How do I prevent and/or detect a user from adding a router to the network

Posted on 2009-05-06
333 Views
Last Modified: 2012-05-06
I have a network set up at a church. We are running Windows Server 2003 with a SonicWall TZ170 router/firewall which is the DHCP server. All is configured properly and everything runs well until some genius decides to bring in their own router and plug it into the system. The basic problem is that they don't know the difference between a wireless access point, which I wouldn't care about, and a router. Once someone does this it creates havoc on the system and takes us hours to locate the device. How can I either block another router from going onto the network or at the very least easily detect and determine its location? The simple answer is to tell everyone not to do such things but that has not worked.
Question by:PhilR714
4 Comments
LVL 10

Expert Comment

by:lanboyo
ID: 24314260
The short answer is that it depends entirely upon how much work you want to go to to police this. Also more knowledge of your network is needed. What type of Ethernet switches do you have?

I assume that the user plugged in the router on the LAN side of the router instead of the WAN side and the new DHCP server gave your real users bad IP addresses and gateways, or it added a new host with the IP of your default gateway.

If the user does not make an attempt at hiding the router/access point then it is possible to scan for the MAC addresses of the router vendors.

A new switch device, which is what these things are on the LAN side, can be prevented on Cisco switches by the global command:

spanning-tree portfast bpduguard

This will cause any port with spanning tree portfast to error-disable if it gets a new switch or hub added to it. You can also put a MAC limit on the switch so that switches without spanning tree are disabled as well.

You can also scan wireless networks using a dedicated box to make sure that no new access points appear on the network, but if the church is close to other homes and businesses, this is not an exact science.

If your Ethernet switches support it you can set up MAC filters that prevent any devices that you do not explicitly allow onto the network. As you allow guests onto the network this would seem to be a rather annoying amount of work.

You can isolate the guest portion of the network by putting any devices you do not control on their own network, perhaps using your own access point with the WAN port facing your network and the LAN port facing them. This only works if your Ethernet switches support VLANs and you can give them a separate VLAN or their own switch. Users could still break things for other guests.

The corporate solution for this type of thing is 802.1x. This is a big step and requires all workstations to have an 802.1x supplicant in order to talk on the network.
0
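Since the practical problem in this thread is a second DHCP server handing out leases, here is an added example (not from the thread or any of its posters) in Python that parses DHCPOFFER messages and flags any whose server identifier (option 54) is not the authorized server. The authorized address 192.168.1.1 is an assumed placeholder for the SonicWall's LAN address, and the sample offers are constructed test data rather than real captures; on a live network you would feed it the UDP payloads from a packet capture of port 68.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER = 2
# Assumption: the SonicWall's LAN address is 192.168.1.1 (placeholder, not from the question).
AUTHORIZED_SERVERS = {"192.168.1.1"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed header and TLV options of a DHCP message (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(IPv4Address(payload[16:20]))       # address being offered
    chaddr = payload[28:28 + hlen].hex(":")         # client hardware address
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}

def check_offer(payload: bytes, authorized=AUTHORIZED_SERVERS):
    """Return None for an OFFER from an authorized server, else an alert dict."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(53) != bytes([DHCP_OFFER]):
        return None                                 # only OFFERs reveal who hands out leases
    server = str(IPv4Address(opts[54])) if 54 in opts else "unknown"
    if server in authorized:
        return None
    gateway = str(IPv4Address(opts[3][:4])) if 3 in opts else "none"
    return {"rogue_server": server, "offered_ip": msg["yiaddr"],
            "offered_gateway": gateway, "client_mac": msg["chaddr"], "xid": msg["xid"]}

def build_offer(server: str, yiaddr: str, gateway: str, client_mac: bytes, xid=0x1234) -> bytes:
    """Construct a minimal DHCPOFFER; constructed test data, not a real capture."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)            # BOOTREPLY, Ethernet, hlen 6
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed                   # ciaddr, yiaddr
    hdr += IPv4Address(server).packed + b"\x00" * 4                   # siaddr, giaddr
    hdr += client_mac.ljust(16, b"\x00") + b"\x00" * 192              # chaddr, sname, file
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + IPv4Address(server).packed
    opts += bytes([3, 4]) + IPv4Address(gateway).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

An alert carries the offending server's IP and the gateway it pushes, which is usually enough to tell a consumer router (typically 192.168.0.1 or 192.168.1.1 on its LAN side) from the real firewall; the client MAC in the alert is the victim, not the rogue device.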
LVL 16

Expert Comment

by:SteveJ
ID: 24315071
Turn off DHCP. Assign IP addresses to legit users, block all other unassigned IP addresses on the Sonic wall. If anyone wants to "add" to the network, they can find you.

Yes, it's a pain. But without throwing dollars and technology at it, you don't have much choice.

Good luck,
Steve
0
LVL 2

Expert Comment

by:ngaba
ID: 24336340
You can also set up max MAC address counts on each interface on the switch. This will only allow x amount of MAC addresses for that switch port. If you set it to 1, and someone plugs a router in and uses their PC as well, it will shut the port down.
0
Accepted Solution

by:PhilR714 (earned 0 total points)
ID: 24340009
All of the switches are unmanaged so there isn't any way to configure them. I doubt they are going to want to go to managed switches. The users are not making any attempt to hide the router. Most of them don't know that they are routers anyway. They think they are putting in a wireless access point. As much as I hate to say it, I may have to go with the static IP addresses that SteveJ suggested. It is a very big building with Cat5 jacks everywhere so at any time someone could plug something in.
0