Q

How can I control 'untrusted' laptops that connect directly to our network?

I'm presently engaged in a research project. The research I'm doing will lead to a good practice paper on controlling "rogue" laptops connected to networks. The problem is that in agriculture research centers there are a lot of visiting scientists and others who hook their personal laptops directly into the center's network, thus bypassing the firewall as they are now on the "inside." In some isolated centers the problem also encompasses private computers based in people's houses, which are used for work purposes and for e-mail connection through the center's e-mail server.

How do we control these laptops (and private computers), as they are by definition "untrusted" and are bypassing the firewall controls? The research is interesting -- there is by no means a consensus, but most seem to agree that to merely ban laptops and private home machines from the network is a "blunt instrument" approach -- that the problem will not go away and needs to be handled and appropriate controls put in place.

Yes, a most interesting problem. Years ago the problems were simpler -- we just worried about people bringing floppies from home. We set up virus testing stations and the rules were you must have your disk checked for viruses before you could use it. I remember visiting one company and they wanted me to take some files for analysis. I had some blank, new floppies with me, but we still had to scan them. They passed. I only used a few to copy the files. Later, back at my office, I found the scanned disks were infected -- by the scanning machine!

Today we have larger concerns, but some of the same issues. Here are some thoughts:

  1. Before a machine is allowed to plug into the network it must be approved. This will limit somewhat just "anyone" connecting. (Don't forget there may be visitors, contractors, etc. Have a policy and follow it.)

  2. Part of that policy can be that the machine must be running antivirus software and it must be updated.

  3. Only allow them access through a remote access system. You can do this from home or remote connections, as well. Yes, even on the network, set up remote access that they must use. You can set up the remote access to quarantine their systems until they've been checked for viruses. One possible product for this is Microsoft's Internet Authentication Server. I quote:
    IAS Network Access Quarantine Control provides phased network access for remote client computers by restricting them to a quarantine mode. After the client computer configuration is either brought into or determined to be in accordance with your organization's network policy, quarantine restrictions, which consist of Quarantine IP Filters and Session Timers, are removed and standard remote access policy is applied to the connection.
    You can read more here.

  4. Another option for keeping them from accessing local area network resources directly is to insist that an IPsec authentication (AH) is the only policy that requires a certificate. Your resident machines, of course, can have a certificate. Approved visiting scientists can be given a certificate after proof of their compliance, and certs can be set for very short validity times and even revoked.

Remember, you do want to make services available for visitors, but, just like having guests in your house, you don't have to put up with their bad behavior.
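The four controls above can be combined into a single admission decision. The following sketch is an added example, not part of the original answer and not IAS code; the class names, the thresholds (7-day signature age, 14-day visitor certificate lifetime, 30-minute quarantine timer) and the sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values, not taken from the answer above.
MAX_SIG_AGE = timedelta(days=7)             # antivirus signatures must be this fresh
MAX_VISITOR_CERT_LIFE = timedelta(days=14)  # "very short validity" for visitors
QUARANTINE_TIMER = timedelta(minutes=30)    # session timer while quarantined

@dataclass
class Cert:
    serial: str
    not_before: datetime
    not_after: datetime

@dataclass
class Device:
    approved: bool           # item 1: approved before plugging in
    resident: bool           # resident machine (True) or visitor (False)
    av_running: bool         # item 2: antivirus is running
    av_sig_date: datetime    # item 2: last signature update
    cert: Optional[Cert]     # item 4: certificate presented for IPsec
    connected_at: datetime   # start of the current session

def cert_ok(dev, now, revoked):
    c = dev.cert
    if c is None or c.serial in revoked:
        return False
    if not (c.not_before <= now <= c.not_after):
        return False
    # Visitors are only accepted with short-lived certificates.
    return dev.resident or (c.not_after - c.not_before) <= MAX_VISITOR_CERT_LIFE

def decide(dev, now, revoked):
    """Return 'deny', 'quarantine' or 'full' for one connection attempt."""
    if not dev.approved:
        return "deny"
    compliant = dev.av_running and (now - dev.av_sig_date) <= MAX_SIG_AGE
    if compliant and cert_ok(dev, now, revoked):
        return "full"
    # Not yet compliant: restricted access until the session timer expires.
    if now - dev.connected_at > QUARANTINE_TIMER:
        return "deny"
    return "quarantine"

# Constructed sample data: one compliant visitor and a revocation list.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
VISITOR = Device(True, False, True, NOW - timedelta(days=2),
                 Cert("V-001", NOW - timedelta(days=1), NOW + timedelta(days=6)),
                 NOW - timedelta(minutes=5))
REVOKED = {"V-002"}
```

A visitor who is approved but has stale signatures or a revoked certificate stays in quarantine rather than being refused outright, and is only dropped once the session timer runs out.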
