Rogue Laptops on Network

[acrobson]

Hi People,

We have a problem with unknown laptops appearing on the network. We use DHCP meaning as soon as they plug in they get an IP address. We have unpatched any non-used network points; however they then just unplug a desktop and use its network cable.

Does anyone know or use any utilities that can either take the laptop down or determine where it is etc.

We have attempted to gain access with remote tools etc however there using Norton from what we can tell and it's blocks us obviously!

We used to have this problem a while back where students purchased laptops through the college, with this we just named the laptops with a unique ID and recorded there MAC address and blocked them that way.

All ideas welcome!

[Nij.UK]

we use machine authentication using 802.1X here so its impossible for rouge laptops to just plug in...

Also could you not check on your switches which port the laptop is connecting to and then find the person in question.... this is only useful if you are talking about 1 person, if there are many then it dont make sense.

http://netdisco.org/ This is also a very powerful tool but im unsure how much it costs...

Cheers

N

[Geoff]

You want some form of Network Access Control (NAC). You can use PacketFence to do this.

It works like this. Basically when you first connect an 'unknown' laptop, you'll end up being sent to PacketFences captive web portal (just like a wifi hotspot). You then need to authorise it with a valid domain login (you can restrict this to a paticular group if you like, just staff for example). It'll get scanned with Nessus (if you want) and assuming it gets a clean bill of health it'll be allowed on the network. From then on it'll be monitored through snort and periodically scanned. If it fails a scan, or triggers a snort alert you deem 'bad' it'll be arp poisioned off the lan. You can then go shout at whoever authorised it.

[acrobson]

You want some form of Network Access Control (NAC). You can use PacketFence to do this.

It works like this. Basically when you first connect an 'unknown' laptop, you'll end up being sent to PacketFences captive web portal (just like a wifi hotspot). You then need to authorise it with a valid domain login (you can restrict this to a paticular group if you like, just staff for example). It'll get scanned with Nessus (if you want) and assuming it gets a clean bill of health it'll be allowed on the network. From then on it'll be monitored through snort and periodically scanned. If it fails a scan, or triggers a snort alert you deem 'bad' it'll be arp poisioned off the lan. You can then go shout at whoever authorised it.

Thanks Geoff, i have seen that before, i am in the position of trying to implement it with my Network manager, however he has a long Research & Development process, which is more than likely going to be the summer holidays, apparently.

This has just confirmed that we do need something like!