Sticking a router in the middle of the LAN

vistalavista Member Posts: 78
Today, I found a user had brought a wireless router and connected to LAN. Could this be creating any network connectivity issues?

Comments

  • Monkerz Member Posts: 842
    Do you have any other wireless APs within the office using the same channel? Is it in ad hoc mode? Are hosts connected to it and working? Is it against your company network/security policy to have such consumer line products connected to your infrastructure?

    Our director would chew someone's ass for an incident like this.
  • vistalavista Member Posts: 78
    It's a small office so there's not any security policies in place. It's currently working but I'm worried it might cause the network speed to slow down or cause connectivity problems. Do you see that happening?
  • ConstantlyLearning Member Posts: 445
    vistalavista wrote: »
    Today, I found a user had brought a wireless router and connected to LAN. Could this be creating any network connectivity issues?

    Could be giving out DHCP assignments to devices connecting to the LAN, thereby putting them on the incorrect network and causing connectivity issues for said devices.

    Could be creating a wireless entry point to outside users as a result of poor wireless security.

    Two connections into the LAN could cause loop issues.

    I'm sure there's more..

    Tear the head off the user while referencing your security policy.
    "There are 3 types of people in this world, those who can count and those who can't"
  • Forsaken_GA Member Posts: 4,024
    In all likelihood, it won't have much effect. Assuming it's actually connected like a router, it's probably getting an IP via DHCP on its WAN interface, and has the DHCP turned on for its LAN ports/wireless clients, and then it's NAT'ing the traffic behind its WAN port. So it's not likely it'll offer DHCP leases to the other clients on your network.

    As long as only that user is associated to the router via wireless, it's not really any different than if they had their desktop/laptop plugged directly into the port.

    With that being said - allowing unauthorized network gear onto your network is a big no no. The user, in all likelihood, failed to properly secure it, and if they actually are savvy enough to do so, it means they're savvy enough to potentially do other things that could cause network instability.

    If you have the authority to do so, go pull it, or shut its port down and explain to the user it'll be reenabled once he takes his personal property off of the company network. If you don't, go have a chat with whomever you need to about getting it pulled, and outline the reasons exactly why this shouldn't be allowed. If you get shot down, at least then your ass is covered.
  • white96gt Member Posts: 26
    vistalavista wrote: »
    It's a small office so there's not any security policies in place.

    A good opportunity to write some policies and then get them approved. This will help you gain some experience and help you move up in your career.
  • shaqazoolu Member Posts: 259
    Forsaken_GA wrote: »
    In all likelihood, it won't have much effect. Assuming it's actually connected like a router, it's probably getting an IP via DHCP on its WAN interface, and has the DHCP turned on for its LAN ports/wireless clients, and then it's NAT'ing the traffic behind its WAN port. So it's not likely it'll offer DHCP leases to the other clients on your network.

    As long as only that user is associated to the router via wireless, it's not really any different than if they had their desktop/laptop plugged directly into the port.

    With that being said - allowing unauthorized network gear onto your network is a big no no. The user, in all likelihood, failed to properly secure it, and if they actually are savvy enough to do so, it means they're savvy enough to potentially do other things that could cause network instability.

    If you have the authority to do so, go pull it, or shut its port down and explain to the user it'll be reenabled once he takes his personal property off of the company network. If you don't, go have a chat with whomever you need to about getting it pulled, and outline the reasons exactly why this shouldn't be allowed. If you get shot down, at least then your ass is covered.

    This. That router is opening you up to serious issues. Crush the poor soul that thought this was a good idea and start writing some policies. Even if they don't get approved, it will be good experience.
  • rsutton Member Posts: 1,029
    Most SoHo routers have DHCP enabled by default, but that will only broadcast out the LAN ports. If the router was plugged in to the LAN on the WAN port, and then another cable was plugged in to the LAN again, you would probably have to deal with conflicting DHCP broadcasts. It would be silly to connect the router this way, but an unknowing user could do it faster than you can say PBKAC.

    Since it may be tough to lay down the law of the land in a small business, you might try to compromise by taking ownership of the router. I.e. change the admin login, then you can configure the wireless security, disable DHCP etc.
  • Forsaken_GA Member Posts: 4,024
    rsutton wrote: »
    Since it may be tough to lay down the law of the land in a small business, you might try to compromise by taking ownership of the router. I.e. change the admin login, then you can configure the wireless security, disable DHCP etc.

    I wouldn't even be willing to do that. From what it sounds like, this is a user who just brought in his own gear from home and just hooked it up. Taking over management of non-company owned property opens up a host of liability issues.

    If your bosses want wireless in the office against your wishes, they need to purchase the equipment and show it as an asset of the company. This needs to be a management call - he needs to ask them straight up how much the company's data is worth to the company. If it's worth any sizeable amount, the administrator needs to be able to draw up and enforce proper security policies. If they don't want to bother with it, he should seek whatever indemnification for himself he can get.
  • phoeneous Member Posts: 2,333
    If one of my users tried to do that I'd flog them with a cat6 cable, one without a molded boot.
  • Forsaken_GA Member Posts: 4,024
    phoeneous wrote: »
    If one of my users tried to do that I'd flog them with a cat6 cable, one without a molded boot.

    If one of my users tried it, I wouldn't have a conversation with them in the workplace ever again. HR would say anything that needed to be said.

    Putting personal equipment on the corporate network without an explicit exemption from on high is a cardinal sin.
  • jovan88 Member Posts: 393
    switchport port-security FTW
  • rsutton Member Posts: 1,029
    Unfortunately the culture of a small business environment does not always allow for the best practice security policies, although it is our job to always try for that, sometimes we must work with what we have, which means compromise. Of course the best solution is to replace the crap the EU bought with something that is more secure and manageable.
  • bertieb Member Posts: 1,031
    phoeneous wrote: »
    If one of my users tried to do that I'd flog them with a cat6 cable, one without a molded boot.

    Like it, if only I could write such things into the security policies :)
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • tpatt100 Member Posts: 2,991
    At my old job working in the corporate building I found a "wifi" spot and it ended up being someone's phone's mobile wifi. I walked around the third floor with my android phone running a wifi scanner and found several more. Ended up filing several incident reports, documented the names and found out company policy covered cell phone cameras, hard drives in cameras but no mention of wifi. Ended up having to get management to approve some changes to the existing policy and have our IAM send out a company wide email notifying everybody of the changes.

    If anything this is a good opportunity to learn how to write, change and keep up to date company security policies.