On Mon, Oct 15, 2012 at 7:31 PM, Joe Hamelin <joe@nethead.com> wrote:
Jonathan stated that they have health data on the network and only company issued devices are allowed. I would suggest to him that he inventory the equipment via MAC address (I'm guessing that it's mostly standard issue stuff that would be easy to recognize) and then lock down unused ports and setup up monitoring. If a new MAC appears on the network, then it better have been sent there by IT.
I won't argue with that. When no official wireless network is involved, a MAC whitelist can be very effective. It'll catch any casual user attempting to homebrew a WiFi setup and significantly increase the odds of detecting an actual attacker. Even if the switches are at the lowest end of "smart" and only expose a web interface it's not too hard to rig up a screen scraper to list the connected devices on a regular basis and alert if anything new is seen. I'd expect that there are probably at least a dozen commercial and/or open source tools that already exist for the purpose, actually.