpenDNS account, or add changes to an existing one.
    Install OpenDNS Updater (or whatever they call it) on the remote laptops (because of Dynamic Public IPs).
    Force the DNS Server on the laptops to be the OpenDNS one (static). Keep other network connection settings the same.
    From within OpenDNS you can choose what's acceptable and what's not. When you apply your filtering settings, any request from those laptops would be filtered.

    I've done that before with a bunch of 20 laptops and it worked quite well. If that's too hard then maybe a HOSTS file on each laptop could be another way of doing it.
     
  18. rosen

    rosen Member

    Joined:
    Mar 25, 2002
    Messages:
    354
    Location:
    Brisbane
    The most expensive part is you have to have a Telstra SHDSL/Fibre connection, and of course Telstra wants mega $$$$ for this compared to what other carriers can provide :(
     
  19. CordlezToaster

    CordlezToaster Member

    Joined:
    Nov 3, 2006
    Messages:
    4,083
    Location:
    Melbourne
    Sophos allows some control.

    Also take a look at your proxy/firewall; there may be a client which will sync with mobile users to enforce access.
     
  20. Nikoy

    Nikoy Member

    Joined:
    Mar 10, 2004
    Messages:
    2,972
    Location:
    Perth WA
    We do this not because of security but for ease of use for our technically challenged users.
     
