Conference Paper · November 2013


DOI: 10.1109/ICCSCE.2013.6719923



Implement Network Security Control Solutions in BYOD Environment

Khoula AlHarthy
Department of Computing
Middle East College
Muscat/Oman
khoula@mec.edu.om

Wael Shawkat
Department of IT
Middle East College
Muscat/Oman
Wshawkat@mec.edu.om

Abstract—Bring Your Own Device (BYOD) security is the way to protect an organization's network against the variety of threats which come through mobile devices and access channels. This research paper explains the implementation of a BYOD security solution in a higher education institution in Oman. This security solution will help to protect the network data from unauthorized access, as well as to control unmanaged devices, which are smartphones and mobile devices. This research follows these steps: literature review, data collection, analysis, design of the network structure with the suggested solution, and implementation of the BYOD security solutions, as well as monitoring the network performance with the implemented solutions to keep track of traffic flow with high availability and security. This research paper will help to facilitate the work of the network users by allowing BYOD, as well as increasing the network availability, ability and security through 802.1x, CA and RADIUS.

Index Terms—BYOD, Network infrastructure, BYOD implementation, Security, BYOD solutions

I. INTRODUCTION

The dramatic increase in the use of mobile devices in the work environment makes the IT members in each organization start planning how to deal with this overload of access to the network. Consumerization is not a new topic in the IT world. However, BYOD or consumerization increases organizational productivity because the staff keep working from their mobile devices whenever they can, including outside working hours. Also, BYOD increases the speed of work as well as customer satisfaction because of good communication and fast response. But then again, the real concern is about dealing with BYOD devices and providing the flexibility to access the network with security at the same time. That is because different threats can appear through allowing BYOD: losing a smartphone will cause the loss of the data in it and will also allow unauthorized users to read it; also damaged devices, worms and harmful applications which cannot be controlled by the administrator.

This paper is to design and implement a BYOD solution which builds a security strategy for an educational institution. The strategy focuses on providing almost all details about the latest BYOD threats which affect the network, and the security requirements to prevent these threats.

II. RELATED WORK

Donahue, Tom in his book [1] has agreed that BYOD in the work environment increased productivity, but he added that BYOD connection also enhances customer services, as employees can respond to customer inquiries and deal with problems from any place at any time. Additionally, the network administrator can control the user devices and monitor the business data without affecting the user's privacy in his personal information [2]. [1] Loss or theft of mobile devices is the biggest risk that a business could face by implementing BYOD, because it leads to loss of data to an unknown user.

With the increased number of mobile device holders and access to the Wi-Fi, the network administrator should increase availability and uptime. Furthermore, the users start to use their mobile devices for video conferences; this needs added bandwidth and uptime while reducing the possibilities of downtime [3]. The BYOD risk can be covered in five main risks: mobile applications gap, user's policies, lack of device protection level, attacks, and bandwidth capacity [4]. Bandwidth is the risk that IT professionals think about most, because it leads to reduced network performance and increased downtime [5]. With the increased number of mobile users over the network, the administrator needs to make sure that everything is under his control and that he is able to manage mobile devices like the normal PCs and laptops in the company. However, security is acting as the first-priority risk that IT professionals should deal with, especially with the increasing number of harmful mobile applications which are easily provided to the user. Moreover, accessing through wireless and using LAN resources such as IP address, file server and others is causing huge concern about how the administrator will be able to apply the policies and access restrictions.
III. METHOD

This section describes the procedure that has been followed to complete the BYOD framework, as in Fig. 1. The first step is data collection, where primary and secondary data collection methods have been used to get all the details about the users and the network. In the primary data collection, the interview and the questionnaire are the two methods which were followed to gather the data; later in this paper the results and the findings that we got will be given. After data collection, the second step starts, which is analyzing the current network and environment. Through analyzing we try to find the problems and possible risks the network can face because of BYOD [6]. The third step is designing the network with possible solutions that can help to reduce the risk, and locating the network devices. The fourth step is implementation and testing, in which we configure the network devices and system to control mobile device access over the network and test the efficiency of the solutions.

In the end, the recommendation will be given for future improvement, because BYOD is a new system and risks will keep appearing in the BYOD environment; thus the process of improvement will keep cycling to increase the level of reliability in the network.

Figure 1: BYOD Project life cycle [6] (stages: Data collection and Literature; Analysis of current network; Design; Implementation and testing; Monitoring and recommendation)

Analysis:

Through the data collection process we analyzed the different types of data that have been collected during primary data collection [6]. The data will be presented in two categories, which are qualitative data and quantitative data. The network has two classifications of users, which are students and staff. The network access is divided into four parts. The first part is the area which is only for students. The second access part serves the area for the staff. The third access part is the server network area, which provides sharing services for both students and staff. Lastly, the fourth one is the DMZ (demilitarized zone) area, which allocates the services to the users who access from the internet. The institution network has two different networks, which are wired and wireless.

A. Authentication:

For wired and wireless networks there are different authentication processes for the users when they are accessing the network. If the user uses a local computer, he/she will need to pass user authentication only, because the device has already joined the domain and it is under control. Also, if the user plugs a network wire into his own PC and connects to the network, he will need to pass two authentication stages, which are computer authentication and user authentication; if the computer authentication failed, it will not open any services to the user and will deny the access request. Moreover, the authentication process of the staff is different from the students. When any staff member is accessing through the wireless they will pass three stages of authentication: the first stage is called hashing, which is authentication (encrypting the data), the second stage is computer authentication (join to domain) and the last stage is user authentication. All of this process is called WEP authentication [6][9]. This research paper will apply network authentication to mobile users through RADIUS and CA, which will be explained in the discussion part.

B. Firewall:

Forefront is the hardware firewall which is used in the institution. It is located at the front of the network and monitors all incoming and outgoing data between the network and the internet. The firewall directs the access either to the DMZ (public data area) or the private LAN, based on the level of authentication required and the user passing it. The main advantage of this firewall is that the firewall supplier keeps updating the server by giving the divisions or classifications of websites, for example games websites, shopping websites, educational websites and others. Thus, it automatically blocks harmful websites and adds them to its black list [6]. The main use of the firewall in this research is checking the traffic which comes from the wireless controller and defining whether it is authenticated; if yes, the firewall will apply all the rules and access permissions to this traffic.

IV. DATA ANALYSIS

The quantitative results show surprising results in some points. During the interview the network administrator was thinking that a smaller number of users are currently accessing the wireless network and using network resources. But the current results of the questionnaire show that 73% of the participants are using their own mobile device for internet browsing through the wireless network. Not only that, 46% of them are using more than one smartphone or mobile device. This means that the organization needs to apply a BYOD strategy as soon as possible to be able to control user access through the network lines. Moreover, currently the network administrator is blocking access to the network resources on the shared drive, remote access, or Active Directory, and allowing only HTTP access, which is web browsing. Fig. 2 shows that more than 48% of the participants very often access the network and 25% extremely often access the network [6].

Figure 2: Analysis of user level of usage over the network (chart: how often users use network services)

Figure 5: Percentage of users accessing the network (question: "Do you use more than one mobile device to access the network?")

With all of these given data, the main target will be to increase the network capability to be up all the time and to increase the security and manageability of its resources. But there will be a barrier, which is the restriction of social customs and dealing with social sensitivity regarding privacy.

Figure 3: Analysis of user level of usage over the network

The questionnaire asks the participants what exactly they access in the network. The result, as shown in Fig. 4, is that almost all the users are accessing the wireless network for internet browsing and e-mailing, which was above 66% of access. Some of the participants selected access to the shared drive or database, but actually until now they do not have permission to access these parts of the network remotely or over any device [6].

Figure 4: The services most used in the network (question: "Which of the following services is mostly accessed by you through your mobile device?")

V. DISCUSSION

The current network includes 6 running servers, which are Active Directory (Domain Controller), Exchange server (mail server), Moodle server, two storage servers (one for students and the other for staff) and lastly the frontend server, which is the firewall server. Moreover, it provides two main connections, wired and wireless, for students and staff. Each technical lab is separated in a different VLAN so that any students' practices will not affect the real network performance or configuration, such as projects labs, database labs and network labs. Moreover, the wireless connection is also divided into two VLANs, one for staff and the other for the students, because for each category different privileges and security levels should apply [6].

Figure 6: Current network

In the concept of increasing security over network access and network resources, it should also be made sure that these services are available to the users. During the questionnaire (Fig. 5),
the idea of separate access between students and staff in different VLANs increases the level of security and reduces the risk of students being able to access staff data. For that, the suggested solution is to create a separate VLAN which specifies a range of IP addresses for it. Thus, any mobile device access will go through this VLAN, which will be secured by a set of policies and permissions.

Figure 7: New mobile VLAN in the network

Data flow in the Mobile VLAN:

802.1x is a new Wi-Fi encryption standard and is among the most secure as well. 802.1x is used to increase the network protection against many network attacks such as DoS. In this proposed network, as in Fig. 7, the mobile user will access through the wireless access point, and it will be secured by using the 802.1x standard and using AES over CCMP, which is used to reach the highest speed in data transmission and encryption; then it will cross the switch and will need to be authenticated. To allow smartphone users to access through the wireless network of the enterprise, the administrator decided to add two main roles in Windows Server 2008 (Active Directory), which are Certificate Authority and RADIUS [7] (Remote Authentication Dial-In User Service). Both of the roles will work to authenticate the mobile users. When the mobile user accesses through the access point, it will be specified as a RADIUS client, so at that point RADIUS will centralize the authentication and the authorization of the user and help to increase the security of all access details over the network [7]. As well as this, the certificate authority will help to verify the mobile user access and validate their transmission [8].

The firewall and access point controller are playing a big role, where the access point controller authenticates the mobile user and makes sure that he accesses through the right SSID. After that, the firewall will define the traffic, apply the needed rules, then direct it to the mobile VLAN, which restricts the permissions on resource access and access limitations. The new updates of the firewall help to define the mobile serial numbers that access through the network and generate a report of all activities of the devices.

VI. CONCLUSION

The research presents a set of principles that any organization should follow before implementing the BYOD framework. As a consequence of these principles, one is provided with availability, usability, mobility and security. A summary of all findings that have been listed through the research steps indicates that the BYOD framework should be applied in phases, which is not the typical case as in other systems, in which the IT team will configure and then train the users how to use it. Upgrading the network infrastructure and adding a mobile VLAN using 802.1x as the encryption algorithm and supporting RADIUS and CA for authentication was only the first step of implementing BYOD in the organization, and a few more steps are required to achieve secure BYOD, such as upgrading the storage capacity to handle three times more data than it currently can, and monitoring the wireless performance and wireless bandwidth. All mobile devices such as smartphones and tablets are now able to access through the wireless connection. Finally, it is recommended to choose a BYOD management system which is compatible with the majority of mobile platforms.

ACKNOWLEDGMENT

I would like to thank the MIDDLE EAST COLLEGE, which is the sponsor of my research, its management, IT teams and colleagues for all their support. Thanks to Dr. Ahmed Norri and Dr. Mohammed Alani for their comments and support.
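The data flow described in Section V (the access point acting as a RADIUS client, RADIUS centralizing authentication and steering the user into the mobile VLAN) can be illustrated with a constructed RADIUS exchange. This is an added example, not code from the paper or the institution's deployment: the shared secret, user name and VLAN id are constructed, the server side is a stub that accepts every request, and the client-side check shows why the Response Authenticator must be verified before a VLAN assignment is honoured.

```python
import hashlib, hmac, os, struct

# Constructed shared secret between the access point (RADIUS client) and the server.
SECRET = b"constructed-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type "VLAN", Tunnel-Medium-Type "IEEE-802" (RFC 2868)

def attr(typ, value):
    """One RADIUS attribute: Type, Length (includes the 2-byte header), Value."""
    return struct.pack("!BB", typ, len(value) + 2) + value

def build_access_request(ident, user):
    """Access-Request as the access point would send it for a connecting mobile user."""
    request_auth = os.urandom(16)  # Request Authenticator: random per request (RFC 2865)
    attrs = attr(USER_NAME, user)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(request, vlan_id):
    """Stub server reply placing the user in vlan_id via RFC 2868 tunnel attributes (tag 1)."""
    tag = b"\x01"
    attrs = (attr(TUNNEL_TYPE, tag + struct.pack("!I", VLAN)[1:])
             + attr(TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", IEEE_802)[1:])
             + attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request[4:20] + attrs + SECRET).digest()
    return header + response_auth + attrs

def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    out, pos = {}, 20
    while pos < len(packet):
        typ, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        out[typ] = packet[pos + 2:pos + length]
        pos += length
    return out

def accept_vlan(request, response):
    """Client-side check: authentic Access-Accept with a VLAN assignment -> VLAN id, else None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code != ACCESS_ACCEPT or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SECRET).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # forged or tampered reply, or a wrong shared secret: user stays off
    attrs = parse_attrs(response)
    if attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", VLAN)[1:]:
        return None
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:])
```

A reply whose VLAN id has been altered in transit, or a reply to a different request, yields None, so the access point never places the device in a VLAN the server did not authorize.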

Figure 8: Traffic flow in Mobile VLAN

REFERENCES
[1] Mark, S., Lewis, P., & Thornhill, A. (2012). Research Methods for Business. UK: Pearson Books.
[2] Symantec/BYOD. (2012, Nov 19). Retrieved Mar 13, 2013, from Symantec: http://www.symantec.com/products-solutions/solutions/detail.jsp?parent=mobile&child=byod_mobile
[3] Philip, C. (2013, April 30). Networking-byod-enterprise. Retrieved May 22, 2013, from Nemertes: https://www.nemertes.com/reports/networking-byod-enterprise
[4] RADIUS. (2012, March 29). Retrieved April 17, 2013, from technet.microsoft: RADIUS.
[5] BYOD Policy. (2013). Retrieved May 11, 2013, from bitpipe.com: http://docs.media.bitpipe.com/io_10x/io_108916/item_660292/Solution%20Brief-Top%20Five%20Considerations%20for%20a%20BYOD%20Policy.pdf – 2012
[6] AlHarthy, Khoula, Master thesis, Proposed Network Security framework: Case study in BYOD, Coventry University, 2013.
[7] Active Directory Certificate Services step-by-step guide. (2013, Jan 7). Retrieved Feb 13, 2013, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
[8] Keith W. Miller, George F., H., & Jeffrey, V. (n.d.). BYOD: Security and Privacy Considerations. MIT conference, IEEE (p. 3). Boston: IEEE.
[9] Philip, C. (2013, April 30). Networking-byod-enterprise. Retrieved May 22, 2013, from Nemertes.
[10] Sean Chung, Sam Chung, Teresa Escrig, Yan Bai, Barbara Endicott-Popovsky, "2TAC: Distributed Access Control Architecture for 'Bring Your Own Device' Security," biomedcom, pp. 123-126, 2012 ASE/IEEE International Conference on BioMedical Computing (BioMedCom), 2012.
