Unauthorized Devices on Network

SashenG (Member, joined Feb 16, 2017)
Hi All,

Please can someone advise me on how I can stop any unauthorized devices on my company network,
so basically, stopping anyone with a laptop plugging into my LAN and accessing the internet/network.

When it comes to Phones, accessing the WIFI will only be possible if given the password, so not too worried about that,
Just concerned if anyone comes in with a laptop and plugs in - I need to stop that from occurring.

Any advice would be appreciated.

Regards,
 
First off, disable any unused ports. It won't stop someone from disconnecting a printer for example and connecting their PC but it's good practice to disable all unused ports.

A quick and dirty way to do this (if your switches support it) is to lock down the switch ports per MAC address. It's not that secure and can be bypassed but it's better than nothing.

To implement this correctly you need to use a NAC product (network access control). This locks down the switch ports, and when the desktop is authenticated correctly the port is enabled. Non authenticated machines can then be configured to only get access to a guest vlan for example.

With the phones on your network, do they get access to the corporate network via WIFI, or just the internet? If they get access to the corporate network with just a WIFI password then this is a very bad security practice - devices should be using certs to gain access, and not (shared) WIFI passwords.

There are plenty of decent products that let you roll this out but your switches will need to support 802.1x.

If money is tight have a look at this open source product:
 
> Hi All,
>
> Please can someone advise me on how I can stop any unauthorized devices on my company network,
> so basically, stopping anyone with a laptop plugging into my LAN and accessing the internet/network.
>
> When it comes to Phones, accessing the WIFI will only be possible if given the password, so not too worried about that,
> Just concerned if anyone comes in with a laptop and plugs in - I need to stop that from occurring.
>
> Any advice would be appreciated.
>
> Regards,
Easiest method?
Disable DHCP on the Router.
Setup Static IP addresses and add the Router address as the Gateway address on any device's Network Adapter/Networking Settings. You can also use the Router as DNS or any other public DNS Servers.

So if nobody knows the details, they can't connect.
 
> Easiest method?
> Disable DHCP on the Router.
> Setup Static IP addresses and add the Router address as the Gateway address on any device's Network Adapter/Networking Settings. You can also use the Router as DNS or any other public DNS Servers.
>
> So if nobody knows the details, they can't connect.

Obviously very cheap, but the negative is then when those devices need to connect elsewhere, like WFH.
 
> Obviously very cheap, but the negative is then when those devices need to connect elsewhere, like WFH.
Don't really get your point?
The WFH folk have their own connections. The Internal company network is configured on its own.

If Company Workstation1 is set up in a Static method and WFH1 needs access to it, it still goes over the Internet straight to it. Either via RDP/VPN or whichever method. Vice versa too.

Being on Static doesn't remove Internet access, it just allows nobody to attach to the LAN and use the internet.
 
> Don't really get your point?
> The WFH folk have their own connections. The Internal company network is configured on its own.
>
> If Company Workstation1 is set up in a Static method and WFH1 needs access to it, it still goes over the Internet straight to it. Either via RDP/VPN or whichever method. Vice versa too.
>
> Being on Static doesn't remove Internet access, it just allows nobody to attach to the LAN and use the internet.

He is saying when a work laptop, on let's say the 172 range, gets a static IP on the WiFi the user will take it home to their 192 range network and have no connection.
 
> He is saying when a work laptop, on let's say the 172 range, gets a static IP on the WiFi the user will take it home to their 192 range network and have no connection.
That doesn't make sense either.
The Work WiFi is a completely different SSID/Network than the Home network.
You manage it as two different connections.
The user won't need to do anything. Going home and connecting there still remains automatic.
Edit: I see you mentioned laptop. Just use a connection switcher. Multiple freeware apps available.
 
> That doesn't make sense either.
> The Work WiFi is a completely different SSID/Network than the Home network.
> You manage it as two different connections.
> The user won't need to do anything. Going home and connecting there still remains automatic.
> Edit: I see you mentioned laptop. Just use a connection switcher. Multiple freeware apps available.
It won't work, trust me, as it happened to me the other day: a client's network used static IP on the WiFi, and when I got home I couldn't connect to my home WiFi unless I changed it to Automatic.

Phones aren't affected by this as each SSID you connect to can be customized, but now that I'm thinking of this you can set up an alternate IP.

Main profile for office and alternate for Home, but then that's limited to two networks. (Obviously more, assuming most networks are on the 192 range, but then again you might run into IP conflicts unless a high number IP is chosen (192.168.0.200).)

Best way is to use a firewall with a user login portal.
 
> It won't work, trust me, as it happened to me the other day: a client's network used static IP on the WiFi, and when I got home I couldn't connect to my home WiFi unless I changed it to Automatic.
>
> Phones aren't affected by this as each SSID you connect to can be customized, but now that I'm thinking of this you can set up an alternate IP.
>
> Main profile for office and alternate for Home, but then that's limited to two networks. (Obviously more, assuming most networks are on the 192 range, but then again you might run into IP conflicts unless a high number IP is chosen (192.168.0.200).)
>
> Best way is to use a firewall with a user login portal.
Check my edit above. It does work.
 
> Ah but not natively.
That's not a good excuse. There's a thousand different things on a PC that aren't available as stock/native.
It depends on the business. If they have cash to spend, sure, level up. If not, my suggestion should work.
 
> Don't really get your point?
> The WFH folk have their own connections. The Internal company network is configured on its own.
>
> If Company Workstation1 is set up in a Static method and WFH1 needs access to it, it still goes over the Internet straight to it. Either via RDP/VPN or whichever method. Vice versa too.
>
> Being on Static doesn't remove Internet access, it just allows nobody to attach to the LAN and use the internet.

I am not talking about VPNing, I am talking about other networks not having same static IPs.

The OP is not even worried about wifi, just physical LAN (go read OP again); now you just add complexity and third party software where not required. At least if you had said they must only do that on the physical LAN, that would have been better, but it still leaves the other physical network problem.

One should rather go this way with OP:
Everything even vaguely important on the network should be behind credentials, so is your main problem only someone then abusing the internet? Anyone with the wifi password can do the same too technically. So please expand on why you are worried about unauthorized devices on the LAN, then we can address that.
 
> First off, disable any unused ports. It won't stop someone from disconnecting a printer for example and connecting their PC but it's good practice to disable all unused ports.
>
> A quick and dirty way to do this (if your switches support it) is to lock down the switch ports per MAC address. It's not that secure and can be bypassed but it's better than nothing.
>
> To implement this correctly you need to use a NAC product (network access control). This locks down the switch ports, and when the desktop is authenticated correctly the port is enabled. Non authenticated machines can then be configured to only get access to a guest vlan for example.
>
> With the phones on your network, do they get access to the corporate network via WIFI, or just the internet? If they get access to the corporate network with just a WIFI password then this is a very bad security practice - devices should be using certs to gain access, and not (shared) WIFI passwords.
>
> There are plenty of decent products that let you roll this out but your switches will need to support 802.1x.
>
> If money is tight have a look at this open source product:
Have you ever used Packetfence? I was looking at it a while ago and I'd be interested to hear what it is like to 'live with.'
 
> Hi All,
>
> Please can someone advise me on how I can stop any unauthorized devices on my company network,
> so basically, stopping anyone with a laptop plugging into my LAN and accessing the internet/network.
>
> When it comes to Phones, accessing the WIFI will only be possible if given the password, so not too worried about that,
> Just concerned if anyone comes in with a laptop and plugs in - I need to stop that from occurring.
>
> Any advice would be appreciated.
>
> Regards,
All can be done server side with GPO. Anyway anyone without a network user account should not be able to access the network, else time to fire the network administrator for being an idiot.
 
> Easiest method?
> Disable DHCP on the Router.
> Setup Static IP addresses and add the Router address as the Gateway address on any device's Network Adapter/Networking Settings. You can also use the Router as DNS or any other public DNS Servers.
>
> So if nobody knows the details, they can't connect.
While this might stop someone from just plugging in and getting onto the network, it's trivial to bypass and would take a 'hacker' about a minute to work around.

The only real secure solution is to use 802.1x

> Have you ever used Packetfence? I was looking at it a while ago and I'd be interested to hear what it is like to 'live with.'

I have not used this but read good things about it. We use McAfee NAC.
 
> I am not talking about VPNing, I am talking about other networks not having same static IPs.
>
> The OP is not even worried about wifi, just physical LAN (go read OP again); now you just add complexity and third party software where not required. At least if you had said they must only do that on the physical LAN, that would have been better, but it still leaves the other physical network problem.
>
> One should rather go this way with OP:
> Everything even vaguely important on the network should be behind credentials, so is your main problem only someone then abusing the internet? Anyone with the wifi password can do the same too technically. So please expand on why you are worried about unauthorized devices on the LAN, then we can address that.
Not in the mood to defend and argue so early in the week. It's up to the OP to decide.
> While this might stop someone from just plugging in and getting onto the network, it's trivial to bypass and would take a 'hacker' about a minute to work around.
>
> The only real secure solution is to use 802.1x
>
> I have not used this but read good things about it. We use McAfee NAC.
It shall be as decided by time and space :p
 
> That's not a good excuse. There's a thousand different things on a PC that aren't available as stock/native.
> It depends on the business. If they have cash to spend, sure, level up. If not, my suggestion should work.

On my Windows 10 laptop, if I set a static ip/subnet/dns on my wired or wireless connection, those same static entries carry over no matter what SSID I connect to, or no matter what wired connection I plug into my RJ45 port.
 
Disable unused ports.
Turn on MAC port security.
Use 802.1x if you can.
Use private vlans in conjunction with some kind of authentication required on your firewall/gateway.

Disabling DHCP will do absolutely nothing to stop a bad actor from getting onto the network.
Half a second of tcpdump will show what's going on in the network.

Wireless is a slightly different game, which you should probably be more worried about, especially if your security is a password which anyone can pass along word of mouth or sniff out, if you've got unpatched devices or have WPS enabled.
You can generally have physical control of network ports and cables, but wireless signals are a bit harder.
 
> Disable unused ports.
> Turn on MAC port security.
> Use 802.1x if you can.
> Use private vlans in conjunction with some kind of authentication required on your firewall/gateway.
>
> Disabling DHCP will do absolutely nothing to stop a bad actor from getting onto the network.
> Half a second of tcpdump will show what's going on in the network.
>
> Wireless is a slightly different game, which you should probably be more worried about, especially if your security is a password which anyone can pass along word of mouth or sniff out, if you've got unpatched devices or have WPS enabled.
> You can generally have physical control of network ports and cables, but wireless signals are a bit harder.
What about MAC address whitelisting?
All devices which have not been whitelisted in MAC config (which most routers support) will not be able to access the network.
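Following on from the MAC-whitelisting question and the earlier post's point that a sniffer reveals everything on the segment, here is an added example (not from any post in the thread) that uses a MAC inventory as a detection aid rather than a gate: it parses constructed `ip neigh show` output and reports devices absent from the inventory, plus inventory devices that have vanished (as when a printer's cable is moved to a laptop). The inventory and all sample addresses are constructed.

```python
"""Added example, not from the thread: audit a LAN segment's neighbour table
against an asset inventory. Assumes Linux `ip neigh show` output; all MACs
below are constructed. MAC checks only detect (a MAC can be spoofed);
802.1X/NAC is the enforcement control."""
import re

# Constructed inventory of known corporate assets (MAC -> description).
INVENTORY = {
    "00:11:22:33:44:55": "WS-01 (finance desktop)",
    "00:11:22:33:44:56": "PRN-01 (reception printer)",
    "00:11:22:33:44:57": "SRV-01 (file server)",
}

# Constructed `ip neigh show` sample: the printer's entry is gone and an
# unlisted MAC has appeared, as when its cable is moved to a visitor's laptop.
SAMPLE_NEIGH = """\
172.16.10.11 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
172.16.10.13 dev eth0 lladdr 00:11:22:33:44:57 STALE
172.16.10.12 dev eth0 lladdr AA:BB:CC:DD:EE:FF REACHABLE
172.16.10.14 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return (ip, mac) per line with a link-layer address; FAILED lines have none."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append((m["ip"], m["mac"].lower()))  # normalise case for comparison
    return out

def find_unknown_devices(text, inventory):
    """(ip, mac) pairs on the segment whose MAC is not in the inventory."""
    known = {mac.lower() for mac in inventory}
    return [(ip, mac) for ip, mac in parse_neigh(text) if mac not in known]

def find_missing_devices(text, inventory):
    """Inventory MACs with no neighbour entry: a hint that a port was swapped."""
    seen = {mac for _, mac in parse_neigh(text)}
    return sorted(mac for mac in inventory if mac.lower() not in seen)

if __name__ == "__main__":
    for ip, mac in find_unknown_devices(SAMPLE_NEIGH, INVENTORY):
        print(f"ALERT unknown device {mac} at {ip}")
    for mac in find_missing_devices(SAMPLE_NEIGH, INVENTORY):
        print(f"NOTE {INVENTORY[mac]} ({mac}) not seen on the segment")
```

Run it periodically from a host on each VLAN (or feed it the switch's MAC table instead) and forward the ALERT lines to whatever your monitoring already collects.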
 