Hi, can someone recommend me what is the best solution/way to enforced a policy on a contractor's laptop when they connect to our network either wireless or wired.

We want to make sure they are not bringing any virus from outside in and effecting our systems.

We are in a workgroup evironment running windows xp. We are running symantec corp 10.

What would be some of the hardware/software we need to purchase?

thanks for your input.

You have no way to enforce a policy in a workgroup.

Alternatively you could setup a website internally that when first connected would run a AV scan. Like internet cafe software.

Imagine the power of knowing how to internet search
http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/FindInfo.html

You could also try using Cisco's Clean Access program, but this is probably beyond your budget. Wanderer's suggestion seems like the best bet.

-Ryan Adams
http://RyanTAdams.com

Or, put the computer outside the firewall so it has Internet access but not access to your internal network.

Life's more painless for the brainless.

Really, hmmm, so it must be through a domain then... How would it be done in a domain envornment if that is the way to go? Is there things we need to purchase other then a server?

You mention AV scan through a internal website. That sounds like a plan but we don't have an internal website. Is it hard to create one and how would you go about running a AV scan from there?

Thanks for your reply.
Thanks for you links.

We have a wireless network that is public internet and that's what we let vendors/contractors use. What Jennifer SUMN said.

I like long walks, especially when they are taken by people who annoy me.

Thanks for all the post... Jennifer that sounds good. Hmm, would you have any link to how to do that? I'll be looking on google as well.

Multiple ways of how to do it, without knowing the way that your network looks it's hard to tell you how to do it. We have a public vlan that we use and you could put a port that the contractor plugs into in that public vlan, or an access point in that public vlan.

I like long walks, especially when they are taken by people who annoy me.

I see, that makes sense.. We do have a manage cisco router with VLAN capability.. I'm pretty all we need to do is figure out how to configure it then we'll be set.

Currently, all pc are hook to the manage switch (no settings configure) then the switch to the internet.

Thanks, I'll look into VLAN.

That does not address your question. If the vlan has access to the servers you still have a AV threat issue.

Imagine the power of knowing how to internet search
http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/FindInfo.html

If it's a public vlan then it won't have access to the private vlans, it works, that's how I'm configured.

I like long walks, especially when they are taken by people who annoy me.

I may have a little more control though, we are an ISP so I control the Internet Core router.

I like long walks, especially when they are taken by people who annoy me.

That's right wanderer, it doesn't solve the AV scan part... Hmm, what would you do in this setup?

Hardware
1 managed cisco switch (48 ports)
10 computers all XP sp2
1 windows 2003 server

Software
Symantec Corporate 10.0
Windows defender
Spybot search and destroy

All computers hook up to the manage switch and are in workgroup environment..

Budget to spend... $0 dollars.

Have them use a live cd to access rdp.

You can not secure their sytem any other way.

Syamntec has not been able to secure a large companies lan of root kits. Their solution was to clean boot every computer on the lan.

I read it wrong and answer it wrong too. So get off my case you peanut.

Hi Jefro... Live CD access RDP? I'm not familiar with this. So, the contractor would run a RDP session from a CD through their laptop and connect with an inside computer to access resources? Isn't it possible for virus to go from one system to their other via remote desktop/vnc?

Nem0 assuming you have AV on the server and all workstations, with that setup I wouldn't do anything. You are protected by Symantec. Just keep SAV updated and you are fine.

Imagine the power of knowing how to internet search
http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/FindInfo.html

Only if a windows live cd was used and it mounted the contractors disk. Most if not all such disks are linux based. (ok, beos, qnx, solaris and bsd too)

Not sure I have ever heard of a cross platform virus other than maybe some claims of java.

There are some reall simple cd's out there just for this. See also knoppix, 2x, and bsd based solutions. Almost all live cd's offer remote desktop, openldap and vnc solutions.

I read it wrong and answer it wrong too. So get off my case you peanut.

Jefro - thanks
Wanderer- maybe i ask the wrong questions but to clarify.. some business have it set up where when a consultant connects their laptop to the company's network, the laptop gets scan. If it doesn't meet the security policy or is update to the latest services packs, it's deny access until it's updated... Is that something I would be able to do with my setup without a domain?

I was just curious because today we have three auditors who brought laptops in and had it connected to our network. I'm not sure if they have any virus softwares on their systems but just thinking what the damage could be if they had virus on their computers... better to have it meet our policy first then having to go back and fix everything...

hope it makes sense.

Oh I do understand your issue.

What you describe in your first paragraph is specialized software. Our local University of Oregon went to this type of software last year for the campus wireless access.

My understanding of how this works is with an access all traffic is directed to a server containing the software. It scans the remote pc and if found lacking denies access with a message as to updates required.

The software does not update the unit. After all that is a risk. Remote user wouldn't be too happy with a boat anchor for a laptop.

The next issue is "enforcing a policy". Most contractors will not allow you to join their laptop to your domain. They don't want your GPO on their machine. Understandable. Without a GPO I don't see how you can automate a scan of their pc via Active Directory.

Last but not least you can get hardware firewalls that have AV and Spam subscriptions. We do this with Sonicwalls. You would give them access via the sonicwall to your lan. The sonicwall will scan all traffic for Virus's.

Imagine the power of knowing how to internet search
http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/FindInfo.html

Thanks for clarifying Wanderer.. I appreciate everyones' comments and help.

We have to deal with similar situations on a regular basis at the university where I work.

We already have in place a "public access" internet only type network which does not allow access to internal resources. However, since the auditors tend to need access to internal resources this can be a problem. Since we already have VPN access in place, they are allowed to come back into the internal network via the VPN.

NOTE: non University laptops/PC's are strictly not allowed direct access (to be plugged directly into) to our internal network since we don't set them up, maintain them and don't know where they've been....lol

We have all the resources in place and in a case like this, all that needs be done is to create them a VPN account, install the client VPN software (which they then uninstall after they're done their jobs and leave) and show them how to connect.

You however don't have such a 'public access' network setup. Since your main concern seems to be virus issues (whereas we are concerned with privacy issues and people accessing data the shouldn't be) may I offer a rather simple suggestion?

Why not just check and make sure they have up-to-date antivirus software and have them do a scan before plugging into your network? If they don't have antivirus software, install yours, scan, if the unit is clean, you can then uninstall the AV software.

Next time create contracts that allow only your trusted computers on the lan. Use the cost basis of that to be part of the contract. That is let the contractor lease your computers as part of the agreement.

Why do they need to use their computers to access your data?

I read it wrong and answer it wrong too. So get off my case you peanut.

"I was just curious because today we have three auditors who brought laptops in and had it connected to our network. I'm not sure if they have any virus softwares on their systems but just thinking what the damage could be if they had virus on their computers... "

If your worried about their computers giving yours viruses, why not just scan their computers?

You can't be sure their computers are clean. You can only check for the known virus's in your scanners database. You also may not be able to prevent root kits.

Why not take action instead of waiting for a disaster? Enforce a strict policy. If they are a contractor make them use your computer.

To me it is like the kids down the street. Sure they may not pee in the pool.

I read it wrong and answer it wrong too. So get off my case you peanut.

Oh Ho Hum.
I use Knoppix live Linux disc inside a clients (or as old times on Russia owned or China owned computers in their systems.)
This gives me as a contractor a complete ability to communicate outwards (LAN, Dial up, Wireless)or access their hard disc to read files but total inability to write to their hard discs. I can only write to my USB disc attached to their computer which is AV scanned on connection. Supply contractors with Knoppix Live Cds and get them to bring in their files (if any)on a USB hard drive you can scan.
Regards
eion

regards
eionmac