IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Thu, 1st Nov 2012

With the BYOD trend gathering momentum, IT managers are losing control over the diverse applications and devices on a corporate network that was not designed to handle so many gadgets, nor the kind and scale of traffic generated by the social media and YouTube generation. As a result, a BYOD strategy must begin by addressing two major changes: the surge in wireless traffic and the shift from providing ports to a greater focus on the user. It is now less important to know what device is being used than to know who is using it and what access they should be allowed.

The first problem with many existing wireless networks is that they were added to the corporate network as an afterthought or add-on rather than being thoroughly integrated into the wired infrastructure. Typically, the wireless traffic from an access point was sent via some sort of VPN tunnel to the controller for processing and forwarding.

A better solution is provided by today's more intelligent access points that can forward traffic directly to the wired network. Instead of a separate wireless overlay, a unified data plane from both wired and wireless traffic is created – allowing seamless roaming and a wireless experience much closer to that enjoyed by a wired user.

Who is on the network?

The second major issue concerns access and privileges. There are three main classes of user:

  • Network managers and engineers who need privileged access into the deep structure of the network
  • Employees who can log on for full access only to those network resources relevant to their department or work function
  • Guest users who are allowed limited use of the network for Internet access.

It is important to know who is accessing the network in order to make sure that the correct privileges, and only those privileges, are allowed. Access policy must take into account the user identity, their role in the organisation, resources they will need, and those areas they may not be allowed to access.


Device identity takes second place, but is still important. Different devices make different demands on the network: some are wired and some are wireless, and some may be dedicated to more critical applications.

To make sure nothing slips past, it is best to have identity management integrated into the network operating system. It is also better not to rely on any single identification mechanism, but rather to include:

  • 802.1X authentication, ideally supporting multiple supplicant implementations.
  • Kerberos snooping for Microsoft Active Directory users.
  • If neither of the above applies, the user can be quarantined and restricted to a captive portal to authenticate to the network.
  • Guests are offered an open VLAN for Internet access, but ideally that access should still be controlled to allow only a selection of relevant services such as Google, e-mail or LinkedIn.

Here again the advantage of a unified data plane is that identity management is enforced right at the edge of the network rather than being sent to the central controller. Ideally all access points should support identity management features by default, and all user identities should also be monitored centrally so that the administrator can see who is on the network, wherever they are and whether wired or wireless.
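The layered identity scheme above (802.1X first, then Kerberos snooping, then quarantine behind a captive portal, with guests on a restricted VLAN) can be modelled as an edge policy decision. The following is an added example written for this page, not code from the article or any vendor product; the role table, user-to-department mapping and guest service list are constructed sample policy.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> (VLAN, allowed resource kinds). Constructed sample policy; "*" means unrestricted.
ROLE_POLICY = {
    "netadmin":   ("mgmt",       {"*"}),
    "employee":   ("corp",       {"dept", "internet"}),
    "guest":      ("guest",      {"internet"}),
    "quarantine": ("quarantine", {"captive-portal"}),
}
# Constructed directory data standing in for what 802.1X / AD would supply.
ROLE_OF_USER = {"alice": "employee", "bob": "netadmin"}
DEPT_OF_USER = {"alice": "finance", "bob": "engineering"}
# Services a guest VLAN is allowed to reach (hostnames, constructed).
GUEST_SERVICES = {"google.com", "mail.example.com", "linkedin.com"}

@dataclass
class Evidence:
    dot1x_user: Optional[str] = None     # identity proven by an 802.1X exchange
    kerberos_user: Optional[str] = None  # identity observed via Kerberos snooping
    guest_portal_ok: bool = False        # accepted the guest captive portal

@dataclass
class Decision:
    user: Optional[str]
    role: str
    vlan: str
    resources: set

def decide(ev: Evidence) -> Decision:
    """Apply the mechanisms in order of strength; anything unproven lands in quarantine."""
    if ev.dot1x_user:
        user = ev.dot1x_user
    elif ev.kerberos_user:
        user = ev.kerberos_user
    elif ev.guest_portal_ok:
        vlan, res = ROLE_POLICY["guest"]
        return Decision(None, "guest", vlan, set(res))
    else:
        vlan, res = ROLE_POLICY["quarantine"]
        return Decision(None, "quarantine", vlan, set(res))
    role = ROLE_OF_USER.get(user, "quarantine")  # known identity, unknown role -> quarantine
    vlan, res = ROLE_POLICY[role]
    return Decision(user, role, vlan, set(res))

def allowed(d: Decision, resource: str) -> bool:
    """resource is 'kind:arg' (e.g. 'dept:finance', 'mgmt:core-switch'); guests pass a hostname."""
    if d.role == "guest":
        return resource in GUEST_SERVICES
    if "*" in d.resources:
        return True
    kind, _, arg = resource.partition(":")
    if kind == "dept":  # employees only reach their own department's resources
        return "dept" in d.resources and DEPT_OF_USER.get(d.user) == arg
    return kind in d.resources
```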


Choice of hardware

Different situations require different physical configurations: integrated or external antennas, mounting on wall or ceiling and so on. Look for a comprehensive hardware range that includes all the features you need in all configurations.

The correct choice of wired switches is also important for supporting a unified data plane. The best wired edge switches are designed specifically for this purpose: they run a single easy-to-use operating system that provides identity management, stacking and many other advanced edge features across the infrastructure, from access point to core, without needing customisation.

A good management solution will do much to simplify management and maintenance and so reduce the operating cost of the wireless network. As well as monitoring and surveying the network it should provide detailed diagnostic tools and deliver reports to assist the manager.

Keeping costs down

As more employees join the BYOD trend, the time and management costs may keep rising. A correctly designed network, however, with a unified wired/wireless data plane and purpose-built operating system, will not only scale seamlessly but also remains secure and manageable.

In practice, the right choice of access points, controllers and software has been shown to reduce the total operating costs by 30 to 50%, let alone the advantage of having a unified system scalable to the heavy demands of the BYOD trend.

For the IT department, BYOD can prove a headache. Without a strategy to ensure that the corporate network is up to the task, the gains in productivity and the savings from not buying equipment for employees will be offset by an enormous increase in network complexity and management costs.

On the other hand, the right strategy and choices will not only support seamless integration of BYOD but also ensure high security and wireless performance at near wired levels, without further demands on the IT department's time and resources.
