On 11/08/2010 2:39 PM, David wrote:
> On 8/11/2010 1:47 PM, Stefan Monnier wrote:
>>> At $work, we're having more and more problems with people bringing
>>> laptops etc. from home and plugging them into the network. The company
>>> policy has always been against this, but it was never really enforced.
>>> I want to change that.
>> What's the intention of this policy?
>> I ask because, depending on the intention, the best attack may be
>> very different.
>>
>> As a user, I'd look for ways to work around any technical restriction you
>> can try to impose (e.g. clone the MAC of my office's desktop), so to
>> deter people like me, you'll want to combine technical measures with
>> social measures, or maybe you'll want to add measures that check that
>> the machines whose MAC you know are indeed who you think they are.
>>
>> Or rather than prevent it, you may want to focus on detecting it, so
>> that you can know who does it.
>>
>> Furthermore, you may want to offer some way for users to use their home
>> laptop in a way that's accepted by corporate policy (e.g. providing
>> a parallel "unsecured" network), so as to reduce the incentives for
>> users to break policy.
>>
>> Stefan
>> _______________________________________________
>> mlug mailing list
>> [email protected]
>> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
> Let me say, I'm not trying to be a BOFH. (Though there are days when it
> seems appealing.) If there is a valid case for giving a device access
> to the corporate network, it will be done.
>
> Looking back at it, the goal is twofold:
> - to detect illegal devices
> - to block illegal devices
>
> I recently found out someone decided they would use their personal
> laptop instead of the workstation provided to them to do their work.
> It's been two months! The excuse I received was "I know what I'm doing,
> nothing will happen". This is what I want to stop.
Personally, I would do it more in a passive / monitoring way. I assume your business has mostly similar hardware for its employees (all Dell, all IBM, or large groups of one or two brand/model computers), so MAC addresses from "foreign" vendors should be very easy to detect. You could have an IDS service such as Snort running on your gateway that alerts you when an unauthorized MAC address is detected on your network, but still allow it to access the internet and such.

Through the address it got, you should be able to tell which VLAN/floor the connection is from and take a quick look around to see "who it is" (depending on the business, you probably wouldn't want to annoy a visiting business person or shut down a VIP by accident), and depending on whether the usage is valid or not (i.e. a VIP 'who didn't know', or a low-level employee browsing on company time), you can decide to either let it go or add his MAC to a blacklist.

I suppose it depends on how big your company is. At a location with <1000 users over 10 floors, it's not too bad to manage and we rarely have people bringing in their own computers, but if you're in a large enterprise with a more lax environment / younger employees, it might be much more time consuming to do it the way I mentioned.
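As an added illustration of the passive approach described in the reply above (this is example code, not something posted in the thread and not Snort's own logic), here is a small Python audit that takes an `ip neigh`-style ARP snapshot from the gateway, flags MACs whose OUI is not among the company's approved vendors, maps each IP to a VLAN/floor label so you know where to look, honours a blacklist of devices that were already investigated and refused, and, following Stefan's point about MAC cloning, also flags a known MAC that shows up on the wrong VLAN or at several IPs at once. The OUI allowlist, VLAN map, inventory and the sample ARP lines are all constructed for the example; the OUI values are placeholders you would replace with the prefixes of the hardware you actually buy.

```python
"""Passive detection of 'foreign' and misplaced devices from an ARP snapshot.

Added example, not code from the mlug thread. Everything below the imports
(OUI allowlist, VLAN map, inventory, blacklist, sample ARP lines) is
constructed for illustration; in production feed `ip neigh show`, DHCP
leases or arpwatch/Snort output into audit().
"""
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist: OUI (first three octets) -> vendor the company buys.
APPROVED_OUIS = {
    "00:14:22": "Dell",
    "00:1e:c9": "Dell",
    "00:21:5a": "HP",
}

# Constructed map from site subnets to a VLAN / floor label for the alert.
VLAN_MAP = {
    ipaddress.ip_network("10.0.10.0/24"): "VLAN 10 / 1st floor",
    ipaddress.ip_network("10.0.20.0/24"): "VLAN 20 / 2nd floor",
    ipaddress.ip_network("10.0.30.0/24"): "VLAN 30 / 3rd floor",
}

# Constructed inventory: MAC -> (owner, VLAN it is expected on).
INVENTORY = {
    "00:14:22:aa:bb:01": ("alice-desktop", "VLAN 10 / 1st floor"),
}

# Devices already looked at and refused; populated by the admin over time.
BLACKLIST = {"f0:de:f1:12:34:56"}

# Constructed sample in `ip neigh show` format.
SAMPLE_ARP = """\
10.0.10.15 dev eth1 lladdr 00:14:22:aa:bb:01 REACHABLE
10.0.10.77 dev eth1 lladdr 3c:22:fb:11:22:33 REACHABLE
10.0.20.40 dev eth1 lladdr 00:1e:c9:cc:dd:ee STALE
10.0.30.9 dev eth1 lladdr 00:14:22:aa:bb:01 REACHABLE
10.0.20.88 dev eth1 lladdr f0:de:f1:12:34:56 REACHABLE
"""

ARP_RE = re.compile(r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})", re.I)


def locate(ip):
    """Map an IP to its VLAN/floor label, or 'unknown subnet'."""
    addr = ipaddress.ip_address(ip)
    for net, label in VLAN_MAP.items():
        if addr in net:
            return label
    return "unknown subnet"


def parse_arp(text):
    """Yield (ip, mac) pairs; lines without an lladdr (FAILED/INCOMPLETE) are skipped."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("mac").lower()


def classify(ip, mac):
    """Return (kind, location, detail) for one entry, or None if nothing to flag."""
    where = locate(ip)
    if mac in BLACKLIST:
        return "BLACKLISTED", where, "previously refused device is back"
    if mac in INVENTORY:
        owner, expected = INVENTORY[mac]
        if expected != where:
            # A known MAC on the wrong VLAN is either a moved machine or a clone.
            return "KNOWN_MAC_WRONG_VLAN", where, f"{owner} expected on {expected}"
        return None
    vendor = APPROVED_OUIS.get(mac[:8])
    if vendor:
        return "UNREGISTERED_APPROVED_VENDOR", where, f"{vendor} OUI but not in inventory"
    return "FOREIGN_VENDOR", where, f"OUI {mac[:8]} not on the approved list"


def audit(text):
    """Run classify() over a snapshot and add a duplicate-MAC (possible clone) check."""
    alerts = []
    seen = defaultdict(set)
    for ip, mac in parse_arp(text):
        seen[mac].add(ip)
        hit = classify(ip, mac)
        if hit:
            kind, where, detail = hit
            alerts.append({"kind": kind, "ip": ip, "mac": mac,
                           "location": where, "detail": detail})
    for mac, ips in seen.items():
        if len(ips) > 1:
            alerts.append({"kind": "DUPLICATE_MAC", "ip": ",".join(sorted(ips)), "mac": mac,
                           "location": "multiple", "detail": "same MAC at several IPs; possible clone"})
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_ARP):
        print(f"{a['kind']:<28} {a['mac']}  {a['ip']:<22} {a['location']}  ({a['detail']})")
```

OUI matching is only a heuristic: anyone who clones a desktop's MAC passes it, which is why the wrong-VLAN and duplicate-MAC checks are there, and why the alert carries the VLAN/floor so someone can walk over and look. Run it against the real table with `ip neigh show | python3 audit.py` after swapping `SAMPLE_ARP` for `sys.stdin.read()`.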
