Personal computers on the corporate network
What happens on your network in the event that someone plugs their own computer into one of your network wall points?
January 11, 2011
What happens on your network in the event that someone plugs their own computer into one of your network wall points? If the point is patched into the switch, is their computer automatically leased an IP address? Could they use that point to get internet access? Is the only way you find out that someone has plugged a netbook computer into your network because you spot it, or is there some automatic method by which you are alerted to an unauthorized computer on your network?
When Windows NT4 was released, few people used computers that they owned as the primary computer for work. This is partly because few people owned portable computers back in the mid-1990s, and if they did, they probably didn’t drag them into work. Anyone who did was probably smart enough to keep it sanitized from malware.
Spin forward to 2011, and more and more people are bringing their own computers into the office. Whereas IT pros used to worry about data leakage due to people bringing their own USB sticks into the office, now they have people bringing their own computers into the office and plugging them into the network.
I’ve heard stories about corporate networks where workers bring in small netbook computers and attach them to the network, sometimes by plugging a mini switch in or sometimes just using a drop cable to patch them into a spare network port.
Unless you have implemented a technology like Network Access Protection or you have configured DHCP to only lease addresses to known MAC addresses, it is possible that users might be able to gain access simply by plugging their computer into any available patch point.
Unmanaged computers are dangerous because they are more likely to be infected with malware than standard corporate computers. People are bringing in their own computer as a way of circumventing the policies that apply to the managed computer that they’ve been assigned.
The first step in stopping people bringing their own computers into work is ensuring that you have a rock solid policy about stopping people bringing their own computers into work. You’ll also need to apply the policy across the board - this means that people in the IT department don’t get an exemption because they “know what they are doing”.
Unmanaged computers are dangerous because they are more likely to be infected with malware, malware that could attempt to replicate and spread itself across your organization’s internal network. Of course, people who own these computers will swear black and blue that their computer could never be infected with malware. But it is usually the ones who are most certain that their computer is free of viruses that have the nastiest ones lurking on their hard disk drives.
Network Access Protection is a start. IPSec network isolation policies are good. Some form of automatic detection of unauthorized clients is even better.
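One way to get that automatic alert is to compare DHCP lease activity against your inventory of managed machines. The sketch below is an added example, not code from the original article: it assumes the comma-separated layout of Windows DHCP Server audit logs (ID, Date, Time, Description, IP Address, Host Name, MAC Address, with ID 10 for a new lease and 11 for a renewal), and the inventory and log lines are constructed.

```python
import csv
import io

# Constructed inventory of managed machines (MACs as 12 uppercase hex digits).
MANAGED_MACS = {"00155D0A1B2C", "00155D0A1B2D"}

# Assumed audit-log event IDs: 10 = new lease, 11 = lease renewed.
LEASE_EVENT_IDS = {"10", "11"}

# Constructed sample lines in the assumed audit-log layout.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/11/11,08:00:01,Started,,,,
10,01/11/11,08:14:22,Assign,10.0.0.51,DESK-014.corp.example,00155D0A1B2C
11,01/11/11,09:02:10,Renew,10.0.0.52,DESK-015.corp.example,00-15-5d-0a-1b-2d
10,01/11/11,09:40:37,Assign,10.0.0.87,netbook,001122AABBCC
10,01/11/11,10:05:00,Assign,10.0.0.88,,zz-bad-mac
11,01/11/11,13:40:37,Renew,10.0.0.87,netbook,001122AABBCC
"""

def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if the field is not a MAC."""
    mac = raw.strip().replace("-", "").replace(":", "").upper()
    if len(mac) == 12 and all(c in "0123456789ABCDEF" for c in mac):
        return mac
    return None

def find_unmanaged_leases(log_text, managed):
    """Return (findings, unparsed): leases to MACs outside the inventory,
    keyed by MAC, plus lease rows whose MAC field could not be parsed."""
    findings, unparsed = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENT_IDS:
            continue  # header line, service events, short lines
        mac = normalize_mac(row[6])
        if mac is None:
            unparsed.append(row)  # surface for review instead of dropping
        elif mac not in managed:
            entry = findings.setdefault(mac, {
                "first_seen": f"{row[1]} {row[2]}",
                "ip": row[4], "host": row[5], "events": 0})
            entry["events"] += 1
    return findings, unparsed

if __name__ == "__main__":
    found, odd = find_unmanaged_leases(SAMPLE_LOG, MANAGED_MACS)
    for mac, info in found.items():
        print(f"ALERT unmanaged client {mac}: {info}")
    print(f"{len(odd)} lease row(s) with an unparseable MAC field")
```

A MAC address is reported by the client itself, so treat a match against the inventory as a detection signal and not as authentication; machines configured with a static address never appear in the DHCP log at all.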
You should take steps to ensure that only computers that you believe to be safe are able to access your organization’s internal network infrastructure. It won’t protect you against everything, but it will reduce the chances that someone’s malware-infected netbook will cause untold damage to your organization’s internal network.