Deny rogue computers

bealzz

At the school board I work for, we're starting to have problems with students bringing their laptops in and plugging into the network. Because we're giving out DHCP they get an address and can use the network however they want without any group policy taking place. I was wondering if there is any way to block people\students\teachers from bringing in their laptops from home and using the network.
I don't want to do reservations for all our legit machines as that would mean 1000+ reservations, and we've already let the school know that no one SHOULD be bringing in laptops but not all rooms are monitored 24/7. Also switchport security on the switches is something we don't want to do either. Sorry for the limitations.

Any help would be appreciated, thanks.
 
Don't you have some kind of setup to block networking if they are not joined to the domain? I'm guessing you'll need to set up a proxy server and have all traffic going through that.
 
I know it's a bit extreme, but you could force them to VPN to get to anything (meaning a VPN gateway would expose the rest of the network). Big overhead to do that though too. Listen to the other guys' recommendations first, I'm not a network security pro yet... :D
 
couple of solutions:

only give out dhcp addresses for known mac addresses, easy to implement, easy to circumvent (they just manually assign themselves an address, possibly causing ip collisions).

you can also do some network filtering stuff based on mac addresses too, depending on what your (managed) switches and infrastructure support: only allow known macs, or do some vlan magic with known macs. circumvention - assign a known mac address to a rogue laptop, but this is slightly harder because you have to know an exact mac address, instead of just picking one from a range of ips.

or the authentication to enable networking that has been previously suggested.
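
Added example, not part of any post in this thread: one way to detect the two circumventions mentioned above (a self-assigned static address, and a known MAC reused on a second machine) by auditing switch/ARP data against the DHCP leases and the known-MAC inventory. The function names, input layout and sample rows are constructed for illustration; it assumes you can export (IP, MAC, switch port) rows from your switches and the lease list from your DHCP server.

```python
from collections import defaultdict

def norm_mac(mac):
    """Normalise aa-bb-.., aabb.ccdd.eeff or AA:BB:.. to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(observed, known_macs, leases):
    """observed: (ip, mac, switch_port) rows seen on the wire.
    known_macs: inventory of legitimate machines.
    leases: {ip: mac} as handed out by the DHCP server.
    Returns a list of (finding, ip, mac, port) tuples."""
    known = {norm_mac(m) for m in known_macs}
    leases = {ip: norm_mac(m) for ip, m in leases.items()}
    ports_by_mac = defaultdict(set)
    for _, mac, port in observed:
        ports_by_mac[norm_mac(mac)].add(port)
    findings = []
    for ip, mac, port in observed:
        mac = norm_mac(mac)
        if mac not in known:
            # Machine that is not in the inventory at all.
            findings.append(("unknown-mac", ip, mac, port))
        elif leases.get(ip) != mac:
            # Known MAC, but the address was never leased to it: static IP.
            findings.append(("no-matching-lease", ip, mac, port))
        if mac in known and len(ports_by_mac[mac]) > 1:
            # One inventory MAC live on two ports suggests a cloned MAC.
            findings.append(("mac-on-multiple-ports", ip, mac, port))
    return findings

# Constructed sample data (locally administered MACs, private addresses).
KNOWN_MACS = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
LEASES = {"10.0.0.10": "02:00:00:00:00:01", "10.0.0.11": "02:00:00:00:00:02"}
OBSERVED = [
    ("10.0.0.10", "02-00-00-00-00-01", "sw1/1"),  # legitimate desktop
    ("10.0.0.50", "02:00:00:00:00:99", "sw1/7"),  # laptop with a static IP
    ("10.0.0.11", "0200.0000.0002", "sw1/2"),     # legitimate desktop
    ("10.0.0.60", "02:00:00:00:00:02", "sw2/4"),  # same MAC on another port
]

if __name__ == "__main__":
    for finding in audit(OBSERVED, KNOWN_MACS, LEASES):
        print(*finding)
```
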
 