Access control through whitelists can limit unwarranted users from gaining access to an organization’s network. But once it is found that users belong to the network, additional authorization determines what services they have access to. Even then, the possibility of a threat or a breach from a rogue within is something that should be anticipated at all times.

Who are these internal troublemakers?

They are those who’d want to access confidential company information, unethically use company resources, upload or download data for unofficial/unauthorized use - some of which can be damaging to the organization, sometimes they are unruly employees refusing to abide by policies, and so on.

The consequences of each of these ultimately end up on the shoulders of the network admin and he is held responsible to restore normalcy and answer for all the mayhem caused.

How to determine and curb such disruptive activity?

Say, your network management system alerts you on abnormally high traffic that is slowing down all users, or you notice that an IP address from another subnet is trying to access a restricted network. How do you go about determining if this is a result of rogue activity? And, if yes, how to put a stop to it?

Three simple steps to help you regain control of your network are:

  1. Acquire Information - For visibility into and to determine the current location of the user, use the IP address or MAC address to retrieve more information on the user’s connection details such as what switch or access point is the user connected to, the port or SSID, host name and even endpoint details.
  2. Round up Evidence - Pull out data about where the user has been connecting to in the past, or drill down to the port level for a connection history. If you maintain a list of IP address details with the MAC and hostname assignment history, then it is easier to track the activity of a suspicious IP address/user.
  3. Seize Control - Once determined as rogue, immediately block and cut off this user from the network. Being able to do this immediately is vital to reduce or prevent damage to the network. The efforts put in the first two steps are rendered useless if the admin cannot immediately block rogue access or activity in the network.

Hence, to be able to quickly determine, locate and remediate an internal threat in as little time as possible would be the essential action in finally busting these internal culprits. Now only if all this was  possible from a single console!

SolarWinds User Device Tracker (UDT) provides network admins the ability to track, locate and block any of these internal unwarranted users. Integration with SolarWinds IP Address Manager (IPAM) can  further support you by providing detailed reports on usage history for a particular IP address. So, download a trial version today and start blocking off unruly users from your network!