Reduce the danger of BYOD with network infrastructure adjustments

Employees want to bring their own devices (BYOD) to work, or to use their tablets and mobile phones for work. There are several reasons for this: people want to use newer equipment, they feel they can get more done using equipment they are comfortable with, and they want to work from home but cannot take company equipment home with them.
The argument against allowing unapproved equipment on the company network is that devices managed by corporate IT are more likely to have up-to-date antivirus software, and that adding non-homogeneous equipment to the mix may increase support costs as employees ask for help with software issues on their own equipment. Many IT departments flatly refuse to allow non-corporate computers onto the network.
A simple network change makes it considerably safer to allow non-corporate machines on the network. It involves creating a pair of guest networks that allow no access to the inner corporate network except through the corporate VPN tunnel. You need a layer 2 switch that can create virtual LANs (VLANs) and one or more wireless access points. Create one guest VLAN for wired ports and one guest segment for wireless. When a non-corporate computer plugs into a network port, it requests an IP address from the DHCP server on the network. If the MAC address of the device is not in the switch's ARP table, the device is automatically given an address on the guest network. The wireless network is always guest-only. If the employee is approved to use the VPN, they connect through their VPN connection to reach corporate resources such as storage, applications and printers.
Even if you do not consider it safe to allow non-corporate devices on the network, segmenting the network so that production data is unreachable from workstations makes the network much safer, because it makes unauthorized access to production data and servers much harder. In the event of a workstation being compromised or infected, it also makes it much harder for the infection to propagate to production servers.
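The segmentation described in the last two paragraphs can be checked mechanically rather than by hand. The following Python is an added example, not code from the article: it models a first-match firewall policy for the two guest VLANs and audits it against the properties the article asks for (guests reach only the VPN gateway and the internet, workstations cannot reach production directly), and shows how one forgotten deny line breaks them. The address ranges, the VPN port (TCP 443) and the sample flows are assumptions chosen for the example.

```python
import ipaddress
from collections import namedtuple
# Constructed addressing plan (an assumption, not taken from the article):
# guest wired VLAN 10.50.0.0/24, guest wireless VLAN 10.50.1.0/24, corporate
# network 10.10.0.0/16 with the VPN gateway at 10.10.0.1 (assumed to listen on
# TCP 443), production servers 10.20.0.0/24.
Rule = namedtuple("Rule", "action src dst dport")  # dport None means any port

def parse_rules(text):
    """Parse 'action src dst port' lines into Rules; first matching rule wins."""
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, port = line.split()
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules

def evaluate(rules, src_ip, dst_ip, dport):
    """Return 'allow' or 'deny' for one flow; flows matching no rule are denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

# Guests may reach only the VPN gateway and the internet; workstations may not
# reach production directly. Order matters: each deny precedes a catch-all allow.
SEGMENTED_POLICY = """
allow 10.50.0.0/24 10.10.0.1/32 443
allow 10.50.1.0/24 10.10.0.1/32 443
deny  10.50.0.0/23 10.0.0.0/8   any
allow 10.50.0.0/23 0.0.0.0/0    any
deny  10.10.0.0/16 10.20.0.0/24 any
allow 10.10.0.0/16 0.0.0.0/0    any
"""
# The same policy with the guest-to-internal deny forgotten, a common mistake.
WEAK_POLICY = "\n".join(ln for ln in SEGMENTED_POLICY.splitlines() if "10.0.0.0/8" not in ln)

def audit(rules):
    """Return the names of the segmentation properties the policy violates."""
    checks = [  # constructed test flows: (name, src, dst, dport, expected verdict)
        ("guest wired reaches VPN gateway", "10.50.0.10", "10.10.0.1", 443, "allow"),
        ("guest wifi reaches VPN gateway", "10.50.1.10", "10.10.0.1", 443, "allow"),
        ("guest cannot reach corporate file server", "10.50.0.10", "10.10.5.20", 445, "deny"),
        ("guest cannot reach production", "10.50.1.10", "10.20.0.5", 1433, "deny"),
        ("guest cannot reach VPN gateway on other ports", "10.50.0.10", "10.10.0.1", 22, "deny"),
        ("workstation cannot reach production directly", "10.10.5.21", "10.20.0.5", 1433, "deny"),
        ("workstation still reaches file server", "10.10.5.21", "10.10.5.20", 445, "allow"),
        ("guest still has internet", "10.50.0.10", "203.0.113.7", 443, "allow"),
    ]
    return [name for name, s, d, p, want in checks if evaluate(rules, s, d, p) != want]
```

`audit(parse_rules(SEGMENTED_POLICY))` returns an empty list, while the weakened policy reports the three guest-to-internal properties it no longer enforces.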
