Bring your own device (BYOD) is the policy of allowing employees to use their personal computing devices for work. Even before the COVID-19 pandemic, 95 % of enterprises were implementing BYOD in some form or another. However, its uptake has only been accelerated by the pandemic, as more organizations adopt work-from-home policies. As the post-pandemic normal involves a hybrid work model, BYOD will inevitably continue being the standard.
Network address translation for BYOD
Connecting BYOD devices to an enterprise network requires network address translation (NAT), a process that translates public IP addresses into private ones and vice versa. NAT is done using network devices such as DSL modems, routers, wireless access points or wireless access controllers. These NATing devices enable laptops and smartphones to access the public internet while keeping their private addresses hidden. NAT became particularly useful in internet protocol version 4 (IPv4) given the limited number of IPv4 addresses, especially across LAN and WAN networks with hundreds of desktop and mobile devices connecting to the internet simultaneously.
NAT: a hidden threat?
While NAT has its benefits, it is not without risks. Most simply, NAT can lead to network performance impairment. As external devices not owned or monitored by an enterprise are able to partake in an enterprise network, the use of hidden BYOD devices via NAT can result in enterprise network resources being overused or abused by unauthorized devices and applications.
More significantly, devices hidden behind NAT can lead to various network security issues. These can be broadly divided into two kinds: negligence and sabotage. Security issues due to negligence arise from situations in which internal and external users unintentionally introduce threats into the network. This can happen in a variety of ways. Personal devices brought onto the enterprise network using NAT could be infected with malware or they could be incompatible with the broader security apparatus and procedures of an enterprise and so create an insecure access point to the internal network. This could ultimately result in an enterprise's data being compromised or their applications being undermined.
Alternatively, the network security issues borne by NAT can be deliberate and malicious. Both internal and external users can intentionally sabotage a network with cyberattacks – either attackers on the public internet being able to map themselves into the enterprise's private network or users with private IP addresses being able to link the enterprise with the public web for nefarious purposes. Be it through the injection of malware or spyware, spurring a DDoS attack using various network devices, or through session hijacking and man-in-the-middle attacks, a malicious actor could access and damage web servers and application servers on the WAN while corrupting or stealing enterprise data and infecting other devices on the LAN. A perpetrator could be doing this to access data with crucial business or political implications, steal credentials for criminal purposes, or simply disrupt and cripple a rival enterprise.
Securing NAT through the network
For these reasons, it is a prerequisite for any enterprise using NAT to know what is taking place on its network. In other words, an enterprise IT administrator needs visibility into real-time IP traffic flows across all devices and applications being used on an enterprise network. One solution to accomplish this is the R&S NAT/mobile tethering transparency plug-in, which is an extension of ipoque's R&S®PACE 2 deep packet inspection (DPI) engine. The R&S NAT/mobile tethering transparency plug-in provides visibility into devices involved in NATing, enabling the proactive detection of unauthorized devices and usage of network resources.
DPI, the technology underpinning the R&S NAT transparency plug-in, looks at data packets for in-depth information about network traffic. There are two main aspects to its operation. First, there is traffic classification, by which it determines the protocol or the application associated with a data flow, leveraging a regularly updated traffic signature library. Via the analysis of the transmission control protocol (TCP) or user datagram protocol (UDP), the R&S NAT transparency plug-in enables gleaning information from the operating systems behind a NATing device, which helps to uncover hidden devices. Second, the DPI core of the plug-in is capable of extracting metadata and can thus identify traffic attributes such as bandwidth, latency, speed and jitter. This helps in identifying a sudden peak in network usage due to unauthorized downloads of critical data, or impairment to the network due to an ongoing attack on its resources.
These features enable the R&S NAT transparency plug-in to provide IT administrators with information such as the number of devices connected to a NATing device, the NAT detection state, device groups and currently used heuristic methods, and more. The plug-in boasts high accuracy and is continuously updated to reflect the latest traffic and security trends. The information collected is centralized and structured in a simple and flexible form, and can be shared through the network as desired.
Bolstering BYOD with DPI insights
Equipped with insights on the number and types of devices on the network and the applications they run, IT administrators are able to implement better BYOD policies, formalizing unauthorized usages and introducing security measures for BYOD devices. They can monitor BYOD devices to ensure compliance and detect misuse of network resources. At the same time, routers and wireless access points can be monitored both for security threats and performance issues. Real-time detection of anomalies and threats enables the implementation of alerts and traffic blocking, with long term data being translated into improved security policies. Information provided by the R&S NAT transparency plug-in can also be translated into better LAN architecture, with NATing devices optimized in terms of numbers and distribution so that they are better aligned to current usage patterns.
In all, with the R&S NAT transparency plug-in, enterprises can rest easy knowing that they have in-depth and real-time visibility into any possible external or unauthorized device connecting to their network. As enterprises expand their capacity through NAT and BYOD, DPI can serve as the basis for guaranteeing that these capacities do not lead to their own pitfalls.
Download the product information sheet on our NAT/mobile tethering transparency plug-in for enterprise IT security.