How to prevent a laptop from accessing my network

Tags:
SECURE
Here is the situation: one user unplugged the network cable from his PC and then plugged it into his laptop, and he got access to the network! Which means the network is not safe. My question is: how can I prevent such a thing from happening in the future?

Software/Hardware used:
PCs, servers, switches, routers, printers, hard disk drives

Answer Wiki


Hi,

A couple of ways:

A PC policy that bites if violated. That takes upper management involvement. Have upper management sign a memo – distribute it – place it on a shared drive and re-educate the users on PC policy. Eliminate excuses.

We have strict rules about bringing in thumb drives/laptops. We also monitor contractors/vendors. If a vendor needs to access the network via our systems – someone signs off – name of the person – reason – date – time.

You need your users to buy in. And that is hard. Kind of a stick-and-carrot approach.

We actually have static IP addresses; since we have fewer than 100 employees, it works for us. If you don't have a predefined IP address, you aren't connecting. I have most of ours memorized, so if I were to see an odd TCP/IP address I begin looking.

There is software that will look at the MAC address of a piece of equipment to determine whether it can connect to the system. We have used that to some extent.

Also, our users are blocked from seeing the TCP/IP setup on their PCs, so entering the current TCP/IP address on a new piece of equipment is harder. Not every user needs to be an administrator on their PC/laptop.

We also have wireless available; the wireless is password protected. That password changes often.

When a vendor requests access – we validate that the virus software is up to date.

Also, if you have RJ45 wall outlets – disconnect the cabling that connects them in the computer room.

If you can make security everyone's business – that will help. Software/hardware will help.

One other issue is that you don't know what information the user might have 'stolen' or how he might have put the company at risk. What if that user now has payroll or sensitive data on his laptop – and it's stolen, or his/her kid places it on the web?

If I can help with forms or policies – let me know. I can provide blanks and you can modify them at will. Good luck.

Discuss This Question: 28  Replies

  • TomLiotta
    "he got access to the network!!!!" Of course he did. That's what a network cable is for. Why all the exclamation points? It seems normal; nothing to be surprised about.
    "which means the network is not safe…" Why does it mean that? It seems (so far) to be doing what it's supposed to do. Access to the network from a port that is physically on the network is expected.
    Now, if there are important resources on the network, and those can be accessed without any authentication, or similar vulnerabilities are apparent, please describe them. Otherwise there doesn't seem to be a problem yet.
    Tom
  • secOfficer
    Well, maybe I did not explain the problem well. What I meant is: he should not be able to connect to the network just like that. His device is kind of strange to the network; it is not identified yet. Supposing there is a big network of hundreds of computers, servers, printers, switches and routers, isn't there a good way to just refuse such strange devices from connecting to the network automatically? The device (which here is his laptop) should be identified and get authorized access from the network administrator!
  • TomLiotta
    "isn't there a good way to just refuse such strange devices to connect to the network automatically .."
    No.
    But you are missing the point. The "network" shouldn't care whether devices are attached or not. However, resources on the network should definitely care.
    "hundreds of computers, servers, printers, switches and routers…."
    Those are resources. Those are what you would protect.
    Now, you might monitor and track devices that connect. You might maintain a database of authorized devices and send notifications when unauthorized devices are detected. You might have intelligent switches and routers that can filter traffic and be updated dynamically to isolate unrecognized devices.
    But I'm not sure how you would do that. Just about anything you would use to identify a device can be spoofed. The only thing that can be "detected" across a network is an electrical signal. Programming can cause any desired signal to be transmitted.
    In the end, you need to control your resources, not your "network". If a process on a device tries to access a "computer" on your network, the computer should reject a connection unless proper credentials are provided. If resources on your network refuse access, why do you care?
    Technically, there are some reasons to care. But so far you don't seem to have any reason. You can't stop someone from plugging in a cable. And if the cable is already 'live', it will take a reasonably intelligent switch along with intelligent configuration and management to disable the port if an unrecognized device attaches.
    Tom
  • secOfficer
    Thank you for your patience. All I am trying to say is: I do not want any other device, except the 112 PCs and 32 laptops which are all defined and identified to the network, to access the network and make use of it. HOW can I do so? Thanks indeed.
  • TomLiotta
    "HOW can I do so?"
    You probably can't.
    Please describe every networking control device in your network -- routers, switches, firewalls, etc. Also, what expertise do you have available for programming each of those devices? Also, what budget do you have available for this project? It can become expensive.
    A security policy that forbids attaching unauthorized devices and that is enforced (with termination if necessary) is probably the best first step.
    Tom
  • carlosdl
    You could probably configure MAC address filtering in your DHCP server(s), but more details about your environment may be needed to give a more precise answer.
  • TomLiotta
    "...configure MAC address filtering in your DHCP server(s),..."
    That's a reasonable step, but if no DHCP request is made...?
    Many IT people wouldn't care about DHCP. It doesn't take much knowledge to set a static IP address. Beyond that, MAC addresses can be spoofed. Intelligent switches might be a potential obstacle for unauthorized devices where DHCP might not even notice.
    Where I was going was proper security of resources. For example, a file server isn't likely to know the MAC address of a client. It could be made difficult to access by unauthorized devices.
    So far, the requirement is so broad as to be meaningless. We don't know why 'printers' and 'switches', for two examples, are an issue. What are they being protected from? Simple access wouldn't seem to be an issue. But access to a secured output queue on a print server or access to routing tables on a router are specific enough to discuss.
    It gets tricky trying to describe detailed guidelines when the difference between 'network' and 'resource on the network' is too advanced. The requested outcome is simply too broad. Fundamentals are missing. It makes me think of the opening statement of the site FAQ, and I wonder if we're addressing a problem or conducting a class.
    Tom
  • carlosdl
    Well, Tom, I don't think we could ever get enough information to give the OP the complete procedure to secure his network resources from an inside "attacker", but I guess he is probably going to give up trying to get help here if we don't give him at least something to start a discussion.
  • TomLiotta
    @carlosdl -- But read the first words of the question again. Is this a real 'question'? Or a hypothetical (homework? interview?) case? If we can't get meaningful factual data about the network, does a network actually exist that has a problem? I haven't seen any indication yet. Getting useful responses back has been difficult. It might just be a language barrier.
    Tom
  • carlosdl
    Haha, I can't believe I overlooked it. You're right, Tom, it doesn't seem to be a real question...
  • ToddN2000
    Ok, I'm not a network person, but if it's the same user turning off their PC and hooking up a laptop there is a bigger issue. Their authority did not change, and their sign-on and ID would still be the same. It would seem more like a trust issue with the employee trying to steal data. If they have valid network access to the data for their job, I do not see how you can stop them from using another device. The only other thought is encrypted data and encryption keys controlled by the admin.
  • TomLiotta
    The question is interesting, and I'm willing to maintain a dialog. It's possible to learn a lot in this for myself.
    But I need to see more from secOfficer, not only to define the issue better but to show that it's a real problem. A basic inventory of routers/switches/firewalls should be possible. It's also required for a proper answer.
    This question won't result in a single "Answer". It's going to have multiple parts, each of which would need different experts.
    Tom
  • secOfficer
    Thanks guys, it seems you had a long, useful discussion while I was offline. Anyway, the problem is real and not invented or imagined, and here once more is the issue: I do not know much about the specification of the network assets; all I know is that it is a big network with many network assets, as I mentioned earlier. The issue happened while I was on holiday; then a friend (who works with me in the same office) told me what happened: an employee unplugged the network wire from his PC, then plugged it into his laptop and started surfing the internet. So as a first reaction I told my friend we should do something to protect the network. By the way, we are new employees, my friend and I, so we want to do something useful for our network and for ourselves. This is the whole story. What shall I do?
  • TomLiotta
    "i do not know much about the specification of the network asset..."
    Then there is probably little you can do. It's possible that carlosdl's suggestion to limit DHCP to a list of known MAC addresses will be the limit.
    To secure your network fully, you will need a well qualified network technician and a full understanding of all of the components in your network.
    Tom
  • surenthar
    Hi secOfficer, just some additional info. Are you using any third-party software for authentication purposes? For example AD, squid proxy, packetfence and so on?
  • ToddN2000
    Is all this person doing surfing the internet? If this is against company policy then the simple thing is to block the port to the outside or block the sites. Some companies I know block sites like eBay and other shopping sites. That surfing should be done away from work. Trying to ban individual sites can be time consuming, especially when it comes to adult sites that can have malware, spyware, keyloggers and who knows what else. There are so many new sites daily you will never be able to keep up.
  • jinteik
    Next thing: is there a policy that states that users are not allowed to bring their own equipment into the office, or is there an internet policy? If yes, you can report the case to HR and get them in trouble too, so that it will be a lesson for the rest.
  • TomLiotta
    "If you don't have a predefined IP address, you aren't connecting."
    Not connecting... to what? Are you saying that no one can plug a live Ethernet cable into an unknown laptop in your office if the laptop has an unknown IP address? What kind of cable does that?
    Note the actual statement of the problem that actually happened:
    "...plugged it to his laptop and started surfing the internet"
    So the question -- "Not connecting... to what?" The issue wasn't "connecting to our network resources" nor "accessing data on our network". It was simple use of TCP/IP. You don't have to connect to anything but a live cable to do that. No authentication, no authorized MAC address, no assigned TCP/IP address. You can't stop that NIC from sending signals through the cable.
    You can, however, restrict where those signals can go once they're on the wire. But that requires some specific device programming for specific types of network devices. And there is also this:
    "i do not know much about the specification of the network asset–all what i am knowing is that, it is a big network with many network assets as i mentioned earlier.."
    Now, if you can describe how this person might program some unknown type of intelligent switch or perhaps some unknown type of (Linux based?) router to do the task, and ensure that it's done for every connection point in the network, it would be useful to all of us.
    Beyond that, I strongly agree with the 'enforced policy' approach. A monitored log of connected devices could show when strange devices were attached. If that violates policy, then action should be taken. I'm not sure anything useful beyond that can be done without bringing an experienced network technician in.
    Tom
  • graybeard52
    You might want to look into various DLP options offered by companies like Ironport and Sophos.  Sophos has a network control option that might do what you want.
  • secOfficer
    THANK YOU, I will learn more about our network and I will come back.
  • secOfficer
    Thanks DTaglion, that's really useful.
  • secOfficer
    To "DTaglion": "If I can help with forms or policies – let me know. I can provide blanks and you can modify at your will. Good Luck." Yes please, can you help me make an application policy?
  • theorn
    Buy a MikroTik (US$70), set up a VLAN and close down ports. Doesn't get much safer than that.
  • secOfficer
    Thank you "theorn", I do not think we could stretch to buying such a device. I think there is a smart solution in how to arrange and configure the network and the whole building: there is a computer room, distributed PCs, routers, switches and printers spread all over the place. We can come up with a simple, smart idea which solves the issue without buying such a device. Really, thank you for your cooperation.
  • TomLiotta
    @secOfficer: If you're now deciding to create and use policies, then start with visiting professionals.
    From SANS -- Information Security Policy Templates
    From InfoSysSec -- Standards and regulations and Security Policy Writing Styles & Guides
    From CPCS Technologies -- Sample Network & Computer Security Policies
    And a concise simple one you can download/review from The Institute of Internal Auditors (IIA) -- Sample Computer Network and Internet Use Policy
    That last one is a good start because it shows how simple things should be while covering most things you'll be interested in for your question. It might only require a couple of added sentences. You might also choose to drop some of it and make minor edits.
    Tom
  • TomLiotta
    "i do not think we could reach up to buy such a device…"
    Why not? MikroTik devices are not expensive.
    "we can come up with simple smart idea wich solve the issue without buying such a device.."
    No, you can't. That's the whole point of everything that's been added to this thread so far.
    You asked how to stop someone from plugging a live network cable into a new laptop and from then accessing the internet. Unless you already have such devices that you can program to detect that new device and to then drop its packets, there is nothing you can do to stop it.
    You can set up logging on your routers/switches and monitor those logs on a regular basis. That would let you catch it after it happened. And you can create a policy for your users to read and to agree to. That won't stop it from happening, but it lets your users know the consequences. The policy must state the consequences and you must be prepared to enforce the policy, by terminating the user's employment if necessary.
    Otherwise, you need to acquire capable devices (that can cost much more than the MikroTik devices; solid RSA DLP appliances can cost from $5000 US to over $10000 US each, plus software). And you need to install them at the proper points on your network and configure them to do what you need.
    Tom
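The monitoring control that carlosdl (DHCP tied to a list of known MAC addresses) and TomLiotta (a monitored log of connected devices, reviewed regularly, that catches a strange device after the fact) describe, written out as an added example; it is not code from the thread or from any of the posters. It assumes an ISC dhcpd server logging to syslog and a Linux host on the same segment whose `ip neigh` output can be read; the hostnames, MAC addresses, IP addresses and log lines are constructed, standing in for the 112 PCs and 32 laptops the OP says are inventoried. Tom's two caveats are built in: a device given a static address never talks to DHCP, so the neighbour table is checked as well, and because MACs and addresses can be copied this only reports, it does not block.

```python
"""Flag devices on the wire that are not in the authorized inventory.

Added example, not from the thread.  Two evidence sources are checked:
  1. ISC dhcpd syslog lines: catches devices that ask for a lease.
  2. `ip neigh` output from a Linux host on the same segment: catches
     devices given a static address by hand that never talk to DHCP.
MAC addresses and IPs can be spoofed, so this is a monitoring control
that reports after the fact; it does not stop the cable from working.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity mac ip reason")

# Constructed inventory: hostname -> (MAC, assigned static IP).
# The real one would list all 112 PCs and 32 laptops.
AUTHORIZED = {
    "pc-accounts-01": ("00:1a:2b:3c:4d:01", "192.168.10.11"),
    "pc-accounts-02": ("00:1A:2B:3C:4D:02", "192.168.10.12"),
    "lt-sales-07":    ("00-1a-2b-3c-4d-07", "192.168.10.57"),
}


def normalize_mac(mac):
    """Accept Windows (00-1A-...) and Unix (00:1a:...) spellings alike."""
    return mac.lower().replace("-", ":")


MAC_TO_HOST = {normalize_mac(m): h for h, (m, _) in AUTHORIZED.items()}
IP_TO_HOST = {ip: h for h, (_, ip) in AUTHORIZED.items()}

MAC = r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# ISC dhcpd syslog lines look like:
#   dhcpd: DHCPDISCOVER from 08:00:27:aa:bb:cc via eth0
#   dhcpd: DHCPREQUEST for 192.168.10.130 from 08:00:27:aa:bb:cc via eth0
#   dhcpd: DHCPACK on 192.168.10.130 to 08:00:27:aa:bb:cc (laptop) via eth0
DHCP_RE = re.compile(
    rf"dhcpd(?:\[\d+\])?: (?P<msg>DHCPDISCOVER|DHCPREQUEST|DHCPACK)\b"
    rf"(?: (?:on|for) (?P<ip>{IP4}))?"
    rf" (?:from|to) (?P<mac>{MAC})", re.I)

# `ip neigh` lines look like "192.168.10.99 dev eth0 lladdr 08:00:27:aa:bb:cc STALE"
NEIGH_RE = re.compile(
    rf"^(?P<ip>{IP4}) dev \S+ lladdr (?P<mac>{MAC}) (?P<state>\S+)", re.I)


def check_dhcp_log(lines):
    """One Finding per unknown MAC that talked to DHCP (latest IP kept)."""
    unknown = {}
    for line in lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if mac in MAC_TO_HOST:
            continue
        ip = m.group("ip") or (unknown[mac].ip if mac in unknown else None)
        unknown[mac] = Finding("high", mac, ip, "unknown device requested a DHCP lease")
    return list(unknown.values())


def check_neighbour_table(lines):
    """Findings from the ARP/neighbour table, which sees static-IP devices too."""
    findings = []
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if not m or m.group("state").upper() == "FAILED":
            continue
        mac, ip = normalize_mac(m.group("mac")), m.group("ip")
        host = MAC_TO_HOST.get(mac)
        if host is None:
            reason = "unknown device present with a static or leased address"
            if ip in IP_TO_HOST:  # someone copied an inventoried PC's address
                reason = f"unknown device using the address of {IP_TO_HOST[ip]}"
            findings.append(Finding("high", mac, ip, reason))
        elif IP_TO_HOST.get(ip) != host:
            findings.append(Finding("low", mac, ip, f"{host} seen on an address not in inventory"))
    return findings


def dhcpd_declarations(subnet="192.168.10.0", netmask="255.255.255.0"):
    """dhcpd.conf fragment: known MACs get fixed addresses, everyone else is refused."""
    out = [f"subnet {subnet} netmask {netmask} {{", "    deny unknown-clients;", "}"]
    for host, (mac, ip) in sorted(AUTHORIZED.items()):
        out.append(f"host {host} {{ hardware ethernet {normalize_mac(mac)}; fixed-address {ip}; }}")
    return "\n".join(out)


# Constructed sample input.  08:00:27:aa:bb:cc is the employee's laptop: it first
# takes a lease, later it is given .99 by hand; a second stray device
# (08:00:27:de:ad:01) reuses pc-accounts-02's address.
SAMPLE_DHCP_LOG = [
    "Jan 12 09:14:01 dhcp dhcpd: DHCPDISCOVER from 08:00:27:aa:bb:cc via eth0",
    "Jan 12 09:14:01 dhcp dhcpd: DHCPOFFER on 192.168.10.130 to 08:00:27:aa:bb:cc via eth0",
    "Jan 12 09:14:02 dhcp dhcpd: DHCPREQUEST for 192.168.10.130 from 08:00:27:aa:bb:cc via eth0",
    "Jan 12 09:14:02 dhcp dhcpd: DHCPACK on 192.168.10.130 to 08:00:27:aa:bb:cc (laptop) via eth0",
    "Jan 12 09:20:15 dhcp dhcpd: DHCPREQUEST for 192.168.10.57 from 00:1a:2b:3c:4d:07 via eth0",
    "Jan 12 09:20:15 dhcp dhcpd: DHCPACK on 192.168.10.57 to 00:1a:2b:3c:4d:07 (lt-sales-07) via eth0",
]
SAMPLE_NEIGH = [
    "192.168.10.11 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE",
    "192.168.10.12 dev eth0 lladdr 08:00:27:de:ad:01 STALE",
    "192.168.10.57 dev eth0 lladdr 00:1a:2b:3c:4d:07 REACHABLE",
    "192.168.10.99 dev eth0 lladdr 08:00:27:aa:bb:cc DELAY",
    "192.168.10.200 dev eth0  FAILED",
]

if __name__ == "__main__":
    for f in check_dhcp_log(SAMPLE_DHCP_LOG) + check_neighbour_table(SAMPLE_NEIGH):
        print(f"[{f.severity}] {f.mac} {f.ip or '-'}: {f.reason}")
    print(dhcpd_declarations())
```

Run from cron on the DHCP server (feeding it the day's syslog) and on one always-on host per segment (feeding it `ip neigh`), and mail the findings. The `deny unknown-clients` fragment is what carlosdl's suggestion looks like in dhcpd.conf; on its own it only means a stranger gets no lease, which is why the neighbour-table pass is the part that actually catches the laptop in the OP's story once its owner types in an address by hand.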
  • secOfficer
    Thank you "TomLiotta", they seem to be good websites. I will reply and discuss later.
  • dino007
    Hi, you can contact me at DTaglione@SilverSpringsCitrus.com. I have forms/policies that might help you.