back to article Don't let your networks speak to strangers

Run a scan over any company network and you will probably be surprised by what has been connected to it. Staff can be very creative, plugging in everything from printers to tablet devices to departmental servers and network-attached storage devices. They are not circumventing IT policies either, or so they think – just …

COMMENTS

This topic is closed for new posts.

Easy cheap fix

Don't allow unknown MAC's on the network.

Done.

4
1
Pint

Great stuff

Sounds great, what product do you recommend to do that?

We have 10,000 desktops.

2
0
FAIL

Re: Easy cheap fix

You may want to investigate ifconfig <interface> link for rooted iOS devices. Android probably has ifconfig <interface> hw ether, too.

Trivially easy to get around and this isn't just wireless APs, either. It'll work on secured ports on managed switches for wired ethernet. Never trust a MAC address to identify a host.

3
0
Silver badge

Only prevents honest people connecting.

ifconfig eth0 down hw ether 00:00:00:00:00:01

ifconfig eth0 up

...whups.

1
0

Solution ?

Fire the person who didn't do it when you had ten and could check them all by hand.

Still, easy enough to find all the devices that checked in with AD in the last N days, those'll be the only valid devices apart from a few special things you can add on later. Start by blocking outbound-to-the-internet from unknown MACs.

0
0
FAIL

Umm

Very good, but you are now not doing anything by accident, or because you don't know better, you are deliberately violating IT security policy. Go directly to the dole queue.

0
0
Silver badge

Go directly to the dole queue?

Or alternatively, implement proper security, treat a MAC as more of a session token than a permanent key, and don't end up firing a bunch of people who might be smarter than you and bring in more money for the company than you because you have to act like a BOFH.

This article is about random devices leaking information out. So, have a webcafe or BTOpenZone-style web login that pinpoints who is using what and where. You get a nice audit trail showing who did what, your employees can randomize their MAC as much as they like, and you don't have to act like a bastard who thinks they are running GCHQ, ultimately engendering disrespect from your colleagues and peers. That in itself can end up proving more dangerous to your network security than any toyphone or tablet.

2
0
WTF?

Go directly to the dole queue? Hell yeah.

"might be smarter than you and bring in more money for the company"

Dear gods. It's like working with a bunch of lawyers again.

Who, I might add, would be the first to suggest firing me should the company publiclaly have to admit to leaking customer details.

Even Schneider recomends firing someone publically to make sure security is taken seriously : http://www.schneier.com/essay-282.html

0
0
Silver badge

Holy christ..

..what part of "audit trail" did you not read? It means "log what your employees are doing with company resources".

If you then find said employees are doing nothing but browsing dodgy porn sites and fucking about, then you can do something about it. The device they use to do it with is hardly the problem, is it?

Some people are just itching for that little bit of power. Seriously, have you got a PFY working with you as an apprentice too?

1
0
Pint

Right

Tom,

You're either trolling or clueless. What product do you use to block the mac addresses of these 10,000 devices connecting to the internet again? You've not said. Also, these 10,000 devices access to DCs is via routers. As in, behind routers. Do you think your AD server is going to record their physical MAC address? Rather than the mac of the nearest hop to the DCs?

This is, of course, ignoring the elephant in the room, the fact that AD doesn't record the MAC addresses of devices which "check in" with it (whatever that's supposed to mean).

When in hole, stop digging.

0
0
FAIL

@AC re Great stuff

Try looking. There are commercial packages, appliances and Open Source solutions. If you have not got a reliable register of your systems, then you might consider deploying an asset management tools as well. For an estate the size of the one you say you have, I would be surprised that your company does not already have one!

It's all possible, it's just that it takes effort, which you should have been doing anyway.

0
0
Pint

@AC

So in other words, you have no idea. Thanks for playing.

0
0
Silver badge

Lax network management

For goodness sake, at least segregate your DHCP space.

