
Stop unauthorized network access within the office


7 replies to this topic

#1 waqasabdullah2015

waqasabdullah2015

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 07 April 2015 - 11:48 PM

Hi Everyone,

 

I am new on this forum; please help me with my problem.
We have a multi-floor office which has a network for office usage. Now the question is:
"If an employee plugs into our first-floor data switch port with his own cable for his personal laptop, and his buddy does the same thing on the 2nd floor, and they share their data"

Is there any way to stop this from happening? I mean that no one can use the office network system for their private use, as in the above scenario. It would be great if it could be achieved easily.

 

Thanks





#2 Kilroy

Kilroy

  • BC Advisor
  • 3,391 posts
  • OFFLINE
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:08:31 AM

Posted 08 April 2015 - 04:49 AM

Have HR fire them both for using company resources for personal use.  Seriously, a lot of "tech issues" are really HR issues.

 

Implementing a technical solution to prevent this isn't worth it.  Your network switches would have to be configured to block equipment by MAC address, require a certificate to connect, or have active monitoring of the switches.  Either blocking solution would be a full-time job to implement and support.  A low-tech solution would be to remove the patch cable connecting the wall jacks they are using, to kill the ports in the wall.  The problem is that they will then bring in their own switch or router and piggyback off of their work machine connection.

 

The main part of your problem is that you would have to prevent their traffic from going across your network.  If you controlled DHCP by MAC address they would just get a 169.254.x.x address and be able to connect to each other, or manually assign a static IP address.  This will keep them off of the Internet, unless they manually set an IP address on your network, which could result in duplicate IP addresses.

 

Bottom line, this is an HR issue and needs to be dealt with from that angle.  Have their manager tell them to stop and fire them if they don't.

 

If management says no big deal, inform management that by bringing in their personal equipment they could possibly infect the company network.  Do this in writing or e-mail, as you will want proof of their response later.  If an infection does strike your network and management didn't take action, you want them to be held responsible, though you will suffer greatly trying to fix a user-caused issue that could have been prevented.


Edited by Kilroy, 08 April 2015 - 04:55 AM.


#3 waqasabdullah2015

waqasabdullah2015
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 08 April 2015 - 05:35 AM

Thanks Kilroy,

I understand that they should be punished so that they don't do so, but the problem is that many like them are doing this and we don't know who they are. Is there any utility which lists the MAC address of any PC or device attached to our network, so we can compare them with the authorized ones, monitor those offending MAC addresses and finally catch them?

Please advise.

 

Thanks



#4 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:07:01 PM

Posted 08 April 2015 - 06:47 AM

Hi,

Most switches log MAC addresses, as that is the first stop for them to provide proper data transfer.

First, force your management people to issue a clear BYOD policy. That makes it clear what is legal and what is illegal.

 

Best idea is to use certificates and bind network connections to work PCs only.

You must be aware that spoofing a MAC is very easy. So the first job is to make sure employees cannot access network configuration and commands like IPCONFIG (you may have to set group policies for that and restrict the rights to the right group).

 

Then make sure work PCs are provided with static IPs rather than DHCP-leased IPs. (Then assign the MAC-to-IP mapping if possible.)

Do set up a proxy server on the network and route all traffic through it, so that you can check at will.

 

If the switch is a manageable one, configure it to whitelist the currently connected MAC addresses to the corresponding connected ports (and disable/deny new ones to restrict access, and 'log' to find who is misusing the network). Also whitelist the MAC addresses at the router/server if possible. (This assumes the connected MACs are from work PCs only; otherwise it's better to do it by physically verifying the addresses.)

 

All changes may be made during non-work hours.

Lastly, keep in mind that disgruntled employees can do nasty work, so be prepared!

 

Parts scribbled from my CCNA notes ;)


Edited by Nikhil_CV, 08 April 2015 - 07:00 AM.

Regards : CV
There is no ONE TOUCH key to security!
Be alert and vigilant....!
Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. :radioactive: signature contents © cv and Someone....... :wink:

#5 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 08 April 2015 - 10:34 AM

The simplest way, beyond what is already mentioned, is to use your DHCP server to do IP reservations.  This is where you associate the MAC address of a known piece of equipment with an IP address.  Limit the DHCP scope to just those IPs and you have eliminated the "plug and play" of these devices.

 

Assuming you have managed switches, configure them for port authentication.

http://en.wikipedia.org/wiki/IEEE_802.1X



#6 technonymous

technonymous

  • Members
  • 2,490 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:31 AM

Posted 09 April 2015 - 09:21 AM

Why aren't these switches behind locked doors? What's stopping John Doe from putting a hidden tap or a rogue AP on your network?



#7 Kilroy

Kilroy

  • BC Advisor
  • 3,391 posts
  • OFFLINE
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:08:31 AM

Posted 10 April 2015 - 09:14 PM

technonymous, I'm sure the switches are in a secure location.  The problem is that the wall jacks are patched to allow access.  Not patching the jacks just causes issues with users who have a legitimate need to connect.

 

IP reservations won't stop this.  All they need to do is run an IPCONFIG on a working machine to get all of the numbers that they need to get on the network, or if they don't need the Internet the auto assigned IP address, 169.254.x.x will allow them to communicate with other devices on the same network.

 

Playing whack-a-mole with this just isn't worth the time or effort, as it would be a full-time job.  Back in the day I administered networks with static IP addresses for everything.  It was a nightmare.  We had three different people installing equipment.  If someone didn't follow the procedure to document all machines, a duplicate IP address issue would occur without fail, normally at a remote site, requiring us to drive back out to find the machine and fix the issue.  As I stated before, this is an HR/policy issue; a technical solution will cost too much money to implement and maintain.

 

Users don't understand why there are IT policies and procedures.  These users think that they aren't causing any harm; they are just using their own personal machines to swap data.  They don't see that they could bring a virus infection into the company.
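Posts #3, #4, #5 and #7 together describe the detection side of this problem: the switch already learns every MAC address per port, the authorized devices are known, and a device that is refused a DHCP lease shows up with a 169.254.x.x link-local address or a hand-set static address. The script below is an added example, not code from the thread or from any vendor: it parses a constructed MAC-address table in the layout of a Cisco IOS "show mac address-table", a constructed "ip mac" ARP listing, and a constructed authorized-device inventory, and reports the MAC, switch port and reason for every entry that does not fit. The MAC addresses, IPs, port names and the assumed DHCP pool bounds (.1 to .99 of the /24) are all made up for the example.

```python
"""Audit a switch MAC table and an ARP table against an authorized-device list.

Added example, not from the thread. All tables, MAC addresses, IPs and the
DHCP pool bounds below are constructed for illustration.
"""
import ipaddress
import re

# Constructed inventory of authorized devices: MAC -> asset name.
AUTHORIZED = {
    "00:11:22:33:44:01": "floor1-desk-12",
    "00:11:22:33:44:02": "floor2-desk-07",
    "00:11:22:33:44:03": "floor1-printer",
}

# Constructed output in the layout of a Cisco IOS "show mac address-table".
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/12
  10    0011.2233.4402    DYNAMIC     Gi2/0/7
  10    0011.2233.4403    DYNAMIC     Gi1/0/3
  10    a4b1.c2d3.e4f5    DYNAMIC     Gi1/0/18
  10    a4b1.c2d3.e4f6    DYNAMIC     Gi2/0/22
"""

# Constructed ARP listing ("ip mac" per line) as seen from the VLAN's gateway.
ARP_TABLE = """\
10.0.10.12     0011.2233.4401
10.0.10.7      0011.2233.4402
10.0.10.3      0011.2233.4403
169.254.45.9   a4b1.c2d3.e4f5
10.0.10.250    a4b1.c2d3.e4f6
"""

# Constructed addressing plan: the DHCP server only leases .1-.99 of the /24.
DHCP_SCOPE = ipaddress.ip_network("10.0.10.0/24")
DHCP_POOL_FIRST = ipaddress.ip_address("10.0.10.1")
DHCP_POOL_LAST = ipaddress.ip_address("10.0.10.99")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA self-assigned range

# vlan, dotted-hex MAC, entry type, port; header and separator lines do not match.
MAC_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)\s*$")


def normalize_mac(mac):
    """Return the MAC as aa:bb:cc:dd:ee:ff whatever separator the source used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return [(mac, vlan, port)] for every learned entry in the switch table."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            entries.append((normalize_mac(m.group(2)), int(m.group(1)), m.group(3)))
    return entries


def parse_arp_table(text):
    """Return {mac: ip_address} from 'ip mac' lines."""
    arp = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            arp[normalize_mac(parts[1])] = ipaddress.ip_address(parts[0])
    return arp


def audit(mac_table, arp_table, authorized):
    """Return findings as (mac, port, reason) tuples.

    Reasons: 'unauthorized-mac' (MAC not in the inventory), 'link-local-ip'
    (no DHCP lease, so the device self-assigned 169.254.x.x and can still
    reach peers on the VLAN), 'ip-outside-dhcp-pool' (hand-set static address).
    """
    arp = parse_arp_table(arp_table)
    findings = []
    for mac, _vlan, port in parse_mac_table(mac_table):
        if mac not in authorized:
            findings.append((mac, port, "unauthorized-mac"))
        ip = arp.get(mac)
        if ip is None:
            continue  # seen on the switch but not in ARP yet
        if ip in LINK_LOCAL:
            findings.append((mac, port, "link-local-ip"))
        elif ip in DHCP_SCOPE and not (DHCP_POOL_FIRST <= ip <= DHCP_POOL_LAST):
            findings.append((mac, port, "ip-outside-dhcp-pool"))
    return findings


if __name__ == "__main__":
    for mac, port, reason in audit(MAC_TABLE, ARP_TABLE, AUTHORIZED):
        print(f"{port:<10} {mac}  {reason}")
```

Run against the constructed data it flags the two unknown laptops by switch port, one of them also because it fell back to a link-local address and the other because it was given a static address outside the lease pool. The port name is what makes the report actionable, since the patch panel maps it back to a wall jack. As Nikhil_CV notes, a MAC is trivial to change, so this is an audit aid for finding the ports involved; binding MACs to ports on the switch or 802.1X port authentication, as suggested in the same posts, is what actually stops the connection.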



#8 technonymous

technonymous

  • Members
  • 2,490 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:31 AM

Posted 10 April 2015 - 10:00 PM

Well, it sounded like a couple of guys accessing a rack on different floors, rofl. If you have wide-open wall receptacles that lead to a patch panel and switch, then all the security has to be done on the switch. Back in the day it was popular to just jack in. Not a lot of thought went into security. A person connecting and pulling an IP could turn around and set up their wifi as an AP. Then you've got a parking lot of people piggybacking on your network. Yes, I agree locking this down would be a nightmare, as you eloquently put it, whacking a mole constantly. It would be a full-time job assigning static IPs and VLANs etc. It all depends on how robust the switches are too, and they cost a small fortune. This is why wireless mesh is far superior and easier for managing this sort of thing. You've got wifi APs backed by a RADIUS server: either you've got access or you don't. If they really want to throw money at this and have it go away, I would go full-on wifi Open Mesh and disconnect all jacks. Desktops need to be upgraded to wifi, but at least you know where you stand. Then you have to think about setting up a WIPS server for cloud control management. However, that part is becoming much easier these days. With Open Mesh you can do air survey audits and even set up the software to send an e-mail when something is detected. Wifi is the future.


Edited by technonymous, 10 April 2015 - 10:02 PM.




