Darragh Delaney

Detecting mobile devices on your network after the holiday season

December 27, 2012 6:00 AM EST

It’s that time of the year again when a lot of us exchange gifts with our loved ones. For some of the lucky ones, smartphones and tablets are a popular choice again this year. While this is great for the end-users, it may not be great fun if you manage a network and some of these devices start connecting to your network after the holiday season. Mobile devices are causing more and more problems on networks. While data loss is still the greatest fear with mobile devices, more and more people are concerned that BYOD is becoming the main source of malware on their networks.

Before users are allowed to connect to a corporate network, they should be briefed on the importance of keeping their devices updated. Device updating should be one part of an overall policy for the use of BYOD devices. But, what happens if users just arrive in with their new gadgets and connect them to the network without informing anyone, can they be detected or be blocked?

I have looked at mobile device management (MDM) solutions in the past and they focus on providing mobile connectivity, user account administration and device management. However, a lot of these technologies are new and most people don’t have anything implemented yet. If you don’t have a MDM solution in place, then you could look at something to monitor your network that can detect mobile devices.

  • MAC address detection and alerting

Every wired and wireless device is configured with one or more unique MAC addresses.  The first three octets (in transmission order) identify the organization that issued the identifier.  This is known as the Organizationally Unique Identifier (OUI). Keeping a database of unique MAC addresses on your network can be a useful way of detecting new stuff. Look out for systems that can do this automatically and alert when a new device is detected. Once you detect a new device, lookup the first three octets using one of the many online OUI searches that are available.

  • Web traffic analysis

One of the primary reasons users want to connect their devices to networks is to gain access to the Internet. Even if the end-user does not try and access websites themselves, most mobile devices are constantly trying to connect to online services for updates. This Internet (HTTP) traffic can be a valuable source of data for detecting mobile devices on your network.

Buried in this HTTP traffic are pieces of data called user agent strings.  These strings of data contain information like application type, operating system, software vendor, or software revision. These user agents are used a lot by online service providers who can vary content depending on the type of device that is accessing it as some websites will have specific content for mobile devices. There are many guides out there which can be used to implement something on a website which can detect specific devices accessing web pages.

This data can also be used to detect mobile devices on a network. Capturing this data is the tricky part. You need to look at implementing a packet capturing solution which can extract user agent data from network packets. Ideally you would setup port mirroring on a network switch and monitor all traffic going in and out of your Internet connection.  Once you have your user agent data captured you can then search and report on what type of devices are connecting to your network.

Do you have any other solutions for detecting mobile devices on networks? Comments welcome.