Personal computers on the corporate network

What happens on your network in the event that someone plugs their own computer into one of your network wall points? If the point is patched into the switch, is their computer automatically leased an IP address? Could they use that point to get internet access? Do you only find out that someone has plugged a netbook computer into your network because you spot it, or is there some automatic method by which you are alerted to an unauthorized computer on your network?

When Windows NT4 was released, few people used computers that they owned as the primary computer for work. This is partly because few people owned portable computers back in the mid-1990s and if they did, they probably didn’t drag them into work. Anyone who did was probably smart enough to keep it sanitized from malware.

Spin forward to 2011, and more and more people are bringing their own computers into the office. Whereas IT pros used to worry about data leakage due to people bringing their own USB sticks into the office, now they have people bringing their own computers into the office and plugging them into the network.

I’ve heard stories about corporate networks where workers bring in small netbook computers and attach them to the network, sometimes by plugging a mini switch in or sometimes just using a drop cable to patch them into a spare network port.

Unless you have implemented a technology like Network Access Protection or you have configured DHCP to only lease addresses to known MAC addresses, it is possible that users might be able to gain access simply by plugging their computer into any available patch point.

Unmanaged computers are dangerous because they are more likely to be infected with malware than standard corporate computers. People are bringing in their own computer as a way of circumventing the policies that apply to the managed computer that they’ve been assigned.

The first step in stopping people bringing their own computers into work is ensuring that you have a rock-solid policy that prohibits it. You’ll also need to apply the policy across the board - this means that people in the IT department don’t get an exemption because they “know what they are doing”.

Unmanaged computers are dangerous because they are more likely to be infected with malware, and that malware could attempt to replicate and spread itself across your organization’s internal network. Of course, people who own these computers will swear black and blue that their computer could never be infected with malware. But it is usually the ones who are most certain that their computer is free of viruses that have the nastiest ones lurking on their hard disk drives.

Network Access Protection is a start. IPSec network isolation policies are good. Some form of automatic detection of unauthorized clients is even better.
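
One way to get that automatic detection is to compare DHCP lease events against your inventory of managed machines. The script below is an added example, not part of the original article; it assumes a CSV log in the layout of a Windows DHCP Server audit log (ID, Date, Time, Description, IP Address, Host Name, MAC Address), and the inventory, host names and log lines are constructed sample data.

```python
import csv
import io

# Constructed inventory of managed machines (assumption: exported from your asset database).
MANAGED_MACS = {"00155D0A1B2C", "00-15-5d-0a-1b-2d"}

# Constructed sample lines: ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
10,03/14/11,09:01:12,Assign,10.0.0.21,DESK-ACCT01.corp.example,00155D0A1B2C
11,03/14/11,09:05:40,Renew,10.0.0.22,DESK-ACCT02.corp.example,00155D0A1B2D
10,03/14/11,10:17:03,Assign,10.0.0.57,netbook,001E8C3F9A77
10,03/14/11,10:30:45,Assign,10.0.0.58,,0024D7AA01FE
12,03/14/11,11:02:10,Release,10.0.0.58,,0024D7AA01FE
11,03/14/11,12:17:03,Renew,10.0.0.57,netbook,00-1e-8c-3f-9a-77
"""

LEASE_EVENTS = {"10", "11"}  # 10 = new lease assigned, 11 = lease renewed


def normalize_mac(mac):
    """Strip separators and upper-case so 00-1e-8c... matches 001E8C..."""
    return "".join(c for c in mac if c.isalnum()).upper()


def find_unmanaged_leases(log_text, managed_macs):
    """Return one record per unknown MAC that was leased an address."""
    known = {normalize_mac(m) for m in managed_macs}
    seen = {}  # keyed by MAC so repeated renewals raise one alert, not many
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # banner text, malformed lines, non-lease events
        mac = normalize_mac(row[6])
        if len(mac) != 12 or mac in known:
            continue
        rec = seen.setdefault(mac, {
            "mac": mac, "ip": row[4], "host": row[5] or "(no name)",
            "first_seen": f"{row[1]} {row[2]}", "events": 0,
        })
        rec["events"] += 1
    return list(seen.values())


if __name__ == "__main__":
    for r in find_unmanaged_leases(SAMPLE_LOG, MANAGED_MACS):
        print("UNMANAGED {mac} ip={ip} host={host} "
              "first_seen={first_seen} events={events}".format(**r))
```

A MAC address is supplied by the client and can be changed, so this catches the casual plug-in rather than a determined user; it also sees nothing from a machine configured with a static address.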

You should take steps to ensure that only computers that you believe to be safe are able to access your organization’s internal network infrastructure. It won’t protect you against everything, but it will reduce the chances that someone’s malware-infected netbook will cause untold damage to your organization’s internal network.
