Just imagine all the “apps” that typically get installed on today’s smartphones and iPads. They are not controllable, so this opens a huge backdoor into today’s enterprise IT infrastructures. And all of this happens on a variety of hardware and software platforms. Restricting the use of additional “apps” on the devices via organizational rules is not really a workable solution. And if one does so, the value of these new devices to the employee is suddenly very limited.
And, as always in IT, the world is grey, not black or white and everyone has a different approach to the problem. Especially when it comes to NAC I’ve seen a lot of different solutions being deployed by our customers since I took over the role of the solution architect at the end of 2006. Luckily we architected it in a way that allows maximum flexibility.
Our NAC detects new devices on the infrastructure automatically and profiles them to determine the type of device. Various sources such as network-based assessment, DHCP OS fingerprinting, captive portal (used for remediation and registration, guest services) and external profilers can be used. The device type can be an Operating System Family, Operating System or Hardware Type. Access to resources can be controlled by using the device type information – without the need for authentication if desired, but it can be combined with strong authentication as well.
From my point of view there are pros and cons to the approach from my colleague Rich Casselberry. While one can detect obvious vulnerabilities, it is not really possible to control the apps on the device itself. Strong authentication helps to keep unwanted devices off the network. Combined with our device type detection mechanism in NAC – as stated before – one can at least restrict access by policy on non-IT-managed devices like an iPad, even if valid credentials are provided. But user and application behavior is not fully controllable, and access to various resources must be allowed so that the use of an iPad is beneficial to the user and the business.
Talking to a lot of customers with high requirements for data security and privacy, like banks and hospitals, they seem to be in favor of a “thin client” approach that can also be applied to BYO devices. Using virtual desktop infrastructures, the confidential data is not pushed out onto the device but only presented to the user. From my point of view this is the Holy Grail for endpoint security, especially when you can ensure that the device is always connected. This is reality for campus usage and is becoming reality at any location in the developed world. NAC along with our Enterasys policy can then ensure that only the VDI protocol into the data center can be used inside the corporate network, so no malicious attacks can be originated from that device. And Internet services can still be accessed, so the apps on the device can provide the maximum benefit.
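To make the two ideas above concrete (profiling a device by its DHCP fingerprint, then restricting an unmanaged device to the VDI protocol into the data center plus the Internet), here is a small added illustration in Python. It is not Enterasys NAC code: the fingerprint table, the subnets, the VDI port and the set of IT-managed hardware types are all constructed assumptions.

```python
# Toy NAC policy engine: profile an endpoint from its DHCP option 55
# (parameter request list) and derive an access decision per device type.
# All fingerprints, subnets and ports below are constructed samples.
from ipaddress import ip_address, ip_network

# Constructed sample fingerprints: option 55 request order -> (OS family, hardware type).
# A real profiler uses a large, vendor-maintained database.
FINGERPRINTS = {
    "1,3,6,15,119,252": ("iOS", "iPad"),
    "1,15,3,6,44,46,47,31,33,121,249,43": ("Windows", "Laptop"),
}

IT_MANAGED_TYPES = {"Laptop"}          # assumed: corporate-imaged hardware types
DATACENTER = ip_network("10.10.0.0/16")  # assumed data-center range
CORPORATE = ip_network("10.0.0.0/8")     # assumed corporate address space
VDI_PORT = 443                           # assumed port of the VDI protocol


def profile(param_request_list):
    """Map a DHCP option 55 list to (os_family, hardware_type)."""
    key = ",".join(str(o) for o in param_request_list)
    return FINGERPRINTS.get(key, ("Unknown", "Unknown"))


def allowed(device, authenticated, dst_ip, dst_port):
    """Policy decision for one flow.

    A device counts as IT-managed only if it both authenticated and has a
    managed hardware type. Anything else (an iPad with valid credentials,
    an unknown or unauthenticated box) may reach only the VDI protocol in
    the data center and the Internet, never other corporate resources.
    """
    _, hardware_type = device
    dst = ip_address(dst_ip)
    if authenticated and hardware_type in IT_MANAGED_TYPES:
        return True                      # full corporate access
    if dst in DATACENTER:
        return dst_port == VDI_PORT      # VDI protocol only
    if dst in CORPORATE:
        return False                     # no other internal resources
    return dst.is_global                 # Internet stays reachable


if __name__ == "__main__":
    ipad = profile([1, 3, 6, 15, 119, 252])
    print(ipad, allowed(ipad, True, "10.10.5.20", VDI_PORT))   # True
    print(ipad, allowed(ipad, True, "10.20.1.5", 445))         # False
```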
Anyway, this is another approach to the problem of supporting consumer devices on the corporate net. How are you handling the issue?