Chaoscorpz
Technical User
Hello,
I have a user who is jacking in an unauthorized laptop/device into my network. We have a good idea of who it is, but need to provide evidence of the occurrences. This user is particularly troublesome as he has used his technical knowledge to undermine/discredit my IT department with administration. Time to spank a user.
What I need is to trace it down to a specific port on my switch-gear, and from there, a specific wall plate/location. If I could also glean any extra info out of the device that would be great as well. I've been given authorization from upper management to conduct a quiet investigation and have been assured it will be pursued with HR.
The user either unplugs one of the normal company PCs and uses that jack, or has found an active one. The user gets an IP from my DHCP server, and goes on his merry way with the network.
I can tell that this is an unauthorized device since the device name does not follow my standard conventions, and the MAC address traces out to a different manufacturer than we use (from the DHCP server log).
This is what I have to work with:
Complete admin/root level access to everything on our network.
Windows 2000 DHCP servers
Windows 2000 Servers
Core switch gear is Cisco 3750's
Other Switch gear Cisco 3550's, and 3Com SuperStack III's
Cisco PIX firewalls for Internet access.
My skill set:
Familiar with MS servers & desktops.
Some UNIX/Linux knowledge.
Some 3Com experience
Some Cisco experience.
Determination to bust him.
I am willing to drop dedicated appliance PCs to nail this user down. I've built dedicated appliance PCs before for use as firewalls, routers, print servers, etc.
To cover my bases I've dropped this into a couple of related forums.
Any ideas?
Thanks in advance,
IT
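The check described in the post (a device name that breaks the naming convention, a MAC prefix from a different manufacturer), run over DHCP audit log lines to build a dated record of sightings. This is an added example, not part of the original post; the hostname pattern, the approved OUI list and the log lines are constructed assumptions.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime

# Assumptions, not from the post: company PCs are named like CORP-1234 and
# use the MAC prefixes (OUIs) below. Replace both with your own values.
HOSTNAME_RE = re.compile(r"^CORP-\d{4}$", re.IGNORECASE)
APPROVED_OUIS = {"000874", "000BDB"}
LEASE_EVENT_IDS = {"10", "11"}  # 10 = new lease, 11 = lease renewed

# Constructed sample in the Windows DHCP audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
00,03/14/05,00:00:12,Started,,,
10,03/14/05,08:02:31,Assign,10.1.4.21,CORP-0412.example.local,000874A1B2C3
10,03/14/05,09:12:44,Assign,10.1.4.57,homelaptop,00904B1A2B3C
11,03/14/05,13:12:50,Renew,10.1.4.57,homelaptop,00904B1A2B3C
11,03/14/05,13:30:02,Renew,10.1.4.21,CORP-0412.example.local,000874A1B2C3
10,03/15/05,08:47:09,Assign,10.1.4.63,CORP-0007,00904B1A2B3C
"""

def find_suspect_leases(log_text):
    """Return lease events whose hostname or MAC prefix is not a company one."""
    findings = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENT_IDS:
            continue  # header text, service events, malformed lines
        mac = re.sub(r"[^0-9A-Fa-f]", "", row[6]).upper()
        host = row[5].strip().split(".")[0]  # drop any DNS suffix
        reasons = []
        if not HOSTNAME_RE.match(host):
            reasons.append("hostname")
        if len(mac) != 12 or mac[:6] not in APPROVED_OUIS:
            reasons.append("oui")  # also catches a company-style name on a foreign NIC
        if reasons:
            when = datetime.strptime(f"{row[1].strip()} {row[2].strip()}", "%m/%d/%y %H:%M:%S")
            findings.append({"when": when, "ip": row[4].strip(), "host": host,
                             "mac": mac, "reasons": reasons})
    return findings

def sightings_by_mac(findings):
    """Summarise each flagged MAC as (first seen, last seen, event count)."""
    seen = defaultdict(list)
    for f in findings:
        seen[f["mac"]].append(f["when"])
    return {mac: (min(t), max(t), len(t)) for mac, t in seen.items()}

if __name__ == "__main__":
    for f in find_suspect_leases(SAMPLE_LOG):
        print(f["when"], f["ip"], f["host"], f["mac"], ",".join(f["reasons"]))
```

Each flagged MAC can then be looked up in the switches' MAC address tables while the lease is active to find the port it is connected to.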