OPNsense Forum

English Forums => General Discussion => Topic started by: anomaly0617 on December 23, 2025, 04:22:33 PM

Title: Captive Portal and Traffic Tracking/Analysis
Post by: anomaly0617 on December 23, 2025, 04:22:33 PM
Hi all,

I have a business owner with a somewhat unique technical request.

From a wireless network perspective, we have already moved personal mobile and portable devices - tablets, personal laptops, watches, phones - to their own staff (essentially guest) wireless network. So company owned equipment is on a private, secure wireless network ("Production"), and personal equipment is on a less private, less secure wireless network ("Staff"). Personal equipment cannot get to anything on the Production network. Production equipment cannot get to anything on the Staff network. Zero trust.

On the "Staff" wireless network, he wants to be able to track what they are doing on their phones, tablets, watches, etc... not just generic "some people go to espn.com", but specific "Fred went to espn.com on his iPhone and spent 25 minutes there."

So, the captive portal part of this is straightforward enough. I can even tie it to a RADIUS server, so they have to log in with a valid username and password from Active Directory. But past that, how can I achieve the tracking part of the equation? Essentially, we know that the iPhone with the MAC address of ("address") is logged in as "Fred". How can I generate meaningful logs and tracking data from there so we can see how much time "Fred" spent on his personal devices during the work day?

I'm guessing this becomes some 3rd party piece of software, like Zenarmor?

The next part that concerns me is, we presently do this on workstations in the domain environment, but we use Smoothwall to do it and in order to prevent SSL certificate trust issues (that look like a "man in the middle" attack) we publish an SSL certificate from a CA for the organization to all the workstations as being a trusted certificate, so when that certificate shows up in the SSL chain it's still trusted. Obviously for personal devices this isn't realistic or feasible. So I was looking at the idea of using DNS lookup logging as the means to track what destinations a personal device is going to. Is this possible with ZenArmor? With Unbound? With some combination thereof?

Thanks, in advance!
--
Paul
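One way to do the correlation the post asks about, written here as an added example (it is not code from the post, from OPNsense or from Unbound): join Unbound query-log lines to captive-portal session records by client IP and time window, then estimate per-user, per-domain "active time" from the spacing of lookups. Everything below is constructed for the example: the session export layout (user, MAC, IP, start, end), the log lines, and the `IDLE_GAP`/`registered_domain` heuristics. The log line shape assumes Unbound is run with `log-queries: yes` and `log-time-ascii: no`.

```python
"""
Added example: attribute Unbound query-log lines to captive-portal users and
estimate per-domain active time from query timing.

Assumptions (not from the original post):
- The captive portal or RADIUS accounting yields session records with the
  authenticated user, client MAC, client IP and a start/end time.
- Unbound runs with `log-queries: yes` and `log-time-ascii: no`, so a query
  line looks like: "[epoch] unbound[pid:tid] info: <client-ip> <qname>. <qtype> IN".
- "Time spent" is approximated from DNS timing only: consecutive lookups of
  the same registered domain closer than IDLE_GAP seconds count as one visit.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

IDLE_GAP = 300  # seconds; a longer pause between two lookups ends a "visit"

QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+)\. (?P<qtype>\S+) IN$"
)


@dataclass
class Session:
    user: str
    mac: str
    ip: str
    start: int  # epoch seconds
    end: int


# Constructed captive-portal session export for the example.
SESSIONS = [
    Session("fred", "aa:bb:cc:dd:ee:01", "10.20.0.15", 1703347200, 1703350800),
    Session("alice", "aa:bb:cc:dd:ee:02", "10.20.0.16", 1703347200, 1703350800),
    # Same IP handed to a later session after fred logged out (IP reuse).
    Session("bob", "aa:bb:cc:dd:ee:03", "10.20.0.15", 1703351000, 1703354600),
]

# Constructed Unbound query-log lines in the `log-queries: yes` shape.
UNBOUND_LOG = """\
[1703347260] unbound[4242:0] info: 10.20.0.15 www.espn.com. A IN
[1703347261] unbound[4242:0] info: 10.20.0.15 api.espn.com. AAAA IN
[1703347300] unbound[4242:0] info: 10.20.0.16 mail.google.com. A IN
[1703347500] unbound[4242:0] info: 10.20.0.15 www.espn.com. A IN
[1703347800] unbound[4242:0] info: 10.20.0.15 www.espn.com. A IN
[1703348700] unbound[4242:0] info: 10.20.0.15 www.espn.com. A IN
[1703351100] unbound[4242:0] info: 10.20.0.15 www.reddit.com. A IN
[1703351200] unbound[4242:0] info: 10.20.0.99 www.bing.com. A IN
"""


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels (www.espn.com -> espn.com).
    Simplification: a real report should use the Public Suffix List so that
    names such as bbc.co.uk are not collapsed to co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def user_for(ip: str, ts: int, sessions) -> Optional[str]:
    """Map a client IP at a point in time to the portal user who held it.
    The time window matters: DHCP and portal churn reuse addresses, so an IP
    alone is not an identity."""
    for s in sessions:
        if s.ip == ip and s.start <= ts <= s.end:
            return s.user
    return None


def attribute(log_lines, sessions):
    """Return (ts, user, domain) for each parsable query line; user is None
    when no portal session covers that IP at that time."""
    out = []
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # startup notices, errors and other non-query lines
        ts = int(m["ts"])
        out.append((ts, user_for(m["client"], ts, sessions),
                    registered_domain(m["qname"])))
    return out


def summarize(records):
    """Per (user, domain): query count and estimated active seconds.
    Active time is the sum of gaps between consecutive lookups that are
    <= IDLE_GAP; an isolated lookup contributes 0 seconds, so this is a
    lower bound, not a measurement of time on the site."""
    times = defaultdict(list)
    for ts, user, domain in records:
        times[(user, domain)].append(ts)
    summary = {}
    for key, ts_list in times.items():
        ts_list.sort()
        active = sum(b - a for a, b in zip(ts_list, ts_list[1:]) if b - a <= IDLE_GAP)
        summary[key] = {"queries": len(ts_list), "active_seconds": active}
    return summary


if __name__ == "__main__":
    result = summarize(attribute(UNBOUND_LOG.splitlines(), SESSIONS))
    for (user, domain), v in sorted(result.items(), key=str):
        print(f"{user or '<unattributed>':14} {domain:12} "
              f"queries={v['queries']:2} active={v['active_seconds'] // 60} min")
```

Two caveats a practitioner would want before promising "Fred spent 25 minutes on espn.com" from this data: the client resolver caches answers for the record TTL, so a long visit can produce very few lookups, and an iPhone using encrypted DNS (DNS over HTTPS/TLS or iCloud Private Relay) never sends the query to Unbound at all. The IP-reuse case in the sample (fred and bob sharing 10.20.0.15 in different windows) is why the join must include the session time window and not just the address.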
Title: Re: Captive Portal and Traffic Tracking/Analysis
Post by: meyergru on December 23, 2025, 04:52:11 PM
I am not going to show the solution to this. Even if this was possible, I would refrain from doing so.

Thankfully, things like this are forbidden in Germany, but:

I remember that in 1995 I implemented Internet access for a bank group when exactly this was requested by the auditing department. I took the time to teach them a lesson: I proceeded to discuss all the technical details of how this was to be done during a three-hour meeting. At the end of the meeting, I told them IT would immediately start implementing it as soon as they presented written consent from the works council.

The expression on their faces was priceless after recognizing that I meant that dead serious.

Title: Re: Captive Portal and Traffic Tracking/Analysis
Post by: Patrick M. Hausen on December 23, 2025, 04:58:20 PM
@meyergru I did something not quite as elaborate but with the same intent. Demanded written consent before implementing Smartfilter. Another one of these spy-on-employees tools. It was never deployed.