Accommodating visitors to our network

 
 
Maurice Bishop
Guest
Posts: n/a

 
      11-30-2005, 12:10 AM
The bane of my life!

As a sysadmin, the sales staff are quite happy to welcome visitors to our 50
user network without checking the visitors' AV software, scanning it for
worms, spyware etc., so that the visitors can access their own OWA servers
via our company gateway.

Any suggestions as to what we might do?

Options:

1. Ask visitors to sign something (I'm not sure what) before plugging their
notebooks into our network.

2. Man wrestle the visitor to the floor to release him/her from their
notebook, then scan the HDU off line before allowing them to plug in their
notebook.

3. Set up some kind of physical DMZ.

4. Explain politely - no you can't use our network! Not exactly an option as
our visitor today has signed an order for just over 2 million pounds
sterling with our company turning over 7.5 millions.

Any suggestions/thoughts/contributions, no matter how silly or off the wall,
are greatly appreciated.

TX in advance.

Maurice


 
 
 
 
 
Will
Guest
Posts: n/a

 
      11-30-2005, 03:03 AM
Create a dedicated DMZ just for the visitors behind the primary firewall.
The only public service you should support to your internal network is DNS,
and obviously take steps to prevent them from doing zone transfers. I
wouldn't even give them e-mail. Restrict their access outside your network
to http and https. Now when their virus-ridden laptops try to connect to
every IP on the DMZ network, you have direct visibility on that from the
firewall log, and your internal network doesn't get any of that traffic.

All of this presupposes you create a business process that trains your staff
that outsiders will connect in rooms x, y, or z, only on specific marked
Ethernet jacks.

--
Will
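
The guest-DMZ policy described in the post above, written out as an added example (not part of the original thread): a rule evaluator for guest-sourced flows plus a check over firewall log lines for a host touching many addresses. The subnets, the resolver address, the log format and the threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (not from the thread): guest DMZ, internal LAN, internal resolver.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
INTERNAL_DNS = ipaddress.ip_address("10.0.0.53")

def decide(src, dst, proto, dport):
    """Return 'allow' or 'deny' for a flow that originates in the guest DMZ."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_NET:
        return "deny"  # this policy only covers guest-sourced flows
    if dst == INTERNAL_DNS:
        # Queries only. Zone transfers (AXFR) run over TCP, so TCP/53 stays closed;
        # the DNS server should also restrict transfers in its own configuration.
        return "allow" if (proto, dport) == ("udp", 53) else "deny"
    if dst in INTERNAL_NET or dst in GUEST_NET:
        return "deny"  # no other internal access, no guest-to-guest traffic
    return "allow" if proto == "tcp" and dport in (80, 443) else "deny"

def parse(line):
    """Parse 'ts ACTION proto src:sport -> dst:dport' (constructed log format)."""
    _ts, action, proto, src, _arrow, dst = line.split()
    d_ip, d_port = dst.rsplit(":", 1)
    return action, proto, src.rsplit(":", 1)[0], d_ip, int(d_port)

def sweeping_hosts(lines, threshold=5):
    """Guest sources with denied attempts to at least `threshold` distinct IPs."""
    targets = defaultdict(set)
    for line in lines:
        action, _proto, s_ip, d_ip, _port = parse(line)
        if action == "DENY" and ipaddress.ip_address(s_ip) in GUEST_NET:
            targets[s_ip].add(d_ip)
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}

# Constructed sample log: .23 probes TCP/445 across the DMZ, .40 mostly browses.
SAMPLE_LOG = [
    f"2005-11-30T10:00:{i:02d} DENY tcp 192.168.50.23:1025 -> 192.168.50.{i}:445"
    for i in range(1, 9)
] + [
    "2005-11-30T10:01:00 ALLOW tcp 192.168.50.40:1030 -> 203.0.113.10:443",
    "2005-11-30T10:01:05 DENY tcp 192.168.50.40:1031 -> 10.0.0.5:3389",
]

if __name__ == "__main__":
    print(decide("192.168.50.40", "10.0.0.53", "udp", 53))
    print(sweeping_hosts(SAMPLE_LOG))
```

Closing TCP/53 at the firewall also blocks DNS answers that fall back to TCP, which is why the transfer restriction belongs on the DNS server as well.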


Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      11-30-2005, 03:05 AM


In news:438cfbf5$0$63094$(E-Mail Removed),
Maurice Bishop <(E-Mail Removed)> typed:
> The bane of my life!
>
> As a sysadmin, the sales staff are quite happy to welcome visitors to
> our 50 user network without checking the visitors' AV software,
> scanning it for worms, spyware etc., so that the visitors can access
> their own OWA servers via our company gateway.
>
> Any suggestions as to what we might do?
>
> Options:
>
> 1. Ask visitors to sign something (I'm not sure what) before plugging
> their notebooks into our network.


"I swear on all I hold sacred that I have no dangerous crap on my computer"
doesn't really fly. And isn't actually likely to be true, even if they don't
know it.
>
> 2. Man wrestle the visitor to the floor to release him/her from their
> notebook, then scan the HDU off line before allowing them to plug in
> their notebook.


Fun!
>
> 3. Set up some kind of physical DMZ.


Set up a dedicated private LAN that has access only to the Internet for use,
in a convenient public location. Hell, even give 'em wireless.
>
> 4. Explain politely - no you can't use our network! Not exactly an
> option as our visitor today has signed an order for just over 2
> million pounds sterling with our company turning over 7.5 millions.


"You can't use our network, but you can use *this other* network we kindly
set up for guest Internet access."
>
> Any suggestions/thoughts/contributions, no matter how silly or off
> the wall, are greatly appreciated.
>
> TX in advance.




Disconnect all unused network drops from the switches. Inform the managers
of the sales department that unauthorized machines will not be permitted on
the corporate LAN.

I don't know what your budget is, but since your company just made this big
sale, they might now be able to afford a fancy layer-2 switch and other such
goodies to protect unauthorized computers from even getting IP addresses or
doing something with them if they *do*. [My clients don't have budgets that
big, so I am probably not the most useful person to consult in that regard -
wrestling works just fine for me.]

>
> Maurice



 
 
Neteng
Guest
Posts: n/a

 
      11-30-2005, 01:14 PM
I agree with the others on creating a DMZ for them. You could also implement
something like Cisco Clean Access which will scan their computer when they
connect to your network. If they do not meet your specs of patches, A/V,
etc, you can restrict all access to your network, throw them in a different
VLAN, etc. This can be applied for all laptops/PCs connecting to your
network (we all know even sales guys have strange things on their laptops).

