HPE Aruba Networking Blogs

Gain Situational Awareness of Mobile Devices in Secure Locations

By Dolan Sullivan, Vice President of Federal at HPE Aruba Networking (Retired)

My guest blogger this month is Khuong Tang, a senior network and security engineer at Aruba. Tang works closely with DoD agencies to deploy secure mobility solutions. 

A fitness tracker that inadvertently revealed the physical movements of military personnel made media headlines a few years back. Federal IT teams have long been aware of the risk of radio frequency (RF) network blindness. Unauthorized communications in a secure zone can reveal personnel movements and create a conduit for data exfiltration.

The need for RF situational awareness has only intensified as the use of mobile and IoT devices has exploded across the government. The added challenge is that devices use many different radio technologies, including Wi-Fi, ZigBee, Bluetooth, and Bluetooth Low Energy (BLE), and a unified solution to detect and locate RF-emitting devices has been elusive. Moreover, high-security federal agencies have had to rely on honor and reporting policies to limit the entry of RF-emitting devices.

Until now. There is an easier way to get situational awareness of all kinds of RF-emitting devices and mitigate the risk of unauthorized mobile devices in a high-security zone.

Aruba’s secure enterprise wireless LAN solution and Aruba ClearPass Policy Manager can be integrated with Bastille Networks to address the huge security gap of RF-emitting devices. Federal IT agencies can now implement this innovative, integrated solution to establish an RF security policy based on real-time detection capabilities and to set up automated alerts and enforcement.

Integrated Solution Automates Enforcement of RF Geofences

Bastille uses passive software-defined radio sensor arrays to detect and locate cellular, Bluetooth, Bluetooth Low Energy (BLE), and Wi-Fi devices. Devices are located precisely and in real time. All RF-emitting devices, whether authorized or unauthorized, within a campus or a forward-deployed location are accurately located on a floor-plan map.

Figure: Aruba Bastille mobile devices floorplan map

With Bastille and ClearPass, IT can establish geofences that mark the areas where devices are or are not allowed. If an RF-emitting device, whether it’s a personal mobile phone, a fitness tracker, or sensors on data center infrastructure, is found where it should not be or doing what it should not do, an alert is sent and automated enforcement is applied.

Figure: Aruba Bastille RF Geofencing of RF Emitting Devices

Automated actions are taken based on the agency’s specified policies. When a mobile device crosses a geofence boundary, Bastille communicates with ClearPass to enforce new network access based on policies defined for that physical location.

If, however, a mobile device crosses a geofence boundary into an area such as a secure facility where no RF-emitting devices are permitted, Bastille will communicate with ClearPass. But this time, ClearPass will disconnect all wired terminals and desktops from the network, preventing data exfiltration. Other actions can be taken, such as alerting the IT service desk to document the violation or the physical security team to track down the device.

With the integration of Aruba and Bastille, Federal IT leaders not only have situational awareness of all RF-emitting devices in their facilities, but also can immediately mitigate risk if a threat appears. And that’s more effective than relying on a policy of honor and good intentions.

Learn More

Watch the on-demand webinar “Get Rid of Shadow IT and RF Network Blindness: RF Geofence Policy Enforcement” with Bob Baxley, CTO at Bastille, and Khuong Tang, Senior Systems Engineer at Aruba.

About the Author

Khuong Tang is a senior network and security engineer with Aruba. Tang has 20+ years of experience supporting global enterprise networks. He has a Master's Degree in Telecommunications and many industry certifications, including Aruba Networks ACMX, ACDX, ACCP, ACSP, CISSP, PMP, Cisco CCNP and CCDP.