What Does Bradford Do?

Bradford Networks Securing The BYOD Revolution

The Bradford Network Sentry system enables organisations to implement a BYOD policy and ensure that it operates within the organisation's security policy. It does this by establishing visibility of the network and the devices attached to it, and then applying control.

It does this for wired, wireless and VPN-connected devices and is a truly multi-vendor solution, supporting most connectivity and security infrastructure products and most device operating systems (Windows, Mac OS, Android, Apple iOS, Linux). It is an out-of-band system (it sits outside the traffic path), enabling simple, low-cost deployment even in multi-site environments.

The Network Sentry provides visibility of and control over who gets access to what, from what, from where and when. These include:

Identity Management – WHO

Bradford gives a greater understanding of WHO wishes to access the network.

Internal Users

Bradford communicates with the organisation's directory services systems (such as Active Directory and RADIUS). This gives it information on who the corporate users are, what groups they are members of, and by extension what access privileges they should enjoy.

Guests

Bradford automates the process of provisioning and managing guest accounts and guest privileges, enabling the guest management process to be delegated to appropriate users, departments, or to the guests themselves.

Device Management – WHAT

Bradford uses standard network protocols to communicate with network devices (switches, routers, wireless controllers, VPN concentrators).

This enables it to identify devices as they attach to the network.

Bradford can identify:

  • the device type (printer, access point, PC, iPad)
  • the manufacturer
  • the precise device, by MAC address and IP address
  • the location WHERE the device is connected
  • the time at which the device connects or disconnects (WHEN)

It enables and automates device registration, so that the system understands WHAT belongs to WHO.

Endpoint Compliance – MORE ABOUT WHAT

Endpoint compliance enables the system to understand more about the devices that are connecting to the network. By running a permanent or dissolvable agent on the client device Bradford is able to establish whether the device complies with key components of the security policy.

For example, it enables Bradford to establish whether Windows devices are running the latest Microsoft security patches, an acceptable anti-virus product with the latest anti-virus updates, and whether Apple iOS devices have been jailbroken.

Role Based Access – WHO can access what services from WHAT devices, WHEN from WHERE.

Bradford uses the information it knows about people, devices, device ownership, location and time to enforce the security policy. It configures existing infrastructure to allow or deny access to resources, and if appropriate to remove access privileges in real time.

Remediation

In a BYOD world the purpose is to allow access where possible, within the security policy, and to provide that access without over-burdening the user or the support department. Remediation is the process whereby, if the endpoint compliance status of a device does not meet the security policy for the access requested, the system helps the user to bring the device within the policy. It does this by allowing access to a remediation portal which describes what needs to be done and helps to automate the process.

Global Reporting

Bradford Networks provides a single interface from which to view the network and network security infrastructure. Through a web-based administrative interface, the Network Sentry management console enables administrators to easily navigate the network topology, view all network connections, define policies, establish event criteria, schedule tasks, enable automated actions, and more.

Network devices, ports, users, and endpoint devices can be grouped for easier management and for role-based assignment. Management control features include the ability to locate, enable or disable devices by MAC address, IP address, location, time, and other factors.

The Connection Log provides historical connection information to monitor and track all endpoints on the network. A set of pre-defined reports provides on-demand reporting, while the standards-based database infrastructure provides the ability to quickly generate reports to perform trend analysis and to document regulatory compliance. User-customized views provide administrators with real-time access to

Securing The Whole Infrastructure

The Bradford Network Sentry secures the whole network, not just the wireless.

Bradford uses its knowledge of people and devices. It communicates with the infrastructure and automates the configuration of devices to implement security policy.

Wired Example

There is a printer in the conference room. It is connected to a port on a switch and associated with a VLAN.

Bradford knows it is a printer, made by HP, connected to switch port 18/24 and should be in VLAN5 – printers.

  • If a user unplugs the printer and plugs a PC into the port, Bradford will know.
  • It will know that the printer was disconnected, which port it was disconnected from and when.
  • It will know a device was connected, which port it was connected to and when.
  • It will know it is a PC, running Windows.
  • If policy does not allow a Windows PC on the printer port, then Bradford will tell the switch to move the printer port into a different 'dead-end' VLAN.

VPN Example

  • A user of a corporate laptop is working from home, via VPN.
  • The user downloads a file sharing application from the internet which breaches policy.
  • The Bradford agent detects that the application is present and informs the Network Sentry.
  • The Network Sentry sends a command to the VPN controller to move the session from the production VLAN and place the user in remediation.

Wireless Example

  • A user on an iPad in the guest network accesses a website deemed to be dangerous by the firewall.
  • The firewall notes this in its log.
  • Bradford reads the log, and tells the wireless controller to move the user into quarantine.
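The three scenarios above, together with the enforcement described under Role Based Access, as an added Python sketch that is not Bradford's code or configuration: a policy function takes what the system knows about a connecting endpoint (device type, medium, location, registered owner role, agent compliance verdict, firewall alert) and returns the action and VLAN the infrastructure would be told to apply. Port names, VLAN numbers, MAC addresses and the policy tables are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    ALLOW = "allow"              # keep the role's production VLAN
    REGISTER = "register"        # unknown device: captive registration VLAN
    DEAD_END = "dead-end"        # wired: isolate the switch port
    REMEDIATE = "remediate"      # VPN: session moved to remediation
    QUARANTINE = "quarantine"    # wireless: client moved to quarantine

@dataclass
class Endpoint:
    mac: str
    device_type: str              # "printer", "pc", "ipad" (fingerprinted)
    medium: str                   # "wired" | "vpn" | "wireless"
    location: str                 # switch port, VPN gateway or SSID (constructed)
    role: Optional[str] = None    # owner role once registered, else None
    compliant: bool = True        # agent verdict: patches, AV, banned apps
    firewall_alert: bool = False  # firewall logged a dangerous-site hit

# Constructed policy tables (hypothetical; not a real Network Sentry configuration).
PORT_EXPECTS = {"sw1:18/24": "printer"}   # wired port -> device type allowed there
ROLE_VLAN = {"printer": 5, "employee": 10, "guest": 20}
SPECIAL_VLAN = {Action.REGISTER: 100, Action.DEAD_END: 999,
                Action.REMEDIATE: 998, Action.QUARANTINE: 997}

def decide(ep: Endpoint) -> tuple[Action, int]:
    """Map WHO/WHAT/WHERE plus compliance to the VLAN the infrastructure is told to use."""
    if ep.medium == "wired":
        expected = PORT_EXPECTS.get(ep.location)
        if expected is not None and ep.device_type != expected:
            # Wired example: a PC plugged into the printer port is moved to the dead-end VLAN
            return Action.DEAD_END, SPECIAL_VLAN[Action.DEAD_END]
    if ep.role is None:
        # WHAT belongs to WHO is not yet known: send the device to registration
        return Action.REGISTER, SPECIAL_VLAN[Action.REGISTER]
    if ep.medium == "wireless" and ep.firewall_alert:
        # Wireless example: firewall log entry triggers quarantine on the controller
        return Action.QUARANTINE, SPECIAL_VLAN[Action.QUARANTINE]
    if not ep.compliant:
        # VPN example: agent reports a policy-breaching application, session goes to remediation
        return Action.REMEDIATE, SPECIAL_VLAN[Action.REMEDIATE]
    return Action.ALLOW, ROLE_VLAN[ep.role]
```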