Allocate two IP subnets, trusted and untrusted. Register all of the MAC addresses of your trusted devices and give out addresses in the trusted range. Any unknown or foreign MAC addresses get given addresses in the other range. Allocate different DNS server addresses and default routes to each subnet. Use short leases to make sure that someone using a fixed IP address will be spotted (by duplicate IP addresses) as soon as the addresses cycle round.

Control routing between the two subnets so that untrusted devices get no access to internal servers, and minimal access to the Internet and such devices as printers. There, does not matter what gets brought in, it is unlikely to do any damage. And you do not even need to invest in a large network infrastructure, as most switches will multinet quite happily.

Of course, if you are paranoid, you could just not give out any DNS address to unknown devices, or you could have something like Wireshark alerting whenever you get a source address in your untrusted address range.

In extreme security environments, lock network ports down at the switch to only a single device per port by MAC address, with the port being disabled if another device is attached. As soon as a user plugs something else in and locks the port, they either have to call the help desk (giving you a chance to rap them over the knuckles), or suffer the port not working forever.

I know that this can be defeated with LAA MACs, but if al you are trying to do is prevent users from attaching smart phones, printers and the like, these devices use fixed MAC address anyway. Most basic users would also not know how to change the MAC address in their PC either.

This is not far fetched. I've seen all instances of the above deployed in real customers, and most large organizations do something along these lines by default.

5
0
Anonymous Coward

is this to keep from having to deploy 802.1x

It's complicated, requires (newer) switches, and requires integration into the OS to be seamless/painless for the end users.

I've set it up before as a demo, but seem to remember it being a PITA.

0
0
Thumb Up

extended desktop lifecycles

Like!

0
0
Thumb Up

I've heard of Microsoft doing this on their network 5, maybe 6 years ago

...but I've never actually seen it put into practice. The article says SCCM can do this - anyone know how it's actually accomplished? Also, any other ways out there to do this without SCCM?

0
0
Anonymous Coward

Use 802.1X

Use 802.1X and an exemption process for devices you want to allow that don't support it.

1
0
Welcome

EAPOL is your friend

802.1x is familiar to many for wireless networking but it's also possible to do this on your wired Ethernet too. If the connecting device doesn't have the appropriate certificate and private key you can dump it into a dirty VLAN.

Just remember to check that your private keys aren't exportable - I found an unauthorised iPhone connected to an 802.1x WLAN once because the user was smart enough to export the key and certificate from his desktop and import it on the fondleslab.

0
0
Silver badge

re: exportable keys

If your users are local administrators, the keys are exportable. If they're really sneaky local administrators, they can export them without you being able to find out that they exported them.

0
0
Silver badge

How LJMU (.ac.uk) does it

For the unencrypted LJMU-specific network, you give them your student/staff user ID and password on the web login page. If you're using a smartphone, or if you just fancy having an encrypted connection, you connect to the encrypted eduroam SSID using your normal login credentials as the certificate.

Easy, simple (for end users at least), works well enough for over 40,000 students and staff (not counting the other educational establishments signed up to eduroam), and nobody has to get sacked for it.

0
0
FAIL

Cart, meet horse.

So users bring in devices and connect it to their network (it's not yours) because they find that it's a good way to work better. Is it completely out of the question that the IT people might say to themselves "Oooh, people working better, that's good. How can we make it as smooth and easy as possible?" rather than coming over all obstructive?

IT systems aren't run just to give BOFHs something to do between WoW sessions. They are there to facilitate work, and any IT worker who deliberately impedes the actions of those who pay his wages should be in that dole queue as fast as his little atrophied legs can carry him.

2
0
Silver badge
Stop

Horse, meet cart.

As the senior IT manager in my company, it falls to me to make sure everything works and continues working, while making sure our trade secrets don't get leaked to our competitors and that some phishing scammer in China doesn't rip off all our employees' and customers' credit cards. If I fail in that duty, I can expect to be sacked and even charged with criminal negligence.

