How can I stop valid users with home laptops from acquiring a netconnection

Disaster Recovery
I have just been hired by a small company that has outsourced its switch and router management to its IP phone vendor. I have users that bring in home laptops and plug them in to the network. This cannot continue, as I have HIPAA data on my network. Is there a way to prevent these rogue devices from network access?

I can't do it through the normal switch management (no administrative access), so the sticky MAC is out. I have users that believe policies don't apply to them. I need to keep these devices from getting a connection.

  • 0 Votes
    JPElectron

    I don't see how you're the person to 'solve' this problem, when you don't have access to the tools needed to solve it? Sounds like if the business really wants this restriction in place (and I agree it's not a bad idea) then the company that controls the switches and routers is the one to do it. Honestly, it sounds like the IP phone vendor should be fired for incompetence - but hey.

    You might mitigate people connecting to the internal network by providing an alternative, free WiFi off a separate public IP or separate ISP connection, and then get management to agree on a penalty/disciplinary action for those found connecting to the internal network - but good luck policing that.

    2 Votes
    dzammit2

    The proper way to do this is using 802.1x.

    You need to explain to your customer and the phone company that access to the switch is required to do the job.

    If the phone company does not give you access, ask them to at least configure a trunk on the existing switch and introduce another switch which you would have access to. A Catalyst 2950 should do the job in most cases.

    0 Votes
    Charles Bundy

    If you have access to DHCP, lock it down by MAC. Likewise DNS. Do you have physical access to the rack? If so, make certain that nothing has a patch cord if it terminates to an open wallplate jack.

    I will say at the end of the day anyone who is clever and has physical access can bypass things by simply swapping out a hot seat with their MAC-spoofing laptop. This is regardless of what you control, including the switch infrastructure. Thus it requires management backing and may not be a technical problem, if you catch my drift...

    0 Votes
    rcugini

    This company is just asking for a lawsuit. Medical information should NEVER be on any network, ever. Having said that, if they won't put it on a backup and on a machine in HR's office, it should be put into a password-protected crypto-luks or PGP-style container.

    The users who are simply using the network at lunch break or who are doing work on their own devices aren't at fault. Having that data hanging out there is 100% of the company's fault.

    At least put the offending data on its own subnet. Another thing you can do is to use 2 routers off of the connection. One for high security DMZ type of network data, another for normal use. This is having 2 networks instead of one.

    0 Votes
    GSG

    If medical information is not on the network, then how can our clinicians chart, share data between systems, comply with meaningful use, etc... I have over 100 interfaces that take data transmitted across the network from one system to an engine where the data is translated and passed on to a receiving system. If it wasn't passed across the network, it would have to all be done by paper.

    Medical Information does have to go across networks, but they have to be secure and encrypted and only available through the proper, password protected systems, and no one can just plug in a random device and get on the network.

    0 Votes
    Martin G.

    What you're looking for is a NAC (network access control) solution. Since you don't really control your network, you need to let your boss(es) know that you need to work with the people who control your network and a security firm that deals with cyber security.

    Be careful, because your phone vendor may come back and say that your company doesn't need to do all sorts of fancy stuff to get your network protected, and implement the wrong or, worse, an incomplete solution, giving everyone a false sense of security.

    1 Votes
    TheChas

    If you cannot get access to the tools you need, the next best option is to work with management and make an example of one of the policy violators. Any policy is only as good as the enforcement mechanism.

    First, the policy for not using personal devices has to include a clear statement of disciplinary actions that will be taken if users violate the policy. This will need to have HR and legal sign-off to protect the company. Then, require everyone with network access to read and sign the updated policy.

    Then, start monitoring and logging unauthorized access. Provide either the user's manager or HR with the information. If you can work it out so that they catch a user in the process, even better.

    Once word gets around that users are being disciplined for using their own devices, that should reduce if not eliminate improper access.

    Chas

    0 Votes
    apnp

    Don't allow them in the building. Instruct the guard at the front door to not allow them (personal computing devices) into the building!

    0 Votes
    cpguru21

    With no DHCP server available. This may not be for everyone, but for us it is manageable. I keep track of everything in a spreadsheet (I know, archaic, but effective, and like I said, for us it's manageable). I also hide the SSID of my wireless just (and only) to avoid the questions of "can I have the password to the wireless....".

    We are fairly lax on security here, so we also have an older iBook that is configured to access the network. Sometimes employees bring their kids in and they are allowed to use this.

    Just a few thoughts. If I ever switched to DHCP I would probably do what Charles suggested with DHCP/MAC address binding.

    Another note: I was easily able to justify canceling our firewall outsourcing and replacement of all firewalls with ones I can manage and have full admin access to (the old FW management company, while they were good at what they did, did not allow me access) for a one-time cost cheaper than one year's cost of outsourcing. The redundant fees for support are way down, and overall in 2 years we will be on the plus side of cost savings.
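As an added example (not code posted in this thread), here is the monitoring step TheChas describes combined with the MAC inventory approach Charles Bundy and cpguru21 mention: the script compares what is actually on the wire (constructed `ip -4 neigh show` output) against an asset spreadsheet (constructed CSV; its column layout, addresses and owner names are assumptions) and reports devices that are not in the inventory or a known MAC turning up at an IP it was not assigned. As Charles notes, a MAC is spoofable, so treat the output as evidence for management, not as an access control.

```python
import csv
import io
import re

# Constructed sample of the asset spreadsheet, exported as CSV (layout is an assumption).
INVENTORY_CSV = """mac,ip,owner
00:11:22:aa:bb:01,10.0.1.10,reception-pc
00:11:22:aa:bb:02,10.0.1.11,billing-pc
00:11:22:aa:bb:03,10.0.1.12,ip-phone-lobby
"""

# Constructed sample of `ip -4 neigh show` from a host on the same LAN segment.
NEIGH_OUTPUT = """10.0.1.10 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.0.1.11 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
10.0.1.12 dev eth0 lladdr 00:11:22:aa:bb:03 REACHABLE
10.0.1.77 dev eth0 lladdr 3c:22:fb:12:34:56 REACHABLE
10.0.1.50 dev eth0 lladdr 00:11:22:aa:bb:02 REACHABLE
10.0.1.1 dev eth0  FAILED
"""

# Only entries that carry a link-layer address are useful; FAILED/INCOMPLETE rows have none.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)

def load_inventory(text):
    """Map normalised (lower-case) MAC -> (assigned IP, owner) from the spreadsheet export."""
    return {row["mac"].lower(): (row["ip"], row["owner"]) for row in csv.DictReader(io.StringIO(text))}

def parse_neighbours(text):
    """Yield (ip, mac) pairs for neighbour-table lines that include a MAC address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("mac").lower()

def audit(inventory, neighbours):
    """Return findings as (kind, ip, mac, owner): unknown devices and known MACs at the wrong IP."""
    findings = []
    for ip, mac in neighbours:
        if mac not in inventory:
            findings.append(("UNKNOWN_DEVICE", ip, mac, None))
        elif inventory[mac][0] != ip:
            findings.append(("IP_MISMATCH", ip, mac, inventory[mac][1]))
    return findings

if __name__ == "__main__":
    for kind, ip, mac, owner in audit(load_inventory(INVENTORY_CSV), parse_neighbours(NEIGH_OUTPUT)):
        print(f"{kind:15} ip={ip:<12} mac={mac} owner={owner or '-'}")
```

Run it from cron against live `ip -4 neigh show` output and keep the findings with timestamps; that log is what HR or the user's manager needs.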
