1 / 36

Mobile & (BYOD) Best Practices

Mobile & (BYOD) Best Practices . Ernest Staats info@ networkpaladin.org Master Science Information Assurance, (CISSP)®, C | EH v5, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+ . Life has Changed!!. Mobile/BYOD is here and life has changed . Mobility Trends.

kimama
Télécharger la présentation

Mobile & (BYOD) Best Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mobile & (BYOD) Best Practices Ernest Staats info@networkpaladin.org Master Science Information Assurance, (CISSP)®, C|EH v5, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+

  2. Life has Changed!! Mobile/BYOD is here and life has changed

  3. Mobility Trends • Everyone one has multiple devices and change them often • Full Tech Support for Users BYOD • Data volumes are exploding • Mobility adds complexity to management • Schools are expected to get it perfect • It may cost more

  4. College Survey BYOD 56 % use (NAC) or MDM 27% don’t do anything 54% Don’t require any AV/firewall 52% say BYOD is used in classrooms 38.9 % users on same network 67% no visibility in who is connecting

  5. Know Jack or Get Hacked What’s on your network Who’s using it How are they using it Host and Flow Data Where are they accessing it When did this all take place How do you automate notifications WHAT IS YOUR NORMAL TRAFFIC

  6. Coverage AND Capacity

  7. What is the Big Issue? 3 to 5 Mb per user 9 Mb per user HD

  8. Control Access First

  9. COIT Tech Support

  10. Better Support • Proactive IT plan, train and document issues + solutions • Make a searchable knowledgebase • Tracking walk-in request • Enable Self Support

  11. Walk-in Output to Spiceworks • This message from the GCA Walk-in Tech support • Student Information: Landon Stoner • Problem: Online Softwarelansto14@gca.com Helpdesk Worker Information: Ernest StaatsComments: Needs help with ASI do to the fact that he can’t remember his password Ticket Overview • Priority: MedCreator: Landon StonerAssignee: Ernest Staats Ticket URL: http://GCACHD/tickets/list/single_ticket/213

  12. What needs to be done NOW?

  13. Eyes in Sky Feet on the Street

  14. Bandwidth Hogging Detection Mitigation • Software/Hardware: • LANGuardian • Wireshark • Spiceworks • Your Wireless / Switch Vendor • Appliance Base: • NET Equalizer http://www.netequalizer.com/ • Exindahttp://www.exinda.com/solutions/wan-optimization-2.0 • Procerahttp://www.proceranetworks.com/oem-dpi-engine-navl.html

  15. Firewall Where? Everywhere

  16. Policies

  17. Smooth Data Flow • Capture real- time data, log, flow and automate reports • Analyze,Analyze, Analyze • Security Onion • Packet Shapers • Splunk (paid) or ELSA (Open Source) • ELSA how to http://tiny.cc/904p6w

  18. Mobile Device Management Manage policies The ability to roll out apps to users Manage updates and installs Inventory mobile devices and their installed software Quickly identify devices that have violated AUPs A good list of MDM solutions and what they offer http://www.enterpriseios.com/wiki/Comparison_MDM_Providers A Free option http://www.meraki.com/products/systems-manager/

  19. Magic Quadrant MDM 2013

  20. What MDM Can BecomeControl Freak! Fuit: Latin he or she was… for IT He or She was in control but now it is Forget yoU Information Technology F.U. I.T.-- The user will do it themselves and get around all your fancy controls… Use open DNS no worries I will just use Google DNS…

  21. Where to start -- Mobile/BYOD

  22. Other Considerations • Enrollment Experience • User self-enrollment – ease of use is critical • Password/PIN policy decisions • Push capabilities DO THEY WORK?? • HOW DO THEY WORK? • Location services always on – battery impact • Jailbreak enforcement • Application blacklisting • Encryption requirements

  23. Ten+ Commandments Plus one or so..

  24. Tablet Best Practices · Device lock: enable native device authentication (PIN, password, pattern) · Anti-theft measures: Remote lock or data wipe … use of tablet "find me" (services can also raise privacy concerns) · Over-the-air encryption: All tablets can secure Web and email with SSL/TLS, Wi-Fi with WPA2, and private data with mobile VPN clients. · Stored data protection: Hardware and mobile OS support for stored data encryption varies.

  25. Tablet Best Practices II · Mobile application controls: Many downloaded apps require access to sensitive data and features, understand what apps have control to what data access to contacts (Block iTunes sharing) · Anti-malware: Typically don’t have- anti-virus, anti-spam, intrusion detection, or firewall apps · Device management: For visibility, policy configuration, app provisioning, schools can centrally manage tablets, no matter who owns them

  26. WIFI Best Practices • Use a WIDS solution 2.4 GHz and 5 GHz • Monitor for rogue APs & other WiFi interference (handheld monitor) • Use auditing to discover intruders on the wireless network. For example, accept Dynamic Host Control Protocol (DHCP) requests only from authorized network devices • Block rogue APs from receiving an IP address and alert the network manager to potential intruders(from the wired lines) • Train staff not to connect to any ad hoc WLANs • Prevent automatic association with ad hoc networks Windows on Edmodo

  27. WIFI Best practices II • Use 802.1X with EAP to provide mutual authentication of users and authentication servers • Use one of the following EAP types: TLS, TTLS, PEAP. Note that EAP-TLS requires certificates on both the supplicant and the authentication server (Best option ) Not an option with Apple TV • If 802.1X is not deployed for the wired network, use IPsec or SSL (if supported by school applications) Not an option with Apple TV • WPS and WPA2 PSK is broken But required if using Apple products • Authenticate guests through a captive portal webpage and monitor usage

  28. Network Management • Modify default SSID to a school/district-specific name • Use a controller-based or Centrally Managed WLAN system instead of autonomous APs • With WLAN hardware use strong passwords - Change passwords periodically (Default hardware PWD) • Disable wireless-side management access to wireless network • Monitor vendor updates and apply patches • Use (SNMP) v3, Secure Shell (SSH), and SSL • Restrict wired-side AP/controller access to certain IP addresses, subnets or VLANs

  29. Resources and software

  30. Mobile Parental Controls

  31. Alphabet BYO-security • BYOD • BYOx • Devices • Apps • Data • MDM • MAM • MIM

  32. Windows Apps on BYOD • Frame Hawk • HTML5 • PhoneGap, • Worklight • API Based • Appcelerator • RhoMobile • VDI • Citrix • VMware

  33. To Drop or Not • Zoolz • Watchdox • Sharefile • Egnyte • Cubby • Box

  34. Private Cloud DropBox • SharePlan • Tonido • SpiderOak • Cubby • GoodSync

  35. iCloud = iHog…. • iCloud use ports 80 443, and 5223 • Uses Apple, Microsoft and Amazon cloud services to deliver apps and data.

More Related