Solved

How do I prevent and/or detect a user from adding a router to the network

Posted on 2009-05-06
4
327 Views
Last Modified: 2012-05-06
I have a network setup at a church. We are running Windows Server 2003 with a Sonic Wall TZ170 router/firewall which is the DHCP server. All is configured properly and everything runs well until some genius decides to bring in their own router and plug it into the system. The basic problem is that they don't know the difference between a wireless access point, which I wouldn't care about, and a router. Once someone does this it creates havoc on the system and takes us hours to locate the device. How can I either block another router from going onto the network or at the very least easily detect and determine its location? The simple answer is to tell everyone not to do such things, but that has not worked.
0
Comment
Question by:PhilR714
4 Comments
 
LVL 10

Expert Comment

by:lanboyo
ID: 24314260
The short answer is that it depends entirely upon how much work you want to go to to police this. Also more knowledge of your network is needed. What type of Ethernet switches do you have?

I assume that the user plugged in the router on the LAN side of the router instead of the WAN side, and the new DHCP server gave your real users bad IP addresses and gateways, or it added a new host with the IP of your default gateway.

If the user does not make an attempt at hiding the router/access point then it is possible to scan for the mac addresses of the router vendors.

A new switch device, which is what these things are on the LAN side, can be prevented on Cisco switches by the global command:

spanning-tree portfast bpduguard

This will cause any port with spanning tree portfast to error-disable when a new switch or hub is added to it. You can also put a MAC limit on the switch so that switches without spanning tree are disabled as well.

You can also scan wireless networks using a dedicated box to make sure that no new access points appear on the network, but if the church is close to other homes and businesses, this is not an exact science.

If your Ethernet switches support it you can set up MAC filters that prevent any devices that you do not explicitly allow onto the network. As you allow guests onto the network this would seem to be a rather annoying amount of work.

You can isolate the guest portion of the network by putting any devices you do not control on their own network, perhaps using your own access point with the WAN port facing your network and the LAN port facing them. This only works if your Ethernet switches support VLANs and you can give them a separate VLAN or their own switch. Users could still break things for other guests.

The corporate solution for this type of thing is 802.1x. This is a big step and requires all workstations to have an 802.1x supplicant in order to talk on the network.


0
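As an added example, not code from lanboyo or anyone else in this thread: a small Python detector for the rogue-DHCP symptom described above. It parses captured DHCP payloads (RFC 2131 fixed fields plus TLV options) and flags any DHCPOFFER whose server identifier (option 54) is not the known SonicWall DHCP server; the trusted address 192.168.1.1 and the sample offers are constructed placeholders, not values from the thread.

```python
import struct

# Assumption: the trusted DHCP server is the SonicWall TZ170 at this placeholder address.
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the option field

def ipv4(raw: bytes) -> str:
    """Dotted-quad string for a 4-byte field (empty string if the field is absent)."""
    return ".".join(str(b) for b in raw[:4]) if len(raw) >= 4 else ""

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into its fixed fields and TLV options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack_from("!BBBB", payload, 0)
    msg = {"op": op, "yiaddr": ipv4(payload[16:20]),
           "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:  # option 255 = end of options
        if payload[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def check_offer(payload: bytes, trusted=TRUSTED_DHCP_SERVERS):
    """For a DHCPOFFER return (is_rogue, server_identifier, offered_router); None otherwise."""
    msg = parse_dhcp(payload)
    if msg["op"] != 2 or msg["options"].get(53) != b"\x02":  # op 2 = BOOTREPLY, type 2 = OFFER
        return None
    server_id = ipv4(msg["options"].get(54, b""))  # option 54: server identifier
    router = ipv4(msg["options"].get(3, b""))      # option 3: default gateway being handed out
    return (server_id not in trusted, server_id, router)

def build_offer(server_ip: str, router_ip: str, yiaddr: str, client_mac: str) -> bytes:
    """Constructed DHCPOFFER payload for offline testing; not a real capture."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    fixed = (bytes([2, 1, 6, 0]) + b"\x39\x03\xf3\x26" + b"\x00" * 8  # op..hops, xid, secs, flags, ciaddr
             + ip(yiaddr) + ip(server_ip) + b"\x00" * 4 + chaddr + b"\x00" * 192 + DHCP_MAGIC)
    opts = bytes([53, 1, 2, 54, 4]) + ip(server_ip) + bytes([3, 4]) + ip(router_ip) + bytes([255])
    return fixed + opts

if __name__ == "__main__":
    # A consumer router plugged in LAN-side typically offers its own 192.168.0.x range.
    rogue = build_offer("192.168.0.1", "192.168.0.1", "192.168.0.100", "00:11:22:33:44:55")
    print(check_offer(rogue))  # (True, '192.168.0.1', '192.168.0.1')
```

In practice the payloads come from a capture of UDP ports 67 and 68 (for example with tcpdump) taken from an ordinary client port; the Ethernet source MAC of a flagged offer identifies the rogue router and, via its OUI, usually its vendor.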
 
LVL 16

Expert Comment

by:SteveJ
ID: 24315071
Turn off DHCP. Assign IP addresses to legit users, block all other unassigned IP addresses on the Sonic wall. If anyone wants to "add" to the network, they can find you.

Yes, it's a pain. But without throwing dollars and technology at it, you don't have much choice.

Good luck,
Steve
0
 
LVL 2

Expert Comment

by:ngaba
ID: 24336340
You can also set up max MAC address counts on each interface on the switch. This will only allow x amount of MAC addresses for that switch port. If you set it to 1, and someone plugs a router in and uses their PC as well, it will shut the port down.
0
 

Accepted Solution

by:
PhilR714 earned 0 total points
ID: 24340009
All of the switches are unmanaged so there isn't any way to configure them. I doubt they are going to want to go to managed switches. The users are not making any attempt to hide the router. Most of them don't know that they are routers anyway. They think they are putting in a wireless access point. As much as I hate to say it I may have to go with the static IP addresses that SteveJ suggested. It is a very big building with Cat5 jacks everywhere so at any time someone could plug something in.
0
