Preventing mobile hotspots in the workplace

We have some issues with our corporate wifi at the moment. Solutions are in the pipeline, but require budget and will likely be a few months...

During this time, employees are launching their own hotspots when they need internet access (for both corporate and personal devices). The concern is that corporate devices on these hotspots do not pass through any of our usual LAN->WAN (and vice versa) security measures or monitoring.

What could we do to mitigate this risk, beyond user education and asking nicely?
Asked by: Roger Adams

Roger Adams (Author) Commented:
To clarify, the wifi is still working most of the time and staff should be using that (or LAN cables) for secure network and internet access...

To connect through a hotspot, one either has to
- have DHCP enabled or
- be able to modify the network gateway IP address of the wireless NIC

So you could set fixed IPs for the wireless NIC and no one would be able to change that unless he is
- local admin
- or member of the group "network configuration operators"

Surely, if you use DHCP, this would be a drastic change with other downsides.

Roger Adams (Author) Commented:
I like that. But that would prohibit all WiFi use outside of the corporate office(?). Some of which may be legitimate remote working...

Roger Adams (Author) Commented:
Is there any solution to at least be able to detect and identify any hotspots? This could help the IT support team to shut them down and give some data for a user awareness programme.

Detection, sure. You could use two approaches: Monitor IP changes (technically possible) and/or sniff wireless networks yourself using wardriver tools, so that you can physically locate them.

To your first question: Sure, that's a problem. Though we can provide them with technical measures to connect to certain wlans only, that would mean we would have to maintain a list of those.
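
One way to implement the "monitor IP changes" approach mentioned above, as an added example that is not part of the original thread. It assumes an endpoint agent reports each corporate laptop's wireless NIC address, that 10.20.0.0/16 is the corporate client range, and that a switch to a foreign address within 15 minutes of the last corporate address means the device has not left the office; the sample records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): the corporate client range and
# the longest gap for which a device is presumed to still be in the office.
CORPORATE_NETS = [ip_network("10.20.0.0/16")]
MAX_GAP = timedelta(minutes=15)

# Constructed sample: wireless NIC address reports from an endpoint agent.
SAMPLE = """time,host,ipv4,gateway
2024-03-04T09:00:00,LT-0142,10.20.31.7,10.20.31.1
2024-03-04T09:06:00,LT-0142,172.20.10.3,172.20.10.1
2024-03-04T09:40:00,LT-0142,10.20.31.7,10.20.31.1
2024-03-04T08:55:00,LT-0090,10.20.12.44,10.20.12.1
2024-03-04T18:30:00,LT-0090,192.168.1.23,192.168.1.1
2024-03-04T10:00:00,LT-0077,10.20.40.9,10.20.40.1
2024-03-04T10:05:00,LT-0077,10.20.41.15,10.20.41.1
"""

def is_corporate(addr):
    """True if the address falls inside any corporate client range."""
    ip = ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)

def find_suspected_hotspot_use(csv_text):
    """Return (host, time, ipv4, gateway) for each quick corporate -> foreign switch."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: (r["host"], r["time"]))
    prev = {}      # host -> (time of last report, was it a corporate address?)
    findings = []
    for row in rows:
        host, when = row["host"], datetime.fromisoformat(row["time"])
        corporate = is_corporate(row["ipv4"])
        before = prev.get(host)
        # Flag only a fast change away from the corporate range; a long gap
        # (for example, an evening report from home) is treated as remote work.
        if before and before[1] and not corporate and when - before[0] <= MAX_GAP:
            findings.append((host, row["time"], row["ipv4"], row["gateway"]))
        prev[host] = (when, corporate)
    return findings

if __name__ == "__main__":
    for finding in find_suspected_hotspot_use(SAMPLE):
        print("suspected in-office hotspot use:", *finding)
```

The time window is a heuristic: it keeps legitimate remote working out of the report, but a device that first connects to a hotspot long after its last corporate address will not be flagged.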
Roger Adams (Author) Commented:
Thanks. In response to your latter comment: would that be done through GPO, or 3rd party applications?

I'd like to give a slightly different take: If I understand you correctly, corporate devices are allowed to connect to the internet outside of corporate offices. So, what is the difference if they do the same while in the office?

That's not to say it doesn't matter. I'm saying that you need to have desktop security software on the corporate devices which protects them no matter where they are. Because if they get infected outside of the office, your corporate network will be compromised when they come into the office. All it takes is an outbound https connection from one of those laptops to a command-and-control computer somewhere in the world.

As far as personal devices go: I don't see how you can control that, but you can have a policy that they can't be used for work.

I would recommend a clear written policy and education for everyone, not just those who are caught using MiFi. If people understand how big the risk really is, perhaps they'll think about it before connecting.