Network access control policy: Handling smartphone access control

NAC can be helpful for laptops and desktops, but it’s limited with mobile devices. In this tip, learn how to extend NAC for smartphone access control.

From iPhone, to Droid, to BlackBerry, to Nexus One, it seems a new mobile device is born every week and employees are trying to put them on corporate wireless networks about 15 minutes after launch!

How does an organization cope with the risk posed by mobile devices and control their introduction onto enterprise networks?  In this tip, we examine the role that network access control (NAC) systems play in the mobile environment.

Network access control (NAC) policy for mobile devices
If you’re already using NAC in your environment, you’re probably familiar with the process used to authenticate a laptop or desktop computer:

1.  User attempts to join a new device to the network.

2.  The NAC server detects the new device and determines it is not already authenticated.

3.  The user is prompted to install a NAC client on the endpoint.

4.  The NAC client provides the user’s credentials to the NAC server for authentication.

5.  The NAC client performs an assessment of the client’s security status and provides that to the NAC server.

6.  The NAC server uses the credentials and assessment results to determine what, if any, network access the device should gain.

Unfortunately, this process breaks down at step three, when smartphones, tablets or similar “dumb” devices try to join the network, as it’s not possible to install a NAC client on such gadgets.  In this case, NAC systems usually fall back to two possible approaches:

●  In the “captive portal” approach, the NAC device intercepts the user’s requests for webpages and redirects him or her to a Web-based authentication page.  Once the user authenticates, the device is granted access to the network, which allows authorized users to join any mobile device to the network.

●  The alternative approach is to whitelist the MAC addresses of approved wireless devices.  This involves much more administrative overhead, requiring your IT staff to add the MAC address of each device to the NAC system every time a new device is deployed. However, this whitelisting option does give the enterprise a greater degree of control over network access.

The downside of both of these approaches is the NAC system has no ability to probe the security status of the device, greatly reducing the functionality that NAC traditionally offers in the laptop/desktop environment.

Making the most of mobile NAC
So, how can an enterprise leverage its existing NAC infrastructure to help secure mobile devices?  I suggest a three-pronged approach that hinges upon differentiating between corporate-owned devices and personally owned devices.  Your mileage may vary, depending upon the security needs of the organization, but this framework offers a starting point that you can use to build an appropriate mobile network access control policy and related controls for your business environment.

Limit full wireless network access to company-owned smartphones. You’ll simply never be able to gain the level of confidence in personally owned devices that you can have in those owned and managed by your IT staff.  For this reason, I encourage limiting full network access to those devices owned and managed by the company.  The easiest way to enforce this requirement -- which should be spelled out in your NAC policy -- is with the MAC whitelisting approach described above.

Supplement NAC with mobile device management. While NAC products generally don’t allow you to reach down into the configuration settings of smartphones for more thorough smartphone access control, mobile device management software does.  I suggest deploying one of these products as a complement to NAC and using it to enforce encryption, screen locking and other security settings on your company-owned devices.

Consider a quarantine network for personally owned devices. In many environments, practicality dictates allowing personally owned devices to access the network.  If this is the case in your organization, you may wish to place these devices on a separate quarantine network that has limited access.  While you might allow personally owned devices to freely access the Internet, you should carefully control what (if any) corporate resources they are able to access.  After all, do you really want business secrets sitting on a phone that you don’t own?
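To make the decision logic concrete, here is an added example (not code from the article or from any NAC product) that models the admission decision for both paths described above: the six-step agent-based process for laptops and desktops, and the agentless smartphone path that combines a MAC whitelist for company-owned devices, an MDM compliance report standing in for the posture check the NAC agent cannot perform, and a quarantine network for everything else. The MAC addresses, network names, the DeviceRequest fields and the admit/normalize_mac functions are all constructed for this illustration.

```python
"""Toy NAC admission decision for a mixed laptop / smartphone fleet.

Added example; this is not code from the article or from any NAC product.
All device records, MAC addresses and network names below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Network assignments the NAC server can hand out (assumed VLAN names).
FULL_ACCESS = "corp-full"
QUARANTINE = "guest-quarantine"   # Internet only, no corporate resources
DENIED = "deny"

# Constructed whitelist of MAC addresses for company-owned smartphones
# (the "MAC whitelisting" option for agentless devices).
COMPANY_MAC_WHITELIST = {
    "00:1a:2b:3c:4d:5e",
    "00:1a:2b:3c:4d:5f",
}


@dataclass
class DeviceRequest:
    """One join attempt as seen by the NAC server (constructed record)."""
    mac: str
    authenticated: bool                    # credentials accepted (agent or captive portal)
    nac_client: bool                       # True if an agent could be installed (laptop/desktop)
    posture_ok: Optional[bool] = None      # agent assessment result; None when agentless
    mdm_compliant: Optional[bool] = None   # MDM report for company phones; None if not enrolled


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-1A-2B-...' and '001A2B...' compare equal.

    Whitelist lookups silently fail if the supplicant and the whitelist use
    different separators or letter case, so normalize before comparing.
    """
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def admit(req: DeviceRequest) -> str:
    """Return the network assignment for one join attempt.

    Laptops/desktops (agent present): steps 4-6 of the process, credentials
    plus posture assessment decide between full access and quarantine.
    Agentless smartphones: a whitelisted, MDM-compliant company device gets
    full access; a whitelisted but non-compliant or unenrolled device and any
    personally owned device land on the quarantine network.
    """
    if not req.authenticated:
        return DENIED
    if req.nac_client:
        # Agent-based path: the posture assessment is the deciding signal.
        return FULL_ACCESS if req.posture_ok else QUARANTINE
    mac = normalize_mac(req.mac)
    if mac in COMPANY_MAC_WHITELIST:
        # The whitelist establishes ownership only; MDM supplies the posture
        # information the NAC system cannot probe on a smartphone.
        return FULL_ACCESS if req.mdm_compliant else QUARANTINE
    # Personally owned device: Internet access only, no corporate resources.
    return QUARANTINE


if __name__ == "__main__":
    # Constructed sample join attempts covering each branch of the policy.
    samples = [
        DeviceRequest("10:20:30:40:50:60", True, True, posture_ok=True),       # healthy laptop
        DeviceRequest("10:20:30:40:50:61", True, True, posture_ok=False),      # failed posture
        DeviceRequest("00:1A:2B:3C:4D:5E", True, False, mdm_compliant=True),   # company phone
        DeviceRequest("00-1a-2b-3c-4d-5f", True, False, mdm_compliant=False),  # non-compliant phone
        DeviceRequest("aa:bb:cc:dd:ee:ff", True, False),                        # personal phone
        DeviceRequest("aa:bb:cc:dd:ee:ff", False, False),                       # bad credentials
    ]
    for s in samples:
        print(f"{s.mac:<18} agent={s.nac_client!s:<5} -> {admit(s)}")
```

The ordering of the checks matters: authentication is evaluated first so an unauthenticated device never reaches the whitelist lookup, and a company-owned phone that is not enrolled in MDM (mdm_compliant left as None) is treated exactly like a non-compliant one and goes to quarantine rather than getting full access by virtue of its MAC alone.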

While it is difficult to bring the advantages of NAC to the mobile phone environment, it’s certainly achievable.  The three steps outlined above provide the basic framework needed to begin designing a smartphone management strategy that meets your business needs.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