The likes of me are not here to make life easier for the likes of you. My job is to make sure everything keeps working in a stable and secure manner. If you can guarantee to me, from your at least degree-level IT education, that any personal device you bring in and connect to my company network is 100% free of spyware, malware and other unwanted goodies, and I can have it from you in writing that you alone accept full and sole liability for any damages occurring as a result of you plugging your device into my network, I'll let you connect it.

Otherwise, while I bear the responsibility and the liability if something goes wrong, all the users on my network can abide by the rules I've put in place for it, rules which are ultimately designed to protect everyone who works here from both criminals and competitors.

1
1
Anonymous Coward

Incentivised to hamstring the business?

Sounds like a matter of incentives - you don't have responsibility for overall P&L so it doesn't affect your bonus if the company is outsold by competitors with more responsive IT and less directive company cultures. Or indeed if it goes out of business - you made sure it didn't do it because of IT, right?

Tying up IT to the mainstream company to get the business and IT sides integrated is important to make sure you have the full picture. E.g. You're protecting against competitors stealing your secret stuff, but you're not protecting the company from losing sales to competitors with lower costs due to more responsive IT, etc. who can price lower than your shop can manage due to its big IT overhead and rules, bureacracy, etc. Unless you play where everyone else is like you, which again is business strategy.

General points, not you in particular.

1
0
Silver badge

Additional solution

"If users persist in connecting their own PCs to your network, you can take advantage of the same managed desktop techniques used to support home workers and temporary staff: virtual desktops with access to separate virtual LANs."

Or just fire the fucking idiot for gross misconduct - it's generally stipulated in the rules and regulations in the terms of employment (must confirm to IT policy etc) that you are not allowed to do it.

0
1
Silver badge

The only place I've ever seen a rule as strict as that...

...was the UK Census 2001. They barely allowed you to bring your own pens in just in case you had some kind of James Bond recording device embedded in it. Seriously, all phones off and checked in at the door, any equipment brought in (including aforementioned pens) to be checked by security.

Now unless you're working with that sort of data (and the vast majority of people aren't), then why the hell are people so fond of pretending to be working in, oh, the UK Census?

There are other ways, as some people here have pointed out. But, it seems some people just want to be a BOFH.

1
0
Silver badge

@M Gale

OK, UK Census.

But how about -

National Government: DVLA, HMRC, DWP, IPS (passports), MOD, GCHQ

Local Government departments: Electoral Role, Council Tax, Benefits system

Health system: All your health records.

Commercial: Your Bank, Utility companies, anybody who holds your bank details, your telecom provider.

Other: Basically, any personal data covered by the Data Protection act which makes it an offence as a data holder not to take all relevant precautions to keep the data secure.

Now, what were you saying about critical data and the requirement for strict network control?

I've worked in UK bank's IT departments where the network control was much more severe than UK government agencies, with serious risk of disciplinary procedures, sacking, and even report to the police for prosecution under the Data Protection legislation for anybody who does not follow the rules about connection policy. This included things like PDAs, USB memory keys, and anything that could possibly be a communication device.

Now where I am currently working, I'm not even allowed to plug a non-approved keyboard into their systems!

0
0
Silver badge

@Peter Gathercole

My thoughts exactly. The rules aren't there just to piss you off they are there to secure the data and to provide a standardised hardware platform for support purposes - something that costs enterprises a bloody fortune. You therefore can't have Jonny Fanboi rocking up with his homebuild gaming rig, laptop, tablet etc and expecting to connect it to your network.

As for the previous responder not having come across rules that stipulate that you cannot attach your own hardware to the corporate network and that it is a disciplinary offense that may result in dismissal, I would suggest that he cannot have worked in many true enterprises because that rule has been present in every one I've worked at over the course of the last 15 years. How would M Gale like their financial records, medical records etc sprayed all over the internet because some numpty was allowed to connect their kit to the network?

0
0
This topic is closed for new posts.

Forums