Easy cheap fix
Don't allow unknown MAC's on the network.
Done.
Don't let your networks speak to strangers
Run a scan over any company network and you will probably be surprised by what has been connected to it. Staff can be very creative, plugging in everything from printers to tablet devices to departmental servers and network-attached storage devices. They are not circumventing IT policies either, or so they think – just …
-
-
-
Thursday 26th May 2011 22:01 GMT Tom Chiverton 1
Solution ?
Fire the person who didn't do it when you had ten and could check them all by hand.
Still, easy enough to find all the devices that checked in with AD in the last N days, those'll be the only valid devices apart from a few special things you can add on later. Start by blocking outbound-to-the-internet from unknown MACs.
-
Friday 27th May 2011 13:35 GMT Anonymous Coward
Right
Tom,
You're either trolling or clueless. What product do you use to block the mac addresses of these 10,000 devices connecting to the internet again? You've not said. Also, these 10,000 devices access to DCs is via routers. As in, behind routers. Do you think your AD server is going to record their physical MAC address? Rather than the mac of the nearest hop to the DCs?
This is, of course, ignoring the elephant in the room, the fact that AD doesn't record the MAC addresses of devices which "check in" with it (whatever that's supposed to mean).
When in hole, stop digging.
-
-
Friday 27th May 2011 14:26 GMT Anonymous Coward
@AC re Great stuff
Try looking. There are commercial packages, appliances and Open Source solutions. If you have not got a reliable register of your systems, then you might consider deploying an asset management tools as well. For an estate the size of the one you say you have, I would be surprised that your company does not already have one!
It's all possible, it's just that it takes effort, which you should have been doing anyway.
-
-
Thursday 26th May 2011 19:02 GMT Chronos
Re: Easy cheap fix
You may want to investigate ifconfig <interface> link for rooted iOS devices. Android probably has ifconfig <interface> hw ether, too.
Trivially easy to get around and this isn't just wireless APs, either. It'll work on secured ports on managed switches for wired ethernet. Never trust a MAC address to identify a host.
-
-
Thursday 26th May 2011 23:09 GMT M Gale
Go directly to the dole queue?
Or alternatively, implement proper security, treat a MAC as more of a session token than a permanent key, and don't end up firing a bunch of people who might be smarter than you and bring in more money for the company than you because you have to act like a BOFH.
This article is about random devices leaking information out. So, have a webcafe or BTOpenZone-style web login that pinpoints who is using what and where. You get a nice audit trail showing who did what, your employees can randomize their MAC as much as they like, and you don't have to act like a bastard who thinks they are running GCHQ, ultimately engendering disrespect from your colleagues and peers. That in itself can end up proving more dangerous to your network security than any toyphone or tablet.
-
Friday 27th May 2011 09:32 GMT Tom Chiverton 1
Go directly to the dole queue? Hell yeah.
"might be smarter than you and bring in more money for the company"
Dear gods. It's like working with a bunch of lawyers again.
Who, I might add, would be the first to suggest firing me should the company publiclaly have to admit to leaking customer details.
Even Schneider recomends firing someone publically to make sure security is taken seriously : http://www.schneier.com/essay-282.html
-
Friday 27th May 2011 11:50 GMT M Gale
Holy christ..
..what part of "audit trail" did you not read? It means "log what your employees are doing with company resources".
If you then find said employees are doing nothing but browsing dodgy porn sites and fucking about, then you can do something about it. The device they use to do it with is hardly the problem, is it?
Some people are just itching for that little bit of power. Seriously, have you got a PFY working with you as an apprentice too?
-
-
-
-
-
-
Thursday 26th May 2011 17:55 GMT Peter Gathercole
Lax network management
For goodness sake, at least segregate your DHCP space.
Allocate two IP subnets, trusted and untrusted. Register all of the MAC addresses of your trusted devices and give out addresses in the trusted range. Any unknown or foreign MAC addresses get given addresses in the other range. Allocate different DNS server addresses and default routes to each subnet. Use short leases to make sure that someone using a fixed IP address will be spotted (by duplicate IP addresses) as soon as the addresses cycle round.
Control routing between the two subnets so that untrusted devices get no access to internal servers, and minimal access to the Internet and such devices as printers. There, does not matter what gets brought in, it is unlikely to do any damage. And you do not even need to invest in a large network infrastructure, as most switches will multinet quite happily.
Of course, if you are paranoid, you could just not give out any DNS address to unknown devices, or you could have something like Wireshark alerting whenever you get a source address in your untrusted address range.
In extreme security environments, lock network ports down at the switch to only a single device per port by MAC address, with the port being disabled if another device is attached. As soon as a user plugs something else in and locks the port, they either have to call the help desk (giving you a chance to rap them over the knuckles), or suffer the port not working forever.
I know that this can be defeated with LAA MACs, but if al you are trying to do is prevent users from attaching smart phones, printers and the like, these devices use fixed MAC address anyway. Most basic users would also not know how to change the MAC address in their PC either.
This is not far fetched. I've seen all instances of the above deployed in real customers, and most large organizations do something along these lines by default.
-
Thursday 26th May 2011 21:57 GMT Markius
EAPOL is your friend
802.1x is familiar to many for wireless networking but it's also possible to do this on your wired Ethernet too. If the connecting device doesn't have the appropriate certificate and private key you can dump it into a dirty VLAN.
Just remember to check that your private keys aren't exportable - I found an unauthorised iPhone connected to an 802.1x WLAN once because the user was smart enough to export the key and certificate from his desktop and import it on the fondleslab.
