On Mon, Oct 15, 2012 at 7:31 PM, Joe Hamelin <j...@nethead.com> wrote:
> Jonathan stated that they have health data on the network and only company
> issued devices are allowed. I would suggest to him that he inventory the
> equipment via MAC address (I'm guessing that it's mostly standard issue
> stuff that would be easy to recognize) and then lock down unused ports and
> set up monitoring. If a new MAC appears on the network, then it better
> have been sent there by IT.

I won't argue with that. When no official wireless network is involved, a MAC whitelist can be very effective. It'll catch any casual user attempting to homebrew a WiFi setup and significantly increase the odds of detecting an actual attacker. Even if the switches are at the lowest end of "smart" and only expose a web interface, it's not too hard to rig up a screen scraper to list the connected devices on a regular basis and alert if anything new is seen. I'd expect that there are probably at least a dozen commercial and/or open source tools that already exist for the purpose, actually.
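The "inventory by MAC, alert on anything new" check the two posters describe, as an added example that is not part of the thread. It assumes a switch MAC table has already been pulled (by SNMP, CLI, or the screen scraper mentioned above) and uses a constructed table dump and a constructed IT inventory; the table format and inventory values are assumptions, not taken from any real switch.

```python
"""Compare the MACs a switch has learned against the IT inventory and flag strangers."""
import re

# Constructed sample: a MAC table dump in the style many switches print.
# Separators are deliberately mixed (dotted, colon, hyphen) to exercise normalisation.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address         Type        Ports
----    -----------         --------    -----
  10    0011.2233.4455      DYNAMIC     Gi1/0/1
  10    00:11:22:33:44:66   DYNAMIC     Gi1/0/2
  20    00-11-22-33-44-77   DYNAMIC     Gi1/0/5
  20    0011.2233.4488      STATIC      Gi1/0/9
"""

# Constructed inventory of company-issued devices, as IT would record them.
INVENTORY = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:88"}

# Matches Cisco-style dotted quads or the usual six colon/hyphen separated bytes.
MAC_RE = re.compile(
    r"(?i)\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b"
)


def normalize_mac(mac):
    """Return the canonical lowercase colon form regardless of the printed separator."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map every MAC found in the dump to the port it was learned on."""
    seen = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header and separator lines carry no MAC
        port = line.split()[-1]
        seen[normalize_mac(m.group(1))] = port
    return seen


def find_unknown(seen, inventory):
    """MACs present on the switch but absent from the inventory, with their ports."""
    known = {normalize_mac(m) for m in inventory}
    return {mac: port for mac, port in seen.items() if mac not in known}


if __name__ == "__main__":
    for mac, port in find_unknown(parse_mac_table(SAMPLE_MAC_TABLE), INVENTORY).items():
        print("ALERT: unknown device %s on port %s" % (mac, port))
```

Run on a schedule and diff against the previous run so only newly appeared MACs raise an alert; as the poster notes, this catches casual additions and raises the odds against an attacker, but a MAC is not an identity and port lock-down remains the stronger control.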