Manage security on unmanaged PCs

Started by DarkCorner, November 07, 2023, 04:51:39 AM


DarkCorner

I have a project problem even before a technical one.

I'm working in a small company where users are all on the same LAN, but in offices not close to each other. More than one user has their own personal laptop. Agents and guests often arrive with their own laptops. There is no domain server with AD in the network and therefore no PC is managed.

So, each user does what he wants, thanks also to the lack of a company policy.
Furthermore, there is also a home in the network where personal PCs, SmartTVs and XBoxes are connected to the Internet via the company LAN.
Without forgetting smartphones of all types that connect to home and office access points.

I was thinking of segmenting the LAN with VLANs, but this is useless if I don't limit Internet access and manage traffic.

On the pfSense firewall there is Squid with ClamAV and Squidguard.
I was thinking of using ClamAV as the first additional filter to what is usually NOT installed on the various devices.
Then, I would like to use Squidguard to block part of the traffic using public blacklists and differentiating the use of the network based on accesses or VLANs.

But, how to configure all this correctly?

With the Transparent Proxy I do not filter HTTPS.
To filter and use Clamav over HTTPS I would need to enable "Man in the Middle", but I would need WPAD and a certificate. A solution that in this situation is not recommended to me by other colleagues because users with laptops (the majority) could download (without knowing they have done so) insecure configurations when they are elsewhere, for example with public hotspots.
Furthermore, few know how to change the network settings of PCs and smartphones. I should continuously provide them with extra assistance.

Installing Captive Portal I think would add more problems because guests would still have generic access.

I'm doing a lot of tests without ever finding a satisfactory solution. I welcome all your suggestions.

Thanks in advance.

deanwebb

Welcome to the forums, and I feel that pain.

There are technical aspects to this issue, but there's a very big corporate management one. That is, if you don't have authority to implement security and the company leadership isn't behind you in that effort, you're at risk of putting something in place that gets you fired.

Step one is to get the number of devices on the network and what kinds they are - laptop, desktop, server, phone, other device. Now, if the number is under 100, you can likely do it by pulling MAC addresses off of the wifi controllers and the switches, then look up the first 6 digits of the MAC address online to find the vendor. A little more Google-fu, and you can find out what the vendor makes. That gets you device type and number.

Armed with that, you can then make a case for what should be allowed on the network and what should not. Or, if the "should not" is still permitted, what should be throttled and walled off from corporate assets. A good question to ask is, "which of these devices do you want to expose our corporate data to?"

Now, simply restricting traffic isn't going to do the job, not by half. Most of the breaches start with a phishing email, so you'll need both training and email filtering in place. Next, I recommend doing some scanning of your own - NMAP from the command line or WiNMAP for a desktop application. Scan for the worst of the misconfigured ports being open on your network - Telnet, Remote Desktop Protocol, and VNC. Look for SSH and NetBIOS, as well. Where open and responding, those devices present a clear threat and are likely already compromised. They need to be shut down and that's where corporate buy-in is necessary, so you can get an AD controller and implement some group policy on the Windows devices, at the very least.

I'm ready to carry on discussing, as I have only touched a few areas and would like to know the scale and budget for this effort before getting into solutions. All that being said, what's your gut feeling about this? Security is an area where people can get fired suddenly if they don't have strong backing from managers that understand we can't do everything and that mistakes can and will be made - security's job is to prevent where possible and to mitigate where breached.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
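
The device count described above (pull MACs off the switches and wifi controllers, look up the first six hex digits to get the vendor) can be scripted. This is an added example for the thread, not something posted in it: the switch table and `arp -a` lines are constructed, and the OUI table is a tiny hand-written excerpt, not the IEEE registry, so verify every prefix against the real `oui.txt` before trusting it. It also flags locally-administered MACs, which modern phones use for per-SSID randomization and which carry no vendor information at all.

```python
"""Inventory LAN devices from MAC addresses found in switch tables and ARP output.

Added example for the thread. The OUI table is a constructed excerpt, not the
IEEE registry; for real use load the full oui.txt from the IEEE.
"""
import re
from collections import Counter
from typing import Dict, Tuple

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and Cisco-style aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b"
)

# Constructed excerpt: OUI prefix -> (vendor, device kind this example assumes).
# Verify any prefix against the IEEE OUI registry before relying on it.
OUI_TABLE: Dict[str, Tuple[str, str]] = {
    "005056": ("VMware", "virtual machine"),
    "B827EB": ("Raspberry Pi Foundation", "single-board computer"),
    "7CED8D": ("Microsoft", "console/PC"),
    "001788": ("Philips Lighting", "IoT (smart lighting)"),
    "001CB3": ("Apple", "laptop/phone"),
}

# Constructed sample: a Cisco-style MAC table followed by Linux `arp -a` lines.
# The last line repeats an entry on purpose to show de-duplication.
SAMPLE_TABLES = """
Vlan    Mac Address       Type        Ports
   1    0050.5601.0a11    DYNAMIC     Gi1/0/3
   1    b827.eb12.3456    DYNAMIC     Gi1/0/7
? (192.168.1.20) at 7c:ed:8d:aa:bb:cc [ether] on eth0
? (192.168.1.21) at 00:17:88:01:02:03 [ether] on eth0
? (192.168.1.22) at 00-1C-B3-44-55-66 [ether] on eth0
? (192.168.1.23) at de:ad:be:ef:00:01 [ether] on eth0
   1    0050.5601.0a11    DYNAMIC     Gi1/0/3
"""


def normalize_mac(raw: str) -> str:
    """Strip separators and upper-case: '00-1c-b3-44-55-66' -> '001CB3445566'."""
    return re.sub(r"[^0-9A-Fa-f]", "", raw).upper()


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: a randomized (phone privacy) or admin-assigned MAC.

    Such addresses carry no vendor OUI, so an OUI lookup would be misleading.
    """
    return bool(int(mac[:2], 16) & 0x02)


def classify(mac: str) -> Tuple[str, str]:
    """(vendor, kind) for a normalized 12-hex-digit MAC."""
    if is_locally_administered(mac):
        return ("randomized/local", "unknown (likely phone with MAC randomization)")
    return OUI_TABLE.get(mac[:6], ("unknown", "unknown"))


def inventory(text: str) -> Dict[str, Tuple[str, str]]:
    """Unique MACs found in the text, each mapped to (vendor, kind). Duplicates collapse."""
    seen: Dict[str, Tuple[str, str]] = {}
    for m in MAC_RE.finditer(text):
        mac = normalize_mac(m.group(0))
        if mac not in seen:
            seen[mac] = classify(mac)
    return seen


def summarize(inv: Dict[str, Tuple[str, str]]) -> Counter:
    """Device count per kind: the number to put in front of management."""
    return Counter(kind for _, kind in inv.values())


if __name__ == "__main__":
    inv = inventory(SAMPLE_TABLES)
    for mac, (vendor, kind) in sorted(inv.items()):
        print(f"{mac}  {vendor:<25} {kind}")
    print(summarize(inv))
```

Feed it the raw text of `show mac address-table` from each switch plus the ARP table from the pfSense box; anything classified as randomized/local will have to be identified by SSID or DHCP hostname instead, because its OUI is meaningless.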

icecream-guy

Yes, like deanwebb says, if this is a corporate network, to secure it you NEED to have buy-in from management, otherwise you will probably be out of work shortly. Identify devices, build a case, make recommendations, provide solutions, request a budget for securing the network, and implement recommendations. If management is not keen on securing their network, what was it that he (deanwebb) said, hop into your Porsche Boxster and peel out of the parking lot... screaming it's all on you (expletive), because you don't want to be there long.

The budget really depends on the solutions that management is willing to support with your recommendations. I would suggest contacting 3 vendors, building a Bill of Materials and presenting it to management (with your recommendations) to support the budget request. It could be 500K to 5M; it really depends on what you are trying to protect, and what the loss to the company would be if that data were compromised or lost, or encrypted.

Recovery cost would need to be determined by management or accounting. If it's going to cost 2M to recover and you can protect with 500K, that's a no-brainer. If it's going to cost 2M to recover and 2.5M to protect, that is not your decision, but it may be viable depending on what you are protecting. But that is risk assessment and not part of network security.
:professorcat:

My Moral Fibers have been cut.

DarkCorner

First of all, thanks for your replies.

A first general comment right away.
This is a small company; the number of users with desktops is less than 15 and the rest are all laptops.
Sure, the warehouse worker who works alone can also secretly access a porn site, or the employee can spend her time on Facebook.
But I have to leave more freedom of access to the Internet for those who work in marketing and I can't block the boss's access.

As I said initially, in my opinion the biggest problem comes from devices that are not under management.
A good example would be that of a school where students connect to the network with their laptop, but where you cannot manage their PCs or their smartphones.

Returning to the company, if there is an event in the showroom or in the meeting room, I cannot block the Internet or limit it to a predefined whitelist because there may be the need to consult an external site. For example, a competitor's website or a web magazine to see how the banner looks.
Not to mention the need to allow a guest to access his/her email or website.

I thought I could manage this by replacing the switches and access points with devices capable of managing VLANs so as to segment the network.

Again for example, in the personal apartment I can create a VLAN for personal devices (SmartTV, XBox, etc.), one for the children and one for those in the family who work in the company and who need to access the services or the NAS even from home.
User desktop PCs will be on one VLAN, company laptops on a second VLAN, agent laptops on a third, guest laptops on another, smartphones on yet another, etc.

Using Squidguard on the Squid proxy I can differentiate access by blocking entire categories (such as porn, sport and social networks) and adding specific websites into blacklists and whitelists.

However, I was wondering how to manage these filters. Not so much at the level of specific configuration or firewall rules, but primarily at the design level.

If I want to use ClamAV I have to open packets for what is now predominantly HTTPS traffic.
As I was saying, I'm perplexed by the use of the "Man in the Middle" and the difficulty in automatically configuring devices of people I don't know (such as guests and sales agents).

Furthermore, the considerations of some colleagues worry me.
I'm going to "impose" the use of wpad.dat on a person who then goes somewhere else and downloads a wpad.dat from an unauthorized website.
Who is responsible if something happens with this access that shouldn't have happened? This guest, who didn't check properly, or me, for having allowed him to download wpad.dat automatically?

Finally, as for the budget, it is commensurate with a small company.
For switches and access points I will focus on devices like Ubiquiti while the firewall is already a PC with i5 quad core and 16GB of RAM, enough to manage both the proxy and future VPNs.

I don't think that replacing it with an appliance firewall will change anything if I don't solve the segmentation and filtering problem.
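
The per-VLAN policy sketched above (one VLAN per device population, blocked categories from public blacklists, plus company-specific allow and deny lists) maps directly onto squidGuard's `src`, `dest` and `acl` sections. The fragment below is an added example, not a configuration posted in the thread: the subnets, list paths and block-page URL are assumptions, and on pfSense the squidGuard package generates the equivalent file from its "Target categories" and "Groups ACL" pages rather than from a hand-edited file.

```conf
# squidGuard.conf fragment (added example; paths, subnets and block page are assumed)
dbhome /var/db/squidGuard
logdir /var/squidGuard/log

# Sources: one entry per VLAN subnet, so the VLAN design drives the policy.
# A client is matched against the acl entries in order; first match wins,
# so the marketing hosts (a few fixed addresses on the desktop VLAN) go first.
src marketing {
    ip 10.10.10.50-10.10.10.59
}
src staff_desktops {
    ip 10.10.10.0/24
}
src company_laptops {
    ip 10.10.20.0/24
}
src agent_laptops {
    ip 10.10.30.0/24
}
src guests {
    ip 10.10.40.0/24
}

# Destinations: public blacklist categories plus the company's own lists.
dest porn {
    domainlist porn/domains
    urllist    porn/urls
}
dest social {
    domainlist social_networks/domains
}
dest sport {
    domainlist sport/domains
}
dest company_ok {
    domainlist company/allow/domains    # competitor sites, web magazines, etc.
}
dest company_no {
    domainlist company/deny/domains
}

acl {
    marketing {
        pass company_ok !company_no !porn all
        redirect http://10.10.10.1/blocked.html?url=%u&src=%s
    }
    staff_desktops {
        pass company_ok !company_no !porn !social !sport all
        redirect http://10.10.10.1/blocked.html?url=%u&src=%s
    }
    company_laptops {
        pass company_ok !company_no !porn !social all
        redirect http://10.10.10.1/blocked.html?url=%u&src=%s
    }
    agent_laptops {
        pass !porn all
        redirect http://10.10.10.1/blocked.html?url=%u&src=%s
    }
    guests {
        pass !porn all
        redirect http://10.10.10.1/blocked.html?url=%u&src=%s
    }
    default {
        pass none
        redirect http://10.10.10.1/blocked.html?url=%u&src=%s
    }
}
```

Two caveats a practitioner would want here. First, `pass` is evaluated left to right and stops at the first match, which is why `company_ok` comes before the negated categories: an explicitly allowed site wins even if a public blacklist also lists it. Second, without decrypting HTTPS the proxy only ever sees the hostname, so `domainlist` entries still work for HTTPS sites but `urllist` (path-level) entries only apply to plain HTTP; that is the real cost of not doing the man-in-the-middle setup the thread is worried about.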

deanwebb

Small company means as close as you can get to free is going to be the solution the bosses will want to see. Accounting is architecture.

Windows Defender with a high level of settings will accomplish a great deal on Windows desktops and PCs, and is free with Windows. Encourage people to turn it on and see if you can arrange for either yourself or managers to do walk-by spot checks to make sure it's up and running.

Do the NMAP scan daily or weekly and ping via email and chat any offenders to turn off the offending application. Be the nagware - it's free(ish) because your time is already paid for and folks will not want to turn something on that's going to result in nagging. That can close off some of the biggest potential threat vectors.

Your corporate email solution may already have anti-spam and anti-phishing measures in place. Doing a corporate phishing awareness campaign can help to reduce your exposure to that threat vector.

To determine VLAN membership, Ubiquiti has good tools for creating VLANs, placing security rules on them, and assigning switchports or wireless devices to VLANs. The catch is that if a person connects a red-zone device to a green-zone port, that person gets green-zone access for the red-zone device. Getting a full-blown dynamic network access control solution will either be complicated, more costly than what you already have, or both.

I would NOT break into HTTPS traffic. All kinds of potential legal and HR issues can result from that, and you're simply not protected in a small company from potential hazards resulting from access to encrypted information.
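
The scan-and-nag loop deanwebb describes here and in his earlier post (scan for Telnet, RDP, VNC, SSH and NetBIOS, then chase the owners of anything that answers) needs a parser for nmap's output and a way to tell new offenders from last week's. The script below is an added example, not from the thread: the `-oG` sample is constructed, the port list and severity labels are this example's own choices, and the subnet in the comment is assumed. As icecream-guy notes later in the thread, run the actual scan only with written authorization.

```python
"""Parse nmap grepable (-oG) output and list hosts exposing risky services.

Added example for the thread. Intended scan (subnet and port list assumed;
run only with written authorization):
    nmap -p 22,23,139,445,3389,5900 -oG scan.gnmap 192.168.1.0/24
"""
import re
from typing import Dict, List, Tuple

# Services singled out in the thread; the severity labels are this example's own.
RISKY_PORTS: Dict[int, Tuple[str, str]] = {
    23: ("telnet", "critical"),
    3389: ("rdp", "critical"),
    5900: ("vnc", "critical"),
    22: ("ssh", "review"),
    139: ("netbios-ssn", "review"),
    445: ("smb", "review"),
}

# Constructed sample of nmap -oG output (not a real scan). Fields are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.20 (ws-marketing)\tStatus: Up
Host: 192.168.1.20 (ws-marketing)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 192.168.1.31 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 5900/filtered/tcp//vnc///
Host: 192.168.1.50 (nas)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
PORTS_RE = re.compile(r"Ports: ([^\t]+)")


def parse_grepable(text: str) -> Dict[str, Dict]:
    """Return {ip: {"name": hostname, "ports": [(port, state, service), ...]}}."""
    hosts: Dict[str, Dict] = {}
    for line in text.splitlines():
        hm = HOST_RE.match(line)
        if not hm:
            continue
        ip, name = hm.group(1), hm.group(2)
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        pm = PORTS_RE.search(line)
        if not pm:
            continue  # status-only line, carries no port data
        for item in pm.group(1).split(","):
            # grepable port field: port/state/proto/owner/service/rpcinfo/version/
            fields = item.strip().split("/")
            entry["ports"].append((int(fields[0]), fields[1], fields[4]))
    return hosts


def risky_open_ports(hosts: Dict[str, Dict]) -> Dict[str, List[int]]:
    """ip -> sorted risky ports that are actually open (filtered/closed are ignored)."""
    findings: Dict[str, List[int]] = {}
    for ip, info in hosts.items():
        ports = sorted(p for p, state, _ in info["ports"]
                       if state == "open" and p in RISKY_PORTS)
        if ports:
            findings[ip] = ports
    return findings


def new_findings(previous: Dict[str, List[int]],
                 current: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Ports risky now that were not in the previous run: what to nag about this week."""
    delta: Dict[str, List[int]] = {}
    for ip, ports in current.items():
        fresh = sorted(set(ports) - set(previous.get(ip, [])))
        if fresh:
            delta[ip] = fresh
    return delta


def build_notice(ip: str, hostname: str, ports: List[int]) -> str:
    """Plain-text message to send to the device owner."""
    lines = [f"Device {ip} ({hostname or 'no DNS name'}) is exposing services on the office LAN:"]
    for p in ports:
        service, severity = RISKY_PORTS[p]
        lines.append(f"  - tcp/{p} {service} [{severity}]")
    lines.append("Please disable the service or restrict it to the hosts that need it.")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GNMAP)
    current = risky_open_ports(hosts)
    # Constructed result of last week's run, to show the delta.
    previous = {"192.168.1.20": [139, 445], "192.168.1.31": [22, 23]}
    for ip, ports in new_findings(previous, current).items():
        print(build_notice(ip, hosts[ip]["name"], ports))
        print()
```

Note that 5900 on 192.168.1.31 is reported as filtered, not open, so it is not an offender: a host-based firewall that drops the probe is doing its job and should not be nagged. Persist `risky_open_ports()` output between runs (a JSON file is enough) so that each scan only generates notices for regressions.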

icecream-guy

Doing anything against company policy is a path to Nowheresville, IN. You need buy-in, and acceptance (in writing, to CYA) that anything you do is recommended and/or approved by management, and only do what is approved by management; making decisions on your own leads to liability, and liability leads to joblessness. Not your company, not your decision, so all you can do is make recommendations; it's up to the company to make the final decisions, accept liability and task you to implement your recommendations, rather than you. If they decide not to do anything, it's not your call. It's not your company (unless you have some stock-sharing incentive that I am not aware of).


deanwebb

Quote from: icecream-guy on November 08, 2023, 05:22:00 PM
Doing anything against company policy is a path to Nowheresville, IN. You need buy-in, and acceptance (in writing, to CYA) that anything you do is recommended and/or approved by management, and only do what is approved by management; making decisions on your own leads to liability, and liability leads to joblessness. Not your company, not your decision, so all you can do is make recommendations; it's up to the company to make the final decisions, accept liability and task you to implement your recommendations, rather than you. If they decide not to do anything, it's not your call. It's not your company (unless you have some stock-sharing incentive that I am not aware of).

^ Quoted for truth.

Get it IN WRITING

And then make copies of that IN WRITING part for your own records, both electronic and hard copy. Store in a secure location. I am not joking around. CYAWP - cover your a$$ with paper - is the key to survival in this business.

icecream-guy

I'm in network security; my job is to find vulnerabilities and weaknesses in systems. But I can't even run a Tenable scan or NMAP without authoritative permissions; otherwise it might be construed that I am hacking the network.