April 24, 2013

Why VLAN-based grouping or “sandbox” is inadequate for BYOD Management

This blog is part one of a two-part blog series. Here, I will explain why a VLAN-based solution is not adequate for BYOD management.

Recent trends in Enterprise Mobility and smart devices like tablets and smartphones are giving users more choices and power through the use of customized and personalized devices at home and in the enterprise. Personalization involves using technology that empower individuals to be treated based on personal attributes and preferences rather than as part of a group. Yes, it is easier and may be cheaper for organizations to allow customization by treating individuals or devices as a group, but this does not enable individuals to consume and produce based on their personal profile and capabilities. Today, any of us can now communicate with anybody else, anywhere in the world, at costs close to zero. We can set up our own custom websites, blog and social pages. We can produce, publish, syndicate and choose what personal devices we use at work. We can customize our devices based on applications we use, bandwidth we need, when and how much we want to work whether in the office, at home or on the road. These choices and the ability to Bring Your Own Devices (BYOD) to the enterprise is allowing people to be more happy, creative, productive and valuable as unique individuals rather than restricted to group options. This is why many organizations today are allowing employees and other users to use a variety of devices in the corporate network, regardless of whether they are owned by the organization or the individuals (BYOD).

As a result of these benefits, many organizations have asked their IT departments to enable BYOD and corporate-owned devices that enable users to connect these devices via WiFi (or wired Ethernet) to the corporate infrastructure so that users can have full access to specific services, based on user profile and devices used – without compromising security and adding more staff

Some organizations think there are two ways to deploy BYOD management :

  • VLAN-based or a “sandbox” approach, or
  • Deploying a Network Identify and Access Management (IAM) solution – which extends a traditional Network Access Control (NAC) solution

A VLAN-based approach essentially creates a Virtual LAN or a “sandbox” where groups of users are assigned based on their status. For example, if you use a guest VLAN, you configure your network so that the guest VLAN only goes out to the Internet. Or in a school, IT may create a ‘Students’ VLAN and a ‘Teachers’ VLAN where all the users of particular VLAN use the same group settings. Proponents of this approach argue that it provides all the requirements of BYOD: onboarding, user-based policy, network visibility of devices, and security. But the reality is that this approach is very much limited as it treats everyone as part of a group rather than as individuals – there is no personalization.  For example, if a school wants to give a particular user within a predefined VLAN more bandwidth or network access during non-business hours, it cannot be easily and dynamically done. A new VLAN needs to be created and the user moved. Also, there is a false sense of security with VLANs. VLANS were designed for managing large LANs efficiently, by creating logical smaller workgroups, independent of physical location. As such, a hacker can hop across VLANS using several known techniques if adequate access controls between VLANS are not in place.

The many issues of using VLANS for BYOD management include:

  • No Auto discovery and multi-level profiling – which means they cannot provide granular identity attributes – this means IT has less flexibility on filtering and authorizing of particular users or devices
  • Lack of rules-based policy for dynamic Personalization – this means individuals within a defined group cannot to be treated based on personal attributes, preferences or devices – for example if the organization wants ‘jail broken devices’ within the ‘Teachers’ VLAN restricted from certain servers, they won’t be able to do – they will have to create a new VLAN assigned for jail broken devices
  • No visibility and trouble shooting capabilities – making it very difficult for IT to track usage and performance, and provide exceptional support to their users. VLAN-based solutions typically lack the visibility to discover important network analytics such as: top bandwidth users based on time of the day; and number of iPhone vs. Android users
  • No ability to identify users and their devices – what if I want to be able to type a user’s name and immediately identify their connected devices and their locations? Or what if I want the system to notify me as soon as a “lost” device shows up in the network? A VLAN-based solution is not capable of such functionalities
  • No ability to integrate with other mobility products like VDI, MDM and Firewalls – means IT has less control on resource management
  • False sense of security- a VLAN function is more like “the lines on the highway” that are supposed to separate drivers based on type of drivers (depending on how fast you are driving). However, they don’t prevent bad drivers from swerving off onto another lane or stream and causing a disaster

We believe, the better alternative to a VLAN-based approach is to implement a solution based on centralized management through the use of distributed policy, where the whole network (wired and wireless, multiple VLANs, etc) can be easily monitored, automated and controlled – based on individual profile of each user and their devices, location, time of day, network access, etc. This is a Network IAM solution and the Enterasys solution is called Mobile IAM

Part two of this blog series will explain why a Network IAM solution like the Enterasys Mobile IAM makes more sense for BYOD management

If you would like to share and collaborate on topics like this and others that include BYOD, Wi-Fi, SDN and Enterprise Mobility, please follow @akafel and I will follow you back.

About The Contributor:
Extreme Marketing Team

See My Other Posts