Managing the BYOD Chaos with Network and Security Information Monitoring and Management
June 29, 2012
By Sanjay Castelino, VP, Market Leader Network Management Business at SolarWinds
Enterprise computing, as we know it, is facing a dimensional shift with the widespread diffusion of the BYOD (Bring Your Own Device) phenomenon. BYOD is the latest trend where employees bring their personally-owned mobile devices, smartphones and tablets to their place of work, and make use of the corporate network for work purposes such as accessing files, mail servers, and databases.
While this may be a real boon to employees, making their work environment more employee-friendly and personalized, IT organizations will face challenges in terms of:
- protecting secure data
- beefing up IT infrastructure security
- regulating the usage of increasing IP-enabled devices
- monitoring Wi-Fi access points and user logon
- keeping a check on the bandwidth consumption
- strengthening Wi-Fi connectivity and security
- revamping enterprise IT policy to make provision for the BYOD and Mobile Device Management
As the number of non-enterprise devices on the network increases, so too will the number of switches, ports and Wi-Fi access points you need to monitor. Additionally, there exists the potential for chaos with IP address provisioning and management, and an increase in the number of users and devices that we need to identify and track on the network.
All this points to the fact that a BYOD explosion is in the offing, and managing the Wi-Fi-enabled devices while leveraging their benefits is going to be an enterprise challenge. However, this can be a win-win situation for both the company and the employees if the situation is properly managed with the right tools. While employees can consolidate hardware, have improved connectivity, and work with more user-friendly personal devices and functional interfaces than were available with some corporate applications, enterprises can benefit from potentially lower hardware and support costs and improved employee productivity.
This article will focus on a number of areas for managing potential BYOD chaos: Network Traffic Analysis, IP infrastructure management, user device tracking & switch port monitoring, and security information event management.
Network traffic capacity and usage in a BYOD world is an important consideration for the IT organization. Let’s face it, you’re never going to eliminate personal use of network resources, and this becomes even more of an issue with the increasing number of personal devices. You can, however, minimize the impact by analyzing traffic using flow analysis and managing your Quality of Service (QoS) policies. Before you see degradation in network performance or increase your bandwidth, you will want to ensure that increases in network traffic are work related and that your business critical apps continue to take priority over personal device usage.
Most routers today have the ability to generate flow-based information (Cisco® NetFlow, Juniper® J-Flow, sFlow®, Huawei NetStream™ and IPFIX) that can be used to understand who and what are generating network traffic and how the bandwidth is being used. By analyzing traffic patterns over months, days, or minutes, you can determine the impact of personal devices on your network bandwidth.
As you allow more and more personal devices on your network and get a better understanding of just how the network is being used, you may decide to implement QoS policies to ensure that the network needs of your business critical apps get priority over personal devices. This can be accomplished by quantifying the bandwidth consumption of users, protocols, and applications; by viewing network traffic by class of service; and by measuring the effectiveness of your QoS policies pre and post QoS implementation.
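The flow-based analysis described above, as an added example that is not part of the original article: it aggregates constructed NetFlow-style records by source host and by traffic class, and reports the share of bandwidth that is not business-critical, which is the figure you would use to decide whether a QoS policy is warranted. The classification rule (corporate subnet plus known application port) is an assumption for illustration.

```python
from collections import defaultdict

# Constructed flow records in a simplified NetFlow v5-style shape:
# (src_ip, dst_ip, dst_port, protocol, bytes). Not captured from a real network.
FLOWS = [
    ("10.1.20.15", "10.1.5.10", 443, "tcp", 1_200_000),      # corporate web app
    ("10.1.20.15", "10.1.5.20", 1433, "tcp", 800_000),       # corporate SQL server
    ("10.1.30.77", "203.0.113.9", 443, "tcp", 9_500_000),    # personal device, external
    ("10.1.30.77", "203.0.113.9", 443, "tcp", 6_000_000),
    ("10.1.30.81", "198.51.100.4", 1935, "tcp", 4_000_000),  # video streaming
    ("10.1.20.22", "10.1.5.10", 443, "tcp", 300_000),
]

# Assumed classification rule: business-critical traffic is anything destined
# to the corporate server subnet on a known application port.
BUSINESS_PORTS = {443: "https", 1433: "mssql"}
CORP_NET = "10.1.5."

def classify(flow):
    _src, dst, port, _proto, _nbytes = flow
    if dst.startswith(CORP_NET) and port in BUSINESS_PORTS:
        return "business:" + BUSINESS_PORTS[port]
    return "personal/other"

def bytes_by(flows, key):
    """Aggregate bytes per source host (key='src') or per traffic class (key='class')."""
    totals = defaultdict(int)
    for flow in flows:
        k = flow[0] if key == "src" else classify(flow)
        totals[k] += flow[4]
    return dict(totals)

def top_talkers(flows, n=3):
    """Hosts generating the most traffic, highest first."""
    return sorted(bytes_by(flows, "src").items(), key=lambda kv: -kv[1])[:n]

def personal_share(flows):
    """Fraction of all bytes that is not business-critical."""
    by_class = bytes_by(flows, "class")
    total = sum(by_class.values())
    return by_class.get("personal/other", 0) / total if total else 0.0

def qos_recommended(flows, threshold=0.5):
    """True when personal traffic exceeds the threshold share, i.e. when a QoS
    policy prioritising business apps is worth implementing and then re-measuring."""
    return personal_share(flows) > threshold
```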
With the growing number of BYOD devices on the network, and given the dynamic allocation (and hence consumption) of IP addresses, IT professionals need the ability to manage their IP infrastructure. This includes IP address management, and DHCP/DNS management and monitoring. Without real-time monitoring and management capabilities, keeping track of that infrastructure becomes increasingly difficult.
Allocating, recycling, and documenting IP addresses and subnets in a network can get confusing very quickly if you have not laid out an IP addressing plan. A sound plan will help you prepare the network to support the increased demand for IP addresses as a result of BYOD through the avoidance of overlapping or duplicate subnets, duplicate IP address assignments, and wasted IP address space. There are a number of free and commercially available products in the market that will help you plan your IP address space accordingly.
It is critical to know exactly how your IP space is being used. Addresses will typically fall into one of four categories: Available, Reserved, Used, or Transient. Again, without some kind of regular monitoring, it will always be difficult to see how your IP addresses are allocated. Only when this information is readily available can you justify allocating new IP addresses or reallocating the available ones, and identify non-responsive IP addresses to optimize IP allocations.
Look for the ability to track addresses and see how certain properties have changed over time. This is especially useful for forensic analysis when issues arise, as well as for auditing.
Too many IP addresses dynamically being assigned can sometimes lead to IP address conflicts, which result in downtime and lost productivity. By performing regular IP address scans, you can ensure that your IP address space is always updated with the IP address and MAC address assignment data.
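The four address categories and the conflict check from the paragraphs above, as an added example that is not part of the original article: it classifies every host address of a subnet from a series of constructed ARP scan results (an address seen in an earlier scan but not the latest is treated as Transient) and flags any IP that answered from two different MAC addresses in one scan, which is what a duplicate assignment looks like on the wire. The reserved set and the scan data are assumptions.

```python
import ipaddress

# Constructed scan results, oldest first: each scan is a list of (ip, mac) ARP
# responses. In the second scan 10.1.30.12 answers from two MACs (a conflict).
SCANS = [
    [("10.1.30.10", "aa:bb:cc:00:00:10"), ("10.1.30.11", "aa:bb:cc:00:00:11"),
     ("10.1.30.12", "aa:bb:cc:00:00:12")],
    [("10.1.30.10", "aa:bb:cc:00:00:10"), ("10.1.30.12", "aa:bb:cc:00:00:12"),
     ("10.1.30.12", "aa:bb:cc:00:00:99"), ("10.1.30.13", "aa:bb:cc:00:00:13")],
]
RESERVED = {"10.1.30.1", "10.1.30.2"}   # assumed static: gateway and printer
SUBNET = "10.1.30.0/28"

def conflicts(scan):
    """IPs that answered from more than one MAC within a single scan."""
    macs_by_ip = {}
    for ip, mac in scan:
        macs_by_ip.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}

def classify_subnet(subnet, scans, reserved):
    """Assign each host address in the subnet one of the four IPAM categories."""
    latest = {ip for ip, _ in scans[-1]}
    earlier = {ip for scan in scans[:-1] for ip, _ in scan}
    status = {}
    for addr in ipaddress.ip_network(subnet).hosts():
        ip = str(addr)
        if ip in reserved:
            status[ip] = "Reserved"
        elif ip in latest:
            status[ip] = "Used"
        elif ip in earlier:
            status[ip] = "Transient"   # seen recently, not responding now
        else:
            status[ip] = "Available"
    return status

def summary(status):
    """Count of addresses per category, the figure an IP space report shows."""
    counts = {}
    for category in status.values():
        counts[category] = counts.get(category, 0) + 1
    return counts
```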
The ability to create and share customized IP space reports is especially useful when you are part of a multi-person IT organization. If using automated tools, you will want to look for a solution that provides out-of-the-box reports that are customizable, so you don’t need extensive SQL knowledge.
Your DHCP and DNS servers are at the core of your IP infrastructure. The DHCP server eliminates the manual task of assigning IP addresses to connected devices while providing a central database of devices and eliminating duplicate resource assignment. DHCP management tools allow you to create scopes as well as add additional parameters such as subnet masks, address lease time, default gateway, and DNS servers. If not properly configured, you run the risk of not being able to assign IP addresses to network devices, clients receiving duplicate IPs, an inability to reach external networks, an inability to use the Internet with domain names, or many other issues.
Your DNS server translates the human-readable domain names and hostnames into the corresponding numeric IP address. In most typical configurations the DNS server is configured as part of the DHCP pool. Again, a misconfigured DHCP or DNS server will result in the inability to access the Internet using domain names.
By tightly integrating IP address management with DHCP/DNS management and monitoring, you get better manageability of your IP infrastructure through a unified global view. This will result in improved network security, decreased network downtime due to IP address conflicts, increased efficiency by eliminating duplicate efforts in IP administration, and improved regulatory compliance through historical tracking and event recording of all IP-related activities.
BYOD clearly increases the number of devices and users connecting to your network, resulting in both increased security risks and additional capacity burden on switch ports and wireless access points. This, in turn, increases the need for a method to track those users and devices and manage switch port capacity. For the purpose of this article, we will refer to this as User Device Tracking and Switch Port Monitoring. Effective user device tracking and switch port monitoring can provide a wealth of information:
- Where (which switch port) a user is connected to the network
- Where a device is currently or was previously connected to the network by just knowing its IP or MAC address
- Which user connected the device on the network
- Historical data on when and where the device was connected, and who used it
- Switch capacity
- Information on individual ports per switch
Locating Users and Devices the Hard Way
To search for a device on your network you will need to telnet to your switch or router, look at the ARP table if searching by IP address or the CAM table if searching for the MAC address. Of course, this approach presumes that you know the switch or router that the device is connected to. If you do not know the switch or router, then you would need to connect to each switch until you find the device you are looking for. This approach is valid only for devices that have a current connection. If the device has been disconnected from the network, then you lose any connection history.
Automated tools allow you to search for a device by user name, MAC address, IP address or hostname. Once the device has been located on the network, you can determine the switch, port, and VLAN the device is connected to in order to get its location. Once this information is obtained, you can isolate or shut down the port that the suspected device is on. As the number of devices on your network increases, you can see how the manual approach described above quickly becomes a very time-consuming and tedious process.
Some automated tools also provide a more proactive method to keep an eye out for specific devices by creating a watch list. These tools will automatically scan your network for the “watched” device and generate an alert when it connects to the network. Once they are located, you will, again, be able to determine the switch, port, or VLAN and take appropriate action.
Ideally, you will want the ability to historically track configuration details and historical data pertaining to the port. Details that you will want to track include port name, port number, and VLAN, along with a complete history of devices that have been attached to the port. This will give you the ability to track the last known location of a device or user if it is no longer connected to the network.
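The automated equivalent of the ARP/CAM lookup described in the preceding paragraphs, as an added example that is not part of the original article: it parses constructed, simplified Cisco-style `show ip arp` and `show mac address-table` output, correlates IP to MAC to switch/port/VLAN, and keeps a sighting history so that a device which has since disconnected still has a last-known location. The switch names, table contents and column layout are assumptions.

```python
import re

# Constructed, simplified outputs (Cisco-style columns), not real device output.
# ARP rows: "Internet <ip> <age> <mac> ARPA <interface>"
# CAM rows: "<vlan> <mac> DYNAMIC <port>"
ARP_TABLE = """
Internet  10.1.30.10   5   aabb.cc00.0010  ARPA   Vlan30
Internet  10.1.30.11   0   aabb.cc00.0011  ARPA   Vlan30
"""
CAM_TABLES = {
    "sw-floor2": "  30    aabb.cc00.0010    DYNAMIC     Gi1/0/12\n",
    "sw-floor3": "  30    aabb.cc00.0011    DYNAMIC     Gi1/0/7\n",
}
ARP_RE = re.compile(r"Internet\s+(\S+)\s+\S+\s+([0-9a-f.]+)\s+ARPA")
CAM_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f.]+)\s+\S+\s+(\S+)", re.M)

def parse_arp(text):
    """IP -> MAC from the router/L3 switch ARP table."""
    return {ip: mac for ip, mac in ARP_RE.findall(text)}

def parse_cam(switch, text):
    """MAC -> (switch, port, vlan) from one switch's MAC address table."""
    return {mac: (switch, port, int(vlan)) for vlan, mac, port in CAM_RE.findall(text)}

class DeviceTracker:
    """Correlates ARP (IP->MAC) with CAM (MAC->switch/port/VLAN) across switches
    and records every sighting, so the history answers 'where was it' too."""
    def __init__(self):
        self.arp = {}        # ip -> mac, most recent mapping wins
        self.history = {}    # mac -> [(poll_ts, switch, port, vlan), ...]

    def poll(self, ts, arp_text, cam_texts):
        self.arp.update(parse_arp(arp_text))
        for switch, text in cam_texts.items():
            for mac, (sw, port, vlan) in parse_cam(switch, text).items():
                self.history.setdefault(mac, []).append((ts, sw, port, vlan))

    def locate(self, query):
        """Accepts an IP or a MAC; returns the latest sighting, or None if never seen."""
        mac = self.arp.get(query, query)
        sightings = self.history.get(mac)
        return sightings[-1] if sightings else None
```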
With the increasing number of devices on your network, you place additional burden on your switches and wireless access points. As a result, you need to understand the status, performance and capacity of your switches and their ports.
The first step in proactively monitoring your switch ports is to map your current switches. By mapping your switches, you can see exactly which ports are in use on any given switch.
Once the ports are mapped, you will want to begin monitoring them, preferably in real time. Monitoring your switches and ports will allow you to see key performance indicators such as ports used, CPU load, memory used and more, so you can identify potential problems before they arise.
While a BYOD policy may make your employees happier and possibly more proactive, it also introduces significant new risks to your network security. According to Gartner, enterprises are aware of only 80% of the devices on their network. The remaining 20% of unknown devices are inside the perimeter of the network, are unmanaged, and provide users with access. They are small, varied and highly mobile; they are loaded with their own applications, can act as WAPs, and often contain outdated firmware or are jailbroken. This can result in a significant increase in network compromises.
Security Information Event Management (SIEM) solutions can be used to monitor your network by collecting event logs from network devices, applications, and databases; automating the process of analyzing and correlating the data; and taking automated responses as a result of suspect or malicious activity introduced by personal devices.
Event logs are special files that record significant events within your IT environment and can be analyzed for operational or security purposes. Sources include routers, switches, firewalls, IDS and IPS, servers, anti-virus software, operating systems, databases, web servers, and more. These event logs contain a wealth of information that can be used for system management, security auditing, analysis and troubleshooting.
As you can imagine, the amount of event log data generated can grow quite rapidly, and it will become increasingly difficult, if not impossible, to manually analyze the log data. SIEM solutions eliminate the manual process by automatically analyzing and correlating the event log data across the IT environment to spot potential problem areas and enable you to understand relationships between seemingly unrelated activities, thus making troubleshooting quicker and easier.
Collection, analysis, and correlation of event log data are meaningless if you do not take some type of action in response to identified threats and issues. Automated actions such as blocking an IP address; creating, disabling, or deleting user accounts; detaching USB devices; killing processes; or restarting or shutting down machines are just a few examples of responses that can be taken to reduce the time your IT environment is at risk.
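A minimal version of the correlation-and-response logic the SIEM paragraphs describe, as an added example that is not part of the original article: it reads constructed syslog-style lines, ties a "new device on switch port" event whose MAC is not in the asset inventory to the authentication failures that follow from the same IP within a time window, and emits a proposed port-shutdown response for the operator or an approved automation hook to act on. The log format, inventory and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event lines in a syslog-like layout; not output from any real device.
LOGS = """
2012-06-29T09:00:01 sw-floor2 LINK: new MAC aabb.cc00.0099 on Gi1/0/12 vlan 30 ip 10.1.30.99
2012-06-29T09:00:20 fileserver AUTH: login failed user=jsmith src=10.1.30.99
2012-06-29T09:00:25 fileserver AUTH: login failed user=admin src=10.1.30.99
2012-06-29T09:00:31 fileserver AUTH: login failed user=root src=10.1.30.99
2012-06-29T09:01:02 fileserver AUTH: login failed user=jsmith src=10.1.20.15
"""
KNOWN_MACS = {"aabb.cc00.0010", "aabb.cc00.0011"}   # assumed asset inventory

LINK_RE = re.compile(r"^(\S+) (\S+) LINK: new MAC (\S+) on (\S+) vlan \d+ ip (\S+)")
FAIL_RE = re.compile(r"^(\S+) \S+ AUTH: login failed user=\S+ src=(\S+)")

def correlate(logs, known_macs, max_failures=3, window=timedelta(minutes=5)):
    """Link unknown-device link-up events to later auth failures from the same IP.
    Returns proposed responses rather than executing them: the decision to shut a
    port belongs to the operator or an explicitly approved automation hook."""
    unknown = {}                   # ip -> (first_seen, switch, port, mac)
    failures = defaultdict(list)   # ip -> [timestamp, ...]
    for line in logs.strip().splitlines():
        m = LINK_RE.match(line)
        if m:
            ts, switch, mac, port, ip = m.groups()
            if mac not in known_macs:
                unknown[ip] = (datetime.fromisoformat(ts), switch, port, mac)
            continue
        m = FAIL_RE.match(line)
        if m:
            failures[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    actions = []
    for ip, (seen, switch, port, mac) in unknown.items():
        recent = [t for t in failures[ip] if seen <= t <= seen + window]
        if len(recent) >= max_failures:
            actions.append({"action": "shutdown_port", "switch": switch, "port": port,
                            "mac": mac, "ip": ip, "failures": len(recent)})
    return actions
```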
The security policies you set will chart the guidelines and set out restrictions that govern the functionality and usage of employee-owned devices within the corporate network. These policies should define employee and device eligibility, access to network resources, management and provisioning, tracking and usage, and application management just to name a few. Make sure you understand the impact of both external and internal security requirements such as PCI, HIPAA, or SOX.
It’s also imperative to educate employees on the security aspects and the risks, threats and vulnerabilities faced with BYOD. Employees must be instructed on how to be extra cautious when using personal devices within the corporate network, how to safeguard credentials, and how these devices can become a gateway to launch malicious attacks on the organization’s secure data and IT assets.
It is important for organizations to ensure that the network is secure and can only be accessed by authorized users and devices. Authentication mechanisms need to be in place that can grant access to network resources such as secure data, servers, and databases based on user roles and permissions or device classes. Network Access Control (NAC) should be used to provide secure networking services to personal devices.
There is the likelihood that bandwidth consumption may increase if the BYOD devices are used for unofficial purposes such as streaming videos, music, and other personal stuff. It is critical to have the ability to analyze network traffic usage to see how bandwidth is being used and who is using it to identify potential bandwidth problems.
Implement Intelligent and Advanced Security Solutions
Incremental investment in security equipment and appliances should always be checked for ROI. Within affordable limits, and with the objective of improving productivity, companies should upgrade their physical security devices including IDS, IPS, firewalls, and VPNs.
Evaluate the need for a formal Mobile Device Management (MDM) solution. MDM solutions provide a common management platform for the multitude of device types, enhance device security, and can help monitor and enforce the security policies that you have defined. Make sure that the MDM solution that you evaluate supports multiple platforms, including Microsoft, iOS and Android at an absolute minimum.
Implement a Security Information and Event Management (SIEM) system to collect, monitor, analyze and correlate event log data in real-time to counter end-point security threats, support regulatory compliance, and protect against data loss.
At the end of the day, BYOD is progress towards mobilizing the enterprise and gaining higher employee productivity, but it needs to be well thought out before implementation. By creating and enforcing the right policy for your organization, monitoring usage and access, and implementing intelligent and advanced security solutions, BYOD can substantially benefit both businesses and employees in developing a better, more productive work environment.
Vice President and Market Leader, SolarWinds
Sanjay Castelino is a VP and Market Leader at SolarWinds, an IT management software provider based in Austin, Texas. Sanjay leads the company’s initiatives around its end-to-end IT solutions for network, SIEM, storage and virtualization management. He is responsible for our product strategy and go-to-market efforts in these markets.
Previously, Sanjay worked at NetStreams where he held the position of VP of marketing and business development, where he oversaw all marketing, product management and OEM business and strategic partnerships. He was also the VP of product marketing and management at Motive, where he helped to lead the telecom business through its inception and acquisition with Broadjump.