-
Friday 27th May 2011 08:25 GMT Ian Johnston
Cart, meet horse.
So users bring in devices and connect it to their network (it's not yours) because they find that it's a good way to work better. Is it completely out of the question that the IT people might say to themselves "Oooh, people working better, that's good. How can we make it as smooth and easy as possible?" rather than coming over all obstructive?
IT systems aren't run just to give BOFHs something to do between WoW sessions. They are there to facilitate work, and any IT worker who deliberately impedes the actions of those who pay his wages should be in that dole queue as fast as his little atrophied legs can carry him.
-
Friday 27th May 2011 09:41 GMT Steven Roper
Horse, meet cart.
As the senior IT manager in my company, it falls to me to make sure everything works and continues working, while making sure our trade secrets don't get leaked to our competitors and that some phishing scammer in China doesn't rip off all our employees' and customers' credit cards. If I fail in that duty, I can expect to be sacked and even charged with criminal negligence.
The likes of me are not here to make life easier for the likes of you. My job is to make sure everything keeps working in a stable and secure manner. If you can guarantee to me, from your at least degree-level IT education, that any personal device you bring in and connect to my company network is 100% free of spyware, malware and other unwanted goodies, and I can have it from you in writing that you alone accept full and sole liability for any damages occurring as a result of you plugging your device into my network, I'll let you connect it.
Otherwise, while I bear the responsibility and the liability if something goes wrong, all the users on my network can abide by the rules I've put in place for it, rules which are ultimately designed to protect everyone who works here from both criminals and competitors.
-
Friday 27th May 2011 12:18 GMT Anonymous Coward
Incentivised to hamstring the business?
Sounds like a matter of incentives - you don't have responsibility for overall P&L so it doesn't affect your bonus if the company is outsold by competitors with more responsive IT and less directive company cultures. Or indeed if it goes out of business - you made sure it didn't do it because of IT, right?
Tying up IT to the mainstream company to get the business and IT sides integrated is important to make sure you have the full picture. E.g. You're protecting against competitors stealing your secret stuff, but you're not protecting the company from losing sales to competitors with lower costs due to more responsive IT, etc. who can price lower than your shop can manage due to its big IT overhead and rules, bureacracy, etc. Unless you play where everyone else is like you, which again is business strategy.
General points, not you in particular.
-
-
-
Friday 27th May 2011 08:25 GMT M Gale
How LJMU (.ac.uk) does it
For the unencrypted LJMU-specific network, you give them your student/staff user ID and password on the web login page. If you're using a smartphone, or if you just fancy having an encrypted connection, you connect to the encrypted eduroam SSID using your normal login credentials as the certificate.
Easy, simple (for end users at least), works well enough for over 40,000 students and staff (not counting the other educational establishments signed up to eduroam), and nobody has to get sacked for it.
-
Friday 27th May 2011 09:21 GMT Mark 65
Additional solution
"If users persist in connecting their own PCs to your network, you can take advantage of the same managed desktop techniques used to support home workers and temporary staff: virtual desktops with access to separate virtual LANs."
Or just fire the fucking idiot for gross misconduct - it's generally stipulated in the rules and regulations in the terms of employment (must confirm to IT policy etc) that you are not allowed to do it.
-
Friday 27th May 2011 11:53 GMT M Gale
The only place I've ever seen a rule as strict as that...
...was the UK Census 2001. They barely allowed you to bring your own pens in just in case you had some kind of James Bond recording device embedded in it. Seriously, all phones off and checked in at the door, any equipment brought in (including aforementioned pens) to be checked by security.
Now unless you're working with that sort of data (and the vast majority of people aren't), then why the hell are people so fond of pretending to be working in, oh, the UK Census?
There are other ways, as some people here have pointed out. But, it seems some people just want to be a BOFH.
-
Friday 27th May 2011 14:43 GMT Peter Gathercole
@M Gale
OK, UK Census.
But how about -
National Government: DVLA, HMRC, DWP, IPS (passports), MOD, GCHQ
Local Government departments: Electoral Role, Council Tax, Benefits system
Health system: All your health records.
Commercial: Your Bank, Utility companies, anybody who holds your bank details, your telecom provider.
Other: Basically, any personal data covered by the Data Protection act which makes it an offence as a data holder not to take all relevant precautions to keep the data secure.
Now, what were you saying about critical data and the requirement for strict network control?
I've worked in UK bank's IT departments where the network control was much more severe than UK government agencies, with serious risk of disciplinary procedures, sacking, and even report to the police for prosecution under the Data Protection legislation for anybody who does not follow the rules about connection policy. This included things like PDAs, USB memory keys, and anything that could possibly be a communication device.
Now where I am currently working, I'm not even allowed to plug a non-approved keyboard into their systems!
-
Sunday 29th May 2011 08:17 GMT Mark 65
@Peter Gathercole
My thoughts exactly. The rules aren't there just to piss you off they are there to secure the data and to provide a standardised hardware platform for support purposes - something that costs enterprises a bloody fortune. You therefore can't have Jonny Fanboi rocking up with his homebuild gaming rig, laptop, tablet etc and expecting to connect it to your network.
As for the previous responder not having come across rules that stipulate that you cannot attach your own hardware to the corporate network and that it is a disciplinary offense that may result in dismissal, I would suggest that he cannot have worked in many true enterprises because that rule has been present in every one I've worked at over the course of the last 15 years. How would M Gale like their financial records, medical records etc sprayed all over the internet because some numpty was allowed to connect their kit to the network?
-
-
-
This topic is closed for new posts.
Biting the hand that feeds IT
