Solved

How do I prevent and/or detect a user from adding a router to the network

Posted on 2009-05-06
Last Modified: 2012-05-06
I have a network setup at a church. We are running Windows Server 2003 with a Sonic Wall TZ170 router/firewall which is the DHCP server. All is configured properly and everything runs well until some genius decides to bring in their own router and plug it into the system. The basic problem is that they don't know the difference between a wireless access point, which I wouldn't care about, and a router. Once someone does this it creates havoc on the system and takes us hours to locate the device. How can I either block another router from going onto the network or at the very least easily detect and determine its location? The simple answer is to tell everyone not to do such things, but that has not worked.
Question by:PhilR714
4 Comments
 
LVL 10

Expert Comment

by:lanboyo
ID: 24314260
The short answer is that it depends entirely upon how much work you want to go to to police this. Also more knowledge of your network is needed. What type of Ethernet switches do you have?

I assume that the user plugged in the router on the LAN side of the router instead of the WAN side and the new DHCP server gave your real users bad IP addresses and gateways, or it added a new host with the IP of your default gateway.

If the user does not make an attempt at hiding the router/access point then it is possible to scan for the MAC addresses of the router vendors.

A new switch device, which is what these things are on the LAN side, can be prevented on Cisco switches by the global command:

spanning-tree portfast bpduguard

This will cause any port with spanning tree portfast to error-disable when a new switch or hub is added to it. You can also put a MAC limit on the switch so that switches without spanning tree are disabled as well.

You can also scan wireless networks using a dedicated box to make sure that no new access points appear on the network, but if the church is close to other homes and businesses, this is not an exact science.

If your Ethernet switches support it you can set up MAC filters that prevent any devices that you do not explicitly allow onto the network. As you allow guests onto the network this would seem to be a rather annoying amount of work.

You can isolate the guest portion of the network by putting any devices you do not control on their own network, perhaps using your own access point with the WAN port facing your network and the LAN port facing them. This only works if your Ethernet switches support VLANs and you can give them a separate VLAN or their own switch. Users could still break things for other guests.

The corporate solution for this type of thing is 802.1x. This is a big step and requires all workstations to have an 802.1x supplicant in order to talk on the network.

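The symptom lanboyo describes, a second DHCP server handing out addresses and gateways, can be confirmed from the DHCPOFFER packets seen on the wire rather than by walking the building. The following is an added example, not code from the thread; it parses raw DHCP payloads and flags any offering server that is not in an authorised set. The authorised server address 192.168.1.1 and the sample packets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"               # DHCP magic cookie preceding the options
MSG_TYPE, ROUTER, SERVER_ID = 53, 3, 54  # option codes used below

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(IPv4Address(payload[16:20]))      # address being offered
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:           # end-of-options marker
            break
        if code == 0:             # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": opts}

def offers_from(payload: bytes):
    """Return (server_id, advertised_router) for a DHCPOFFER, else None."""
    pkt = parse_dhcp(payload)
    if pkt["op"] != 2 or pkt["options"].get(MSG_TYPE) != b"\x02":
        return None
    server = str(IPv4Address(pkt["options"][SERVER_ID]))
    router = pkt["options"].get(ROUTER)
    return server, (str(IPv4Address(router[:4])) if router else None)

def rogue_servers(payloads, authorized):
    """Server identifiers from OFFERs that are not in the authorised set."""
    found = set()
    for p in payloads:
        r = offers_from(p)
        if r and r[0] not in authorized:
            found.add(r[0])
    return sorted(found)

def build_offer(server_ip, yiaddr, router_ip):
    """Constructed sample DHCPOFFER, used only to exercise the parser offline."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)   # op=2 (reply)
    hdr += b"\0" * 4 + IPv4Address(yiaddr).packed + IPv4Address(server_ip).packed
    hdr += b"\0" * 4 + b"\0" * 16 + b"\0" * 192       # giaddr, chaddr, sname, file
    opts = bytes([MSG_TYPE, 1, 2, SERVER_ID, 4]) + IPv4Address(server_ip).packed
    opts += bytes([ROUTER, 4]) + IPv4Address(router_ip).packed + b"\xff"
    return hdr + MAGIC + opts
```

Feed it the UDP payloads of port 67/68 traffic from a capture taken while a client boots; a server identifier outside the authorised set is the consumer router, and its advertised router option tells you which subnet it is pushing.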
 
LVL 16

Expert Comment

by:SteveJ
ID: 24315071
Turn off DHCP. Assign IP addresses to legit users, block all other unassigned IP addresses on the Sonic Wall. If anyone wants to "add" to the network, they can find you.

Yes, it's a pain. But without throwing dollars and technology at it, you don't have much choice.

Good luck,
Steve
 
LVL 2

Expert Comment

by:ngaba
ID: 24336340
You can also set up max MAC address counts on each interface on the switch. This will only allow x amount of MAC addresses for that switch port. If you set it to 1, and someone plugs a router in and uses their PC as well, it will shut the port down.
 

Accepted Solution

by: PhilR714 earned 0 total points
ID: 24340009
All of the switches are unmanaged so there isn't any way to configure them. I doubt they are going to want to go to managed switches. The users are not making any attempt to hide the router. Most of them don't know that they are routers anyway. They think they are putting in a wireless access point. As much as I hate to say it I may have to go with the static IP addresses that SteveJ suggested. It is a very big building with Cat5 jacks everywhere so at any time someone could plug something in.