BYO Access Points: IT Friend or Foe? by LPhifer
As the bring-your-own (BYO) explosion continues, a rising tide of smartphones and pocket-sized personal hotspot gadgets are bringing BYO access points (APs) into the workplace. According to a February 2013 survey conducted by Smith Micro, 62 percent of smartphone users utilize their handset’s personal hotspot feature. Market analyst firm TechNavio expects the Global Mobile Hotspot Router market to grow 34% annually between 2012 and 2016, driven in part by 4G bandwidth.
BYO AP Benefits
Whether powered by smartphone software or mobile router hardware, BYO APs can turn any 3G/4G cellular data connection into a small footprint Wi-Fi hotspot, whenever and wherever Internet access is needed.
This personal convenience can reduce mobile worker dependence on commercial and free Wi-Fi hotspots, eliminating time-consuming and sometimes frustrating searches for a nearby café or hotel that offers Wi-Fi. BYO APs can also deliver more bang for the buck by letting workers share a single monthly bucket of cellular data among several devices – increasingly important as the number of devices per worker continues to rise, driven by Wi-Fi-only tablets.
From a security perspective, BYO APs often mean fewer mobile devices connecting (and automatically reconnecting) to unknown and potentially-risky SSIDs outside the workplace. Instead of reconfiguring a tablet to connect to every new hotel or airport or conference center SSID and remembering to “forget” that network when done, I can simply rely on my tablet to consistently connect to my very own BYO AP. Ditto my laptop, my Kindle, my AirPort, and any other Wi-Fi enabled gadget I carry with me.
Moreover, all of those client-to-BYO AP associations can be secured by WPA2-Personal (AES/PSK), providing a baseline level of protection that otherwise varies from one commercial/free hotspot to the next. In addition to eavesdropping, using my own secure BYO AP reduces my exposure to easy public hotspot hacks such as Evil Twins, SSL session hijacking, accidental file sharing and ARP spoofing.
BYO AP Drawbacks
This all sounds great, but it’s not always that simple.
When BYO APs are used outside the workplace, employers may lack the management and monitoring tools to facilitate and ensure safe use. For example, there’s no Apple-defined iOS MDM profile to configure an iPhone personal hotspot feature with long, random WPA2-Personal password, or to periodically update that password – steps that could deter PSK cracking.
And there’s no way to integrate personal hotspot security with enterprise security measures, such as using WPA2-Enterprise with an IT-issued certificate or login. Yes, IT can configure secure Wi-Fi connections on iOS, Android, and Windows Phone clients – what’s missing is the ability to centrally provision personal hotspots themselves on BYO smartphones or mobile routers.
When BYO APs are used inside the workplace, additional security and performance challenges are surfaced. Any business traffic sent through a BYO AP bypasses corporate Wi-Fi security measures, including upstream controls such as network anti-malware, URL filtering and data leak prevention – that is, unless tunneled back into the corporate network via “remote access” VPN. Given infrequent use of non-split tunnel VPN on BYODs connecting to BYO APs, this could rip a gaping extrusion hole in on-site network defenses.
Additionally, BYO APs used inside the workplace often create transient, hard-to-predict co-channel interference and performance degradation for the corporate Wi-Fi network. While mobile routers can have configurable channel assignments, smartphone personal hotspots are more likely to choose their own channels. As an employee or visitor moves throughout an office building carrying an active BYO AP, they can leave a small wave of disruption in their wake.
BYO AP IT Policies and Tools
Given these tradeoffs, how can your company benefit from BYO APs while managing associated risks?
Start by creating a BYO AP Acceptable Use Policy. Define where BYO APs can be used to carry business data or connect to devices that harbor business data – inside the office, outside the office, in specific public areas at the office, etc.
Define mandatory security settings for BYO APs use under this policy, and provide detailed instructions on how workers can manually provision them. Identify associated security requirements, such as VPN or secure browsing, so that workers don’t mistakenly assume end-to-end safety for traffic exchanged via BYO APs. Help workers understand related threats, such as exposure when sharing a BYO AP with a stranger or the possibility of a personal hotspot evil twin.
Finally, implement a monitoring process (e.g., Wireless IPS) to detect the presence of BYO APs in the workplace, verify compliance with defined policy, associate known BYO APs with worker identities and permissions.
* Test popular smartphones and routers to refine rules that recognize these BYO APs and their impacts.
* Consider why and how to treat a non-compliant BYO AP as you might any other rogue AP that poses real risk, using WIPS to block business client-to-BYO AP communication.
* Develop processes to recognize BYO AP interferers and take automated steps to minimize their impact on the corporate network.
These are just a few steps you might want to make the best of BYO APs. I welcome feedback on other steps that have proven successful – or NOT! – in companies that have tried to get a handle on smartphone personal hotspots and mobile routers.