From school campuses to doctors’ offices to board rooms, it is more than evident that the iPAD/smart-device revolution has changed the dynamic surrounding host device access. The employees who bring in their own personal iPads to work have caused a lot of strife for IT administrators; how do we provide access for these devices—especially when corporate executives get their hands on them? How do we provide access while at the same time protecting our assets? How do we distinguish between guest devices, employees who bring their own devices to work (BYOD), and corporate-owned assets?
In addition to struggling with non-standard device access, administrators also have to contend with the additional capacity requirements associated with the proliferation of so many new, smart-devices seeking wireless access. If that isn’t enough, these same devices are demanding more and more bandwidth and the applications are becoming more and more time-sensitive—requiring quality of service (QoS) capabilities within the environment.
It is important for IT administration to embrace the inevitable push by customers, employees and executives to allow access for these devices – but it doesn’t have to be all at once. A thorough examination of the specific device types and their specific uses (and nuances) is required, and then administration must come up with a plan of attack. Most companies are starting with Apple iOS devices first, due to the higher demand and for some of the business-enabling applications the devices support.
The initial hurdle that needs to be addressed is for IT to be able to differentiate between corporate-issued devices vs. the devices that employees bring in themselves. The type of wireless LAN (WLAN) infrastructure that is in in place, along with the back-end authentication equipment, will greatly affect an organizations strategy.
One of the newer techniques involves DHCP inspection and fingerprinting to determine the device type/operating system. Once this is established, those devices can be put into a default role with access to certain resources as dictated by a well-defined security policy—ha. We’ll save that for another discussion.
What can you do with a device once it is identified? The most common action is simply to provide unique firewall rules that control what those devices are able to do. Additional granularity can be achieved through a PKI device certificate installed on the employee’s personal devices, which could work with a BYOD policy. Guest access may not be as good of a use-case for certificates.
Guest access should have, at a minimum, several basic capabilities:
- Ability to create duration times for network access
- Start/End times per day, week.
- Bulk provisioning
Provisioning Methods
- Self-sign in Kiosk
- Lobby gatekeeper
- IT staff
As these smart-devices are almost exclusively wireless, a critical component in preparing for these devices is a wireless site survey. Often neglected, a critical aspect of a WLAN site survey is the interview process with the customer--analyzing or estimating network users’ behavior to determine AP densities/placements. Designers gather as much information as possible about the facility, the customers, their business needs and behaviors.
While floor plans/building schematics are a good starting point, a site survey (with a spectrum analyzer) is still the best means of determining a proper design.
Do not forget Power over Ethernet (PoE).
A sound QoS strategy is also something to consider. These time-sensitive applications such as facetime, VoIP and some eLearning applications all require a robust, well designed QoS-enabled environment across both the WLAN and the LAN. An overall QoS strategy needs to be determined based on business needs. Once these are determined a QoS solution can be implemented based on the manufacturer chosen. What applications are mission critical to your business? Of those, what are time-sensitive vs. those that could fall under best-effort?
