Prevent employees from bringing personal laptops and connecting to the network?

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,462
So i was at one of my clients the other day and they just have a 1-man IT staff and he doesnt really know a whole lot about networking, just a helpdesk dude.

And he said he was having bandwith issues yet i see employees here with personal laptops streaming video and stuff on the company's network.
He knows its an issue but doesnt know how to prevent it. I suggested Websense to block all streaming, but thats not really in their budget according to him.

They dont have wireless, but whats a good way for them to prevent someone from coming in and hooking up to their network?

They use a Server 2003 Domain (AD/DHCP/DNS).
 

B1zz

Gawd
Joined
Aug 1, 2003
Messages
932
i'll let some AD/Domain junkies chime in on the windows/domain front as far as possible ways to control this via group policy, but really the easiest way is to set switchport security(assuming cisco gear) and have pseudo network access control....maybe even shove non-authenticated ports into a gateway-less VLAN....that'd piss em off... >=D
 

Cax6ton

Limp Gawd
Joined
Jul 22, 2004
Messages
170
If it's the same computers all the time, create false reservations in the DHCP table for the machines that don't belong - give them bad gateway/DNS info, and they won't be able to go anywhere. It's not the best or easiest solution, but it will work for a few occurrences. It's not something you would want to have to do every week.
 

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,462
but with network access control couldnt someone just change their MAC and bypass that?
 

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,462
If it's the same computers all the time, create false reservations in the DHCP table for the machines that don't belong - give them bad gateway/DNS info, and they won't be able to go anywhere. It's not the best or easiest solution, but it will work for a few occurrences. It's not something you would want to have to do every week.

Yea im thinking something more global, just not only to prevent employees but visitors, contractors, etc.
 

Valnar

2[H]4U
Joined
Apr 3, 2001
Messages
4,034
If they can't afford Websense to block streaming or something similar at the firewall level, you certainly aren't going to like the "correct" answer which is NAC. That's much more money.

Although you could always do a poor man's NAC and just allow the MAC's of all known devices. It's not fun or easily manageable, but it will work. You'll need smart switches (like Cisco) to pull it off. And if they get by that, adding a second layer of authentication at the firewall level wouldn't hurt. But just like anti-piracy measures, it'll end up annoying the users too.
 

StarTrek4U

Gawd
Joined
Jan 8, 2003
Messages
1,011
There's not really a good way to do it via AD. I would do a couple of things...

First, create some sort of document/email/whatever that basically says if you bring your personal laptop in we're not going to allow you to visit these type of sites (youtube, facebook, whatever) and explain why. Then, look at using a DNS service such as open DNS to block those site categories. Your other option which will come up once YeOlde gets in this thread would be to get an untangle box or something similar and do webfiltering there as well.

Or, you can just say no personal devices. ;)
 

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,462
If they can't afford Websense to block streaming or something similar at the firewall level, you certainly aren't going to like the "correct" answer which is NAC. That's much more money.

Although you could always do a poor man's NAC and just allow the MAC's of all known devices. It's not fun or easily manageable, but it will work. You'll need smart switches (like Cisco) to pull it off. And if they get by that, adding a second layer of authentication at the firewall level wouldn't hurt. But just like anti-piracy measures, it'll end up annoying the users too.

If its annoying for the users to do their work instead of watching hulu they can find employment elsewhere.

NAC - i thought its just MAC filtering, is that not the case? got a good link?
 

blk95civicex

Limp Gawd
Joined
Feb 10, 2003
Messages
170
If this shop is as small as it sounds (no money for a "real" solution, no managed network gear, etc.), and they are not using wireless, why not just unplug the patch cords on the network gear from the network jacks that are being abused?

Essentially a hardware disable on all unused network ports. If people are unplugging their work PCs to use home PCs, then that is another problem all in its own.
 

StarTrek4U

Gawd
Joined
Jan 8, 2003
Messages
1,011
Policy's only go so far

True, that was more the "I know this won't work" wink.

It depends on the size of the org, as others have said you can use MAC filtering however your switches need to support it and it is a PITA to manage. Since both Untangle or OpenDNS can be had for free they may be easier to implement & manage vs some of the other options here.
 

calvinj

[H]ard|Gawd
Joined
Mar 2, 2009
Messages
1,738
I'm surprised stonecat hasn't chimed in yet.

If they already have a firewall in place take an business class desktop (HP, Dell, Etc), put a second nic in it and install Untangle. When you install untangle put it in bridge mode so it sits in between the firewall and the switch this way you can filter out streaming and stuff like that from the untangle. The Web Filter & Protocol Control are free and do a decent job of this. I have it on a guest access network setup and it has stopped various things from happening that shouldn't be happening.

The other option that would be cheaper yet.. OpenDNS. I like it if you want to set the same policies across the board. No facebook means no facebook. My problem is there in some cases I need to let some people have access to stuff like facebook and that's where untangle plays a little bit better card than openDNS.
 

Valnar

2[H]4U
Joined
Apr 3, 2001
Messages
4,034
Unless the OP is using wrong terminology, he not only wants to stop web abuse, but stop them from connecting to the network. That means a layer-2 solution that OpenDNS or Untangle can't do. The cheapest L2 solutions are unplugging cables and MAC filtering. The more expensive (or outrageously expensive) involve 802.1x and NAC.

Of course my favorite is layer 8. Confiscate the laptops. :D
 

dx2

Gawd
Joined
Jan 6, 2005
Messages
545
If this shop is as small as it sounds (no money for a "real" solution, no managed network gear, etc.), and they are not using wireless, why not just unplug the patch cords on the network gear from the network jacks that are being abused?

Essentially a hardware disable on all unused network ports. If people are unplugging their work PCs to use home PCs, then that is another problem all in its own.

Bingo. pragmatic and it solves the problem.
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
I'm surprised stonecat hasn't chimed in yet..

Morning! :D
Actually busy onsite today helping Flotech dudes install some Canons at a client of mine, and I'm putting Untangle in their network to prep for a 20 meg Comcast pipe here next week.

Started skimming the thread, since I focus on SMB more, I really don't have much for suggestions here....a NAC is the best way to do it, but I don't know the size of this guys company...probably out of budget.

Other ways...little tricks of doing this or that....lot of effort for a little SMB 1 man show with little results.

Best approach IMO, is for company management to create an Employee Computer Use policy, dole it out to their staff..and start enforcing it...visually. Start realizing that having staff being in their own PCs is a security thread to the network..and the business. You don't know what's on employees home laptops....and a companies sole IT guy shouldn't be wasting time "checking out/cleaning" employees home PCs for this purpose.

Dang...5 hours later...I get to finish/post this thread.
 

gimp

[H]F Junkie
Joined
Jul 25, 2008
Messages
10,535
there may be a way to only allow specific MAC address to receive a DHCP lease.
Although this would, of course, create a lil more work when a new machine is put on the network, one is replaced, etc.

phsyically disconnect the walljacks at the patch panel would certainly be another way, unless as stated, they unplug their work computer to hook up their personal computer, which would be a whoooole other issue.
 

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,462
Yea im trying to stay away from something that creates more work.
Im meeting with the owner tomorrow so i will see if I can convince him that its an issue worth spending money on and see if he will spring for a NAC.
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
How big is this company....like..how many PCs?
Is it difficult for management there to police things visually?
 

nitrobass24

[H]ard|DCer of the Month - December 2009
Joined
Apr 7, 2006
Messages
10,462
Its a quasi-govt entity

Yes it is hard because not everything is in the same building. IE most places have to mgt.

Hence the reason why they need something that does not rely on people
 
Top