Thursday, November 10, 2011

Connecting Smartphones to Wireless Network

The wireless network has always been a challenging wild wild west of connectivity. It isn't generally difficult to secure or control, but it does tend to give people a sense of entitlement that they would otherwise lack. How many people walk into an office, whip out a Cat5 cable, and plug into an open data jack? Not many, unless there's a conference room situation with an obvious switch or something, clearly for that purpose. No one expects automatic physical access to your network, but wireless is different. Everyone seems to expect that they are owed access to your wireless network. They need to get online, they need to check their email, whatever it is. It's pretty common to have someone come into your office space and start asking how to get on the wireless. And, if you work in a typical office, chances are there are several people who could tell you what the wireless password/key is. Heck, some of them likely have it written on a Post-It note and stuck to their monitor or something. Visitors can get on your wireless network without ever having to actually talk to you, the steward of that network. Frustrating, isn't it?

So what do you do? You could set up MAC filtering, that old 2nd-level standby pal of WEP encryption that everyone realized wasn't really all that secure, but who wants that kind of administrative hassle? Adding and removing MAC addresses every time someone wants to get online...yuck. I've tried simply not giving people the wireless key. If they don't know it, they can't share it, right? You need to get on the wireless? No problem; bring me your device and I'll set that up for you. It also gives me an opportunity to check out your machine and verify that you have active and up-to-date AV installed and nothing obviously funky going on (I see that Torrent shortcut on your desktop, buddy). The downside to that is that it does mean that every time that visitor comes to your office they have access to your network, at least until you change your password. We all change our password quarterly, right? Right?



Another problem with that is that you have to have the buy-in of your other admins. The above method does you no good if one of your other admins emails the wireless key to someone. I walked into a room where a meeting was taking place and found the wireless key written on a whiteboard; they got the key from an email sent by one of the admins. One solution is to use RADIUS authentication, which involves installing keys on the user's laptop. This certainly takes care of shared keys and the like, and makes administration easier (once it's up and working; getting it set up can be a bear). That takes care of the laptop/tablet users, but what about the smartphone users?

And now we get to the crux of this post.

I understand why people coming into an office for business would need network access for their laptops. It's not an unusual request, nor is it unreasonable. As long as you're not rocking some unpatched security blackhole of a mess, we can make this work. The new(est) thing is that everyone also feels that they need to get online with their iPhones/Androids as well. I don't understand that logic at all. I've never personally hooked my Android phone up to my company's wireless because I don't have a business case for it. I'm not developing Android apps, and I'm not testing Android apps, so adding my phone traffic to my company's already stretched bandwidth isn't necessary. I get that the amount of overall traffic that results from smartphone usage is maybe not as big a deal, but consider the capability of these devices. They can do many of the things laptops can do: stream media, download apps, video chatting. These are the same types of activities that IT departments have long tried to block because of the congestion they cause on the network, especially over wireless, which is already slower than Ethernet due to its underlying mechanisms (CSMA/CA). You now add smartphones that are doing countless data processes in the background (refreshing your FB/Twitter feeds, for example) to the traffic. On top of that, the common view is that it's okay to do things like this on your phone because, well...it's your phone. Doesn't matter if you're still using the company's infrastructure; something about moving it from your computer to your phone makes you feel free to roam.

It's harder, IMO, to lock down phones in the same way that you do laptops and other wireless devices. I'm not actually even sure that phones support RADIUS authentication, but it would seem to be a lot of bother to go through for that. I also wonder if others are as concerned/strict about devices accessing their wireless networks. When people ask me to put their iPhone or Android on the wireless, I always ask why. Usually they tell me that it's because they don't want to use their data plan up, which is not a sufficient reason to me, and I typically refuse (unless of course it's a C-Level person for whom "no" is not an option). I give them my reasons, and most have been understanding about it. You don't want to use your data plan up? Well, if you're doing something that data intensive on your phone, why do you think it's okay to use up company data that way?

Thoughts? Opinions?

