Mobile & (BYOD) Best Practices Ernest Staats info@networkpaladin.org Master Science Information Assurance, (CISSP)®, C|EH v5, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+

Upload: august-holland

Post on 26-Dec-2015




Life has Changed!!

Mobile/BYOD is here and life has changed


Mobility Trends

• Everyone has multiple devices and changes them often
• Full Tech Support for Users BYOD
• Data volumes are exploding
• Mobility adds complexity to management
• Schools are expected to get it perfect
• It may cost more


College Survey BYOD

56% use (NAC) or MDM

27% don’t do anything

54% Don’t require any AV/firewall

52% say BYOD is used in classrooms

38.9% users on same network

67% no visibility in who is connecting


Know Jack or Get Hacked

What’s on your network

Who’s using it

How are they using it

Host and Flow Data

Where are they accessing it

When did this all take place

How do you automate notifications

WHAT IS YOUR NORMAL TRAFFIC


Coverage AND Capacity


What is the Big Issue?

3 to 5 Mb per user

9 Mb per user HD


Control Access First


COIT Tech Support


Better Support

• Proactive IT: plan, train and document issues + solutions
• Make a searchable knowledgebase
• Track walk-in requests
• Enable Self Support


Walk-in Output to Spiceworks

• This message from the GCA Walk-in Tech support
• Student Information: Landon Stoner
• Problem: Online Software

[email protected]

Helpdesk Worker Information: Ernest Staats

Comments: Needs help with ASI due to the fact that he can’t remember his password

Ticket Overview
• Priority: Med

Creator: Landon Stoner
Assignee: Ernest Staats
Ticket URL: http://GCACHD/tickets/list/single_ticket/213


What needs to be done NOW?


Eyes in Sky Feet on the Street


Bandwidth Hogging Detection Mitigation

Software/Hardware:
• LANGuardian
• Wireshark
• Spiceworks
• Your Wireless / Switch Vendor

Appliance Base:
• NET Equalizer http://www.netequalizer.com/
• Exinda http://www.exinda.com/solutions/wan-optimization-2.0
• Procera http://www.proceranetworks.com/oem-dpi-engine-navl.html


Firewall Where? Everywhere


Policies


Smooth Data Flow

• Capture real-time data, log, flow and automate reports
• Analyze, Analyze, Analyze
• Security Onion
• Packet Shapers
• Splunk (paid) or ELSA (Open Source)
  – ELSA how to http://tiny.cc/904p6w


Mobile Device Management

Manage policies

The ability to roll out apps to users

Manage updates and installs

Inventory mobile devices and their installed software

Quickly identify devices that have violated AUPs

A good list of MDM solutions and what they offer

http://www.enterpriseios.com/wiki/Comparison_MDM_Providers

A Free option http://www.meraki.com/products/systems-manager/


Magic Quadrant MDM 2013


What MDM Can Become

Control Freak!

Fuit: Latin for "he or she was"… For IT: he or she was in control, but now it is Forget yoU Information Technology (F.U. I.T.) -- the user will do it themselves and get around all your fancy controls… Use open DNS? No worries, I will just use Google DNS…


Where to start -- Mobile/BYOD


Other Considerations

• Enrollment Experience
  – User self-enrollment – ease of use is critical
• Password/PIN policy decisions
• Push capabilities DO THEY WORK??
  – HOW DO THEY WORK?
• Location services always on – battery impact
• Jailbreak enforcement
• Application blacklisting
• Encryption requirements


Ten+ Commandments

Plus one or so..


Tablet Best Practices

• Device lock: enable native device authentication (PIN, password, pattern)
• Anti-theft measures: Remote lock or data wipe … use of tablet "find me" (services can also raise privacy concerns)
• Over-the-air encryption: All tablets can secure Web and email with SSL/TLS, Wi-Fi with WPA2, and private data with mobile VPN clients.
• Stored data protection: Hardware and mobile OS support for stored data encryption varies.


Tablet Best Practices II

• Mobile application controls: Many downloaded apps require access to sensitive data and features; understand which apps have access to which data, including contacts (block iTunes sharing)
• Anti-malware: Tablets typically don’t have anti-virus, anti-spam, intrusion detection, or firewall apps
• Device management: For visibility, policy configuration, and app provisioning, schools can centrally manage tablets, no matter who owns them


WIFI Best Practices

• Use a WIDS solution (2.4 GHz and 5 GHz)
• Monitor for rogue APs & other WiFi interference (handheld monitor)
• Use auditing to discover intruders on the wireless network. For example, accept Dynamic Host Configuration Protocol (DHCP) requests only from authorized network devices
• Block rogue APs from receiving an IP address and alert the network manager to potential intruders (from the wired lines)
• Train staff not to connect to any ad hoc WLANs
• Prevent automatic association with ad hoc networks Windows on Edmodo
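An added example (not from the original slides) of the DHCP audit idea above: it compares wired-side DHCP server log entries against an inventory of authorized MAC addresses and reports unknown clients, separating those that actually received a lease. The log lines follow ISC dhcpd syslog style and, like the inventory, are constructed for illustration.

```python
import re

# Constructed sample lines in the style of ISC dhcpd syslog output.
SAMPLE_LOG = """\
Mar  3 08:01:13 gw dhcpd: DHCPREQUEST for 10.20.0.41 from 00:1a:2b:3c:4d:5e (lab-pc-07) via eth1
Mar  3 08:01:13 gw dhcpd: DHCPACK on 10.20.0.41 to 00:1a:2b:3c:4d:5e (lab-pc-07) via eth1
Mar  3 08:14:50 gw dhcpd: DHCPREQUEST for 10.20.0.77 from de:ad:be:ef:00:01 (home-router) via eth1
Mar  3 08:14:50 gw dhcpd: DHCPACK on 10.20.0.77 to de:ad:be:ef:00:01 (home-router) via eth1
Mar  3 09:02:31 gw dhcpd: DHCPDISCOVER from 02:00:00:aa:bb:cc via eth1
Mar  3 09:02:31 gw dhcpd: DHCPDISCOVER from 02:00:00:aa:bb:cc via eth1: network 10.20.0.0/24: no free leases
"""
# Constructed inventory export; note the mixed MAC notations.
AUTHORIZED = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f"]

EVENT = re.compile(
    r"dhcpd(?:\[\d+\])?: (DHCP[A-Z]+) (?:(?:for|on) (\S+) )?"
    r"(?:from|to) ([0-9A-Fa-f:]{17})(?: \(([^)]*)\))? via ([\w.-]+)"
)

def norm_mac(mac):
    """Reduce any common MAC notation to lower-case colon form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(log_text, authorized):
    """Return {mac: finding} for every DHCP client missing from the inventory."""
    allowed = {norm_mac(m) for m in authorized}
    findings = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or norm_mac(m[3]) in allowed:
            continue
        kind, ip, mac, host, iface = m.groups()
        f = findings.setdefault(norm_mac(mac), {
            "first_seen": line[:15], "iface": iface, "events": 0,
            "hostnames": set(), "leased_ips": set()})
        f["events"] += 1
        if host:
            f["hostnames"].add(host)
        if kind == "DHCPACK":  # the server actually handed out an address
            f["leased_ips"].add(ip)
    return findings

if __name__ == "__main__":
    for mac, f in sorted(audit(SAMPLE_LOG, AUTHORIZED).items()):
        lease = ",".join(sorted(f["leased_ips"])) or "no lease"
        print(f["first_seen"], mac, f["iface"], lease, sorted(f["hostnames"]))
```

MAC addresses and hostnames are supplied by the client, so this is an inventory and alerting check rather than an access control.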


WIFI Best Practices II

• Use 802.1X with EAP to provide mutual authentication of users and authentication servers
• Use one of the following EAP types: TLS, TTLS, PEAP. Note that EAP-TLS requires certificates on both the supplicant and the authentication server (best option). Not an option with Apple TV
• If 802.1X is not deployed for the wired network, use IPsec or SSL (if supported by school applications). Not an option with Apple TV
• WPS and WPA2 PSK is broken, but required if using Apple products
• Authenticate guests through a captive portal webpage and monitor usage


Network Management

• Modify default SSID to a school/district-specific name
• Use a controller-based or centrally managed WLAN system instead of autonomous APs
• With WLAN hardware use strong passwords; change passwords periodically (default hardware PWD)
• Disable wireless-side management access to wireless network
• Monitor vendor updates and apply patches
• Use SNMP v3, Secure Shell (SSH), and SSL
• Restrict wired-side AP/controller access to certain IP addresses, subnets or VLANs


Resources and software


Mobile Parental Controls


Alphabet BYO-security

BYOD, BYOx

Devices, Apps, Data

MDM, MAM, MIM


Windows Apps on BYOD

• Frame Hawk
• HTML5
  – PhoneGap
  – Worklight
• API Based
  – Appcelerator
  – RhoMobile
• VDI
  – Citrix
  – VMware


To Drop or Not

• Zoolz
• Watchdox
• Sharefile
• Egnyte
• Cubby
• Box


Private Cloud DropBox

• SharePlan
• Tonido
• SpiderOak
• Cubby
• GoodSync


iCloud = iHog….

• iCloud uses ports 80, 443, and 5223

• Uses Apple, Microsoft and Amazon cloud services to deliver apps and data.