Facing a scenario where iPads and other tablet devices are being considered and trying to deal with the ramifications on security and network planning.
Our current infrastructure is fairly strict - but works in terms of very little, if any, security / virus issues etc.
Our 6th form student wireless network (unmanaged BYOD) runs off Aruba - and using their firewall policies we are able to have it so that there are 3 fundamental rules in place.
1. No device on the wireless can talk point to point to another wireless device (stops propagation of viruses and also internal LAN gaming etc.)
2. Only HTTP (80) and HTTPS (443) traffic is allowed through the Aruba firewall, and only then out via inline proxy.
3. Broadcast traffic is turned off (just trying to minimise traffic and preserve bandwidth)
So - having the above in place means the following won't work - and I know it won't work.
Apple TVs: We are not able to get Apple TV to work with iPad mirroring as it requires broadcast traffic to be turned on to be discovered (from what I have read). We know it does work, as when we turn on broadcasts and ANY ANY on the Aruba firewall - no issues - AirPlay works a treat.
Certain iPad apps (in fact more and more) such as CloudOn - iSwifter - Rover - require non-standard ports and often a huge range of ports to be open on the firewall. They do not work over standard 80/443 - nor do they work on only 1 or 2 ports. Again - remove the rule on the firewall and all works.
iPad Apps and the Teacher PC.
Currently looking at a few different apps, particularly Promethean ActivEngage for the iPad, which works by talking to the Promethean software on the teacher's PC. Of course the teacher PC is on the wired LAN and the student iPad is on the wireless LAN, and never the twain shall meet (in an unmanaged wireless BYOD network).
So - yes, I can throw security and IMO good network practice out the window and everything will work. BUT DO I NEED TO??
Is anyone doing anything like this, and are there any ways around it?
I have thought about a different SSID / VLAN just for iPads (secured via certificates / iPad profile) that has open ports and can talk to the internal network - but...
This works on the assumption that iPads are safe and are not / nor ever will be a malicious device.
Also - to get Apple TV to work - I need to enable broadcast traffic and this is not something anyone recommends (do they?? Anyone doing it and seeing any negative impact?)
We are not talking a small network here - we are talking potentially 600-800 iPads!
So - would be glad of any advice.
From talking with people who have already been doing some of this ... they will (eventually) admit that they have cut corners and opened things up ... but they have tried to limit the damage as much as they can. Trying to find the relevant ports is difficult, and it is often easier to go for open and then lock down rather than the traditional locked down then release: log what ports are used and then start to close things down ... CloudOn is currently using TCP 443, UDP 3478-3479, and 9000-9999 ... and it might be an idea if someone started to log the relevant ports used by the different apps / tools on the various mobile devices ... this also affects Android as well.
When looking at getting devices talking to one another ... to some extent you might have to start being specific about the traffic which can be allowed. That might be broadcast traffic only to the iPads, routing enabled between the iPads and the teacher's desktop ...
Or go for a higher-end network which will automatically deal with what appears to be aggressive traffic ... and these come at a high cost! We all remember those lovely Cisco ads telling us how the network heals itself ... shame it doesn't heal the bank balance too!
Short answer: traditional security corners are being cut, but people are accepting this as a manageable risk and a pay-off against the benefits of the equipment. The more you spend (on the equipment, on expertise setting it up, or your time to set up / manage), the better it can allow you to manage it.
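As an added example (not from either poster) of the "log what ports are used, then close things down" approach: a script that reads firewall deny records for one test iPad running one app and reports the compact port ranges it tried to reach, so a narrow allow rule can be written per app instead of ANY/ANY. The log line format, the addresses and the regex are assumptions; every sample line is constructed and is not real Aruba output.

```python
"""Summarise which ports a firewall log shows being denied for a test device,
so an app's real port needs can be read off instead of opening ANY/ANY.
Added example; log format and sample lines are constructed, not Aruba output."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>tcp|udp) "
    r"dst=(?P<dst>[^:\s]+):(?P<dport>\d+) action=(?P<action>permit|deny)$"
)

# Constructed sample: one test iPad (10.20.1.15) running one app, so every
# deny from that address can be attributed to that app.
SAMPLE_LOG = """\
2024-01-01T09:00:01 src=10.20.1.15 proto=tcp dst=203.0.113.10:443 action=permit
2024-01-01T09:00:02 src=10.20.1.15 proto=udp dst=203.0.113.10:3478 action=deny
2024-01-01T09:00:02 src=10.20.1.15 proto=udp dst=203.0.113.10:3479 action=deny
2024-01-01T09:00:05 src=10.20.1.15 proto=udp dst=203.0.113.11:9000 action=deny
2024-01-01T09:00:05 src=10.20.1.15 proto=udp dst=203.0.113.11:9001 action=deny
2024-01-01T09:00:06 src=10.20.1.15 proto=udp dst=203.0.113.11:9999 action=deny
2024-01-01T09:00:07 src=10.20.1.99 proto=udp dst=203.0.113.11:5000 action=deny
not a firewall record, skipped by the parser
"""

def parse_log(text):
    """Yield one dict per well-formed record; other lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def collapse_ranges(ports):
    """Collapse {3478, 3479, 9000, 9001, 9999} into ['3478-3479', '9000-9001', '9999']."""
    out, run = [], []
    for p in sorted(set(ports)) + [None]:      # None flushes the last run
        if run and p == run[-1] + 1:
            run.append(p)
            continue
        if run:
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
        run = [p]
    return out

def denied_ports(text, src):
    """Map (dst, proto) -> compact port ranges the firewall denied for src.
    These are candidates for a narrow allow rule, not a reason to open ANY/ANY."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        if rec["src"] == src and rec["action"] == "deny":
            seen[(rec["dst"], rec["proto"])].add(int(rec["dport"]))
    return {key: collapse_ranges(ports) for key, ports in sorted(seen.items())}
```

Calling `denied_ports(SAMPLE_LOG, "10.20.1.15")` gives the UDP 3478-3479 and 9000-9001, 9999 candidates; the observed set is a subset of what the app may use, so widen only after confirming with a longer capture.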