Frequently Asked Questions

Overview

What is the Byos Endpoint Micro-Segmentation Solution?


The Byos Endpoint Micro-Segmentation Solution was built to improve the security posture and management of remote devices. It gives IT security teams control over remote workers connecting to uncontrolled, untrusted Wi-Fi networks, like those found in employees' homes, hotels, coffee shops, and airports.


It has two parts:

1. the Byos µGateway

2. Byos Management Console


What is the Byos µGateway?

A hardened security stack on a simple plug-and-play USB device, the Byos µGateway provides protection from OSI layers 1 to 5 through hardware-enforced isolation. Each Byos µGateway isolates the connected endpoint onto its own micro-segment of one that protects it from compromised networks and other compromised endpoints on the network.


What is the Byos Management Console?

The Byos Management Console is the command-and-control SaaS-based console that IT teams use to deploy and manage Byos µGateways at scale.

All security policy administration is handled centrally through the Management Console. With the ability to be self-hosted, cloud-based, or multi-tenanted, the Byos Management Console can be integrated with existing security environments and customized to meet specific business needs.

Using the µGateway

How do I install and use the µGateway?

The µGateway is installed by simply plugging it in and setting up the login credentials.

There is no installation needed because it is plug-and-play; it does not need drivers, software, or agents to run. The µGateway identifies itself to the host as a USB Ethernet gadget.

After logging in, using the µGateway involves selecting the desired Wi-Fi network, connecting, and setting your desired security policies. If you're an enterprise user, your security policies have already been preconfigured by your administrator.


Is the µGateway compatible with different operating systems? Does it work on any computer?

The µGateway is operating system-agnostic, having no OS requirements. It works with any OS of any age, including unsupported versions.


Will it affect my connection speed or device performance?

No, the µGateway does not share computing resources with the endpoint, meaning it doesn't affect performance. It also does not increase connection latency; the bottleneck in connection speed will always be the network it connects to, meaning it provides a seamless user experience.


Why do I need hardware? Why can’t it be software?

Conventional security software cannot protect a computer from threats on dirty Wi-Fi networks.

VPNs can only protect data in transit. EDRs and antivirus products protect the operating system and applications on the device. They have no way of isolating the device from the network. This is because security software resides in the operating system’s stack.

The μGateway provides hardware-enforced isolation of computer endpoints. It provides an additional layer of security, independent of what's running on the device.

For more technical information, read our blog post: The 10 Commandments of Hardware-Enforced Isolation


Does the µGateway run some sort of customized operating system?

Yes, Byos µGateway hardware runs a proprietary, hardened and customized Unix-based OS that has customized network services, signed hardware drivers, and a recompiled kernel to change its fingerprint.


Does the µGateway automatically tunnel the incoming/outgoing traffic?

The µGateway does not establish a VPN tunnel by default and does not require such a tunnel to function. The outgoing traffic is clean.

The µGateway isolates the endpoint from the local network, protecting the endpoint across OSI layers 1-5, while maintaining the same public IP address as the local network. The endpoint can still use all available networked resources (e.g. a networked printer or outgoing AirPlay) while remaining invisible to incoming network scans.

The µGateway does however allow a VPN tunnel to be layered on top of the already established Wi-Fi connection. The user can use their host VPN client or can take advantage of the µGateway's in-device VPN client to reduce the computing resource load on the host endpoint.

Security

What attacks and threat vectors does the µGateway protect against?

The µGateway protects against:


  • Man-in-the-Middle
  • DNS Hijacking
  • Wi-Fi Cloning
  • Network Identity Alteration
  • Packet Rerouting
  • Eavesdropping
  • Scanning and Enumeration
  • Fingerprinting and Exploiting
  • Spikes in Bandwidth Usage

For more information on how the µGateway protects the endpoint, read our Technical Datasheet or our blog post: The 10 Commandments of Hardware-Enforced Isolation


So it’s just a personal firewall?


The bidirectional firewall is just one of the protection features of the μGateway. It also provides:

  • Intrusion Detection and Prevention (IPS/IDS)
  • Encrypted DNS Traffic
  • Wi-Fi Protection
  • Eavesdropping Protection
  • Infiltration Prevention
  • Traffic Volume Control
  • Attack Detection
  • Tracking and Ad Blocking

Can it stop/prevent phishing attacks?

Non-technical Answer:

The µGateway cannot prevent the user from clicking on links. However it will limit the lateral movement of the attacker or malware when it attempts to spread to other resources, like enterprise applications and servers inside of the corporate network.


Technical Answer:


The µGateway operates transparently to the user, protecting the endpoint across OSI model Layers 1-5, without the use of a client or agent installed on the host computer. Because of this, there is no way for the μGateway to determine whether or not a link or file is malicious upon execution.


However, what the µGateway does provide is attack containment. Because the μGateway is the ingress/egress point for all traffic, when a piece of malware or an attacker attempts to reach their command and control on an uncommon port, protocol, IP address, or country, the µGateway will flag this and block it.


Is the traffic still susceptible to attack at the router?

If the attacker owns the Wi-Fi router, the µGateway will alert the user if there is any suspicious rerouting of packets, and prevent the connection from being intercepted, cloned, bypassed or hijacked.


What about DNS traffic?

The µGateway has a self-hosted DNS server, connecting directly with the desired internet root servers. All DNS requests are encrypted, preventing DNS leakage and preserving privacy.

Existing Solution Comparison

How does the µGateway compare to a VPN?

VPNs only protect data in transit; they do not protect the endpoint from the local network, leaving VPN users vulnerable to attacks. In comparison, the µGateway provides device protection by isolating it from the network and providing multiple protection services.


With the µGateway users are not susceptible to the recent vulnerabilities found with VPNs like VPN pivoting, DNS leakage, improperly stored log files, etc. Check out our blog post - The Problem with VPNs to learn more about the shortcomings of VPNs.


In a maximum security environment, the µGateway complements an Enterprise VPN. However, in a small-medium business or Zero Trust security environment, the Byos µGateway is a suitable option to replace existing VPNs.


The µGateway extends Zero Trust access to any Wi-Fi network.


If there is no VPN running, is the µGateway susceptible to snooping or eavesdropping?

Without a VPN layer of encryption, normal HTTPS traffic is still encrypted by TLS. An attacker is not able to eavesdrop on the µGateway device because the μGateway has static ARP tables and performs constant checks for changes in the packet route or packet injection attempts.
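The answer above rests on two defensive ideas: pin the gateway's IP-to-MAC binding in a static ARP table, and keep re-checking that nothing on the network has changed it. The following is an added illustration of that check, not Byos's implementation: it parses constructed `arp -an` style snapshots, compares each against the pinned binding, and reports drift or a second host sharing the gateway's current MAC, which is the pattern an ARP-spoofing interception leaves behind. All addresses and snapshots are constructed sample data.

```python
"""ARP consistency monitor: an added example, not Byos code.

A pinned IP-to-MAC binding (the "static ARP table") is compared against
successive ARP snapshots. Any drift in the pinned binding, or a second host
advertising the MAC the pinned IP now resolves to, is reported as possible
gateway impersonation. Snapshots are constructed lines in `arp -an` format.
"""
import re
from typing import Dict, List

# Matches lines such as: ? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]{17}|<incomplete>)"
)


def parse_arp(output: str) -> Dict[str, str]:
    """Turn `arp -an` text into {ip: mac}; unresolved entries are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m and m["mac"] != "<incomplete>":
            table[m["ip"]] = m["mac"].lower()
    return table


def check_snapshot(pinned: Dict[str, str], snapshot: Dict[str, str]) -> List[str]:
    """Compare a snapshot with the pinned bindings and return alert strings."""
    alerts: List[str] = []
    for ip, mac in pinned.items():
        seen = snapshot.get(ip)
        if seen is None:
            continue  # entry aged out of the cache; not evidence of tampering by itself
        if seen != mac:
            alerts.append(f"{ip} now resolves to {seen} (pinned {mac}): possible ARP spoofing")
    # Build MAC -> [ips]. If the MAC a pinned IP currently resolves to is also
    # owned by another host, that host is answering for the gateway.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in snapshot.items():
        by_mac.setdefault(mac, []).append(ip)
    for ip in pinned:
        mac = snapshot.get(ip)
        if mac is None:
            continue
        others = sorted(o for o in by_mac[mac] if o != ip)
        if others:
            alerts.append(f"{mac} is shared by {ip} and {', '.join(others)}: duplicate MAC")
    return alerts


# Constructed: the gateway binding learned and pinned at first connect.
PINNED = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# Constructed snapshot with nothing unusual.
CLEAN_SNAPSHOT = """\
? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on wlan0
? (192.168.1.23) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.77) at <incomplete> on wlan0
"""

# Constructed snapshot in which host .50 has taken over the gateway's IP.
SPOOFED_SNAPSHOT = """\
? (192.168.1.1) at de:ad:be:ef:00:50 [ether] on wlan0
? (192.168.1.23) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.50) at de:ad:be:ef:00:50 [ether] on wlan0
"""


def monitor(pinned: Dict[str, str], snapshots: List[str]) -> List[List[str]]:
    """Run the check over a series of raw snapshots; one alert list per snapshot."""
    return [check_snapshot(pinned, parse_arp(s)) for s in snapshots]


if __name__ == "__main__":
    for i, alerts in enumerate(monitor(PINNED, [CLEAN_SNAPSHOT, SPOOFED_SNAPSHOT])):
        print(f"snapshot {i}: {'clean' if not alerts else 'ALERTS'}")
        for a in alerts:
            print("  ", a)
```

A real monitor would read the live ARP cache on a schedule and treat a pinned entry that simply expires as a non-event, as the code does; only a changed binding or a shared MAC is escalated.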


How does the µGateway compare to a Secure Web Gateway?

A Secure Web Gateway is a security stack in the cloud that sits between the user and the internet, filtering malicious internet traffic. It does higher layer, more intrusive security processing like Deep Packet Inspection, Antivirus, Data Loss Prevention, etc.


It does not provide any protection from the threats that exist in the Local Network. Devices using a SWG are still connected to the same Wi-Fi network as potential attackers and these devices are still exposed to these threats.


Does the µGateway replace my antivirus?

The µGateway does not provide the same protection as an antivirus.


An antivirus is software that exists within the operating system of your device, scanning files and downloads as they are clicked on, protecting the user from malicious execution. It cannot however isolate your device from the network and most pieces of malware are written to avoid common antivirus engines.


The µGateway sits at the ingress and egress point of communication, protecting devices from the network, analyzing traffic patterns as it moves in and out of the device. The Byos μGateway protects against man-in-the-middle, port scanning, enumeration, and DDoS attacks. It masks the device’s MAC address by continuously randomizing it, stopping eavesdropping attacks and attempts to reroute your traffic, and provides a bidirectional firewall.


The µGateway also provides DNS-level ad and tracker blocking and detects hidden signs of cyberattacks, such as changes in packet routing or network traffic volume. It also prevents the user's network connection from being intercepted, cloned, bypassed, or hijacked.

Byos For the Enterprise

What are the benefits for an IT team with hundreds or thousands of remote and traveling endpoints?


The Byos Management console provides IT managers with:


  • Centralized fleet management for efficient security policy definition and enforcement
  • Granular network access control and streamlined provisioning for all categories of endpoint devices
  • Reduced dependence on expensive mobile data packages for travelling employees and elimination of loaner device programs
  • Full visibility and control over all remote device network connections

Can I create different security policies based on groups?


Creating groups and establishing policies are handled in the same manner that Active Directory handles groups and policies. Every validated remote µGateway is automatically added to the default group and immediately receives the policies established for that default group. This makes deployment and provisioning a straightforward, plug-and-play process.


In addition to creating groups with varying access and management rules, administrators have the ability to establish more granular access policies, such as those for executives, security teams and others. Administrators can configure security policy profiles for groups of users or devices using different connection parameters: domain names, country-based servers, select IP addresses, ports and protocols, and time-based access.
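The policy profile described here, and the containment behaviour described under "Can it stop/prevent phishing attacks?" (flagging traffic to an uncommon port, protocol, IP address, or country), both come down to evaluating each connection attempt against a per-group allow list. The following is an added example of such an evaluator; it is not Byos's code, and the profile, IP-to-country table and connection attempts are constructed. It shows the order in which the rules are applied and the reason each denial carries, which is what an administrator would expect to see in the console.

```python
"""Egress policy evaluator: an added example, not Byos code.

Models a per-group policy profile of the kind the FAQ describes (permitted
countries, ports and protocols, optional domain allow list, explicitly
permitted IP ranges, and a time-based access window) and checks each
connection attempt against it, denying with a reason whenever the attempt
falls outside the profile. All data below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

# Constructed stand-in for a GeoIP lookup (prefix -> ISO country code).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "BY",
}


def country_of(ip: str) -> str:
    """Resolve an address to a country code; unknown prefixes yield '??'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


@dataclass
class Policy:
    allowed_countries: Set[str]
    allowed_ports: Dict[str, Set[int]]                        # protocol -> permitted ports
    allowed_domains: Set[str] = field(default_factory=set)    # empty = no domain rule
    allowed_networks: List[str] = field(default_factory=list) # CIDRs always permitted
    work_start: str = "07:00"                                 # access window, "HH:MM"
    work_end: str = "20:00"


@dataclass
class Attempt:
    dst_ip: str
    dst_port: int
    proto: str
    domain: Optional[str]   # name the client resolved, None for direct-to-IP traffic
    at: str                 # "HH:MM"


def evaluate(policy: Policy, a: Attempt) -> Tuple[bool, str]:
    """Return (allowed, reason). The first failing rule decides."""
    now = time.fromisoformat(a.at)
    if not (time.fromisoformat(policy.work_start) <= now <= time.fromisoformat(policy.work_end)):
        return False, f"outside access window at {a.at}"
    ports = policy.allowed_ports.get(a.proto.lower())
    if ports is None:
        return False, f"protocol {a.proto} not permitted"
    if a.dst_port not in ports:
        return False, f"{a.proto}/{a.dst_port} is not a permitted port"
    # With a domain allow list in force, direct-to-IP traffic has no domain and is refused.
    if policy.allowed_domains and a.domain not in policy.allowed_domains:
        return False, f"domain {a.domain} not on allow list"
    addr = ipaddress.ip_address(a.dst_ip)
    if any(addr in ipaddress.ip_network(net) for net in policy.allowed_networks):
        return True, f"{a.dst_ip} is in an explicitly permitted range"
    cc = country_of(a.dst_ip)
    if cc not in policy.allowed_countries:
        return False, f"destination country {cc} not permitted"
    return True, f"permitted ({a.proto}/{a.dst_port} to {cc})"


# Constructed profile for a "remote developer" group: HTTPS and SSH to CA/US only.
DEV_POLICY = Policy(allowed_countries={"CA", "US"}, allowed_ports={"tcp": {22, 443}})

# Constructed attempts, including the uncommon-port and unexpected-country
# patterns that a containment policy is meant to flag and block.
SAMPLE_ATTEMPTS = [
    Attempt("203.0.113.10", 443, "tcp", "app.example.com", "10:00"),
    Attempt("198.51.100.7", 4444, "tcp", None, "10:05"),
    Attempt("192.0.2.5", 443, "tcp", None, "10:06"),
    Attempt("198.51.100.7", 443, "udp", None, "10:07"),
    Attempt("198.51.100.7", 443, "tcp", None, "23:30"),
]


def audit(policy: Policy, attempts: List[Attempt]) -> List[str]:
    """One decision line per attempt, in the form a console or log would show."""
    lines = []
    for a in attempts:
        ok, why = evaluate(policy, a)
        lines.append(f"{'ALLOW' if ok else 'DENY '} {a.dst_ip}:{a.dst_port}/{a.proto} {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit(DEV_POLICY, SAMPLE_ATTEMPTS)))
```

Rule order matters for the message a user sees: the cheap checks (time window, protocol, port) run before the domain and geolocation checks, so a denied attempt is explained by its first failing rule rather than by the most expensive one.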


How do I provision new users?


Provisioning users is simple, with no need to physically install software on users’ devices. The provisioning process is decentralized and Byos offers several delivery options based upon your organization’s needs.

Byos can drop ship µGateways to:


  • A single office location for distribution to remote users
  • Multiple office locations for distribution to remote users
  • Individual remote users

The Master License Key, which holds the licensing structure, is emailed to the administrator. The individual device license keys can then be sent via email to remote µGateway users. This is a secure process with no risk, as the license information is not contained in the key.



Once users have received both the μGateway device and their license keys, they can activate the solution. First, the user plugs in the μGateway and creates their local account login credentials. Once completed, the user simply logs into the locally running end-user dashboard where the license key is uploaded. Upon license key upload, the device receives and decrypts the license information and then communicates with the Byos license server, which validates the license. Once the license is validated, the user is automatically added to their organization’s Byos Management Console. The administrator is notified of the μGateway activation and the μGateway is now enrolled under the organization’s security policy program.


Can the use of the µGateway be enforced by the IT department to restrict normal Wi-Fi connection?


There are two different ways enforcement can be managed.

In a managed device environment, the most strict enforcement method is for IT to disable the in-device Wi-Fi antennas of their company-issued devices through a GPO-like policy, only allowing incoming network connections from the µGateway.

The less intrusive enforcement policy is to monitor µGateway usage. The Management Console gives µGateway usage statistics per user and per group; general usage patterns, last login time, last connected network are some of the statistics used to gauge usage and employee reception to µGateway issuance.


Is this suitable for a BYOD program?


A BYOD program is a perfect use for the Byos Endpoint Micro-Segmentation Solution.

As a security administrator, you want a) visibility into network traffic patterns and b) control over what BYOD devices can access when the employee is using them for work purposes. When the employee is not working, you don't care. However, you do care if they clicked a malicious link or picked up malware from public Wi-Fi while they weren't working.

This is what the µGateway facilitates: immediate security policy compliance and enforcement through a simple to use, plug-and-play USB device. All security policy administration is handled centrally through the Management Console.

If your remote developer only needs access to cloud-based applications located in Canada, USA, Japan, and Scandinavia, then why should they be able to access resources in Belarus if it is not critical to completing their job? This is the premise of the Byos platform: granular access control through one unified point - the µGateway.


Does the µGateway record logs?


The µGateway does not keep logs of any user traffic, does not perform deep packet inspection on the internet traffic as it moves through, and does not break TLS encryption of the users' session.


What is Endpoint Micro-Segmentation?


TL;DR


When you connect to any public network, you are on the same network as all of the other devices. When you connect with the µGateway, you are on your own micro-segment within that public Wi-Fi network.

Longer answer:

The best way to understand Endpoint Micro-Segmentation is to first understand what Network segmentation is. Within any corporate network, network segmentation strategies and principles create isolated network segments, each with a subset of devices and resources connected to them. All printers might be connected to one segment, all employee computers connected to another segment, and the guest network as another.

The problem with this strategy is that it doesn’t go deep enough. If there is an infected device within the company computer network segment, it is highly probable that all other devices on that segment will become compromised. The best way to think about a Public Wi-Fi network is as another segment of the corporate network. However this time, the public network is out of the control of the IT team.

When you connect with the µGateway, you are on your own micro-segment within that public Wi-Fi network. The µGateway is a network gateway that has been shrunk to a portable USB device and has its own Wi-Fi module. The communication between the µGateway and the device is raw TCP/IP over the USB Ethernet link, which is a network in itself. There is no way for an attacker to access the user's device from the Wi-Fi network, completely eliminating the endpoint's exposure.

Have more questions? Speak with one of our Sales Engineers.
