October 09, 2012

BYOD needs to include wired and wireless devices

Many BYOD solutions only think about wireless network connectivity, but have you thought about the devices users are bringing in that are wired? Users' devices aren't just iPhones and tablets any more; they also include laptops, printers and even VoIP phones, all of which probably have wired Ethernet ports plugged into the LAN.

A real BYOD solution takes into account all forms of network access. It should protect wired, wireless and VPN. Ideally the same tool and network is used for all of this. Having a separate network for Guests or BYOD use is costly and more difficult for users. See my last post for more details.

Devices that connect to the network but do not authenticate should be given a Guest-only role, or not be allowed on at all. Guest networks are similar to, and can be part of, a BYOD solution.

Devices that have an authenticated user but are not managed by IT or corporate security may be allowed to connect with the role the user would normally get, slightly restricted because the device could be compromised, at least until it has been assessed for compliance. Our Mobile IAM solution can perform either client-based scans or, for "other" devices like phones or printers, a network-based scan that looks for known issues. For example, you may not want to allow a printer with an open file share on the network.

Devices that are managed, and thus known to be secure, or that are not managed but pass an assessment scan, can be allowed full network access. We detect managed devices because they have authenticated via 802.1X with EAP-TLS. Since we auto-enroll machines with a certificate from our internal certificate authority once we add them to the domain, and we make the certificates non-exportable (meaning they only work on the device we issued them to), we can be certain that they are being managed by us.
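To make the three-tier policy of the last three paragraphs concrete, here is an added example (not code from the original post or from any vendor's product) of the role decision written as a small Python function. The CA issuer name, the finding names, the sample devices and the scan results are all constructed for illustration; the certificate chain and revocation check are assumed to have been done by the RADIUS server before this code runs, and a device that fails its assessment is assumed to stay in the restricted role until it is remediated. Note that the access medium is validated but never changes the decision: the same rules apply to wired, wireless and VPN.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Role(Enum):
    """Network role handed back to the switch, wireless controller or VPN gateway."""
    DENIED = "denied"
    GUEST = "guest"
    RESTRICTED = "restricted"
    FULL = "full"


# Hypothetical issuer DN of the internal CA that auto-enrolls domain machines.
INTERNAL_CA_ISSUER = "CN=Example Corp Internal CA, O=Example Corp"

# Constructed set of scan findings that count as a compliance failure.
HIGH_RISK_FINDINGS = frozenset({"open-file-share", "default-admin-password", "telnet-open"})

# The policy is the same for every access method; anything else is rejected.
ACCESS_MEDIA = frozenset({"wired", "wireless", "vpn"})


@dataclass(frozen=True)
class DeviceContext:
    medium: str                                      # "wired", "wireless" or "vpn"
    identity: Optional[str]                          # authenticated user or machine account, None if none
    eap_tls_issuer: Optional[str] = None             # issuer DN of the 802.1X client certificate, if EAP-TLS
    cert_valid: bool = False                         # chain validated and not revoked (assumed done by RADIUS)
    scan_findings: Optional[Tuple[str, ...]] = None  # None = not yet assessed; () = scanned, nothing found


def assess(findings: Tuple[str, ...]) -> str:
    """Compliance verdict from a client-based or network-based scan: 'pass' or 'fail'."""
    return "fail" if any(f in HIGH_RISK_FINDINGS for f in findings) else "pass"


def is_managed(ctx: DeviceContext) -> bool:
    """A device is managed only if it proved possession of a valid, non-exportable
    certificate issued by our internal CA over 802.1X EAP-TLS.  A certificate from
    any other CA (e.g. one the user installed themselves) does not count."""
    return ctx.cert_valid and ctx.eap_tls_issuer == INTERNAL_CA_ISSUER


def assign_role(ctx: DeviceContext, guests_allowed: bool = True) -> Role:
    """Map a connecting device to a network role using the post's three tiers."""
    if ctx.medium not in ACCESS_MEDIA:
        return Role.DENIED
    # Tier 1: no authenticated identity -> guest-only role, or nothing at all.
    if ctx.identity is None:
        return Role.GUEST if guests_allowed else Role.DENIED
    # Tier 3 (managed): authenticated with our own certificate -> full access.
    if is_managed(ctx):
        return Role.FULL
    # Tier 2: authenticated user on an unmanaged device -> restricted until assessed.
    if ctx.scan_findings is None:
        return Role.RESTRICTED
    # Tier 3 (unmanaged but clean): passed the assessment scan -> full access.
    if assess(ctx.scan_findings) == "pass":
        return Role.FULL
    # Assumption: a failed assessment keeps the device restricted until remediated.
    return Role.RESTRICTED


if __name__ == "__main__":
    # Constructed sample devices, one per situation described in the post.
    samples = {
        "unauthenticated wired printer": DeviceContext("wired", None),
        "domain laptop, EAP-TLS": DeviceContext("wired", "host/laptop01", INTERNAL_CA_ISSUER, cert_valid=True),
        "employee phone, not yet scanned": DeviceContext("wireless", "alice"),
        "employee phone, clean scan": DeviceContext("wireless", "alice", scan_findings=()),
        "printer with open share": DeviceContext("wired", "alice", scan_findings=("open-file-share",)),
        "VPN laptop with third-party cert": DeviceContext("vpn", "bob", "CN=Some Public CA", cert_valid=True),
    }
    for name, ctx in samples.items():
        print(f"{name:35s} -> {assign_role(ctx).value}")
```

The order of the checks matters: the identity test comes first so that a device presenting any certificate still has to produce an identity the RADIUS server accepted, and the internal-CA test is combined with `cert_valid` so that a revoked or unchained certificate drops the device back to the unmanaged tier rather than granting full access.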

While wired ports are considered "safer" since they require physical access to the building, that does not protect you from users bringing their own devices. Make sure your BYOD solution covers the whole network, not just wireless.


