Dynamic Network Segmentation for BYOD Clients

Objective

Using dynamic network segmentation, all BYOD (bring your own device) clients inside an internal company network are tracked. Their access to company-critical resources, for example an internal file server, is restricted.

Employees and visitors connect their own private devices to the company network. Since these devices are not covered by company security policies, they should not be trusted and may be used to compromise the security of the company network.

BYOD clients are identifiable by their behavior in the network. In this example, we assume that WhatsApp is not allowed on internal devices. Therefore, any device generating WhatsApp traffic is classified as a BYOD client.

The internal file server is contained in a dedicated static network object. A dynamic network object tracks BYOD clients by storing their MAC addresses. Because of the persistent nature of MAC addresses, there is no need to specify a timeout and devices can be tracked as BYOD for an unlimited amount of time. The maximum size of the dynamic network object has to be set sufficiently large to store all device entries.

Creating the Static Network Object for the File Server

Create a static network object that characterizes your internal file server.

The following table shows the required settings of the static network object:

Name: File Server
Network: Internal
IP Addresses: (leave empty)
MAC Addresses: Included: MAC address of the internal file server

Creating the Dynamic Network Object for BYOD Clients

Create a dynamic network object that stores the BYOD clients.

The following table shows the required settings of the dynamic network object:

Name: BYOD Hosts
Network: External
Size: 10000
Timeout: 0

For detailed instructions on how to create a global dynamic network object, refer to Creating Dynamic Network Objects.

Note

Make sure that the size of the dynamic network object is large enough to store all device entries.

Tip

A timeout of 0 means that the entries are not removed automatically.

Creating the Rule Set

Configure two global rules:

  • Rule 1 enters the MAC addresses of all hosts that generate WhatsApp traffic into the dynamic network object.

  • Rule 2 blocks all traffic from hosts in the dynamic network object to the internal file server.

The following table shows the required rule settings:

Rule 1
  Source: Any
  Destination: Any
  Condition:
    Classification
      Included Applications/Protocols: WhatsApp
  Actions:
    Dynamic Network Object
      Operation: Add
      Host Identifier: MAC Address
      Who: Client
      Target Dynamic Network Object: BYOD Hosts

Rule 2
  Source: BYOD Hosts
  Destination: File Server
  Condition: (none)
  Actions:
    Final Action: Reject Traffic and Stop Processing

For detailed instructions on how to create a rule, refer to Creating Global Rules.

Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.

Result

BYOD clients in the company network are tracked and denied access to the internal file server. At the same time, they are still able to use the company network for other purposes, such as connecting to the Internet.
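The behavior of the two rules, simulated as an added example that is not part of this documentation or the product: a small model of a dynamic network object (size limit, timeout 0 meaning no automatic removal, MAC address as host identifier) and a rule evaluator replaying constructed flow records. All MAC addresses and the flow records are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class DynamicNetworkObject:
    """Simulated dynamic network object: a bounded set of host identifiers
    (MAC addresses here) with an idle timeout; timeout 0 means never expire."""
    name: str
    size: int
    timeout: int = 0
    entries: dict = field(default_factory=dict)  # MAC address -> time last added

    def expire(self, now):
        if self.timeout > 0:  # only a non-zero timeout removes entries automatically
            self.entries = {m: t for m, t in self.entries.items() if now - t < self.timeout}

    def add(self, mac, now):
        self.expire(now)
        if mac not in self.entries and len(self.entries) >= self.size:
            return False  # object is full: this host is silently not tracked
        self.entries[mac] = now
        return True

    def contains(self, mac, now):
        self.expire(now)
        return mac in self.entries

FILE_SERVER_MAC = "02:00:00:00:00:01"  # constructed MAC for the static "File Server" object

def process_flow(flow, byod_hosts, now):
    """Evaluate the two global rules in order for one flow; return the final action."""
    # Rule 1: Source Any, Destination Any, Condition: classified as WhatsApp.
    # Action: add the client's MAC to BYOD Hosts; no final action, so processing continues.
    if flow["app"] == "WhatsApp":
        byod_hosts.add(flow["client_mac"], now)
    # Rule 2: Source BYOD Hosts, Destination File Server: reject and stop processing.
    if byod_hosts.contains(flow["client_mac"], now) and flow["server_mac"] == FILE_SERVER_MAC:
        return "reject"
    return "accept"  # no rule rejected the flow

def run_example():
    """Replay constructed flows from a private phone (aa:...) and a managed laptop (bb:...)."""
    byod_hosts = DynamicNetworkObject("BYOD Hosts", size=10000, timeout=0)
    phone, laptop, internet = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    flows = [
        {"client_mac": phone, "server_mac": FILE_SERVER_MAC, "app": "SMB"},   # not yet classified
        {"client_mac": phone, "server_mac": internet, "app": "WhatsApp"},     # phone becomes BYOD
        {"client_mac": phone, "server_mac": FILE_SERVER_MAC, "app": "SMB"},   # now rejected
        {"client_mac": phone, "server_mac": internet, "app": "HTTPS"},        # Internet still works
        {"client_mac": laptop, "server_mac": FILE_SERVER_MAC, "app": "SMB"},  # managed device unaffected
    ]
    return [process_flow(f, byod_hosts, t) for t, f in enumerate(flows)]
```

The first flow from the phone is still accepted because classification happens on the first WhatsApp flow; only later flows to the file server are rejected, and a too-small size would leave later BYOD hosts untracked.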