Link to home
Start Free TrialLog in
Avatar of LTWadmin
LTWadminFlag for United States of America

asked on

How to block a device on the network

I have an unidentified device pulling an IP address off and on - throughout the day (likely a smart-phone) and want to temporarily prevent it from pulling an address so I can determine who's it is.  All I have is the Mac Address.  Could I do this via my firewall (SonicWall) or via my DHCP server settings?  Thanks.
Avatar of Jay Dubya
Jay Dubya
Flag of United States of America image

You may want to look at your router, log in to the routers configuration page and see if you can block that MAC address from obtaining a valid IP. Assuming this is a home computer and you have full access to that equipment...
ASKER CERTIFIED SOLUTION
Avatar of fluk3d
fluk3d
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of LTWadmin

ASKER

godd31: sorry I should have mentioned that we don't own/have access to our ISP provided router...
fluk3d - thanks.  I'm actually just concerned with flushing out the device once it stops functioning...
Also should mention the IP is DHCP provided (i.e. not in my reserved/static IP list)...
so have you looked up the MAC on the IEEE website so we can get a better idea what the device actually is?

when you say just concerned with flushing out the device once it stops functioning... what exactly does that mean?
fluk3d: I was hopeful about the OUI lookup but it came up unrecognized.  If I posted the address here could I expose the device to exploit?
fluk3d: my thinking was that if I can deny the device an IP, someone would walk in with a complaint sooner or later...  
no need to post address of the device I wouldn't reccomended it. You are really limited on your options. Dpeneding on what type of sonicwall you have either a NSA/TZ series the only other thing I could think of is to allow it on the network, and setup a syslog server, and track what sites it goes to see you can get a better idea.

Are you using a commerical AP, is this even a wireless connection that the rogue device is connecting to?
TBone2K: I know the IP also but wouldn't the device just pull another address from the DHCP server?
As I said, if you have the MAC you should be able to set up a reservation and block it at the firewall. At least that way it can't get outside access. No access to the router required.
Setup a DHCP reservation but for the gateway but 127.0.0.1 or some bogus IP for the DHCP options. The device will not be able to get online, and eventually someone will complain. As for denying the device an IP I have yet to see a SonicWALL device do that, and if your DHCP server is running windows I'm sure there might be a way
fluk3d: makes sense but I'm surprised I'd be limited in my options other than to send an email address to suspect device owner's asking them to check their MAC addresses...  Having a technique for doing this will allow me to watch for rogue devices as I have our SpiceWorks system setup to alert me anytime an unidentified device connects to the network here...

Not a networking expert so my apologies to all for any apparent stupidity... :)
fluk3d: Again to all more info sorry.  The DHCP server is a Windows 2003 based server...
TBone2K: Okay - I'll have a look.  Stand by...
If you wanted to harden your system you could look into 802.1x for your network devices which will use a RADIUS/NAP server to authenticate credentials (domain/user) and then allow access to the network.

At least this way you can have a log of which user logged in and what time and the credentials they used will be key to finding out who provided access to that device.
If you need help setting up a dhcp reservation in windows let us know.

-e
fluk3d: always looking to harden - great suggestion thanks.
Most wireless routers and access points I've ever seen (if not all) have a MAC address filter, which will allow you to prevent a given MAC address from connecting to the wireless network.  Assuming you only have one or two wireless access points or routers, that'd probably be the easiest (assuming, of course, it's actually a wireless device and not cabled to the network).
Points awarded for convenience to me at this point.  Haven't had a chance to look into your suggestions yet but thanks.