Using NAC for smartphone security on wireless LAN

As unmanaged, Wi-Fi-enabled smartphones proliferate on corporate networks, network managers should use wireless network access control (NAC) to give them an idea of what’s on the network and how they can secure those devices.

“I talked to a hospital recently that had some sense that they had a lot of smartphones on their network, but they weren’t really sure,” said Jeff Wilson, principal analyst for Infonetics Research. “They thought they had about 8,000 total devices on their network, but when they dropped in [a network access control appliance from] ForeScout, they found that they had 12,000 devices. Most of the devices they hadn’t accounted for were smartphones of all flavors.”

Once network managers understand what devices they have on the network, they need to look at their smartphone population as two main groups: company-owned assets that IT has access to, and user-owned devices that employees are using to access email and work with sensitive corporate information.

“You have to look at the world in terms of what are the devices I know about and control and what are the devices I don’t know about and can’t control,” Wilson said. “Then you come up with one strategy that works for devices you know about and one for unknown devices. Whether that will be a way to block all access to those devices or to allow access but find some way to limit and control [access] is up to you.”

Grasping control of the managed smartphones on the network is a matter of collaborating with the mobile device manager in the IT organization. The unmanaged devices will be a bigger challenge, Wilson said, “because you’re not going to physically touch all of them.”

Enterprises can use NAC to discover not only what kinds of devices are out there but which software and which security clients, if any, are running on them, he said. This information can help network managers determine what sort of security policies to implement for unmanaged smartphones.

Bill Perry, the IT services manager for Richard Huish College in Taunton, England, recently installed a NAC product from ForeScout specifically to gain visibility into the number of iPhones and USB devices he had on the network.

“There are many courses here where [professors] teach totally from the network,” Perry said. “If it goes down, they stop teaching. I think the iPhone could come on and bring in something that could affect the operations of the network.”

Perry’s ForeScout appliance is currently in monitoring mode to see what is happening on the network. This month he will start implementing rules and policies to gain control over which devices can access his Cisco wireless LAN and his wired network.

Wireless network access control: What are devices doing?

After taking inventory of the smartphones on the network, network managers need to know how devices are being used.

“An important part is understanding how they are getting used on your network,” Wilson said. “What is it [that] users do with the devices when they’re connected, and what kind of threat does that present? That’s something that using some sort of NAC or application control or discovery product can help you understand.”

“Secondarily, think about the data at rest problem,” he said. “Do we have a policy for what to do if someone’s phone is lost? How do we decide whether I care from an IT perspective if that device is lost? And what is it we can do if we can never see, touch or do anything to handle these devices? How can we protect ourselves assuming we are never going to have access to these devices?”

Turning a blind eye to unmanaged smartphones is a gamble. “We haven’t seen a lot of mobile device-specific exploits yet, but I believe that they are coming. Also, companies that invest specifically in security for smartphones right now [are doing it] because they know there are sensitive data that they would worry about if it’s lost or stolen.”

Out-of-band wireless NAC solutions

Not every NAC solution will afford the same amount of control and visibility into unmanaged smartphones, Wilson said. For instance, NAC products from endpoint protection vendors like McAfee and Symantec may not do much good, given that they rely on client software that the smartphones probably won’t have installed. Microsoft NAP might do a good job of managing Windows Mobile smartphones, but it will have trouble tracking other smartphone platforms. NAC products that track only devices that have 802.1X supplicants will have trouble seeing devices that don’t have this software, particularly smartphones.

“So you’re looking at out-of-band solutions that aren’t limited to 802.1X and use other methods, such as capturing MAC addresses and machine IDs,” Wilson said.

Going beyond smartphone security

NAC has also helped Perry deal with other issues relating to both managed and unmanaged laptops on the network. For instance, he’s detected a couple of unmanaged PCs that are scanning his network, in particular password scanning, so he’s trying to track the machines down with ForeScout. He’s not convinced that someone is trying to hack the network, but he’ll know more once he finds the machine.

The technology also helped him find a school-owned loaner laptop that had gone missing.

“We went through the records and could see the last time it was on a network, the person who was using it and the port it was accessed through,” Perry said. “So you can track it down, then go find it. That one was being used by the finance department, and then it was locked away in a cupboard for a month and a half.”
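The two ideas the article keeps returning to, splitting devices into the managed group and the unknown group discovered by out-of-band MAC capture rather than 802.1X state, and answering "when, by whom and on which port was this asset last seen", are modelled below in an added example. It is not code from the article, ForeScout or any NAC vendor; the asset register, MAC addresses, ports, user names and timestamps are all constructed.

```python
"""Reconcile out-of-band NAC observations against a managed-asset register.

Added example, not from the article: models the managed-vs-unknown split and
the last-seen lookup described in the text. All data below is constructed.
"""
from collections import namedtuple

# One record per device the NAC saw. dot1x=False means the device was seen
# only through MAC/DHCP capture, i.e. it has no 802.1X supplicant.
Observation = namedtuple("Observation", "mac ip port user dot1x last_seen")

# Constructed managed-asset register: MAC -> asset tag (hypothetical values).
MANAGED_ASSETS = {
    "00:1a:2b:3c:4d:01": "LAPTOP-0042",
    "00:1a:2b:3c:4d:02": "LAPTOP-0043",
}

# Constructed observations; the last two resemble unmanaged smartphones on Wi-Fi.
OBSERVATIONS = [
    Observation("00:1a:2b:3c:4d:01", "10.0.5.11", "sw1/0/7", "jdoe", True, "2010-03-02T09:14"),
    Observation("00:1a:2b:3c:4d:02", "10.0.5.12", "sw1/0/9", "finance01", True, "2010-01-18T16:40"),
    Observation("a4:d1:d2:00:00:aa", "10.0.9.31", "wlc1/ap3", None, False, "2010-03-02T09:20"),
    Observation("a4:d1:d2:00:00:ab", "10.0.9.32", "wlc1/ap3", None, False, "2010-03-02T09:21"),
]

def classify(observations, managed=MANAGED_ASSETS):
    """Split devices into the article's two groups: managed and unknown."""
    managed_seen, unknown = [], []
    for obs in observations:
        (managed_seen if obs.mac.lower() in managed else unknown).append(obs)
    return managed_seen, unknown

def supplicant_blind_spots(observations):
    """Devices an 802.1X-only NAC would never have seen."""
    return [o for o in observations if not o.dot1x]

def last_seen(asset_tag, observations, managed=MANAGED_ASSETS):
    """Return (timestamp, user, port) of the newest sighting of an asset, or None."""
    macs = {m for m, tag in managed.items() if tag == asset_tag}
    hits = [o for o in observations if o.mac.lower() in macs]
    if not hits:
        return None
    latest = max(hits, key=lambda o: o.last_seen)  # ISO timestamps sort lexically
    return latest.last_seen, latest.user, latest.port

if __name__ == "__main__":
    known, unknown = classify(OBSERVATIONS)
    print(f"{len(known)} managed, {len(unknown)} unknown device(s)")
    print("invisible to 802.1X-only NAC:", [o.mac for o in supplicant_blind_spots(OBSERVATIONS)])
    print("LAPTOP-0043 last seen:", last_seen("LAPTOP-0043", OBSERVATIONS))
```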