
How to handle Mobile Users

Status
Not open for further replies.

MattWray

We have a "guest" user that will be onsite for an indefinite amount of time. He brought his personal laptop and wanted to connect it to the network. I said No. Now we are in a situation, as he is friends with the president.

What do you all do? I am very nervous about bringing an outside machine into our network. I have managed to protect against all the viruses this year and last, and I'd hate to bring this guy in and have him infect us. He already showed me the updates Microsoft sent him in his E-mail! If I clean his machine and make sure it's good to go, how will I know he won't install one of those updates that night and infect us the next day?

Would V-LANing work? They really want this guy in, so I'm kinda stuck between a rock and a hard place!

TIA!

Thanks,

Matt Wray

GFH

 
Sounds like a rock & hard place problem.
Our policy is no personal laptops. Our vendors have to
certify that any laptops they wish to connect meet our
virus/patch requirements.
How about a connection to your firewall?

Rick Harris
SC Dept of Motor Vehicles
Network Operations
 
I've been through this before..

What we do is this. Our policy is no personal laptops also, but there are those times that someone higher up strongly suggests that person needs inet access.

We have a separate subnet and firewall that hosts a test machine, complete with DHCP, DNS server. If it is really important that they have outside access, they can jump on that subnet. This way if for some reason they can infect, they disable a test box that has an image that can be blasted back on it in under 4 minutes. They also have NO contact to the subnet that pays the bills.

______________________________________
Real Solutions... For Real People
______________________________________
"Hi, I'm a sig virus. Please add me to the end of your sig and help me take over the world."
 
If he doesn't need his laptop to conduct work on your network, give him a phone line for dialup if all he wants is access to the internet.

"evil prospers when good men do nothing"
 
Just put him in a firewall's dmz. Go to this web site and check the free online virus and trojan scanners. Once he has been rechecked and it's free of infection put him in your domain.

Hope this helps.

============================
There is no place like 127.0.0.1
 
The problem with that, noobtech, is that he can remove his machine. I don't want him getting cleaned then taking it home and getting a virus that night. I think the best solution is definitely to go the firewall route. Our firewall currently does not have an extra interface for a DMZ. While I wait for one to be ordered, any comments on the V-LAN option?
Thanks for all the responses. I'm the only network guy here, and it helps to bounce ideas off others. And everyone looks at me funny when I am bouncing them to myself![smile]

Thanks,

Matt Wray

GFH

 
Matt

Would it be possible to use the network bandwidth but not actually join the domain, so he has internet access? If he needs access to network resources, could that be done through a Citrix server, for example (depends on facilities available at your site)?

John
 
John, I thought about doing that, but was a little wary because of things like Blaster that could replicate across the network. We do have Citrix available, though. I guess I'm just kind of paranoid about things. I've managed to keep our network clean through this last year of viruses and worms, I don't want to let one in "the back door" so to speak.
Thanks for the feedback...

Thanks,

Matt Wray

GFH

 
Matt-
You are between a rock and a hard place, but the responsibility of this has been taken off of your shoulders by the president. As a consultant (who gets paid by the hour), this is what I'd do:
-Give him a static IP.
-Use a network monitor and logs to monitor his machine for inappropriate activity, i.e. viruses propagating, connecting to network shares, etc. If the monitor alarms anytime, shut him down.
-The monitoring is important for evidence.

Since the prez is his friend, you will have to show the logs to prove that anything bad that happens was because of this machine. If something like a virus does happen, you have the evidence to show that the massive amount of overtime you are spending (and collecting on your paycheck) to fix stuff was due to the prez's friend. If appropriate, you might also note ...without the typical techie arrogance... that you advised against it.

If you are a salaried employee, I am reminded of a song by Napalm Death...it's called You Suffer.
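
The monitoring suggested in the post above, sketched as an added example that is not part of the original thread: it reads a firewall flow log and flags the guest's static IP when it touches the internal network, reaches for file-share ports, or fans out across many hosts the way a worm does. The log format, addresses, port set and threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Every address, port set and threshold here is an assumption for illustration.
GUEST_IP = "192.168.50.10"                      # static IP handed to the guest laptop
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # production network the guest must not touch
SHARE_PORTS = {135, 139, 445}                   # RPC / NetBIOS / SMB (Blaster spread over 135)
FANOUT_LIMIT = 5                                # distinct targets on one such port that suggest a worm

# Constructed sample flow log: "timestamp src dst dst_port action"
SAMPLE_LOG = """\
2004-01-12T09:00:01 192.168.50.10 198.51.100.7 80 permit
2004-01-12T09:00:05 10.1.2.3 10.1.2.4 445 permit
2004-01-12T09:01:10 192.168.50.10 10.1.2.20 445 deny
2004-01-12T09:01:12 192.168.50.10 10.1.2.30 3389 deny
2004-01-12T09:02:00 192.168.50.10 203.0.113.1 135 permit
2004-01-12T09:02:00 192.168.50.10 203.0.113.2 135 permit
2004-01-12T09:02:01 192.168.50.10 203.0.113.3 135 permit
2004-01-12T09:02:01 192.168.50.10 203.0.113.4 135 permit
2004-01-12T09:02:02 192.168.50.10 203.0.113.5 135 permit
"""

def review(log_text, guest=GUEST_IP):
    """Return (timestamp, kind, detail) alerts for the guest's flows, in log order."""
    alerts, fanout, flagged = [], defaultdict(set), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != guest:
            continue                              # malformed line or another host
        ts, _, dst, port, action = fields
        dst, port = ipaddress.ip_address(dst), int(port)
        if dst in INTERNAL:                       # guest should have no contact with production
            kind = "share-access" if port in SHARE_PORTS else "internal-contact"
            alerts.append((ts, kind, f"{dst}:{port} {action}"))
        if port in SHARE_PORTS:                   # track fan-out only on worm-prone ports
            fanout[port].add(dst)
            if len(fanout[port]) >= FANOUT_LIMIT and port not in flagged:
                flagged.add(port)                 # alert once per port
                alerts.append((ts, "propagation", f"{len(fanout[port])} hosts on port {port}"))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

Denied attempts are kept in the alert list on purpose: a blocked connection to a share is still the evidence the post says to collect.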
 
We also have a policy of no outside computers being connected to our network unless there are compelling reasons to allow it. If an outside consultant needs access to network resources we provide a computer and logon account. The question not asked or answered here is why does he NEED to use his laptop on the network?

George
MCSA (Win2k) A+, Net +
 
That is legitimate. He has lots of files that he works on that pertain to what he is doing at our site. I have ordered an extra Ethernet interface for our PIX and I'm going to firewall him off. That should keep him away from us but allow him to access the Internet...

Thanks everyone for the great ideas...

Thanks,

Matt Wray

GFH

 