Uncovering hidden devices: using DPI to deliver tethering transparency for enterprise networks

Stephan Klokow portrait

by Stephan Klokow
published on: 07.09.2021

Reading time: ( words)
Categories: Network security

Bring your own device (BYOD) is the policy of allowing employees to use their personal computing devices for work. Even before the COVID-19 pandemic, 95 % of enterprises were implementing BYOD in some form or another. However, its uptake has only been accelerated by the pandemic, as more organizations adopt work-from-home policies. As the post-pandemic normal involves a hybrid work model, BYOD will inevitably continue being the standard.

Tethering for BYOD

Connecting BYOD devices to an enterprise network requires tethtering, a process that translates public IP addresses into private ones and vice versa. Tethering is done using network devices such as DSL modems, routers, wireless access points or wireless access controllers. These tethering and hotspot devices enable laptops and smartphones to access the public internet while keeping their private addresses hidden. Tethering became particularly useful in internet protocol version 4 (IPv4) given the limited number of IPv4 addresses, especially across LAN and WAN networks with hundreds of desktop and mobile devices connecting to the internet simultaneously.

Tethering: a hidden threat?

While tethering has its benefits, it is not without risks. Most simply, tethering can lead to network performance impairment. As external devices not owned or monitored by an enterprise are able to partake in an enterprise network, the use of hidden BYOD devices via tethering can result in enterprise network resources being overused or abused by unauthorized devices and applications.

More significantly, devices hidden behind tethering can lead to various network security issues. These can be broadly divided into two kinds: negligence and sabotage. Security issues due to negligence arise from situations in which internal and external users unintentionally introduce threats into the network. This can happen in a variety of ways. Personal devices brought onto the enterprise network using tethering could be infected with malware or they could be incompatible with the broader security apparatus and procedures of an enterprise and so create an insecure access point to the internal network. This could ultimately result in an enterprise's data being compromised or their applications being undermined.

Alternatively, the network security issues borne by tethering can be deliberate and malicious. Both internal and external users can intentionally sabotage a network with cyberattacks – either attackers on the public internet being able to map themselves into the enterprise's private network or users with private IP addresses being able to link the enterprise with the public web for nefarious purposes. Be it through the injection of malware or spyware, spurring a DDoS attack using various network devices, or through session hijacking and man-in-the-middle attacks, a malicious actor could access and damage web servers and application servers on the WAN while corrupting or stealing enterprise data and infecting other devices on the LAN. A perpetrator could be doing this to access data with crucial business or political implications, steal credentials for criminal purposes, or simply disrupt and cripple a rival enterprise.

Securing tethering through the network

For these reasons, it is a prerequisite for any enterprise using tethering to know what is taking place on its network. In other words, an enterprise IT administrator needs visibility into real-time IP traffic flows across all devices and applications being used on an enterprise network. One solution to accomplish this is the R&S mobile tethering detection plug-in, which is an extension of ipoque's R&S®PACE 2 deep packet inspection (DPI) engine. The R&S mobile tethering detection plug-in provides visibility into devices involved in tethering, enabling the proactive detection of unauthorized devices and usage of network resources.

DPI, the technology underpinning the R&S mobile tethering detetction plug-in, looks at data packets for in-depth information about network traffic. There are two main aspects to its operation. First, there is traffic classification, by which it determines the protocol or the application associated with a data flow, leveraging a regularly updated traffic signature library. Via the analysis of the transmission control protocol (TCP) or user datagram protocol (UDP), the R&S mobile tethering detection plug-in enables gleaning information from the operating systems behind a tethering and hotspot device, which helps to uncover hidden devices. Second, the DPI core of the plug-in is capable of extracting metadata and can thus identify traffic attributes such as bandwidth, latency, speed and jitter. This helps in identifying a sudden peak in network usage due to unauthorized downloads of critical data, or impairment to the network due to an ongoing attack on its resources.

These features enable the R&S mobile tethering detection plug-in to provide IT administrators with information such as the number of devices connected to a tethering and hotspot device, the tethering detection state, device groups and currently used heuristic methods, and more. The plug-in boasts high accuracy and is continuously updated to reflect the latest traffic and security trends. The information collected is centralized and structured in a simple and flexible form, and can be shared through the network as desired.

Bolstering BYOD with DPI insights

Equipped with insights on the number and types of devices on the network and the applications they run, IT administrators are able to implement better BYOD policies, formalizing unauthorized usages and introducing security measures for BYOD devices. They can monitor BYOD devices to ensure compliance and detect misuse of network resources. At the same time, routers and wireless access points can be monitored both for security threats and performance issues. Real-time detection of anomalies and threats enables the implementation of alerts and traffic blocking, with long term data being translated into improved security policies. Information provided by the R&S mobile tethering detection plug-in can also be translated into better LAN architecture, with tethering and hotspot devices optimized in terms of numbers and distribution so that they are better aligned to current usage patterns.

In all, with the R&S mobile tethering detection plug-in, enterprises can rest easy knowing that they have in-depth and real-time visibility into any possible external or unauthorized device connecting to their network. As enterprises expand their capacity through tethering and BYOD, DPI can serve as the basis for guaranteeing that these capacities do not lead to their own pitfalls.

Stephan Klokow portrait

Stephan Klokow

Contact me on LinkedIn

Stephan holds a degree in computer science and has more than 13 years of leadership experience in IT as well as product and software development. Since 2017, he has been the director of DPI at ipoque. As part of his professional career, he has been responsible for the development of digital products and solutions for smart home and IoT technology and has lead national and international IT projects. When he's not at work, he spends time with his family. You might also bump into him on the soccer field or at the gym.

Email: stephan.klokow@rohde-schwarz.com

Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque