Network Security Security-Basics

Re: Wireless Monitoring

Subject: Re: Wireless Monitoring
Date: 26 Jan 2007 06:45:03 -0000
Hello Kevin.

I had a similar problem before with one of my customers who wanted to prevent
anyone in his network from connecting more network devices (Access Points,
Routers, Switches or Hubs), and we spent a while coming up with a solution.
We considered that the best way to do so is by following this procedure:

1. Enable a policy to be signed by the employees regarding the proper use of
   the network resources, in which you include and remark that no other network
   devices except those installed by the company are allowed to be plugged in.
2. Using a NIC card inventory, configure the DHCP server to only provide a
   designated address to previously registered MAC addresses.
3. Log unsuccessful DHCP requests and use a monitoring tool to track attempts.
4. In case more control is needed, log the users' traffic by MAC address. An
   increase in the traffic can point to a saturated node.

This procedure will not completely secure the network against other network
devices, but it will deal with most of the people who want to try that. Here we
are dealing with people with different reasons and abilities. Employees who
simply think they can solve a problem (like connecting their laptop to the
Internet) by plugging in a device like an Access Point would think twice
considering that there is a policy in the company that prohibits that and that
their image in the company would be damaged.

In the case of more expert people who think they cannot be detected by
connecting a device, the fact that they understand that the company is
tracking and logging this kind of activity will make them think twice. Most
of the common users do not understand the capabilities of the log files and the
alarm systems (as we don't understand casinos), so the fact that somebody in the
company is tracking this kind of activity would mean just a fear or even
super advanced detection tools. As long as they don't understand the
mechanism, they won't do it.

In case a user wants to plug in a device by using the company's DHCP server, by
logging the unsuccessful negotiations (because they're not registered in the
valid MAC addresses list) you might be able to tell which office or node is
being jacked. These log files would give you an idea of which people are able to
break the policy and plug in other devices; therefore you can focus your attention
on those nodes, and maybe a simple phone call asking them if there is something
wrong with that computer (because you can see a strange behavior) would stop
them in the future.

By now most of the common users should be scared enough to stop these
activities; perhaps a few users with superior computer knowledge may try to
come up with a solution to plug devices into the network anyway; this is when the
Network Administrator should be really worried about the reasons for doing so. If
this is the case and it's very important to the company's network to prevent
such activities, then network traffic monitoring software could be configured
on site to log unusual increases of traffic on a given node.
In case they successfully plug in the device and then connect more devices to it,
then the network traffic on that node would increase abnormally. This is when a
check needs to be done to confirm that the network resources are being used
properly. By pin-pointing the correct node to analyze, the network
administrator can track the sites and services being used to determine the
further steps to take.

Now, it's important to realize that these steps will not completely stop the
problem, but they are an inexpensive solution to that problem. The CIO should
consider the budget, time and value of the information to decide whether or not
to go further (it's always recommended to secure as much as possible).

I hope this works for you, and please mail me back with any further questions.

Victor Serrano.
Network and Security Systems Professional.
www.victor-serrano.com
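As an added illustration of steps 2 to 4 of the procedure above (not code from the original post or from its author), the following Python script shows the two checks a monitoring tool would run: it reads DHCP server log lines, flags DHCPDISCOVER requests from MAC addresses that are not in the NIC card inventory (so the node and interface they came in on can be looked at), and it compares each registered MAC's latest traffic volume against its own earlier intervals to flag an abnormal increase. The inventory, the log lines and the per-MAC byte counts are all constructed sample data; the log line layout is modelled on ISC dhcpd syslog output but simplified for the example, and the anomaly factor of 5 is an arbitrary threshold the reader should tune.

```python
import re
from collections import Counter
from statistics import mean

# Constructed NIC card inventory (hypothetical values): registered MAC -> owner/office.
REGISTERED_MACS = {
    "00:11:22:33:44:55": "office-101 / J. Smith",
    "00:11:22:33:44:66": "office-102 / A. Jones",
    "00:11:22:33:44:77": "office-103 / printer",
}

# Constructed sample DHCP server log, simplified ISC-dhcpd-style syslog lines.
# The "via <iface>" field is what ties a request to a node/segment.
SAMPLE_DHCP_LOG = """\
Jan 26 06:40:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 26 06:40:01 dhcp1 dhcpd: DHCPOFFER on 10.0.1.10 to 00:11:22:33:44:55 via eth0
Jan 26 06:41:12 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0: network 10.0.1.0/24: no free leases
Jan 26 06:41:15 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0: network 10.0.1.0/24: no free leases
Jan 26 06:42:03 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth1
Jan 26 06:43:44 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via eth1: network 10.0.2.0/24: no free leases
"""

# Constructed per-MAC traffic volumes (bytes per hour, oldest first) for step 4.
TRAFFIC_BYTES_PER_HOUR = {
    "00:11:22:33:44:55": [120_000, 135_000, 110_000, 128_000],
    "00:11:22:33:44:66": [90_000, 95_000, 88_000, 910_000],  # sudden tenfold jump
    "00:11:22:33:44:77": [5_000, 4_800, 5_100, 5_000],
}

DISCOVER_RE = re.compile(r"DHCPDISCOVER from ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) via (\w+)", re.I)


def parse_dhcp_discovers(log_text):
    """Return a list of (mac, interface) for every DHCPDISCOVER line in the log."""
    found = []
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def unregistered_dhcp_requests(log_text, registered):
    """Step 3: count DHCPDISCOVER attempts from MACs missing from the inventory.

    Keyed by (mac, interface) so repeated attempts from the same segment stand out.
    """
    counts = Counter(
        (mac, iface)
        for mac, iface in parse_dhcp_discovers(log_text)
        if mac not in registered
    )
    return dict(counts)


def traffic_anomalies(per_mac_bytes, factor=5.0):
    """Step 4: flag MACs whose latest interval exceeds `factor` x their earlier mean.

    Returns {mac: ratio_of_latest_to_baseline} for flagged entries only.
    """
    flagged = {}
    for mac, series in per_mac_bytes.items():
        if len(series) < 2:
            continue  # no baseline to compare against yet
        baseline = mean(series[:-1])
        latest = series[-1]
        if baseline > 0 and latest > factor * baseline:
            flagged[mac] = round(latest / baseline, 1)
    return flagged


if __name__ == "__main__":
    for (mac, iface), n in unregistered_dhcp_requests(SAMPLE_DHCP_LOG, REGISTERED_MACS).items():
        print(f"unregistered MAC {mac} tried DHCP {n}x via {iface}")
    for mac, ratio in traffic_anomalies(TRAFFIC_BYTES_PER_HOUR).items():
        print(f"{mac} ({REGISTERED_MACS.get(mac, 'unknown')}): traffic {ratio}x its baseline")
```

Run against the constructed data, the first check reports two unknown MACs (one of them trying twice on eth0), and the second reports the office-102 host whose last hour is ten times its earlier average; in practice the log text would come from the DHCP server's syslog and the byte counts from whatever per-MAC accounting the monitoring tool already keeps.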
