Vendor/Customer wants internet access

[dennisbbb]

This is all too common. A vendor or customer come in the premise, boot up their notebook, obtain ip thru dhcp, and connect to the internet. While online, they run their network sniffer to sniff internal traffic or scanner to see what's on your domain network.

My question is, is this generally allowed allow in your company? Do you get paranoid when someone outside the company is "inside" your network?

 

[gbaughma]

No. If I were to catch someone running a sniffer on my network, they would be escorted out by security. Period.

But, then again, since where I work is HIPAA compliant, they shouldn't be able to do that, if I have my ducks in a row.

Of course, I can't keep them from running a sniffer...

Bottom line; YES. I get VERY testy/paranoid/ticked if someone's messing with MY network.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

 

[dkediger]

This is what I use the DMZ on the firewall for. If they "need" (read want) access to an internal file or a printer, well, I've got a few spare USB drives that work fine to transfer stuff.

 

[mrdenny]

We have a seperate network setup for conference rooms, vendors etc that need internet access.

We purchased a DSL account and have a dedicated Cisco router connected to it. All the conference rooms have a network port connected to the DSL and we can switch a desk over to the DSL by changing the patch cable in the IDF. This keeps visitors off of our network unless we want them on it.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[zarkon4]

We have assigned IP address on our network. We have only a small range of DHCP addresses available and none of them are allowed access to the internet. Not only that but they are unable to view any data on servers unless they have a login to the domain.
We get alot of vendors in here and they try to access through our wireless as well. We have locked that down as well.

 

[Grenage]

I'm with gbaughma. If we discovered a guest running a sniffer on our network, they would be introdced to the window. We generally don't allow foreign computers onto the company network.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[sstoppel]

We have a DSL internet connection connected to a WAP for vendors and consultants.

No machine that my department didn't build is allowed on my net.

Anyone sniffing my net would be thrown out and his supervisor called.

 

[gbaughma]

Isn't it funny how we take ownership of our networks?

Goodness knows, I do. I designed it; it has over 100 computers and thin clients, and about 25 printers. Each floor has its own wiring closet, connected via fiber optic. It rocks; and I'm proud of it.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

 

[audiopro]

I would support you guys and keep all intruders out.
While all is working well it is the company's network, when something goes wrong it is yours.

Keith

http://www.studiosoft.co.uk

 

[dennisbbb]

audiopro: So true so true.. it is my butt with the slightest complaint from even the dumbest user. As the admin, we are the protector, the police, as well as the educator. So it really ticks me off to see some trying "to see what we got". As for me, the worst part is, we have to treat these guests with respect, and give them internet access.

 

[audiopro]

I had an app a few years ago which failed.
User says, "If I keep pressing F11 numerous times, it crashes".
I poked him in the eye to see if he crashed!

Keith

http://www.studiosoft.co.uk

 

[hilfy]

I don't work in DNS, but I know what the rules are...We don't allow any computer not owned by the company to connect to the network. If one does, things are locked down so that they can't connect to anything, even the internet.

We have monitoring software running so that anyone running a sniffer or similar software is caught pretty quickly. In the last 6 months, we've fired two people for running password finder programs - one was malicious, but the other one was just dumb and wanted to know if the program would work.

-Dell

A computer only does what you actually told it to do - not what you thought you told it to do.

 

[chiph]

Since I work as a software developer, I find I have an occasional need to run a sniffer (Ethereal, usually). Good thing no one has come around wanting to know why!

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first

 

[LadySlinger]

We have two separated networks protected by a firewall. One is strictly a wireless network, the other a wired network.

The wired network is what all of our servers, computers printers, etc are on.

The wireless is for guest computers only and they are blocked by the firewall from sniffing or even touching at any of our servers/printers, etc.

 

[dennisbbb]

hilfy: I like your environment. King of your domain.

ladySlinger: That's a nice setup. I guess we here just have to start building that topology, and not become easily frustrated and paranoid everytime someone foreign stick their cable into our jacks.

 

[gbaughma]

Well, I work in the Health Care/Corrections field. Nobody has any *reason* to bring a computer in here.

Even the doctors who sometimes come in, and *need* access to our network and files (or examiners, etc) are given a short-term login and password for our wireless network.

I have a Zyxel gateway with an account printer on it; I print them a user name and password that is good for 24 hours, then they're locked out again.

Yes... absolutely, if I found someone running a packet sniffer, one of two things would happen.

1) Employee - Terminated. Period. It's right in our policies.
2) "Visitor" - Escorted off of the property by security, never to return. Period.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

 

[Diancecht]

I'm a consultant. I use to connect my laptop at customer home. I browse the Internet, in fact, I cannot imagine how can I work without that. I use their printers. Last week I ran three sniffers because I needed to monitorize http traffic for the application I was asked to optimize.

What's wrong with that? Cannot design a secure net that allows guests? And you feel proud of it? Wasn't usability a great quality for a network? Should it be for join or not to join?

Cheers,
Dian

 

[Grenage]

What's wrong with that?

Everything, unless it's been approved!


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[dennisbbb]

Dianceht: I hope you ran the sniffers with their knowledge, otherwise, I would be pissed.

Yes, the network is secured, inside and out; however, user packets are compromised internally when they sign on to their online web accounts since some of them are sent via clear text. As the admin, keeping an eye on sniffers internally is an ongoing process. When it is an "outsider" who's sniffing, you can understand the tension.

 

[gbaughma]

Cannot design a secure net that allows guests?

Of course I can design a secure network that allows guests. I do it at hotels.

However, a "guest" would indicate that they have *permission* to be on the Network, as well as being set up with any credentials they need.

A "guest" would never have any reason to run a packet sniffer on my network. A *consultant* that I bring in might, under my supervision, if I were having unsolvable network problems or traffic issues.

The reality of it is, however, that a "guest" would never need to be sniffing about on my network. It *IS* part of our secure network to make sure that things like that don't happen, because it compromises everyone ELSE'S security.

Now, considering the original post....

A vendor or customer come in the premise, boot up their notebook, obtain ip thru dhcp, and connect to the internet. While online, they run their network sniffer to sniff internal traffic or scanner to see what's on your domain network.

.... that is not a guest. That is a hacker. They are being nosey, or subversive, or even (at worst) in the middle of corporate espionage.

How would you feel if this happened at your home, while you were doing your online banking, or sending an IM to a "special friend"? Not that I'm hiding anything at work, mind you, but by the same token, since we are health care/corrections, there is very sensitive data on our network.

For that matter, we don't even allow a vendor in the building without signing a HIPAA compliance form, and that includes the guy that fills the candy machine in the basement!



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg