Dynamic Network Segmentation for BYOD Clients
Objective
Dynamic network segmentation is used to track all BYOD (bring your own device) clients inside the internal company network and to restrict their access to company-critical resources, for example an internal file server.
Employees and visitors connect their own private devices to the company network. Since these devices are not covered by the company security policies, they cannot be trusted and may be used to compromise the security of the company network.
BYOD clients are identified by their behavior in the network. In this example, we assume that WhatsApp is not permitted on company-managed devices. Therefore, any device that generates WhatsApp traffic is classified as a BYOD client.
The internal file server is contained in a dedicated static network object. A dynamic network object tracks BYOD clients by storing their MAC addresses. Since a device's MAC address normally does not change, no timeout needs to be specified and devices remain tracked as BYOD indefinitely. Keep in mind, however, that a MAC address is not a strong identity: it can be changed by the user, and current mobile operating systems may present a randomized MAC address per Wi-Fi network, so a device can reappear under a new address and is only classified again once it generates WhatsApp traffic again. The maximum size of the dynamic network object has to be set large enough to store all expected device entries.
Creating the Static Network Object for the File Server
Create a static network object that characterizes your internal file server.
The following table shows the required settings of the static network object (the name is your choice):

Name | Network | IP Addresses | MAC Addresses
---|---|---|---
 | Internal | | Included: MAC address of the internal file server
Creating the Dynamic Network Object for BYOD Clients
Create a dynamic network object that stores the BYOD clients.
The following table shows the required settings of the dynamic network object (the name is your choice):

Name | Network | Size | Timeout
---|---|---|---
 | External | large enough for all expected BYOD devices (see note below) | 0
For detailed instructions on how to create a global dynamic network object, refer to Creating Dynamic Network Objects.
Note
Make sure that the size of the dynamic network object is large enough to store all device entries.
Tip
A timeout of 0 means that the entries are not removed automatically.
Creating the Rule Set
Configure two global rules:
Rule 1 enters the MAC address of every host that generates WhatsApp traffic into the dynamic network object. It has no final action, so the WhatsApp traffic itself is only recorded, not blocked, and rule processing continues.
Rule 2 blocks all traffic from hosts in the dynamic network object to the internal file server.
The following table shows the required rule settings:

Rule | Source | Destination | Condition | Actions
---|---|---|---|---
1 | | | Classification: WhatsApp | Dynamic Network Object: enter the source MAC address into the dynamic network object for BYOD clients
2 | Dynamic network object for BYOD clients | Static network object for the file server | | Final Action: Reject Traffic and Stop Processing
For detailed instructions on how to create a rule, refer to Creating Global Rules.
Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.
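The following is an added example, not part of the original page and not vendor code: a small Python simulation of the two-rule policy above, so you can see how the dynamic network object behaves before committing the configuration. The flow records, the file server MAC address and the classification labels are constructed for illustration. The simulation goes slightly beyond the page by also modelling the two settings the notes warn about: an object that is too small silently stops tracking new devices, and a non-zero timeout lets a tracked device regain access once its entry expires.

```python
"""Simulation of the dynamic-segmentation rule set (added example, not vendor code).

Models a static network object (file server, matched by MAC), a dynamic network
object keyed on source MAC with a maximum size and a timeout (0 = never expire),
and two rules evaluated in order:
  rule 1: classification == whatsapp -> add source MAC to the dynamic object, continue
  rule 2: source MAC in dynamic object and destination == file server -> reject, stop
"""
from dataclasses import dataclass, field

FILE_SERVER_MAC = "00:11:22:33:44:55"   # assumed value for the example


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start
    src_mac: str
    dst_mac: str
    app: str         # application classification result, e.g. "whatsapp", "smb"


@dataclass
class DynamicNetworkObject:
    size: int
    timeout: float = 0.0                         # 0 means entries are never removed
    entries: dict = field(default_factory=dict)  # mac -> timestamp of last insertion

    def expire(self, now: float) -> None:
        if self.timeout <= 0:
            return
        stale = [m for m, t in self.entries.items() if now - t > self.timeout]
        for m in stale:
            del self.entries[m]

    def add(self, mac: str, now: float) -> bool:
        """Add or refresh an entry; returns False if the object is full."""
        self.expire(now)
        if mac in self.entries:
            self.entries[mac] = now
            return True
        if len(self.entries) >= self.size:
            return False      # object full: the device is NOT tracked (sizing caveat)
        self.entries[mac] = now
        return True

    def contains(self, mac: str, now: float) -> bool:
        self.expire(now)
        return mac in self.entries


@dataclass
class Policy:
    byod: DynamicNetworkObject
    file_server_mac: str = FILE_SERVER_MAC

    def evaluate(self, flow: Flow) -> str:
        # Rule 1: no final action, so processing continues after the MAC is recorded.
        if flow.app == "whatsapp":
            self.byod.add(flow.src_mac, flow.ts)
        # Rule 2: reject traffic from tracked BYOD clients to the file server.
        if self.byod.contains(flow.src_mac, flow.ts) and flow.dst_mac == self.file_server_mac:
            return "reject"
        return "accept"


def decisions(flows, size: int = 100, timeout: float = 0.0) -> list:
    """Return the rule-set decision for every flow, in order."""
    policy = Policy(DynamicNetworkObject(size=size, timeout=timeout))
    return [policy.evaluate(f) for f in flows]


# Constructed flow records: device ..01 is a BYOD client, ..02 a managed device,
# ..03 a second BYOD client that appears later.
DEV1, DEV2, DEV3 = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
INTERNET = "ff:ff:ff:00:00:99"  # assumed gateway MAC for non-local destinations
SAMPLE_FLOWS = [
    Flow(0, DEV1, FILE_SERVER_MAC, "smb"),   # accepted: device not yet classified
    Flow(1, DEV1, INTERNET, "whatsapp"),     # accepted, but DEV1 is now tracked
    Flow(2, DEV1, FILE_SERVER_MAC, "smb"),   # rejected
    Flow(3, DEV1, INTERNET, "https"),        # accepted: Internet access still works
    Flow(4, DEV2, FILE_SERVER_MAC, "smb"),   # accepted: managed device
    Flow(5, DEV3, INTERNET, "whatsapp"),     # tracked only if the object has room
    Flow(6, DEV3, FILE_SERVER_MAC, "smb"),   # rejected unless the object was full
    Flow(10, DEV1, FILE_SERVER_MAC, "smb"),  # rejected with timeout 0, accepted once expired
]

if __name__ == "__main__":
    for label, kw in (("default", {}), ("size=1", {"size": 1}), ("timeout=1.5", {"timeout": 1.5})):
        print(label, decisions(SAMPLE_FLOWS, **kw))
```

The first flow shows the inherent limitation of behavior-based classification: a device reaches the file server until it has been observed generating WhatsApp traffic. The `size=1` run shows why the sizing note matters, and the `timeout=1.5` run shows why the timeout is left at 0 for this use case.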
Result
BYOD clients in the company network are tracked and denied access to the internal file server. At the same time, they can still use the company network for other purposes, such as connecting to the Internet. Note that a device is entered into the dynamic network object only after it has been observed generating WhatsApp traffic; until then it is treated like any other internal client, so this control complements rather than replaces authentication at the file server itself.