A question for the enterprise IT/Network guys

deadlyapp

Diamond Member
Apr 25, 2004
A question for you if you will.

I work for a decently large utility company with a pretty massive network infrastructure (AFAIK), but we hire contract security for our off site facilities. I've noticed that the security guard that comes in often jacks into our network to peruse the web as they will, and I've also seen them playing online games -WoW I believe.

Now I'm curious. On the network admin side of things, what can they see/tell from the guard's computer? I know they can look at logs, which would tell them the originating IP and MAC address (I assume) and using the targeted IPs see what sites.

I suppose they could also use those and filter by port to notice common internet games and such.

Is there anything else that they can tell? Honestly I'm surprised that we haven't heard something come down from IT that tells them to stop doing this, because frankly I don't think it is a network that should be connected to from a rogue non-company computer. I suppose it's possible that since the traffic is off-peak (it only seems to be the graveyard shift guard) that they just don't care, or that a bit of random traffic isn't worth caring about.
 

melchoir

Senior member
Nov 3, 2002
If it was a priority the admins would justify an ACS system to management and implement it. This would stop the rogue PCs from doing anything meaningful when plugging into a random jack in your building.

As far as what can they see? If they were curious they should be able to see every single packet sent and received from the "rogue" PC across the network.

Also, I'm not sure why the admins are allowing outbound traffic that works with WoW. Firewall policies should be created for outbound traffic as well as inbound. This helps contain things like rogue PCs that get infected with malware that sends spam email from getting your domain on blacklists.
 

Tsavo

Platinum Member
Sep 29, 2009
> A question for you if you will.
>
> I work for a decently large utility company with a pretty massive network infrastructure (AFAIK), but we hire contract security for our off site facilities. I've noticed that the security guard that comes in often jacks into our network to peruse the web as they will, and I've also seen them playing online games -WoW I believe.
>
> Now I'm curious. On the network admin side of things, what can they see/tell from the guard's computer? I know they can look at logs, which would tell them the originating IP and MAC address (I assume) and using the targeted IPs see what sites.
>
> I suppose they could also use those and filter by port to notice common internet games and such.
>
> Is there anything else that they can tell? Honestly I'm surprised that we haven't heard something come down from IT that tells them to stop doing this, because frankly I don't think it is a network that should be connected to from a rogue non-company computer. I suppose it's possible that since the traffic is off-peak (it only seems to be the graveyard shift guard) that they just don't care, or that a bit of random traffic isn't worth caring about.

They can see everything you are doing.
 

Pepsei

Lifer
Dec 14, 2001
It is possible to do anything, frankly.

They can choose to have a strict policy and lock down everything.... or open everything up.
 
Sep 7, 2009
Most networks 50-1000 users don't have an active way of flagging stuff like this. Most likely the network guy 'keeps an eye' on traffic, and will eventually see those WoW connections.

That being said - WoW is really the least of the problem. Some idiot outside person bringing in a laptop and plugging it in is the major issue.
 
Dec 26, 2007
> Most networks 50-1000 users don't have an active way of flagging stuff like this. Most likely the network guy 'keeps an eye' on traffic, and will eventually see those WoW connections.
>
> That being said - WoW is really the least of the problem. Some idiot outside person bringing in a laptop and plugging it in is the major issue.

Exactly.

Basically that is opening up the internal network to threats. Now, it's possible the admin (if he was smart) put that jack (and others like that) on a different network at a minimum. Basically putting it in a DMZ type zone (but not the DMZ), so it's not totally trusted nor is it totally untrusted. Depending on the size of the company they will have firewalls and ASA type appliances that will protect the "trusted" secure network.
 

nageov3t

Lifer
Feb 18, 2004
> Most networks 50-1000 users don't have an active way of flagging stuff like this. Most likely the network guy 'keeps an eye' on traffic, and will eventually see those WoW connections.
>
> That being said - WoW is really the least of the problem. Some idiot outside person bringing in a laptop and plugging it in is the major issue.

Yeah... one of our security guards was using his laptop and the company network to download torrents /facepalm

After we got a cease and desist letter and couldn't trace it back, we locked down our wireless to authorized users only and everyone had to submit the MAC address of their laptop/netbook/etc to get it associated with their UN and whitelisted.
 

child of wonder

Diamond Member
Aug 31, 2006
Maybe they have Network Access Protection set up so that if an outside PC gets on the network all it can do is get to the internet.
 

xSauronx

Lifer
Jul 14, 2000
> yeah... one of our security guards was using his laptop and the company network to download torrents /facepalm

The admin I worked for at a community college ran into similar issues... a handful of times people disconnected a classroom PC and plugged their laptop in to download movies and such.

One of the guy's work-study students was browsing music and torrents directly from the PC in the admin's office... /facepalm
 

sactwnguy

Member
Apr 17, 2007
We had someone at my work think they could bypass the proxy by using the vendor wireless to do torrents. We allow all traffic on that subnet out to the internet but still send the traffic through a port on a firewall. We then log every connection to our RSA SIEM; we had him tracked down and escorted out in 15 minutes. Every workplace is different with the level of security they have, but never assume you can outsmart the IT guys.
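As an added illustration (not code from any poster in this thread), the kind of triage the posts above describe: connection records are checked against an asset inventory and destination ports are labelled. The log format, the inventory and all addresses are constructed for the example, and it assumes the firewall log has already been joined with DHCP lease data to get a MAC per source IP.

```python
import csv
import io

# Constructed sample log. Assumed format: time,src_ip,src_mac,dst_ip,dst_port,proto
SAMPLE_LOG = """\
02:14:07,10.20.5.31,00:11:22:33:44:55,198.51.100.7,443,tcp
02:14:09,10.20.5.77,de:ad:be:ef:00:01,203.0.113.40,3724,tcp
02:15:30,10.20.5.77,de:ad:be:ef:00:01,203.0.113.90,6881,tcp
02:16:02,10.20.5.77,de:ad:be:ef:00:01,198.51.100.9,80,tcp
"""

# Hypothetical asset inventory of company-owned MAC addresses.
KNOWN_MACS = {"00:11:22:33:44:55"}

# Well-known default ports; a port match is a hint, not proof of the application.
PORT_LABELS = {3724: "World of Warcraft", 1119: "Battle.net"}
PORT_LABELS.update({p: "BitTorrent" for p in range(6881, 6890)})

FIELDS = ["time", "src_ip", "src_mac", "dst_ip", "dst_port", "proto"]


def analyse(log_text, known_macs=KNOWN_MACS):
    """Summarise traffic from MACs that are not in the inventory.

    Returns {mac: {"ips": set, "labels": set, "connections": int}}.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        mac = row["src_mac"].lower()
        if mac in known_macs:
            continue  # inventoried device, not of interest here
        entry = findings.setdefault(
            mac, {"ips": set(), "labels": set(), "connections": 0})
        entry["ips"].add(row["src_ip"])
        entry["connections"] += 1
        label = PORT_LABELS.get(int(row["dst_port"]))
        if label:
            entry["labels"].add(label)
    return findings


if __name__ == "__main__":
    for mac, info in analyse(SAMPLE_LOG).items():
        print(mac, sorted(info["ips"]), info["connections"], sorted(info["labels"]))
```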
 

sourceninja

Diamond Member
Mar 8, 2005
What's stopping someone from unplugging the cable from the PC and plugging it into a switch?

Well, we use port-security traps with packetfence. Now I didn't set this system up, so I may be wrong but this is my understanding.

When a brand new MAC address is found on a port it fires a port-security trap. That port is switched to a VLAN that can go nowhere but our registration page. If you do not have a valid account you are basically stuck there forever. If you do have a valid account then you are moved to the appropriate VLAN.

It also scans network traffic and if any rules are violated, you are moved to an isolated VLAN. For example if you were using BitTorrent you would be stuck on an isolated VLAN and an alert is generated.

Beyond that it does some kind of fingerprinting and can automatically detect printers, game consoles, access points, etc and automatically denies or allows them. This prevents students from plugging in a Linksys router in their dorm room.

So in the case of taking a working machine, unplugging it and plugging in your own switch, I would expect your extra switch would not be configured to send port traps. So no new machines could be authenticated if connected to that switch. Basically unless you plugged into the same port with the same 'device fingerprint' and the same MAC address you are stuck on an isolated VLAN.

Again, I am not a network engineer. This is just what I've picked up talking to our guys.
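The VLAN flow described in the post above, as an added toy model (not PacketFence code and not from the poster). The VLAN IDs, role names, account table and switch port names are hypothetical.

```python
# Hypothetical VLAN IDs; a real deployment defines its own.
REGISTRATION, ISOLATION = 900, 901
ROLE_VLANS = {"staff": 10, "student": 20}


class NacModel:
    """Toy model of the trap -> registration -> role/isolation flow."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> role
        self.nodes = {}           # mac -> {"port", "vlan", "user"}
        self.alerts = []

    def port_security_trap(self, port, mac):
        """Switch reports a MAC on a port; return the VLAN that port gets."""
        node = self.nodes.get(mac)
        if node is None:  # brand-new MAC: captive registration VLAN
            node = self.nodes[mac] = {"port": port, "vlan": REGISTRATION, "user": None}
            self.alerts.append(f"new MAC {mac} on {port}")
        else:
            node["port"] = port  # known device moved; keep its current VLAN
        return node["vlan"]

    def register(self, mac, username):
        """Registration page login; unknown accounts stay where they are."""
        node = self.nodes[mac]
        role = self.accounts.get(username)
        if role is not None and node["vlan"] != ISOLATION:
            node["user"], node["vlan"] = username, ROLE_VLANS[role]
        return node["vlan"]

    def violation(self, mac, rule):
        """Traffic rule hit (e.g. BitTorrent): isolate the node and alert."""
        self.nodes[mac]["vlan"] = ISOLATION
        self.alerts.append(f"{mac} isolated: {rule}")
        return ISOLATION


def demo():
    nac = NacModel({"alice": "staff"})
    guard, staff = "de:ad:be:ef:00:01", "00:11:22:33:44:55"
    steps = [nac.port_security_trap("Gi1/0/7", guard),  # unknown laptop plugged in
             nac.register(guard, "nobody"),             # no valid account: stuck
             nac.port_security_trap("Gi1/0/3", staff),
             nac.register(staff, "alice"),              # valid account: role VLAN
             nac.violation(staff, "bittorrent")]        # rule hit: isolation VLAN
    return steps, nac.alerts
```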
 

OutHouse

Lifer
Jun 5, 2000
> Well, we use port-security traps with packetfence

Yes, we run that and we get an email every time a new PC is found on our network. When we put it in we found several instances of people in offices with an Xbox/Wii/PS plugged into our network.
 

Genx87

Lifer
Apr 8, 2002
They obviously don't care because they aren't blocking the traffic. If they don't care, I wouldn't care either.