Slashdot Mirror


Dealing With Laptops in a Business Network?

lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"

7 of 106 comments

  1. Here's a start for you. by grub · Score: 5, Informative

    Put your laptops on a DMZ-like subnet. Don't allow unrestricted access from that to the rest of the LAN, i.e.: only allow them access to your servers and other necessary resources. If they don't need to access Bertha's PC in Accounts Receivables then block it.

    Block spyware sites on your firewall and log it. If you see a laptop trying to get to $SPYWARESITE you know they've installed crap. Go remove it.

    Make sure they have antivirus and antispyware stuff installed, up to date and running. A lot of people turn it off because "it slows my machine down".

    Ideally you won't let them have admin access. Far too often laptops show up with Kazaa or other shit installed because they let their kids play with the machines at home. Bad move, it's company property with company information but many people think the other way around. Assuming you're the IT manager you should have every right to remove such crap. Check your policies first.

    Very important: Make a log of everything you have to fix. If and when you start to enforce policy you need hard data to back up your actions.

    --
    Trolling is a art,
    1. Re:Here's a start for you. by grub · Score: 2, Informative

      We have a bunch in our PIX configs. Here are a few to start (and some may be old or broken, we don't actively check). I usually google around for the spyware places. Not sure how this will wrap...
      : www.xcelent.biz evilness. see http://www.theregister.co.uk/2004/09/22/opt-out_exploit/
      access-list CSM-acl-Ginside deny ip any host 61.218.79.53

      : gator.com [SPYWARE]
      access-list CSM-acl-Ginside deny ip any 64.94.89.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 204.238.120.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 64.162.206.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 63.197.87.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 216.30.17.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 208.184.198.0 255.255.255.128
      access-list CSM-acl-Ginside deny ip any 216.141.76.128 255.255.255.248
      access-list CSM-acl-Ginside deny ip any 64.152.73.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 66.35.229.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any 64.152.64.0 255.255.255.0

      : cydoor
      access-list CSM-acl-Ginside deny ip any host 209.10.17.133
      access-list CSM-acl-Ginside deny ip any 209.73.225.0 255.255.255.0
      access-list CSM-acl-Ginside deny ip any host 212.29.215.3
      access-list CSM-acl-Ginside deny ip any host 209.11.42.240

      : friendgreetings.com "worm", see
      :http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html
      access-list CSM-acl-Ginside deny ip any host 207.21.232.104
      access-list CSM-acl-Ginside deny ip any host 65.89.168.69
      access-list CSM-acl-Ginside deny ip any 216.34.38.64 255.255.255.192
      access-list CSM-acl-Ginside deny ip any host 216.65.63.139

      : activex viruslike crud, see http://zdnet.com.com/2100-1105_2-1026228.html
      access-list CSM-acl-Ginside deny ip any 216.187.107.0 255.255.255.0

      : www.freescratchandwin.com <- spyware, logger, hijacker.
      access-list CSM-acl-Ginside deny ip any 206.161.193.0 255.255.255.0

      : zotob worm. Mainly for detection internally. grg 20050817
      :diabl0.turkcoders.net port 8080 normally.
      access-list CSM-acl-Ginside deny ip any host 84.244.5.237
      etc etc etc
      --
      Trolling is a art,
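One way to act on grub's "block it and log it" advice with the ACL syntax posted above: an added example, not code from the post or from Cisco, that parses the PIX deny entries (keeping the ":" comment as a label for each group), then matches constructed PIX 106023 deny-syslog lines against them so an admin can see which internal laptop tried to reach which blocked spyware range. The ACL subset and the log lines are constructed samples, and the syslog layout is assumed to be the standard 106023 "Deny proto src iface:ip/port dst iface:ip/port" form.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the ACL entries from the post (same PIX syntax).
ACL_TEXT = """
: gator.com [SPYWARE]
access-list CSM-acl-Ginside deny ip any 64.94.89.0 255.255.255.0
access-list CSM-acl-Ginside deny ip any 216.141.76.128 255.255.255.248
: cydoor
access-list CSM-acl-Ginside deny ip any host 209.10.17.133
"""

# Matches "deny ip any host X" and "deny ip any NET MASK" forms only.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+deny\s+ip\s+any\s+(?:host\s+(\S+)|(\S+)\s+(\S+))$")

def parse_acl(text):
    """Return [(acl_name, label, network)] from PIX deny lines.
    A ':' line is the admin's comment; it labels the entries that follow."""
    entries, label = [], "untagged"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            label = line[1:].strip()
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        name, host, net, mask = m.groups()
        network = (ipaddress.ip_network(host) if host
                   else ipaddress.ip_network(f"{net}/{mask}", strict=False))
        entries.append((name, label, network))
    return entries

# Assumed PIX 106023 deny format; these sample lines are constructed.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src inside:10.20.0.15/3321 dst outside:64.94.89.7/80 by access-group "CSM-acl-Ginside"',
    '%PIX-4-106023: Deny udp src inside:10.20.0.15/1029 dst outside:209.10.17.133/53 by access-group "CSM-acl-Ginside"',
    '%PIX-4-106023: Deny tcp src inside:10.20.0.42/4100 dst outside:216.141.76.130/80 by access-group "CSM-acl-Ginside"',
    '%PIX-4-106023: Deny tcp src inside:10.20.0.42/4101 dst outside:198.51.100.9/443 by access-group "CSM-acl-Ginside"',
]
LOG_RE = re.compile(
    r"%PIX-4-106023: Deny (\w+) src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")

def flag_laptops(log_lines, entries):
    """Map each internal source IP to the labels of blocked ranges it hit.
    Denies that match no labelled entry (the last sample line) are skipped."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.group(3), ipaddress.ip_address(m.group(5))
        for _name, label, network in entries:
            if dst in network:
                hits[src].add(label)
    return dict(hits)
```

Running `flag_laptops(SAMPLE_LOG, parse_acl(ACL_TEXT))` gives one entry per laptop with the spyware groups it tried to contact, which is the "go remove it" list grub describes.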
    2. Re:Here's a start for you. by Anonymous Coward · Score: 1, Informative

      You have a false sense of security. The two subnets share the same broadcast domain. The second any malware uses any protocol other than IP, you're fucked.

      Really, VLANs aren't that expensive to set up, especially with the kind of setup you have. You don't need 100 managed switches. You need one. You can pick up a bunch of old Bay Networks gear on eBay on the cheap. I'd recommend a 350T. It is a sixteen port 10/100 switch capable of trunking and VLANs. Configurable through SNMP and a pretty straightforward text interface through a serial connection. Definitely easier for the networking newbie to set up than Catalysts (especially the old, fucked up 1900 series!). Should put you back about $40 or less.

    3. Re:Here's a start for you. by karnal · Score: 3, Informative

      If you attempt to wipe the machines where I work, you shoot yourself in the foot.

      At that point, if you want to install any work related software, you need to be a member of the domain/active directory. If not, you don't get connected, either while in the office or via VPN.

      Of which, you can't install the necessary VPN software unless you are in the office, or we ship you a CD.

      We haven't had anyone try to get around this yet. I think it's safe to say the people who work on them in my business realize they'd be down a lot harder if they tried to....

      --
      Karnal
  2. Deepfreeze by QuantumRiff · Score: 4, Informative
    Great program, reboot your PC, and all changes are reset. It is so much fun to load Kazaa onto a computer, reboot it, and it is all gone.. Of course, you have to get them trained to save absolutely everything to a Pen drive..

    Actually, I think there is a configuration to allow it to make changes to a certain folder, i.e., c:\data, that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something (never did look), rebooted the PC, and the virus went away...

    Faronics sells this.

    --

    What are we going to do tonight Brain?
  3. VPN, policies, etc. by Anonymous Coward · Score: 3, Informative

    Posting as AC to protect my job, however our method is quite extensive, and the high-level details are worth sharing for others to learn from.

    My company's (a large online e-tailer and book seller) approach involves several methods to protect remote machines and limit access.

    For remote access, a customized platform agnostic VPN device (running an embedded linux) piggy-backs onto the laptop. The device is powered by the laptop's USB port, and acts as a firewall in addition to a VPN gateway. The device can connect to the internet either via its built-in compact-flash wireless card (supports WEP or open wireless) or an ethernet connection. When the tunnel is down, the laptop is still well protected by said firewall. When the tunnel is up, all traffic is routed through the VPN tunnel, and subject to corporate firewall rules. The VPN device is tied to the laptop's MAC address, and will not work with any other machine unless reprovisioned by an admin with appropriate rights. The user must authenticate on the device (which updates credentials each time it connects) before access is granted internally, and only the provisioned user has access to log in to the device. Three failed login attempts will delete the data on the device, rendering it useless to any thief, and requiring it to be reimaged by corporate IT. The only means of accessing corporate data from "the outside" is via this device or a direct dial-up. There is zero access to internal systems without either of these methods (not even webmail). Dial-up numbers cannot be modified by the user, which prevents them from connecting to any random ISP.

    I don't know if either connection is dropped into a DMZ for further protection, however the local VPN device does packet filter certain types of packets on the way out for extra measure.

    On the software side, the machines (when running Windows of some sort) run an antivirus and policy enforcement suite which is maintained by a corporate server. Policies enforce encryption of the user's mydocs directory should the laptop be otherwise compromised. Policies also restrict the user from installing software that isn't deployed via SMS. Additionally, anti-spyware software is installed on the machine to allow IT to remove threats. Because users must connect to the corporate network to do most job functions, these tools remain fairly up-to-date.

    To protect the laptop, user passwords are changed regularly and a strong password requirement is enforced in addition to a fairly long password history retention to prevent reuse. Usernames are not retained in the login screen. Laptop screens are forced to lock after a short amount of time to prevent unattended access.

    For browsing, users are permitted either IE or Firefox, however most users prefer the latter :-) Email can be accessed via web, Outlook/Evolution (ick) or Thunderbird via IMAP.

    I'm not sure on the size of your company, but if your budget allows, this seems to be a highly secure and, admittedly, well thought out means of enforcing security and protecting networks.

  4. Re:"if the company has purchased...." by museumpeace · Score: 2, Informative

    I would suggest to the poster that ONLY company issued machines be allowed to ever connect to the company systems, in or outside the perimeter. The "locked down" bare bones configurations are standard practice with better defense contractors and large financial companies, especially brokerage firms...I know this from experience. SecurID two part logins through VPN that basically only let you access your desktop system and only as your employee identity tend to limit unauthorized access. And be very careful with wireless. If it is tolerated at all, be darn sure users don't ever get a chance to work without encryption turned on.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.