When a BYOD user or visitor needs network access, how do you roll out the welcome mat without leaving the door wide open to anyone who wanders by? Plenty of organizations use conventional pre-shared keys or MAC authentication to get BYOD users and visitors on the network. While these mechanisms seem reasonable, they have some major security flaws. What’s so bad about traditional pre-shared keys (PSKs) and MAC authentication for guest and BYOD onboarding from an IT security perspective?
Let’s look at some issues:
1. What’s the problem with pre-shared keys?
When users ask for “the Wi-Fi password”, they are asking for pre-shared keys. Suppose an IT administrator sets up a Wi-Fi SSID with an assigned PSK, and then simply gives that PSK to anyone who requires network access. Maybe you even use this approach yourself—why not? Well, for a few reasons.
Start with the fact that when you have a single Wi-Fi password, you have no way to control who has access to it. Users can—and do—share Wi-Fi passwords with others, even people you might not want to have access to your network. When everybody’s sharing the same password, there’s also no way to revoke access to an individual user—say, when someone leaves the organization.
2. What about MAC Authentication?
At least PSKs encrypt data traffic in transit over the air. When you use MAC authentication to provide network access for BYOD and guest users, that’s not the case: anyone can intercept that data traffic. Attackers also find it easy to spoof MAC addresses and thereby gain unauthorized access to the network.
With both PSKs and MAC authentication, you have no way to associate each device with a user. As a result, there is no effective way to block a particular device or user from accessing the network, or to limit what that device is allowed to do once it is on the network.
Solution: the key steps to mitigate the risks of BYOD devices are:
- Protect sensitive data
- After securing your data, ensure the security of your network. Instead of relying on generic firewalls for data security, deploy a dedicated solution. Then lock down your network from the outside world to close the security holes that BYOD devices can open, and actively monitor the devices connected to your network and their activity.
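As an added example (not code from the original article or any vendor), here is a small monitor that illustrates the last step above and the MAC-authentication weakness described earlier. It walks constructed wireless-association and DHCP log lines and flags two signals that a MAC address used for network access is being shared or spoofed: the same MAC holding sessions on two different access points at once for longer than a roaming grace window, and a MAC whose DHCP hostname or vendor-class fingerprint changes between leases. The log format, the AP names, the MAC addresses and the 60-second grace window are all assumptions made for the example.

```python
"""Flag shared or spoofed MAC addresses from constructed association/DHCP logs.

Added example, not part of the original article. The log format below is an
assumption (one event per line, key=value fields); real controllers and DHCP
servers use their own formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape: "<iso-timestamp> <event> mac=<mac> [ap=<ap>] [host=<h>] [vendor=<v>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>assoc|disassoc|dhcp) mac=(?P<mac>[0-9a-f:]{17})"
    r"(?: ap=(?P<ap>\S+))?(?: host=(?P<host>\S+))?(?: vendor=(?P<vendor>\S+))?$"
)

# Constructed sample: MAC ...01 is seen on two APs at the same time and
# presents two different device fingerprints; MAC ...02 simply roams later.
SAMPLE_LOG = """\
2024-05-01T09:00:00 assoc mac=aa:bb:cc:00:00:01 ap=lobby-ap1
2024-05-01T09:00:02 dhcp mac=aa:bb:cc:00:00:01 host=janes-phone vendor=android-dhcp
2024-05-01T09:05:00 assoc mac=aa:bb:cc:00:00:01 ap=floor3-ap7
2024-05-01T09:05:01 dhcp mac=aa:bb:cc:00:00:01 host=DESKTOP-4F2 vendor=MSFT_5.0
2024-05-01T09:30:00 disassoc mac=aa:bb:cc:00:00:01 ap=lobby-ap1
2024-05-01T09:45:00 disassoc mac=aa:bb:cc:00:00:01 ap=floor3-ap7
2024-05-01T10:00:00 assoc mac=aa:bb:cc:00:00:02 ap=lobby-ap1
2024-05-01T10:00:01 dhcp mac=aa:bb:cc:00:00:02 host=visitor-laptop vendor=MSFT_5.0
2024-05-01T10:20:00 disassoc mac=aa:bb:cc:00:00:02 ap=lobby-ap1
2024-05-01T11:00:00 assoc mac=aa:bb:cc:00:00:02 ap=floor3-ap7
2024-05-01T11:00:02 dhcp mac=aa:bb:cc:00:00:02 host=visitor-laptop vendor=MSFT_5.0
"""

# Assumption: a genuine roam tears the old AP session down within a minute.
ROAM_GRACE_SECONDS = 60


def parse_log(text):
    """Parse log text into a list of event dicts, skipping unrecognised lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_overlapping_sessions(events, grace=ROAM_GRACE_SECONDS):
    """Return MACs that kept a session on one AP open for longer than `grace`
    seconds after starting a session on a different AP."""
    open_sessions = defaultdict(dict)  # mac -> {ap: association time}
    flagged = set()
    for e in events:
        mac, ap = e["mac"], e["ap"]
        if e["event"] == "assoc":
            open_sessions[mac][ap] = e["ts"]
        elif e["event"] == "disassoc":
            started = open_sessions[mac].pop(ap, None)
            if started is None:
                continue
            # Any session that began while this one was open, and that this one
            # outlived by more than the grace window, means two radios used one MAC.
            for other_start in open_sessions[mac].values():
                if other_start > started and (e["ts"] - other_start).total_seconds() > grace:
                    flagged.add(mac)
    return flagged


def find_fingerprint_changes(events):
    """Return MACs whose DHCP hostname/vendor-class pair differs between leases."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "dhcp":
            seen[e["mac"]].add((e["host"], e["vendor"]))
    return {mac for mac, fingerprints in seen.items() if len(fingerprints) > 1}


def report(text):
    """Run both checks over a log and return the flagged MACs per check."""
    events = parse_log(text)
    return {
        "overlap": sorted(find_overlapping_sessions(events)),
        "fingerprint_change": sorted(find_fingerprint_changes(events)),
    }


if __name__ == "__main__":
    for check, macs in report(SAMPLE_LOG).items():
        print(f"{check}: {', '.join(macs) or 'none'}")
```

Neither signal proves spoofing on its own: a user who re-images a laptop changes its DHCP fingerprint, and some client roaming leaves the old association lingering, which is why the overlap check tolerates a grace window. The value of the exercise is what it cannot do: with MAC authentication there is no user identity behind the address, so the best the monitor can say is "this MAC looks like two devices", not who to contact or which account to disable.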