Are employees or guests connecting unauthorized computers to your network?

by | Mar/26/2008

An IT professional discovered an unauthorized computer on the network! “I know all our computer names and I knew this one did not belong. I immediately called our consultants thinking we were being compromised. They said the computer was in our office. I searched through the office and found that one of the (employees) brought an (outside representative) into the office and set her up in one of our offices. She was allowed to plug her laptop into our network and proceeded to access the internet.”

I frequently come across offices that freely invite visitors to “plug in to the network” to check e-mail or access the Internet. The same goes for offering visitors wireless access. The people offering access to complete strangers obviously have no idea of the danger.

What if there are virus infections on the outsider’s computer? What if those viruses infect your network?

What if the user does something illegal over the Internet? The police will come to your office looking for the perpetrator. If you provide an unsecured wireless network, the suspect may have been outside your business in a truck in the middle of the night when he broke the law using your Internet access.

Take steps to control this, including:

  • Teach everyone in the organization how dangerous it is to connect unauthorized computers to the network – wired or wireless.
  • If the executives agree to deny guest computers altogether:
    • Have a strong written policy that people sign saying that NO computers will ever be connected to the Internet without the IT professional’s prior approval
    • Securely encrypt wireless networks (and if your IT professional still thinks WEP encryption is secure, have them search Google for WEPCRACK sometime)
    • Your IT professionals may choose to use other technology solutions that monitor for unauthorized connections and potentially deny them access such as http://www.laneye.com.
    • Encourage your guests to sign up for their own connections such as Verizon, Sprint, or AT&T broadband access. These connections can be used in almost all populated areas.
  • If executives feel they must offer access to guest computers during conference meetings and/or other times:
    • IT may implement a form of endpoint security that makes sure the connected laptop meets specific requirements (updates, anti-virus, etc.) before being allowed to connect
    • IT may implement password security using, for example, RADIUS or Cisco authentication for guest computers.
    • Put any unprotected wireless access points on a hot tub timer so they turn themselves off automatically after an hour or two.
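
The "monitor for unauthorized connections" step can start with data the office already has. The following is an added example, not part of the original article or of any product it mentions: it compares active DHCP leases against IT's inventory of known machines. It assumes an ISC dhcpd-style leases file; the sample leases, the `AUTHORIZED` inventory and the function name are constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd.leases format (not real data).
SAMPLE_LEASES = '''
lease 192.168.1.21 {
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3e:aa:10:01;
  client-hostname "FRONTDESK-PC";
}
lease 192.168.1.57 {
  binding state active;
  hardware ethernet 00:1B:77:5c:22:9f;
  client-hostname "VISITOR-LAPTOP";
}
lease 192.168.1.33 {
  binding state free;
  hardware ethernet 00:16:3e:aa:10:09;
}
'''

# Hypothetical inventory maintained by IT: MAC address -> asset name.
AUTHORIZED = {
    "00:16:3e:aa:10:01": "FRONTDESK-PC",
    "00:16:3e:aa:10:02": "ACCOUNTING-PC",
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)  # skips "next binding state"

def find_unauthorized(leases_text, authorized):
    """Return (ip, mac, hostname, reason) for active leases not matching the inventory."""
    known = {mac.lower(): name for mac, name in authorized.items()}
    findings = []
    for ip, body in LEASE_RE.findall(leases_text):
        state, mac = STATE_RE.search(body), MAC_RE.search(body)
        # Only leases currently in use, with a recorded hardware address, matter here.
        if not mac or not state or state.group(1) != "active":
            continue
        mac = mac.group(1).lower()
        host = HOST_RE.search(body)
        host = host.group(1) if host else ""
        if mac not in known:
            findings.append((ip, mac, host, "unknown MAC"))
        elif host and host.lower() != known[mac].lower():
            findings.append((ip, mac, host, "hostname mismatch"))
    return findings
```

Because a device's owner can change its MAC address and hostname, treat a check like this as a tripwire for well-meaning employees and guests; the authentication and endpoint checks listed above are what actually deny access.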

In addition, I see many IT professionals sign up for a separate broadband connection, such as a DSL or cable link, for the exclusive use of guests who need Internet access. Yes, this will help protect our network from the guest’s computer; it is similar to connecting the guest computer to a DMZ so that it sits outside our firewall. Keep in mind, however, that if the guest (or a program on their computer) performs an illegal act, the police will trace the traffic back to your company either way.