Policy for employees bringing their own laptop?

EmperorIQ

Platinum Member
Sep 30, 2003
Hey,

I want to know what you System Admins generally do regarding personal computers. Do you let employees bring their own laptops and plug it into the network, so they can transfer their work files over or no? What are the security problems involved with allowing this?

Thanks!
 

Boscoh

Senior member
Jan 23, 2002
NOT IN A BILLION YEARS!

If you start doing that, you'll have a virus infested network in no time.

You also run the risk of someone copying something they shouldn't over to their personal machine. Their machine could also be configured as a DHCP server and start handing out bogus settings via DHCP. That happened at a friend's workplace. A guy thought he'd show off and bring his Linux laptop into work. His laptop was apparently configured as a DHCP server which handed out DNS settings pointing to non-existent machines (which I guess existed on his home network).

The company had a policy of no personal computers on the network, but apparently no technical safeguards. The guy was fired, but the damage was done. It took them quite a bit of time to fix everything.
 

spidey07

No Lifer
Aug 4, 2000
No.

The network will not allow a computer without a valid certificate to communicate with anything.

Security will also search your bag and if you try to bring a non-company laptop in it will be confiscated until your visit is over.

Any company in their right mind will not allow (by policy or by technology) personal or any non-company issued computer on their network.
 

spherrod

Diamond Member
Mar 21, 2003
www.steveherrod.com
No - huge security risk. We've put a DSL line in and had that patched to a few locations for consultants or visitors who require Internet access but unless their system has been installed from our images then it's not allowed on the company network.
 

dphantom

Diamond Member
Jan 14, 2005
We have a lot of speakers in who use laptops, but we isolate them to a separate VLAN, isolating their traffic. They get Internet access and that's it.
 

skyking

Lifer
Nov 21, 2001
Heading to the office today with a plan for setting up guest internet.
They will have no connection to any component, not even the broadband. They will get cable broadband on their own switch; sorry, no printers.
 

blemoine

Senior member
Jul 20, 2005
I work at a financial institution and we don't even allow company laptops, much less personal machines from home. The chance of data walking off is 100% in some form or another. Depending on the size of your office and profession it may be OK. An office with 4 people and 3 workstations may not have a problem with the extra machine to get some work done.
 

EmperorIQ

Platinum Member
Sep 30, 2003
Originally posted by: Boscoh
NOT IN A BILLION YEARS!

If you start doing that, you'll have a virus infested network in no time.

You also run the risk of someone copying something they shouldn't over to their personal machine. Their machine could also be configured as a DHCP server and start handing out bogus settings via DHCP. That happened at a friend's workplace. A guy thought he'd show off and bring his Linux laptop into work. His laptop was apparently configured as a DHCP server which handed out DNS settings pointing to non-existent machines (which I guess existed on his home network).

The company had a policy of no personal computers on the network, but apparently no technical safeguards. The guy was fired, but the damage was done. It took them quite a bit of time to fix everything.

What can a person do, or what are the harms involved, when a DHCP server is configured on a laptop that was brought in from home to a company's network?
 

spidey07

No Lifer
Aug 4, 2000
Computers that request an address are likely to be answered first by the laptop, leading to a loss of IP connectivity for that host. It gets worse over time until no machines can get an address.

And tracking down a rogue DHCP server can be tough. You'll have to sniff the packets and trace down the MAC.
 

nweaver

Diamond Member
Jan 21, 2001
Yes, but once you get the MAC it's not too tough to trace through the L2 network and find the port...
 
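As an added example (not code from anyone in this thread), here is the detection half of what spidey07 and nweaver describe: parse sniffed DHCP OFFER/ACK messages, flag any server identifier that is not the company's DHCP server, and report the Ethernet source MAC you then trace through the switches to a port. The authorized server address, the MACs and the sample frames are constructed data.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # start of the DHCP options field (RFC 2132)
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}   # constructed: the company's real DHCP server

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload: header plus options 53 (type) and 54 (server id)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    siaddr = ".".join(str(b) for b in payload[20:24])   # 'next server' header field
    client_mac = payload[28:28 + hlen].hex(":")          # chaddr is hlen bytes long
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    server_id = ".".join(str(b) for b in opts[54]) if 54 in opts else siaddr
    return {"op": op, "msg_type": opts.get(53, b"\x00")[0],
            "server_id": server_id, "client_mac": client_mac}

def find_rogue_servers(frames, authorized=AUTHORIZED_DHCP_SERVERS):
    """frames: (ethernet_src_mac, dhcp_payload) pairs sniffed on the LAN. Returns the
    (src_mac, server_id) of each OFFER (2) or ACK (5) from a server not in the allow-list."""
    rogue = []
    for src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if msg["msg_type"] in (2, 5) and msg["server_id"] not in authorized:
            rogue.append((src_mac, msg["server_id"]))   # this MAC is what you trace to a port
    return rogue

def build_offer(server_ip: str, msg_type: int = 2) -> bytes:
    """Constructed DHCPOFFER payload used as sample input here (not a real capture)."""
    sip = bytes(int(x) for x in server_ip.split("."))
    hdr = bytes([2, 1, 6, 0]) + b"\xde\xad\xbe\xef" + b"\x00" * 12 + sip + b"\x00" * 4
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10 + b"\x00" * 192  # chaddr, sname, file
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4]) + sip + b"\xff"

# Constructed sample capture: the real server answers, then a home laptop answers too.
SAMPLE_FRAMES = [("00:aa:bb:cc:dd:01", build_offer("10.0.0.1")),
                 ("00:16:cb:12:34:56", build_offer("192.168.1.1"))]

if __name__ == "__main__":
    for mac, server in find_rogue_servers(SAMPLE_FRAMES):
        print(f"rogue DHCP server {server} answering from MAC {mac}")
```

In practice the frames come from a capture filtered on UDP source port 67; the reported MAC is then looked up in the switches' MAC address tables to find the physical port, which is the step nweaver refers to.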

pcthuglife

Member
May 3, 2005
If people want to take data home from the office they'll do it with or without a personal laptop. I think the main issue is virus protection. I doubt the people's homes are guarded as well as the office network. Connecting an infected laptop to your network could mean serious trouble.
 

stash

Diamond Member
Jun 22, 2000
Originally posted by: spidey07
Originally posted by: nightowl
Definitely NOT recommended. Spidey, are you doing EAP-TLS for dot1x?

Yes.

Other than security searching bags, how do you handle a user who also brings a hub with his laptop?

Which could lead to this scenario if you have host-based firewalls: http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx

I'm making a big assumption that your clients are running firewalls, so if they aren't, never mind.
 

spidey07

No Lifer
Aug 4, 2000
802.1x will stop the hub scenario.

That's MS marketing BS to push their solution.

All security experts agree they are taking the wrong approach and it's too full of holes. In a perfect world you would use both kinds: client/server based and network based.

-edit-

Good link though.
 

Boscoh

Senior member
Jan 23, 2002
We limit each port to the number of MAC addresses normally required on that port, statically map the MACs to that port, and disallow new ones. That would render their hub and laptop ineffective. They'd have to find out the MAC of the computers already plugged in, then clone it, then turn off the computer they cloned, and plug in to the network. It's unlikely someone will do that where I work, but it is far from fool-proof.

802.1x can be used in conjunction with the above method, but also tacks on hardware and client authentication. In other words... if your MAC is not allowed on the network, or your computer doesn't have a certificate, or you don't know a password, you don't get access to the network... much less the servers and PCs sitting on that network.
 

stash

Diamond Member
Jun 22, 2000
We limit each port to the number of MAC addresses normally required on that port, statically map the MACs to that port, and disallow new ones. That would render their hub and laptop ineffective. They'd have to find out the MAC of the computers already plugged in, then clone it, then turn off the computer they cloned, and plug in to the network.

Yes, this is the exact scenario outlined in the link. However, I do not see why the attacker would need to turn off the 'victim', the machine whose MAC they cloned. If you map a single MAC to a port, if the attacker clones it, the switch wouldn't be able to tell, would it?

Which would then bypass the problem of getting a cert, since the victim has already done the authN for you.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: STaSh
That's MS marketing BS to push their solution.

What solution are you referring to?

Microsoft's BS NAP solution.

-edit-

While I believe their efforts are good, the way they are approaching it thoroughly proves they are clueless on security.
 

stash

Diamond Member
Jun 22, 2000
Care to elaborate on how you reached the conclusion that NAP is BS? Are you on the TAP program for NAP? Where are these security experts?

I'm not trying to be a troll, I'm honestly curious why you think this, especially since NAP uses existing technologies, including 802.1x.

Edit: constructive feedback would be useful, since the product is still in development. One of the PMs for NAP is onsite with my customer this week, so valid criticisms besides 'it's bullshit' would be beneficial.
 

spidey07

No Lifer
Aug 4, 2000
It's been a while since I looked at it (6 months).

From my understanding it manipulates the routing table on the PC which anybody with some knowledge can circumvent. I just remember reading the full white paper and laughing. I've got a presentation I did on both aspects, I'll see if I can dig it up.

The security experts are myself and those in my field. Then again we may be biased because we're network security experts and look at it from a "the network must protect itself" no matter what the host or OS attached is.
 

stash

Diamond Member
Jun 22, 2000
That is for the DHCP scenario, which is why there is a large note at the beginning of that section.

Because DHCP quarantine is based on entries in the IPv4 routing table, it cannot prevent a malicious user who is a local administrator from manually changing the IPv4 routing table and gaining full network access.

Should've kept reading to the sections on NAP with 802.1x or IPSec. In these scenarios, the network is protecting itself. This also is helpful for computers on your network that you consider trusted (because they have a MAC corresponding to a port on a switch, a certificate, etc) but are not secure and should not be on the network. Examples being systems whose AV is out of date or non-functional, systems missing OS patches, etc.

802.1x is great for mitigating most of the problem of preventing people from getting on the network. But once they are on, there is no additional protection to the network if those clients do not meet security requirements. NAP works with 802.1x to provide this additional protection.
 

spidey07

No Lifer
Aug 4, 2000
Stash,

This could be a very good discussion, but mind you I aim for standards based solutions. Even though I love Cisco, I don't like proprietary solutions.

Unfortunately this early in the game there are no true standards to mitigate all aspects. 802.1x is a huge one and is successful on wireless. If we can apply that to wired we'll be OK.

"We" predicted this divergence between Cisco and Microsoft back in 2003 I believe. That they were taking two separate paths, and it looks like it's coming true.

It all comes down to "I don't trust anything communicating, how do I trust and secure?"

I'd suggest a new thread on "rogue machine prevention" as it's very hot right now.
 