On 08/11/2010 02:39 PM, David wrote:
> On 8/11/2010 1:47 PM, Stefan Monnier wrote:
>>> At $work, we're having more and more problems with people bringing
>>> laptops etc from home and plugging them in to the network. The company
>>> policy has always been against this, but it was never really enforced.
>>> I want to change that.
>>
> Let me say, I'm not trying to be a BOFH. (Though there are days when it
> seems appealing.) If there is a valid case for giving a device access
> to the corporate network, it will be done.
>
> Looking back at it, the goal is twofold:
> - to detect illegal devices
> - block illegal devices
>
> I recently found out someone decided they would use their personal
> laptop instead of the workstation provided to them to do their work.
> It's been two months! The excuse I received was "I know what I'm doing,
> nothing will happen". This is what I want to stop.
>

The people who say 'I know what I'm doing' are the ones that worry me the most.

I manage a network outside of the office and I handle it with reserved IPs in ISC's dhcpd. All other equipment gets an invalid and unroutable address. Each morning I get an email with the previous day's dhcprequests.

If your policy is finding and blocking, that will work for non-technical people. Tech people will very quickly either clone the MAC or just assign themselves a static IP. If you assign IPs sequentially, you can block all the rest at the firewall, but that won't stop someone from assigning themselves the static IP and infecting all of your networked equipment.

Jared's solution is the best, but 802.1x is complex and will take you some time to set up. There are OSS solutions to implement it; check out PacketFence.

Gary B

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
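
Added example, not part of the thread or of anyone's actual setup: one way to build the daily "previous day's DHCP requests" report described in the reply above, listing every MAC that asked for a lease without having a reservation. It assumes ISC dhcpd's usual syslog line format; the MACs, hostnames, addresses and the function names `unknown_devices` and `daily_report` are constructed for illustration.

```python
import re

# Constructed inventory: MACs that have a reserved address ("host" entry) in dhcpd.conf.
RESERVED_MACS = {"00:16:3E:AA:BB:01", "00:16:3e:aa:bb:02"}

# Constructed syslog excerpt in the format ISC dhcpd logs requests.
SAMPLE_LOG = """\
Aug 10 08:58:03 gw dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:01 via eth1
Aug 10 08:58:04 gw dhcpd: DHCPREQUEST for 192.168.10.21 (192.168.10.1) from 00:16:3e:aa:bb:01 (ws-accounting) via eth1
Aug 10 08:58:04 gw dhcpd: DHCPACK on 192.168.10.21 to 00:16:3e:aa:bb:01 (ws-accounting) via eth1
Aug 10 09:14:40 gw dhcpd: DHCPDISCOVER from 00:1b:63:0c:0d:0e (home-laptop) via eth1
Aug 10 09:14:41 gw dhcpd: DHCPREQUEST for 10.255.255.17 (192.168.10.1) from 00:1b:63:0c:0d:0e (home-laptop) via eth1
Aug 10 13:02:19 gw dhcpd: DHCPREQUEST for 10.255.255.17 from 00:1b:63:0c:0d:0e (home-laptop) via eth1
Aug 10 16:45:00 gw dhcpd: DHCPDISCOVER from 3c:07:54:11:22:33 via eth1
Aug 10 16:45:30 gw sshd[812]: Accepted publickey for admin from 192.168.10.5
"""

# Client-originated messages only; the server's OFFER/ACK lines repeat the same MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdhcpd(?:\[\d+\])?:\s"
    r"(?:DHCPDISCOVER|DHCPREQUEST)\s(?:for\s(?P<ip>[\d.]+)\s(?:\([\d.]+\)\s)?)?"
    r"from\s(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s\((?P<name>[^)]*)\))?\svia\s\S+", re.IGNORECASE)

def unknown_devices(log_text, reserved):
    """Return {mac: stats} for every requesting MAC that has no reservation."""
    reserved = {m.lower() for m in reserved}  # inventories often mix case
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["mac"].lower() in reserved:
            continue
        d = seen.setdefault(m["mac"].lower(), {"count": 0, "first": m["ts"],
                                               "names": set(), "ips": set()})
        d["count"] += 1
        d["last"] = m["ts"]
        if m["name"]:
            d["names"].add(m["name"])  # client-supplied hostname, untrusted
        if m["ip"]:
            d["ips"].add(m["ip"])
    return seen

def daily_report(devices):
    """Render one line per unknown MAC for the morning e-mail body."""
    return "\n".join(
        f"{mac}  requests={d['count']}  first={d['first']}  last={d['last']}  "
        f"names={','.join(sorted(d['names'])) or '-'}  asked_for={','.join(sorted(d['ips'])) or '-'}"
        for mac, d in sorted(devices.items()))

if __name__ == "__main__":
    print(daily_report(unknown_devices(SAMPLE_LOG, RESERVED_MACS)))
```

As the reply points out, a machine with a cloned MAC or a self-assigned static IP never shows up as unknown in this report, which is the gap 802.1x is meant to close.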
