FUIT: Is your company's internet too slow or restrictive? Hello portable WiFi hotspot!

The Situation: Sandi is a sales rep for TRI, Inc. who travels often enough to have a corporate laptop that she also uses at her desk when in the office, but restrictions on what she can access are annoying.


The Situation

Sandi is a sales rep for TRI, Inc. who travels often enough to have a corporate laptop that she also uses at her desk when in the office. She has a portable WiFi hotspot (like the Verizon MiFi) for when she's on the road. When she travels, everything she does works just fine. She can work via the VPN and the various external websites she needs to use, as well as do all the personal things she wants to do to kill time or stay connected on the road. She can access Dropbox to share files between her laptop and her home computer, use Facebook, download songs via iTunes, or watch videos on Hulu.

(Maybe she even reformatted her machine so she could install some apps? :)

But when she goes to the office, only the work-related sites and activities are available to her. The Powers have restricted the corporate network so that only certain things can be done, and to open up Hulu would require a business case and a small roll of red tape. Not that Hulu needs to be open, but there are also completely legitimate cases of sites that are blocked that Sandi can otherwise use. Some, like her personal SalesForce.com account, are IT Consumerization challenges all by themselves (Yes, sales reps regularly get personal SalesForce accounts rather than deal with corporate systems. If only the corporations knew...). The point is, Sandi is hamstrung in the office. 

To some degree that's understandable, but not to the users like Sandi. She thinks this just interrupts what she's used to doing, and tries to avoid the office altogether. Still, when she's not on the road, she needs to be at her desk, so she has to go in.


Realizing that the entire problem revolves around the corporate network, Sandi decides to go around The Powers and simply use her MiFi to operate as if she weren't in the office at all. She still gets to work closely with people; it's just that her network connection is a bit different from everyone else's.

Plus, since her MiFi can support up to 5 connections (some others can do more or less, but this instance is using the Verizon MiFi as an example), she and four of her coworkers can all take advantage of the less restrictive network. Sandi is now "Office Hero Sandi" and users spend their time alternating between coffee breaks and reruns of "My Mother, The Car" on Hulu.

A match made in TV Land

The Powers Should

First, The Powers should identify this as a real threat/problem. Users can do this right now. Today. I do it. Brian does it. Anyone with a MiFi or a phone that has a built-in hotspot can do it. I know lots of people will disagree and say users aren't smart enough, but it only takes one.

Consider this: If they happen to be plugged in to the corporate network while also connected to the hotspot's WiFi, they've now bridged the corporate network to the internet. It just takes one person to do that in an uninformed or irresponsible way. Picture one gamer who has set his laptop's WiFi IP address as the hotspot's DMZ address, so that machine (and whatever it is plugged into) is now wide open to the internet (gamers have that dangerous amount of knowledge between novice and skilled that can screw up corporate IT). Keep in mind, too, that a single device can support multiple connections, so one person can enable several others to also circumvent policies and protection.
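As an added illustration (not code from the original post), here is a small endpoint posture check that classifies exactly the dual-homed situation described above: a laptop holding a corporate LAN address while a hotspot also offers it a default route. The corporate address range, the interface records and the route metrics are constructed assumptions, not output of any real tool.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumption: the corporate LAN lives in this range (placeholder, not from the post).
CORP_NETS = [ip_network("10.0.0.0/8")]

@dataclass
class Iface:
    name: str
    up: bool
    addr: Optional[str]        # IPv4 address the interface currently holds, None if none
    gw_metric: Optional[int]   # metric of the default gateway it offers, None if it offers none

def is_corporate(addr: str) -> bool:
    return any(ip_address(addr) in net for net in CORP_NETS)

def egress(ifaces: List[Iface]) -> Optional[Iface]:
    """Interface the OS prefers for 0.0.0.0/0: lowest metric among those with a gateway."""
    candidates = [i for i in ifaces if i.up and i.addr and i.gw_metric is not None]
    return min(candidates, key=lambda i: i.gw_metric) if candidates else None

def classify(ifaces: List[Iface], ip_forwarding: bool) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the interface carrying default traffic)."""
    active = [i for i in ifaces if i.up and i.addr]
    corp = [i for i in active if is_corporate(i.addr)]
    foreign = [i for i in active if not is_corporate(i.addr)]
    out = egress(active)
    out_name = out.name if out else None
    if not corp:
        return ("OFF_NETWORK", out_name)    # on the road: the hotspot is the only uplink, fine
    if not foreign:
        return ("COMPLIANT", out_name)      # only corporate addresses, so egress goes via the corp filter
    if ip_forwarding:
        return ("BRIDGE", out_name)         # dual-homed AND forwarding: the LAN is reachable from the hotspot side
    if out is not None and not is_corporate(out.addr):
        return ("CIRCUMVENTION", out_name)  # dual-homed, internet traffic leaving via the hotspot
    return ("DUAL_HOMED", out_name)         # hotspot attached but the corp link still preferred: watch it

# Constructed sample: Sandi's laptop at her desk, docked on the LAN with the MiFi attached.
SANDI = [
    Iface("Ethernet", True, "10.20.30.40", 25),
    Iface("Wi-Fi", True, "192.168.1.5", 20),  # lower metric wins, so the MiFi carries default traffic
]

if __name__ == "__main__":
    print(classify(SANDI, ip_forwarding=False))
```

In practice the interface records would be fed from whatever endpoint inventory The Powers already collect; the verdicts BRIDGE and CIRCUMVENTION are the two worth alerting on.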

So what can The Powers do? Certainly a policy saying "don't use MiFis in the office" isn't good enough. Is the solution to just open things up to all the users? That would solve the problem, I guess, but not in a good way. Plus, some people would still feel like Big Brother was breathing down their necks and continue using the other method. Remember, employees really don't care about company policies or why they're in place.

To be honest, this one isn't that easy to answer, so I'll put it out there to you. Keep in mind, this is not speculation. It's happening. I'm not saying it's happening everywhere and en masse, but it is happening. It doesn't have to be a corporate-provided device, either, so there's a BYOD concern, too. Yikes! What do you think?


Join the conversation



My office has a policy against MiFis. We also have a policy against non-company owned equipment in the building.

Existence of either of these (without prior permission) is a fireable offense.


Aaron, how do you enforce that policy?


I was talking to a friend last night about this who works for a bank, and I learned that they have a no-WiFi policy for the entire organization. Not only do they have that policy, but they enforce it using a solution from AirTight Networks that effectively jams the signal of unauthorized devices.

That's an oversimplification, but I can't get this image of the radar screen getting JAMMED from SpaceBalls, so I'm going with it.

So, I asked him about other devices that don't use WiFi, like plug-in 3G cards. Those, apparently, are allowed, but they have other solutions in place to make sure that a bridge can't occur between the 3G connection and the local network.

Now, banks are a unique case, and they have both the money and the requirement to put in these kinds of solutions. I'd still wager that at the majority of companies in the world, this kind of thing is possible. Still, if The Powers want to avoid it, it appears that there are solutions. I bet they're not cheap, but there are solutions.


"There's only one man who would dare give me the raspberry: Lone Star!"



Our office isn't too big, we'd see them.


Attack the problem head-on. If there is a site Sandi needs to get to but can't, due to filter restrictions, provide a self-service mechanism to get around it. MS Threat Management Gateway, for example, has a feature that will allow a logged override exception to bypass the filter. IT reviews overrides and, with business sign-off, whitelists the stuff everyone is overriding to make this less of a chore in the future. As far as Internet speed, that's really a no-brainer. Internet bandwidth is relatively cheap; add more to make the office Internet much faster than a MiFi.


Newer devices and applications are built to connect to and over the Internet, not a LAN. Enter the NEW LAN: it is an office facility to connect to the Internet and only to the Internet. It uses client isolation (no direct connection between client devices), so the security situation is exactly the same whether a device is in the office or somewhere in the world, whether one of your own or of an outsider. The NEW LAN (wired or wireless) avoids mobile charges and improves performance. Access to local servers (which are on the data center LAN, a different network!) goes through the firewall, but takes a bypass to avoid the ISP link.


As Princess Leia said to Darth Vader, "The tighter you close your grip, the more systems will slip through your fingers." Rather than trying to impound transient workers' devices, take Ernst's advice above and offer unrestricted internet access, while never letting foreign devices connect to the corporate network. If a road warrior comes into the office, VLAN their connection to the internet LAN and allow them to access the office resources exactly as they would if they were on the road. Only allow non-transient devices to connect to the corporate LAN, utilizing rogue AP wireless detection and remediation to take care of the mobile APs, and restrict the corporate devices from allowing a wireless (or USB) connection to non-corporate resources.


Most motherboards have a control to shut layer 1 when a second network interface is brought up. Modify your PC's BIOS to disable packet switching across interfaces. Dell and HP both have apps from the manufacturer you can use for this.

When you run your VPN, force it as the default gateway so all traffic is run through your VPN concentrator and internet filter.


Exactly as Ernst said. This issue is a combination of a technology & HR issue, and can't be solved by technology alone.

You do what you reasonably can with policies & technology. The remaining holes need to be filled in by HR. I.e., yep, it's technically possible for you to do this. But if you do, forget any chance at a raise, and after getting caught a few times, prepare for firing.

It's all about putting in enough controls to bring the risk down to a level that management is willing to live with.