Don’t let BYOD turn into “BYOR” in your network
BYOD (Bring Your Own Device) seems to be the dominant theme for 2012 in the Wi-Fi infrastructure and security space. As people increasingly bring personal smartphones onto enterprise premises, network and security administrators are grappling with the security implications. Given how engaging the new smartphone and tablet apps are, conflict arises between what users want and what network and security administrators intend. You need to ensure that this conflict does not turn BYOD into BYOR (Bring Your Own Rogue AP)!
Peep into history
This is similar to what happened 5 years ago when laptops started to embed Wi-Fi radios, but organizations had deployed only spotty Wi-Fi coverage, often of the experimental type. Employees would often not get an adequate Wi-Fi signal in their offices, so they were prompted to bring in Wi-Fi access points of their own and connect them to the enterprise LAN jacks, often with unencrypted wireless links and default wireless configurations. That is how the unwitting-user variety of the rogue AP threat came into being. Administrators became concerned that some open AP showing up on the wardriving maps of their area could in fact be connected to the corporate networks they manage. This history can repeat itself with BYOD!
Employees can install rogue APs for unrestricted smartphone use
The BYOD user, frustrated with the smartphone usage controls on the managed Wi-Fi access points, may bring in a personal access point and plug it into an enterprise LAN jack to be able to use the smart mobile device in the office without restrictions. Not only does this violate the corporate smartphone use policy, but as a side effect it exposes the corporate network to outsiders through the rogue access point. The urge to connect a rogue access point can be even stronger in environments with no Wi-Fi at all.
Visitors can install rogue APs for high-speed, free Internet for their smart mobile devices
Another trigger to install rogue APs could come from visitors, contractors, maintenance personnel, etc. on the enterprise premises, who may want to connect their smartphones to the Internet and may install their own APs on the enterprise network without administrator knowledge or permission. Of course, the smartphones can work on the 3G/4G network, but the user experience is far better with Wi-Fi, and it is free. Apple even sells a product called AirPort Express, an 802.11n Wi-Fi access point no larger than a power plug, designed for plug-and-play portability and use with iPhones, iPods and iPads. Anything Apple sells does get used a lot; I don’t think there can be any debate about that.
The highly distributed nature of retail networks makes security monitoring difficult. The local staff at store locations will invariably carry smart devices on them (iPhones, gaming consoles, etc.) and thus will be incentivized to use them despite the corporate policy. Such staff can install rogue APs in stores on retail networks, thereby violating corporate policy and also adversely affecting PCI (Payment Card Industry) compliance, which has explicit requirements for rogue AP prevention.
BYOD security as a whole has many aspects to it, ranging from installing security agents on IT-assigned smartphones to deploying access controls in the Wi-Fi infrastructure to prevent personal mobile devices from connecting to the managed Wi-Fi network assets. However, the more difficult you make it to use a smartphone on the enterprise facility through the managed Wi-Fi network, the bigger a catalyst it is for rogue APs to be installed on the network. Hence, effective rogue AP detection and containment also becomes an important component of comprehensive BYOD security.
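To make the "rogue AP detection" the post closes on concrete, here is an added example of the kind of check a wireless intrusion detection system performs; it is illustrative code written for this page, not code from the post's author or from any product. It takes a list of access points seen over the air, an inventory of authorized (managed) BSSIDs, and the MAC addresses learned on the wired switches, and classifies each AP. The wired-correlation rule is an assumption stated in the code: many consumer APs draw their LAN MAC and their radio BSSID from one small contiguous block, so an unknown BSSID numerically adjacent to a MAC seen on the wire is treated as a rogue that is plugged into the LAN (the scenario the post describes), while an unknown BSSID with no wired neighbor is most likely a neighbor's AP. Open (unencrypted) rogues, the "default configuration" case from the history section, are flagged separately. All scan records and MAC addresses below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ObservedAP:
    """One access point seen in an over-the-air scan (constructed sample data)."""
    bssid: str
    ssid: str
    security: str   # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-Enterprise"
    channel: int


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_neighbor(bssid: str, wired_macs: Iterable[str], max_delta: int = 8) -> Optional[str]:
    """Return a wired MAC numerically within max_delta of the BSSID, if any.

    Assumption (heuristic, not a guarantee): consumer APs commonly allocate their
    LAN-port MAC and radio BSSID from one small contiguous block, so adjacency
    between a wire-side MAC and an over-the-air BSSID suggests the same box.
    """
    target = mac_to_int(bssid)
    for mac in wired_macs:
        if abs(mac_to_int(mac) - target) <= max_delta:
            return mac.lower()
    return None


def classify_aps(observed: Iterable[ObservedAP],
                 authorized_bssids: Iterable[str],
                 wired_macs: Iterable[str]) -> List[Dict[str, object]]:
    """Label every observed AP as managed, rogue-on-wire, or unknown-not-on-wire."""
    authorized = {b.lower() for b in authorized_bssids}
    wired = [m.lower() for m in wired_macs]
    findings = []
    for ap in observed:
        bssid = ap.bssid.lower()
        if bssid in authorized:
            verdict, wired_mac = "managed", None
        else:
            wired_mac = wired_neighbor(bssid, wired)
            verdict = "rogue-on-wire" if wired_mac else "unknown-not-on-wire"
        findings.append({
            "bssid": bssid,
            "ssid": ap.ssid,
            "channel": ap.channel,
            "verdict": verdict,
            "open": ap.security.upper() == "OPEN",   # unencrypted link: highest priority
            "wired_mac": wired_mac,
        })
    return findings


def rogue_bssids(findings: List[Dict[str, object]]) -> List[str]:
    """BSSIDs that should go to the containment/incident queue, open ones first."""
    rogues = [f for f in findings if f["verdict"] == "rogue-on-wire"]
    rogues.sort(key=lambda f: (not f["open"], f["bssid"]))
    return [str(f["bssid"]) for f in rogues]


# Constructed sample inventory and scan (locally administered 02:.. addresses).
AUTHORIZED_BSSIDS = ["00:11:22:AA:BB:01", "00:11:22:AA:BB:02"]
WIRED_MACS = ["00:11:22:aa:bb:01",   # managed AP's own wired port
              "02:1a:2b:3c:4d:30",   # LAN side of a consumer AP plugged into a jack
              "02:00:5e:00:00:10"]   # an ordinary wired host
SCAN = [
    ObservedAP("00:11:22:aa:bb:01", "CorpWiFi", "WPA2-Enterprise", 36),
    ObservedAP("02:1a:2b:3c:4d:31", "Free Internet", "OPEN", 6),
    ObservedAP("02:9e:8d:7c:6b:5a", "NeighborNet", "WPA2-PSK", 11),
]

if __name__ == "__main__":
    for finding in classify_aps(SCAN, AUTHORIZED_BSSIDS, WIRED_MACS):
        print(finding)
    print("containment queue:", rogue_bssids(classify_aps(SCAN, AUTHORIZED_BSSIDS, WIRED_MACS)))
```

Run against the sample data, the managed AP is passed, the open "Free Internet" AP is tied to the wired MAC 02:1a:2b:3c:4d:30 and lands in the containment queue, and "NeighborNet" is reported as unknown but not on the wire, which is the distinction that keeps a wardriving-style scan from generating false alarms about every AP in the neighborhood. A production system would replace the adjacency heuristic with stronger wired-side evidence (for example, seeing the AP's wireless client traffic appear on a switch port).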