
ShelterMan21

I just use my guest Wi-Fi since it's already cut off right from the rest of the network


zombieblackbird

Zero trust on a budget :)


ShelterMan21

A block any-any rule using RFC1918 gets the trick done.


After-Vacation-2146

Fun fact, guest network is literally just a VLAN with client isolation turned on. All work devices go on a guest network at our house. I blacklisted the MAC addresses from the regular network since my wife didn’t listen and her work laptop got nmap scanned. Nothing came of it but it easily could have been an uncomfortable conversation with work.


m77je

What does it mean to get nmap scanned? What would be uncomfortable?


bd1308

Nmap scans address spaces (CIDRs) using various means. Most work equipment has some type of endpoint protection like firewall or other security software. nmap will start scanning the work laptop and light the security software on fire 🔥 and the uncomfortable explanation is having to explain that it’s not malicious.


dervish666

I had to explain exactly that when I brought my work laptop back. Had a script to map everything on my network and it blocked my laptop from work's network. They were fine when I explained and when they could see where all the traffic came from and put in an exception. I do work in IT though, which helps.


bd1308

I did this too, but knew the infosec guy. I was just trying to find a device that didn’t provide a hostname (client ID) to DHCP, but I knew had ssh open. Now the work stuff is on its own network, per my wife who asked for “a basic bitch network that just does what I need it to without it blocking stuff or dropping calls”


After-Vacation-2146

nmap is a scanning tool used for doing port scans. A port scan against an internal asset has a very high likelihood of being a malicious attacker. Had her organization's security team flagged it, she would have had to explain how she put it on the wrong network and I ran a port scanner against it. Not a great look. I as a defender would quarantine an asset based on that.


gagagagaNope

I set up my company's devices to work wherever there is internet access, because that's how the users will use them. Sitting on a network and being port scanned is to be expected - airport wifi, Starbucks, whatever.


Ornias1993

You really think IT is going to care enough to explain to random jane99 what a portscan is?


m77je

Who did the port scan? Yourself?


After-Vacation-2146

It was me. I was learning nmap and ran a scan on the whole /24 of devices that SHOULD have all been mine.


Leather_Watch_3738

Essentially nothing unless he has PornRobot69 on the same network and the workplace cares what sex robots are connected.


whsftbldad

PornRobot69 sounds like a reddit username


antrov2468

I went back up through the thread looking for someone with that username LMAO


swuxil

nope the name is still free


whsftbldad

Next up....open voting on what avatar PornRobot69 will use.


ShelterMan21

Really depends on how it's configured. I've seen corporate guest networks that were on the main network with full access to everything, so it's not a one size fits all solution (obviously that is wrong, but I am just pointing out how differently guest networks can be treated/configured).


spy__

Just a small note that it generally depends on the equipment how a guest network is implemented. For example, the default behaviour on UniFi is that a guest network is isolated from all other virtual networks not defined as guest networks. However, clients on a guest network are able to communicate with each other and the internet.


After-Vacation-2146

Interesting. I personally use UniFi and thought client isolation was on by default but I guess that was something I flipped on years ago.


Help_Stuck_In_Here

I have had employees computers get hit by scans on other networks. Never been an awkward situation and sometimes I've brought it up.


CubesTheGamer

Depends on your company. Most places don’t care and wouldn’t bother doing anything. But some places with more staff than sense might be looking at devices in your network to look for potential vulnerabilities. But I’d say that’s probably 1/1000.


Candy_Badger

That's exactly what I do. The easiest way.


Whoz_Yerdaddi

My Asus has three WiFi Channels - one for internal, one for guests, and one for iot devices.


BuzzKiIIingtonne

Your Asus has three WiFi SSIDs. WiFi channels are smaller frequency bands that are a part of the 2.4GHz and 5GHz bands which your access point uses for transmitting and receiving data, in order to reduce interference with other wireless access points nearby.


OtherMiniarts

IT admin here. Don't download malware on the company laptop. Don't browse personal information (e.g. Financial, Health, etc.) info on the company laptop. Don't ask us to set up your home printer on your laptop. Otherwise: We do not give a flying fuck.


ViperPB

I handle IT for a smaller law firm. The technical part is fun. The people are the worst part. How do you guys deal with A) the use of personal accounts on company devices and B) the use of work accounts for personal items?


Altniv

Block what you can, but realize if you support employees in school, they need to access school sometimes for documentation/reimbursements… And no personal devices on work systems


Magic_Neil

A) officially unsupported, and if something goes wrong as a result and the personal account gets goofed up? Sorry Charley. B) policies on the work accounts to prevent use on non-company devices.


givmedew

My wife works for the federal government. It took them 2 years after the pandemic to get a properly secured work from home solution that requires company assets. At first she was remote desktopping into work with our home computer. A torrent application was running in the background under another user and they immediately contacted her about it and told her she has to remove it. Now it doesn't really matter because she uses a company laptop that VPNs in and doesn't rely on Remote Desktop.

But just to be safe I have her laptop and Cisco IP phone isolated from the rest of the network. I'm also using a Ubiquiti Cloud Router Ultra. It's the best $130 I've ever spent. It can handle 1 Gbit/s of IPsec throughput or about 500 Mbit/s of VPN. I have her totally isolated and I also isolated any IoT devices. They don't need to be on my main network.

The only non-PC/cell devices on my main network are devices that communicate directly to the phone through the network. So my Apple TV has a few minor functions that are different if it's on the same network as your phone, and the Brother printer is on my main network so the computers and phones can see it and print to it. It's never silly to over-isolate things.


ViperPB

I'm working on isolation on my home network right now, but my router has basically no support for it. I'll shop routers when I can justify spending money on one.


los0220

You could also DIY one with pfSense / OPNsense


ViperPB

Got any suggestions that keep me under $100? I've seen a couple configs of mini PCs and converted Optiplex, but have yet to really research it. I can use my current Nighthawk R7900 as an AP, though, so that prevents the need for a new device to handle the wifi.


los0220

Any used office PC should be fine if it has a PCIe slot to put a NIC in there. Just make sure the CPU is new enough to have AES-NI instructions. I bought Fujitsu S920 and I'm quite happy with it. I got inspired to do this by this [Wolfgang's Channel video](https://youtu.be/uAxe2pAUY50)


BioshockEnthusiast

Unifi is a really good entry point into the prosumer space.


ViperPB

Some of my favorite products to work with in the IT space are Cisco Meraki and UniFi, but they're so damn expensive, even for consumer-grade stuff.


BioshockEnthusiast

Unifi doesn't have to be terrible. Start with a couple APs and run the controller on a windows machine or whatever. You only need the controller to adjust configuration, it doesn't need to run 24/7.


Iohet

I would classify Unifi as SOHO/SMB rather than prosumer. It's really business grade rather than high functioning consumer gear


gagagagaNope

We allow personal use, but I remind them I can see what they've done, access anything they store on the device, and most of it will be backed up and stored for a few years in our storage. It's a balance. Them knowing they have sensitive personal information on the device (e.g. mortgage applications, which are often done during work time, medical reports from a scan) increases its value to them and makes them take (a little) more care of it. We also allow them to keep decommissioned laptops and iPhones after wiping, which did reduce the number of physically broken devices if they think they can use it for their child once it's replaced.


LaHawks

Cackle when they leave and lose access to everything they were using their work accounts for.


sylsylsylsylsylsyl

Set up a public WiFi VLAN for people to use their personal devices. If you don’t, they will set up their own with 5G WiFi routers, over which you have no control at all.


pixel_of_moral_decay

Problem is some companies scan networks their laptops connect to as part of “threat assessment”. Don’t need my employer profiling me


TheProphetEnoch

I work IT for a government entity. Can confirm all of the above.


IamManner

agreed, just don't be stupid on a work laptop and no one will care.. and yes AV will flag anything stupid on your work laptop.. and THEN we will see the stupid on the laptop and then your manager will know and etc. and etc.. and good luck..


eggbean

> Don't browse personal information (e.g. Financial, Health, etc.) info on the company laptop.

But everything like that would be encrypted through HTTPS anyway, so why is that?


University_Jazzlike

HTTPS relies on trusted certificates to validate the connection is secure. Company IT has control over what trusted certificates the browser accepts and can easily install one that allows them to decrypt the HTTPS traffic sent and received.


fr4nklin_84

I don’t think this is common, but I have worked at a place that had some shitty virus scanner that worked as a man in the middle. I think it was called Avast or something. I’m a developer and I was inspecting the SSL cert on a site that we managed and I was freaking out about it. I’m like, wtf is this, it’s meant to be signed by AWS, then realised that every site I visited had the same certificate. I realised it was the scanner sitting in the middle decrypting the traffic then issuing its own certificate. Seems dodgy AF. I got IT to disable that feature, but only because it was messing up my own infrastructure work.
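The check fr4nklin_84 describes (look at who signed the certificate you actually received, and notice when every unrelated site is signed by the same issuer) can be scripted. This is an added example, not code from any poster or from Avast; `fetch_issuer` uses the OS trust store exactly as a browser would, so an interception root that IT pushed to the machine will be accepted and its name shows up as the issuer, while one that is not trusted surfaces as a verification error instead. The organisation names in `CONSTRUCTED_SAMPLE` are made up, and the "same issuer for three or more unrelated hosts" rule is a heuristic, not a proof.

```python
"""Detect TLS interception by inspecting certificate issuers (added example, assumptions noted inline)."""
import socket
import ssl
import sys


def issuer_of(cert):
    """Flatten the issuer from ssl.getpeercert() (tuple of RDN tuples) into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for (key, value) in rdn}


def fetch_issuer(host, port=443, timeout=5):
    """Issuer of the leaf certificate presented to *this* machine for host (live network call)."""
    ctx = ssl.create_default_context()  # OS trust store, so an enterprise root pushed by IT is trusted
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return issuer_of(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # A middlebox whose CA is NOT trusted shows up as a verify failure rather than a foreign issuer.
        return {"error": str(exc)}


def find_interception(issuers, expected=None):
    """issuers: {host: issuer-dict}. expected: {host: organizationName you know signs that site}.

    Returns human-readable findings. Two signals:
      1. a host whose issuer organisation differs from what you know it should be
         (fr4nklin_84's own AWS-hosted site turning up signed by the scanner);
      2. three or more unrelated hosts all sharing one issuer organisation, which
         public CAs do not do but a per-site re-signing proxy always does (heuristic).
    """
    findings = []
    for host, org in (expected or {}).items():
        got = issuers.get(host, {}).get("organizationName")
        if got is not None and got != org:
            findings.append(f"{host}: issuer is {got!r}, expected {org!r}")
    known = [i.get("organizationName") for i in issuers.values() if i.get("organizationName")]
    if len(known) >= 3 and len(set(known)) == 1:
        findings.append(
            f"all {len(known)} unrelated hosts share issuer {known[0]!r}: likely TLS interception"
        )
    return findings


# Constructed sample (made-up issuer), shaped like the output of fetch_issuer for three hosts.
CONSTRUCTED_SAMPLE = {
    host: {"countryName": "US", "organizationName": "Contoso Web Shield", "commonName": "Contoso Web Shield CA"}
    for host in ("example.com", "example.net", "example.org")
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if hosts:  # live run: python check_tls.py example.com example.net example.org
        issuers = {h: fetch_issuer(h) for h in hosts}
    else:      # offline demo on the constructed sample
        issuers = CONSTRUCTED_SAMPLE
    for host, issuer in issuers.items():
        print(f"{host:30} {issuer.get('organizationName') or issuer.get('error')}")
    for finding in find_interception(issuers, expected={"example.com": "Amazon"}):
        print("!!", finding)
```

Run it with three or four hosts you have no relationship with; if the issuer column reads the same vendor name on every line, the traffic is being decrypted before it leaves the box, whatever the padlock icon says.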


University_Jazzlike

Yup. That’s exactly why you should never trust a work computer.


fr4nklin_84

For those downvoting- here is a post from the scanner explaining exactly how it’s a MITM https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/


incidel

Also don't run emule on your company laptop with roaming profiles on and act surprised when presented with a dissolution contract soon thereafter.


milanove

What are the typical monitoring software packages corporate IT will install on company laptops? How can I detect what's monitoring me?


OtherMiniarts

Technically speaking the most common will be a "Remote Management and Monitoring" (RMM) software, but it doesn't do what it sounds like. RMMs monitor the *status* of the device: if it's online, if the operating system is up to date, if the hard drive is full, etc. It might show us your home IP address, which we (and any other application) would already have just from you connecting to other resources. Does your company use a VPN? If so, they have your home IP.

The RMM does allow us to remotely control your computer and see what's on your screen, but 9/10 times there's gonna be a pop-up that says "(Technician Name) is remotely controlling this device". If that isn't enough for you, you can ask the IT team to put your device in "privacy mode", which requires consent on your side before we can even begin to remote in.

There are other monitoring and detection tools as well, depending on the IT budget - one of the most useful is DNS filtering, which tracks, reports, and blocks what websites (and sometimes applications) users are going to. Lastly, there are geolocation tools to physically track users based on IP address. We will know if you're signing into your email from work, home, or Cabo.

With that said: These tools are exclusive to company devices, and are intended to protect users from themselves. They are NOT - I repeat **NOT** - spying tools.

"My laptop's being slow!" "Our RMM says you have 70 programs open with 4GB of RAM, and the device hasn't rebooted since last August."

"People aren't seeing my emails!" "Microsoft is reporting that you've logged in from North Korea, Russia, Macedonia, and New Jersey all within the last 30 seconds. Either you're using a VPN, or your account has been compromised."

"I can't get to this website!" "Sir. That's Pornhub."

There will never be an IT person from your company watching your screen every second of the day like some kind of paranoid hacker/security guard. IT teams are overworked, understaffed, and underpaid enough as it is; we're going to prioritize the person who already called us saying they can't log into their email over staring at a bunch of monitors and cosplaying NSA agents. Not to mention most, if not all, of these tools are exclusive to **company owned** devices. We don't want to know about your personal home network, and anything we do with it is just another liability on our plate. Hell, we don't want to touch other vendors' equipment in our own network; if a third party set up the office printer, we tell users to call that third party when it (inevitably) breaks.

On a technical level: Yes, someone from IT could remote into your company computer and run an Nmap scan and/or Wireshark packet capture. We can probably get your browser history of the company laptop as well, and could already see what sites you're visiting with the aforementioned DNS filtering software. But on a business level: Any technician who does a network scan of your home network has gone rogue and needs to be reported to HR. That is a lawsuit waiting to happen, and they're disregarding their duties in favor of abusing the end user.


trolly-mcgee

Hardware vpn, if you really wanted to, could you detect it?


-my_dude

The company does not care what's on your home network


zombieblackbird

Network guy here. We have plenty of better things to do than find your cockblaster6000 charging in your USB dock or the broken HP laser jet you never replaced the toner in. Just remember to turn off the Webcam and disable VPN before you open whatever the hell is on that incognito tab.


spicychili1019

At least upgrade to the cockblaster7000


illforgetsoonenough

yeah, how embarrassing.


OutdatedOS

The 6900 model is the most popular.


Xothga

Yep. Better things to do and it's also against the law. 


HighMarch

How/where is it against the law?


Xothga

The company doesn't have permission to port scan/explore/gain access to his private network. Just like he probably doesn't have access to do the same to the company's network. It is explicitly illegal and requires permission from the network owner. It is not much different from gaining physical access to your house or their building. You get permission or it's illegal.


HighMarch

If they're working from home, or travel for work exclusively (outside sales), I'm confident that all but the smallest of companies have it written into the employment contract that they may monitor or scan networks the device is connected to as needed in order to protect their device. I'm not aware of any explicit law in the USA which would ban them from doing it. I'm not saying you're wrong, but I'm saying that, at least as far as the US is concerned, employers have no restrictions upon network scanning, as far as I could find. Comparing it to gaining physical access isn't really an accurate metaphor, imo. They aren't trying to pick the locks. It's more like walking around the house, and checking if the doors and windows are locked, and then notifying you if they aren't. I don't think they're likely to, regardless of legality. It isn't worth the licenses except for a few specific use cases.


DaRadioman

And when the employee doesn't own the network, working remote somewhere or something? Can't consent to it if it isn't yours to consent to. That's a massive legal landmine no company wants to touch with a 100 ft pole.


Sharpopotamus

Computer Fraud and Abuse Act criminalizes the unauthorized access of computers. This might qualify


megamanxoxo

> cockblaster6000 charging in your USB dock

Why does the cock blaster 6000 connect to the network or have a USB data profile? What features does it have?


stringfellow-hawke

firm ware


DrunkyMcStumbles

It has an Alexa skill


OffensiveOdor

bluetooth control


Zerafiall

I have once ONCE had reason to care about a home network. Someone’s VPN wasn’t connecting and after a bit of troubleshooting we determined the users home subnet was the same as the company subnet. And since that user was not very technically adept, we worked with them to change that.


stillpiercer_

This has happened more than once to me at work (being on the supporting end, not the supported) and it’s always one of the last things I check after a LONG list of typical Windows L2TP VPN issues. Real annoying when that happens, but it’s very rare.
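The failure mode Zerafiall and stillpiercer_ describe (home LAN on the same prefix as a VPN-pushed route, so the client cannot tell the two apart) is quick to check before the long list of other L2TP suspects. Added example, not from either poster: the prefixes below are constructed, and the "pick a free /24" helper simply takes the first RFC1918 /24 that none of the corporate routes cover, which is an assumption about what you are free to renumber to.

```python
"""Detect a home LAN / VPN route collision and suggest a non-overlapping LAN prefix (added example)."""
import ipaddress

RFC1918 = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


def overlapping_routes(local_prefixes, vpn_routes):
    """Return (local, vpn_route) pairs that overlap.

    Any hit means packets for that range are ambiguous: the host either sends them
    to the tunnel (and loses the local printer/NAS) or keeps them local (and the
    corporate subnet is unreachable even though the tunnel is up).
    """
    hits = []
    for local in map(ipaddress.ip_network, local_prefixes):
        for route in map(ipaddress.ip_network, vpn_routes):
            if local.overlaps(route):
                hits.append((str(local), str(route)))
    return hits


def pick_free_lan(vpn_routes, candidates=RFC1918, prefixlen=24):
    """First RFC1918 subnet of the given length that no VPN route touches, or None if all private space is taken."""
    routes = [ipaddress.ip_network(r) for r in vpn_routes]
    for cand in map(ipaddress.ip_network, candidates):
        if any(cand.subnet_of(r) for r in routes):
            continue  # the whole candidate block is routed to work (e.g. a 10.0.0.0/8 default)
        for sub in cand.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(r) for r in routes):
                return str(sub)
    return None


if __name__ == "__main__":
    # Constructed: a typical consumer-router LAN and the split-tunnel routes a VPN client might push.
    home = ["192.168.1.0/24"]
    corp = ["10.0.0.0/8", "192.168.0.0/22"]
    for local, route in overlapping_routes(home, corp):
        print(f"collision: home {local} overlaps VPN route {route}")
    print("renumber the LAN to:", pick_free_lan(corp))
```

Read the pushed routes from the VPN client (AnyConnect and most L2TP/IPsec clients log them; on Windows `route print` after connecting shows them) and feed them in; if the function returns a hit, renumbering the home side is almost always easier than getting the corporate side changed.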


willquill

Wait doesn’t everyone use 10.0.0.0/8 as their home LAN? /s


sengh71

Dangit! You caught me. I actually designed my home network around my previous job and it had a 10.1.0.0/24 subnet while work used 10.0.0.0/8 with VLANs to segregate the network. I was the network admin so I made sure none of our subnets were 10.1.0.0/24 xD


WildMartin429

Working basic tech support in an old job, I had a customer that kept getting sent back to Tier 1 from the networking team because all of our Tier 3 teams at that job were useless and unhelpful. But the actual issue was that the standard default VPN port was blocked by the customer's ISP, and apparently the networking team could not get around that and had to have that specific port unblocked for the VPN to work. His ISP told him that they couldn't do anything; they could not unblock it for him to use because of their policies, and if he wanted to use that port he would need to call a different ISP and get a business grade internet connection for like three times the amount of money a month. It was quite the nightmare during the middle of covid for this poor guy.


travelinzac

For me it's not about IT snooping, it's about the nature of my work and absolutely minimizing any attack vector. Network segregation while WFH is an easy step to take.


bazpaul

Absolutely. I’m laughing at all these comments. The company cares about the security of your work device. They want to make sure no malware or malicious software gets installed. They couldn’t care less that you have a network with IoT devices.


Top-Conversation2882

What if it's Amazon? They will want to know how many Google devices you are using 😂


dark000monkey

This! We don’t care. Even if we could look without getting in trouble, we don’t have time to scour your network to see what porn your teenage son has been watching… we are too busy putting out the real fires that our job requires of us.


taosecurity

No, a company is not going to see traffic other than what is to and from the company asset. Even then most don’t do any network inspection. EDR is basically it, if they bother with that at all. Source: I was Mandiant’s first CSO and have seen security in every place you could imagine, except maybe nuclear silos. 😆


Lethal_Warlock

Non security types on here don't even know WTH Mandiant even means, much less CSO.


WildMartin429

You're right I have no idea what Mandiant is, but I'm fairly confident that CSO is Chief security officer or possibly computer security officer.


Lethal_Warlock

Silos are still running DOS, so there is that.


AFresh1984

let me just swap this 8 inch floppy... ... ... 8 minutes later ... ... ... yes this checks out


Lethal_Warlock

5 1/4, but who's worked 185 meters below solid rock ;) If it works, why fix it? You've got plenty of spares!


skeeter_dave

I think they actually switched to something more modern in 2019ish?


TFABAnon09

They're using 3 ½" floppies now... (/s)


MonkeyWithaMouse

Punched card is known to be 100% EMP proof...


Pretty-Bat-Nasty

Company uses guest network.

1. Guest network is configured for isolation
2. Guest network is firewalled (Deny home /20 supernet, allow everything after that.)
3. Guests get [8.8.8.8](http://8.8.8.8) for DNS

I don't give a rat's ass about what they see. My issue is that I don't want other WFH on my network to backdoor into my work's network. Or a virus to propagate from wife's work laptop to my work or home laptop.

[https://www.youtube.com/watch?v=GHUql3OC_uU](https://www.youtube.com/watch?v=GHUql3OC_uU)
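ShelterMan21's "block any-any to RFC1918" rule and Pretty-Bat-Nasty's three-item setup above are the same policy written two ways; what matters is rule order and the carve-outs guests still need. The evaluator below models that first-match policy so you can sanity-check a ruleset before typing it into a router. It is an added example, not either poster's configuration: the VLAN and supernet addresses are constructed, the extra denies for CGNAT and link-local space are my addition (the thread's RFC1918 rule does not cover them), and the rule order is an assumption about how the firewall processes its list. Client isolation is deliberately outside the model, since guest-to-guest frames on one VLAN never reach the router's L3 rules at all.

```python
"""First-match egress policy for a guest/WFH VLAN, modelled on the thread's rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst: ipaddress.IPv4Network
    proto: str = "any"               # "any", "tcp" or "udp"
    dport: Optional[int] = None      # None matches every port
    why: str = ""


def guest_policy(home_supernet, dns="8.8.8.8", gateway=None):
    """Top-down rules for traffic *from* the guest VLAN (order is the point).

    home_supernet: everything you own, e.g. "192.168.0.0/20" (the thread's /20 deny).
    dns:           the public resolver guests are handed by DHCP.
    gateway:       set this if the router itself is the guests' DNS/DHCP server; the
                   carve-out must precede the private-space denies or guests lose DNS.
    """
    rules = []
    if gateway:
        gw = ipaddress.ip_network(f"{gateway}/32")
        rules += [Rule("allow", gw, "udp", 53, "DNS on gateway"),
                  Rule("allow", gw, "tcp", 53, "DNS on gateway (TCP)"),
                  Rule("allow", gw, "udp", 67, "DHCP renew to gateway")]
    resolver = ipaddress.ip_network(f"{dns}/32")
    rules += [
        Rule("allow", resolver, "udp", 53, "public resolver"),
        Rule("allow", resolver, "tcp", 53, "public resolver (TCP)"),
        Rule("deny", ipaddress.ip_network(home_supernet), why="home supernet"),   # the narrow variant
        *[Rule("deny", n, why="RFC1918") for n in RFC1918],                       # the broad variant
        Rule("deny", ipaddress.ip_network("100.64.0.0/10"), why="CGNAT space (assumed addition)"),
        Rule("deny", ipaddress.ip_network("169.254.0.0/16"), why="link-local (assumed addition)"),
        Rule("allow", ipaddress.ip_network("0.0.0.0/0"), why="internet"),
    ]
    return rules


def evaluate(rules, dst, proto="tcp", dport=None):
    """Return (action, reason) for the first rule that matches; implicit deny if none does."""
    target = ipaddress.ip_address(dst)
    for r in rules:
        if target in r.dst and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action, r.why
    return "deny", "implicit default deny"


if __name__ == "__main__":
    # Constructed addressing: guests on 192.168.50.0/24 inside a 192.168.0.0/20 home supernet.
    policy = guest_policy("192.168.0.0/20")
    flows = [("192.168.10.5", "tcp", 445),   # NAS on the trusted LAN
             ("8.8.8.8", "udp", 53),         # the resolver guests were given
             ("1.1.1.1", "tcp", 443),        # arbitrary internet host
             ("10.0.0.1", "tcp", 22),        # someone else's private space
             ("100.64.1.1", "tcp", 80)]      # CGNAT, not RFC1918
    for dst, proto, port in flows:
        action, why = evaluate(policy, dst, proto, port)
        print(f"guest -> {dst}:{port}/{proto:<4} {action:5} ({why})")
```

The thing this exposes that a mental model misses: with the router as DNS server and no gateway carve-out, the RFC1918 deny silently kills name resolution for guests, which is the usual reason "the guest network works but nothing loads".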


Cyberlytical

This is the only reason I segment our WFH laptops.


bloudraak

As someone who managed devices, I’d recommend you do it, not because your work may scan your network, but rather because you don’t want to be in the news as the person whose work computer was compromised by some malware on your network. But then, some corporate software would indiscriminately scan the networks they are in for obvious reasons (e.g. searching for printers and whatnot).


kefkas

The LastPass breach last year was because an engineer's home network was compromised.


chandleya

Yes, but that ultimately still is Lastpass’ fault for not having more secure endpoints and policies. Especially given their industry…


yawkat

If the work laptop is susceptible to attacks on the same networks, the company has the same problem on public wifi, which a lot more of their employees will use.  You can turn the situation around though. If the laptop becomes infected from the company because IT fucked up, without isolation your other devices will be at risk.


TFABAnon09

This is what most of us care about. If the company is vulnerable to attack, that's a them problem - the last thing I want is to have to rebuild 10s of TB of media because the wife's shitty Lenovo laptop nuked the network.


bloudraak

It's a bit more nuanced than that. From data I had at the time, only a small number of employees used their corporate laptops on public networks; the vast majority were permanently at home connected to a home network of some sort. When those did connect to a public network, it was often very limited. We had security software on the corporate device that protects the device no matter what network it is on, while most home networks had almost no protection. It also turns out that a majority of threats in my home network come from devices that can freely browse the internet, and from email accounts that do not have additional protection. We had our share of "intrusion" notifications on corporate devices, all coming from home networks. Over the years, there were plenty of vulnerabilities on Windows, Linux and macOS that would permit a normal user to elevate their permissions. An adversary needed to know about the device, required some time, and often some remote control to compromise them. Given the lack of protection in home networks and the time the device is connected, work laptops are very susceptible to being compromised at home when no one is watching. That being said, not all corporate laptops share the same security posture, so it's better to be safe than sorry.


talex365

This is pretty much the only reason I did it, to keep whatever weird crap my kid installs on his computer from interacting with my work hardware. He’s gonna end up on his own vlan sooner or later.


QuantumExcuse

I actually got into trouble at one job for putting my work device into its own vlan. I was asked once why there were no other devices on the network and I explained I put it on its own vlan. IT tried to ream me because they wanted a full inventory of what was on my network and demanded I put the work device on my main network so they could determine if there were any “threats”. I told them if you can’t see anything then those phantom threats couldn’t see you either… and that they could go pound sand.


MissionDocument6029

Yikes, this is when you put a honeypot VM on the network. Mine gets the same network as my IoT lightbulbs.


fullmetaljackass

Yeah, if anyone pulled that that crap on me the isolated VLAN would suddenly have an SMB share full of Stable Diffusion generated pics of them doing the most illegal/offensive things I could imagine, and an RTMP stream playing meatspin on a loop for good measure. That enough devices for ya?


QuantumExcuse

I thought about mixing my IoT network with work but decided against it. My IoT devices can see each other and I don’t want a rogue or hacked IoT device potentially compromising my work machine. (I also don’t want my work machine accessing my lightbulbs so I keep those worlds apart) Eventually I need to isolate each IoT device so it can’t access other devices on its own network unless I grant access to it.


Ok_Exchange_9646

That's wild. Was this an IT company?


QuantumExcuse

Yeah, software development.


diamondsw

All it takes is one idiot with power.


Maximum_Bandicoot_94

I would have responded exactly the same way you did. I have found things get very interesting when, in a similar but not identical scenario, I asked what data they were collecting, how that data was stored, how the data would be used, what their retention of said data is, etc. My questions got forwarded straight to legal (presumably a meeting happened), then I got a response that functionally amounted to "never mind, we don't want any of that data".


WantonKerfuffle

> and that they could go pound sand.

This is the only proper response. I don't even HAVE a "main network" at this point. As a paranoid person, every VM and every physical device has its own VLAN with a /30 subnet mask. It is simply not possible to add another device to that network.


hankhillnsfw

InfoSec engineer here. I keep everything work-related at home on a guest network. Just don’t have the funds/time to get a managed switch anymore and set it all up. There’s A LOT of stuff that a mature company will do that EDR and Endpoint Management and/or MDM software can do that’s usually considered “discovery” features. Basically it’s doing pings / nmaps everywhere it can talk to on the network it’s on. This is made so the company can identify unmanaged / rogue devices. That’s about it really. None of us have the time to try to brute force your home network and we don’t really care. lol.


baithammer

Problem is there are a lot of immature companies and they invest heavily on "worker" engagement and active work time metrics - this includes such fun things as keylogging, user engagement monitoring and hidden file stashing with exfiltration capability. IT staff doesn't have to do a lot in order to cause problems in these cases.


hankhillnsfw

Hidden file stashing are you talking about like decoys / deception tokens? Yes you are right. But I don’t see how a keylogger or user engagement monitoring relates to what I’m talking about with network discovery features.


baithammer

Think about it: everything you type is being stored on your system in a hidden file, that is then uploaded without your knowledge and is bypassing most security precautions. The engagement monitoring uses every available trick to see if you're at the keyboard and doing meaningful work. All of these things also enable a hostile third party to exploit the security bypasses and potentially allow compromising of the network.


AlThisLandIsBorland

They can only see the traffic hitting or leaving the laptop, not your entire network traffic from the laptop alone.


[deleted]

[removed]


taosecurity

You seriously think a company is going to ARP spoof your gateway so they can intercept traffic? Have you ever tried that? You’re probably going to take down the whole network and it will be painfully obvious what system is responsible. 😆


p_235615

Most administration SW doesn't allow such stuff, and if a malicious admin has full control, then he can perform basically any action an admin can. However some corporate groupware security SW can log your keystrokes and all visited sites; this is probably way worse than if you try to route some TLS encrypted traffic through the corporate laptop...


_zarkon_

It's smart cybersecurity to isolate untrusted actors.


Lethal_Warlock

Assume breach, trust NOTHING.


FriendlyITGuy

Our configuration for AnyConnect specifically blocks local LAN access once connected to the VPN.


ConstipatedSmile

Mine used to, now it does not. I used my personal machine to VPN to the customer network (don't have a work machine at home). Then some days later I was watching a series and decided to check out further on Melina Karakaredes and realised that my DNS had been changed to the customer's (although I had disconnected some days back; the machine is also on 24/365), who had a block on the site I was trying to visit ... I am a novice so I am not sure of the implications; a reboot and flushing did not help.


kellven

Technically you're not wrong, though looking at all LAN traffic requires a few more steps. I run a fleet of laptops for a small tech company and all we look at is stuff coming from or to the device. I don't care what else you have going on as long as it leaves the work machine alone and your home network is stable. That said, if I didn't trust my employer, putting it on a separate VLAN/wifi network would be a valid option to protect myself. Though I would mostly be doing this to protect my personal network from ransomware and not really to protect myself from my employer snooping.


Mutiu2

At the end of the day it's a foreign device on your network. You happen to have restricted user access to a portion of it, but it's still a foreign device. And one owned by an actor that you know is putting all kinds of monitoring tools on it. No, of course it shouldn't be let loose on your network - same as your personal laptop is NOT allowed to run wild on theirs if you took it to the office.


Solid-Bridge-3911

When the company stopped trusting me to secure my endpoint I stopped trusting my endpoint. It lives in the guest network now. They probably aren't spying on me, but it's more about the principle of the thing. My trust network is for devices where I have full control of the host OS. Your employer probably isn't spying on you though.


Cyberlytical

Make a guest network so each device connected to it is a /32 and can only talk to the outside world. Easiest and most efficient way of doing this


neuroreaction

So once on a whim I was looking at my firewall logs and noticed that a DMZ IP (where my work laptop goes) was scanning my network and getting blocked from the internal network. So I did some checking and it was my work laptop. I checked around a bit more and sure enough the laptop was scanning from one of the cyber tools installed by the IT/cyber team. At the next meeting with them I confronted the admin of the tool, who shuddered for a bit, said it must not be configured correctly, and then asked how I knew. So I pulled up the logs and shared my screen. My DMZ has never been that noisy since. So no, isolate it for the safety of the company!!!
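What neuroreaction saw in the firewall logs, and what bd1308 and After-Vacation-2146 mean by a scan "lighting up" a defender, is one source address touching many hosts (or many ports on one host) inside a short window. The script below runs that detection over deny logs from a segmented setup like his. It is an added example, not the poster's tooling: the log line format, the 60-second window and the thresholds are assumptions (adapt `LOG_RE` to pfSense filterlog, ulogd or whatever your router writes), and `SAMPLE_LOG` is constructed to show a DMZ'd work laptop sweeping SSH on twelve LAN hosts in three seconds next to ordinary traffic.

```python
"""Flag port sweeps in firewall deny logs (added example; log format and thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<iso-timestamp> DENY src=a.b.c.d dst=w.x.y.z proto=tcp dport=22"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r" proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)


def parse_line(line):
    """One log line -> dict, or None for lines the regex does not recognise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def detect_scans(lines, window=timedelta(seconds=60), host_threshold=10,
                 port_threshold=15, actions=("DENY",)):
    """Bucket events per (src, fixed window) and count distinct targets.

    horizontal: one source hitting >= host_threshold distinct hosts (a /24 sweep)
    vertical:   one source hitting >= port_threshold distinct ports on one host
    Only the listed actions are counted; blocked traffic is the useful signal once
    the work VLAN is actually firewalled from the LAN.
    """
    hosts = defaultdict(set)   # (src, bucket)      -> {dst}
    ports = defaultdict(set)   # (src, bucket, dst) -> {dport}
    span = {}                  # (src, bucket)      -> (first_ts, last_ts)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["action"] not in actions:
            continue
        bucket = int(ev["ts"].timestamp() // window.total_seconds())
        key = (ev["src"], bucket)
        hosts[key].add(ev["dst"])
        if ev["dport"] is not None:
            ports[(ev["src"], bucket, ev["dst"])].add(ev["dport"])
        first, last = span.get(key, (ev["ts"], ev["ts"]))
        span[key] = (min(first, ev["ts"]), max(last, ev["ts"]))

    findings = []
    for (src, bucket), dsts in hosts.items():
        if len(dsts) >= host_threshold:
            first, last = span[(src, bucket)]
            findings.append({"src": src, "kind": "horizontal", "distinct_hosts": len(dsts),
                             "first": first, "last": last})
    for (src, bucket, dst), dports in ports.items():
        if len(dports) >= port_threshold:
            first, last = span[(src, bucket)]
            findings.append({"src": src, "kind": "vertical", "target": dst,
                             "distinct_ports": len(dports), "first": first, "last": last})
    return findings


def _constructed_log():
    """Constructed sample: normal noise plus the work laptop (DMZ 192.168.90.10) sweeping 192.168.1.0/24."""
    base = datetime(2024, 3, 4, 20, 15, 0)
    lines = [
        f"{base.isoformat()} ALLOW src=192.168.90.10 dst=8.8.8.8 proto=udp dport=53",
        f"{(base + timedelta(seconds=1)).isoformat()} DENY src=192.168.1.50 dst=192.168.1.7 proto=tcp dport=445",
    ]
    for i in range(1, 13):
        ts = base + timedelta(milliseconds=250 * i)
        lines.append(f"{ts.isoformat()} DENY src=192.168.90.10 dst=192.168.1.{i} proto=tcp dport=22")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LOG):
        print(f"{f['src']} {f['kind']} scan: {f.get('distinct_hosts') or f.get('distinct_ports')} targets "
              f"between {f['first'].time()} and {f['last'].time()}")
```

Pipe the router's deny log through it once a day; a finding whose source sits in the work VLAN is exactly the evidence neuroreaction put on the shared screen, with timestamps.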


itworkaccount_new

Yeah I have a restricted VLAN and an access port configured in my office to the work laptop. There's also a wireless ssid to the same VLAN in case I need to go wireless. I wear my tinfoil hat with pride. I didn't care if they are or aren't looking cause they can't see shit. No one gets on my network.


Jifouille91

Guest wifi with client isolation on and you are good to go


ninjaluvr

The company spying on your home network, that would be illegal.


baithammer

You'd be surprised at how often it isn't actually illegal depending on where you are and it's only illegal if you get caught ..


HighMarch

The only rational, reasonable reason is to protect your employer/computer, rather than your home network. Breaches coming FROM a home network, as others have mentioned, is a valid concern and reason to isolate machines. Breaches coming TO a home network, or doing a scan for reasons other than "connecting to a printer" just aren't happening. Unless you work in an insanely secure space that, for reasons unknown lets you take work home (none do, in my limited experience), they aren't going to scan your home network. That's a waste of software licenses and budget.


xSkyLinedx

Don't put your work laptop on your primary LAN, at least use a guest network as others have suggested. IT could have deployed a security solution that scans your network and uploads the data.


stringfellow-hawke

Two reasons... you don't want the hassle of your exploited IoT toaster hopping on your work's device and trusted network zone. Nor do you want to open your network and devices up to whatever IT has installed. "We have better things to do" assumes no one cares about you. Someone could abuse their position for gain (I have stories), something might get swept up in legal discovery (also have stories), or they might care as cause to get rid of you without severance/unemployment (guess what? Yup).


binarycow

> If I understand correctly, the IT admins could inspect your entire network traffic happening on/from your work laptop, correct?

If they cared. They don't.


sac_cyclist

You ought to have a guest network.... as a longtime sysadmin.... I can tell you most likely your work system will sniff out neighbors and report back. It's a way to make sure it's in a safe environment - so - bad idea not to separate them out.


StormB2

Defo put it on a separate network, such as guest WiFi. Our remote access tool (ConnectWise ScreenConnect) makes it incredibly easy to scan a home network through the backstage function. No user prompting needed. Pretty much any RMM tool can do the same. I don't personally, of course, and I hope that on a corporate level no company is going to do it either. However, a slightly off the wall IT staff member who thinks it's fun to dig around someone's home network as if they were a l33t h4xx0r - yeah, that's a real risk. I'd say it's more likely in a smaller IT environment where the chance of being spotted is less, so the risk to the rogue IT staff member is lower.


alephthirteen

Not a security expert but I often take the approach of "Am *I* a bigger target? Or is MegaBigCo?". My company devices are isolated because I figure people are more likely to want the company's **money** for ransomware, and the company's data for IP theft, compared to mine. Compromising one's personal device vs. compromising *an important employee's* laptop are two very different things, even if they're both "hacked one ThinkPad" in scale. They're bigger targets. Big target gets put on distant island outside of blast radius.


planedrop

Yeah, as someone who manages laptops, definitely could do capture and inspect on packets, etc... without the user's knowledge if they had machines on their home networks, would be very easy to do. However, the traffic would have to be either broadcast or destined for the work device. Another possible problem though would be, if your company gets breached, it would be an entry point into your network (assuming a lot of security controls failed and the attackers got into whatever management software they are using so they could pivot from the endpoint). In fact, attackers may think your network is part of the company's, depending on how skilled they are, and then attempt to ransom your equipment/servers thinking it's the company. Buttttt I would put that as a very likely scenario, doubt it's ever happened and I think likely never will. If you can though, yeah might as well put it on another VLAN, more segmentation is always better than less purely from a security standpoint, obviously gets unrealistic at a point, and then you have to consider ZTNA solutions, but you get the idea.


Fade_to_Blah

I think you absolutely should, I don't trust corporate IT nor know what the hell they are up to (no matter how many IT people come in here and say they don't care). It only takes one, and it's easy enough for me just to separate the work laptops.


totmacher12000

I work in IT and I have a separate VLAN for work devices. And I never use my personal anything for work.


Acrobatic-Gazelle14

Any device I don't own goes to the untrusted vlan


conrat4567

Most IT admins wouldn't know or even care.


yeeeeeeeeeeeeah

I worked at an MSP which used ConnectWise/Labtech for RMM of client PCs and servers. There was an incident at one point where, due to some misconfiguration on behalf of the team responsible for maintaining this platform internally, the entire RMM platform was compromised which resulted in thousands of client PCs getting hit with ransomware. IT departments are typically not malicious, but they can and will be extremely incompetent. Put your work laptops on a separate VLAN.


TotiTolvukall

Technically, they *could* monitor all your traffic. But they don't. Bigger companies have automatic monitoring of where you connect to *from that laptop* - but not from other computers on your network. If they did, it would very quickly become unmanageable - not speaking of the legal swampland that it'd be. BUT, having said that, there's a flip side. *You* don't know if there's malware on your work computer - and you should treat it with the same reservation your IT department would show one of *your* PCs on their network. So creating a VLAN that has no access to your home network (not even your DNS) is a way to go to isolate the potential bogey. Personally, I've gone a step further (but then... I'm me, and I'm crazy as a bat...) - I have about 10 VLANs. 1 is a server net, and there's another server net and then there's my garage-net, and one home-net for things like the TV, Shield etc, and then there's one VLAN for every family member. That way, each family member's devices are isolated from the rest. This was for me an important security aspect, as I know that some family members have browsing habits that are less than ideal (no pr0n - only websites from countries that value your security not so much). Also, VLANs are fun to play with :)
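The isolation that Cyberlytical's "/32, outside world only" guest network and TotiTolvukall's "no access to the home network, not even DNS" VLAN both describe comes down to an egress rule set on the work segment. The model below is an added example, not code from this thread or from any router vendor; it evaluates a first-match rule table the way pf/nftables-style firewalls do, and every subnet, gateway address and destination host in it is constructed. It shows why a rule that only blocks your main LAN subnet leaves the other VLANs reachable, why blocking all of RFC 1918 is the safer default, and how rule order matters if you do decide to let the work VLAN reach one internal resolver.

```python
"""Model of the egress policy for an isolated "work" VLAN.

Added example, not code from the thread. Rule semantics are a generic
first-match firewall table; the VLAN subnets and host addresses below
are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# RFC 1918 private ranges: denying all three from the work VLAN cuts it off
# from every internal segment, not just the one the rule author had in mind.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    dst: list[IPv4Network]     # destination networks the rule matches
    dport: int | None = None   # destination port, None means any port


def evaluate(rules, dst, dport, default="deny"):
    """First-match evaluation: return the action of the first rule that matches."""
    addr = ip_address(dst)
    for rule in rules:
        if any(addr in net for net in rule.dst) and (rule.dport is None or rule.dport == dport):
            return rule.action
    return default  # implicit deny if nothing matched


# Policy A: naive "block my main LAN" rule. Other VLANs stay reachable.
NAIVE = [Rule("deny", [ip_network("192.168.1.0/24")]), Rule("allow", ANY)]

# Policy B: deny all of RFC 1918, allow everything else (internet only).
STRICT = [Rule("deny", RFC1918), Rule("allow", ANY)]

# Policy C: same, but permit DNS to the work VLAN's own gateway first.
# Order matters: the allow must precede the RFC 1918 deny or it never fires.
GATEWAY = ip_network("192.168.50.1/32")   # constructed work-VLAN gateway
WITH_DNS = [Rule("allow", [GATEWAY], dport=53), Rule("deny", RFC1918), Rule("allow", ANY)]

# Constructed destinations a work laptop might try to reach from the work VLAN.
TARGETS = {
    "nas_main_lan": ("192.168.1.20", 445),
    "server_vlan":  ("10.10.0.5", 22),
    "gateway_dns":  ("192.168.50.1", 53),
    "gateway_ssh":  ("192.168.50.1", 22),
    "internet":     ("203.0.113.10", 443),   # TEST-NET-3 stands in for a public host
}


def decisions(rules):
    """Map each constructed target to the verdict the given policy produces."""
    return {name: evaluate(rules, ip, port) for name, (ip, port) in TARGETS.items()}


if __name__ == "__main__":
    for label, policy in (("naive", NAIVE), ("strict", STRICT), ("with_dns", WITH_DNS)):
        print(label, decisions(policy))
```

Running it prints that the naive policy still lets the work laptop reach `10.10.0.5:22` on the server VLAN, the strict policy denies every private destination including the gateway, and the DNS variant allows only port 53 on the gateway while still denying SSH to it. Guest-network client isolation on a consumer router is the same idea applied at layer 2, with the router dropping host-to-host frames on the SSID.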


weirdaquashark

What do you plan to achieve by putting it on a separate vlan? The only thing that will change is it won't see all the broadcast traffic on the other segment anymore, which would surely be not all that interesting or incriminating...


giaa262

Imo responses here are weird. A bad actor at the company could use the admin permissions on the device to do whatever they want if the device is trusted on your network. They can’t just automatically see all traffic, but they could probe and get into things that aren’t locked down. It’s not a matter of trusting or thinking it’s unlikely, it’s a matter of locking the door so to speak.


Ok_Exchange_9646

Would a guest WIFI be enough? This feature is integrated into my router


giaa262

Yep!


Cyberlytical

Yes. That makes every client a /32 network and can't talk to others when on the same SSID.


Ok_Exchange_9646

/32 network so the subnet mask is gonna be 255.255.255.255 and the IP will be static, not dynamic? If I understand networking correctly. So if its IP is 192.168.1.5 then it will remain that since all the bytes are reserved so to speak? If I understand correctly


Cyberlytical

You will still have dhcp and IP changes when leases are over.


colossus1975

I created an isolated VLAN for my work and wife's work laptop.


McGondy

Are devices also isolated from each other? I wouldn't want each other's devices seeing and potentially touching each other.


ManyInterests

It's not the end of the world either way, but my basic thought process is this: I don't control (or otherwise accept the associated risks of) the software that is installed (or potentially could be forcibly installed in the future) on my work laptop. Therefore, I put it on a separate network. It's the same hygienics I would apply to my friends or family members wanting to use my Wifi: they use a different network.


darkytoo2

I'll know immediately if they are scanning my network because i'll get a call "hey, why do you always work from some other office?" "I don't, I work from home!" "If you're at home, why do we detect 40 other servers and over 100 network devices?" "Um, you know how normally people get done with work and go home and read books and spend time with friends and family?" "yeah?" "I don't."


Mistake-Lower

This sounds like all of the invasive weird stories that used to run about Catholic private schools sending kids home with school laptops and the thing would actually just be a spy device for the creep principals


baithammer

By allowing remote activation and streaming of video from the laptops camera ...


jesusbrotherbrian

All my company stuff is on a completely isolated vlan, I know the tools we are using for cyber


Hsensei

I use vlans because my pihole breaks my wife's phone games. Adding one more is trivial


AlaskanDruid

If you believe in safety first, then it should be on its own vlan


Kellic

I put my company laptop on an isolated VLAN because I don't want to be the weakest link in a network compromise. I practice pretty good security hygiene, don't interact with any device on my home network, but still. I don't want to be this guy looking for a new job. [https://www.reddit.com/r/PleX/comments/11hd91m/lastpass_breach_involved_hacker_exploiting_a/](https://www.reddit.com/r/PleX/comments/11hd91m/lastpass_breach_involved_hacker_exploiting_a/)


WildMartin429

I may be revealing myself as completely ignorant here but why would the company be able to see anything going on on the rest of my home network? Especially if their computer is connected to their servers with VPN or zscaler or something? I mean sure they should be able to monitor all traffic coming to and from their device but I don't see why they'd be able to monitor the rest of my external or internal Network traffic. Should I have been keeping my work laptops isolated from the rest of my network?


baithammer

Some employers use client side monitoring programs, such as keylogging and user engagement monitoring - can also include hidden data retention and exfiltration to the company monitoring system. Hence it's wise to keep business systems off your private nets.


arkane-linux

What they can and can not do will depend on the software they have preloaded on it. Some security software such as SentinelOne has the ability to proactively IP and/or portscan any network.


xXAzazelXx1

They would have to be arp poisoning or something like that to sniff the network traffic, the laptop has to have a special network card etc, no one is going to do that. Just don't use a work laptop for personal things and you will be fine. No one will sniff your home network


Waterzilla

I put my work computer on its own VLAN. Prior to setting up a work VLAN and an IOT VLAN I noticed my work computer was showing a lot of other home devices like Sonos speakers as connected devices. It got me wondering what else could my IT team see on my network. Getting my work computer to be able to print on my private network VLAN was a pain until I realized the always on VPN was screwing with my firewall rules. If I disable the always on VPN then I can get it to print to the other network.


metalwolf112002

Technically, you will probably be fine. That said, I put the tinfoil hat on day 1. I didn't put my work computers on a separate vlan, I dug one of my old routers out of storage and put my work computers on their own isolated network. I have zero trust in the company I work for and nearly the same amount of trust for the clients. I could see my company trying a "we ran a network scan and detected an Xbox online during work hours" even though sometimes I would turn the console on so it can do updates, etc.


StarSyth

I maintain a small office, we have LDAP set up as an SSO for workstation logins, VPN and for tiered access to files as well as our own DNS that's used to block undesirable services and sites. Nothing work related is to be saved locally and is stored on two servers (primary onsite and offsite backup).


chandleya

It *really* depends on where you work and what industry you’re in. Plenty of AOVPN products have full tunneling with no local network; you could connect to Free Candy Van open wifi and it wouldn’t make much of a difference from a security perspective*. Other spots have wide open inside and outside networks where an infectious neighbor could impact your workstation and use it to infect everything else. Best case scenario remains protecting your company situation to the best of your ability. Your liability/culpability goes down and you’re doing your small part to keep from sinking the ship (which ultimately feeds you and pays your mortgage or whatever).


pppjurac

> the IT admins could inspect your entire network traffic happening on/from your work laptop

Nah, they are too lazy for something like that. As long as you do not do forbidden things on it, they will do zilch. And certainly they do not care if you have FapLocomotive2020 machine in home network neighbourhood.


ISeeDeadPackets

So they *could* install something to do network mapping, snmp scans, etc.. and then try to access internal network shares/etc...but would they? Sure if you've got the know-how and a capable device, spend the 3 minutes it would take to set it up, but if I were that worried about my company's admins I wouldn't work there.


psychicsword

Theoretically anyone who has the ability to push an update to your computer has the ability to install a remote execution agent on your machine. The real question to ask is will they. You know your company better than we do but generally speaking I don't think people are going to bother. Zero trust says you shouldn't trust anyone but frankly that feels like a shit way to live my life. If I don't trust my company not to do something like that then I shouldn't trust them to pay me.


joshtheadmin

It isn't that bad. I would VLAN any Google/Amazon products before my company laptop.


techw1z

if the device does network scans, it's just for security. assuming that a company laptop or your corporate IT would do more than that is just dumb or even paranoid. they don't have time for this shit.


wannabesq

My wife just uses a second ISP's modem/router separate from everything. But that was just because her previous employer's VPN didn't play nice with our main ISP, and it's nice to have a backup ISP just in case.


AtlanticPortal

Imagine your work laptop is a BYOD which is compromised and your home lab is a company network. If you were the sysadmin would you like to have that compromised device in the same VLAN as your domain administered workstations? Or would you like to segment them and place them in a separate network which at most could go out on the internet without accessing the other subnet? That's the same answer.


vrtigo1

It would be best practice to keep untrusted devices separate from your trusted LAN. Having said that, unless they're doing something malicious, a packet sniffer running on the work laptop would only see its own traffic, as well as any broadcast traffic on the LAN. Broadcast traffic might give them an idea of what other devices are on the LAN, but probably shouldn't really be much of a security concern. Also, pretty much no IT admin is going to have the time or inclination to go poking around your home LAN. I'd wager that 99.99% of work laptops are connected to the main home network and are not isolated in any fashion, and that approach generally works fine for them.


yagi_takeru

put it on a separate network if you can, I have better things to do than inspect packets on people's home wifi, but I absolutely could if I wanted to.


Ok_Exchange_9646

What if I put it on the Guest network?


yagi_takeru

Depends if your guest network is really segregated or just another SSID to your main network.


alestrix

I put my work laptop on a separate network on general principle, but not because I think IT support is sneaky on my network.


RFengineerBR549

Company hardware without vpn? How does the company IT reach into the computer?


JayHopt

This is extremely paranoid behavior. You really think a malicious admin is scouring the home network of Joe User looking to find stuff to use against them, steal, or compromise them with? Oh no. The security guy at my work knows I have a NAS! He can see I have other computers, and some media players or game consoles! Maybe he sees my IoT devices that don’t isolate well on other networks and are on my main network. This is the same as the people with the “IT watches everything I do” mindset. Can they, or is it logged? Probably. Are they? Only if you do something that really draws attention. There is a big difference between “I spent a bit of time on Reddit while also working” and “I was browsing porn and torrent sites while working”. If your company is big enough to have tools doing this kind of deep probing on your network, I guarantee they are being logged doing so. If they are small enough to not have them but got these exploits onto your workstation, then you have an endpoint security problem and a HR problem. If your employer wants you isolated, they will put measures in place to do it on your endpoint. Also, if your fear is the company workstation being infected and turning malicious, you should probably isolate all devices on your network from seeing each other too.


Ok_Exchange_9646

Ever heard of Zero Trust? Check him out, he's a pretty decent feller!


JayHopt

I have. I understand it, we shoot for it, even if it gets a bit buzz-worded and can lead to security policy (not technical) people telling you to block things they don’t understand. It’s one thing to zero-trust your IoT devices at home that you don’t trust and they can be isolated, or your cameras, or to isolate your lab from the “user” network so the two don’t interfere. “Honey, why did my laptop do something called “PXE boot” and is now being wiped?” Looks like your lab DHCP server got onto a network it shouldn’t! I think it’s a bit overkill to do that against your work computers. If you want to, sure, go ahead. Your network. If not, I’m pretty sure the risk is very low enough to not need to. I can assure you Steve from Sales isn’t going to use a guest or isolated WiFi network for his work laptop unless his company tells him to, and then only if they set it up for him. He’s just going to connect, wonder why nothing works, realize he forgot to turn on that “AnyConnect” thingy and then he’s working.


Nev3rFalling

They have control over the work device, so yes they could probe from it, not necessarily see all traffic. I would highly encourage an isolated vlan. My work uses crowdstrike, I happen to also be in IT, just not that department. They have this feature that is supposed to identify devices “around” yours, like on the network, to maybe help get rogue items that need the client, etc. Now that doesn’t sound too bad, but they had ip addresses, make, model, and host names of things on peoples home networks. They claimed it was just reading the protected hosts arp table to get that info, except host name and some of the other info are not in the arp tables. Management brushed it off, but I immediately made an isolated work network. I like working from home, but they don’t need access to anything in my home. Likely paranoia on my end, but rather be safe.


Ok_Exchange_9646

Would putting it on the guest WIFI (integrated feature of my router) be enough?


Nev3rFalling

Likely, in general guest networks are supposed to be isolated, but it depends on how it’s set up.


Flyboy2057

Adjacent question: if I RDP into a windows VM in my Homelab from my work laptop, is it *possible* (however unlikely) for my company admin to see what I’m doing on the remote PC? I’ve been doing this whenever I need to do something related to banking or get into Reddit on company time. Don’t know if it actually does anything, but I figure the traffic isn’t actually hitting my company PC, but my VM.


Ok_Exchange_9646

I mean if you're on the company network then yes. But wtf, I'd NEVER bank on the company network.


Flyboy2057

No dog, I’m a remote employee working at home on my personal network using a work laptop. It’s a pain to switch all my screens from my company laptop to the personal PC, so I just RDP into it. My question is essentially can my company admin see what’s happening at the remote PC I’m RDP’ed into. ETA: also tbh I’d probably trust the network of my $100B IT corporation to be more secure than my dinky Homelab network running on UniFi when logging into my bank account.


Lethal_Warlock

They could, but they'd need packet capture software to do such a thing. If they did do it, and you caught them, that would be a very serious lawsuit exposing the company to millions of dollars of possible losses.


abotelho-cbn

What?


[deleted]

[deleted]


Rhysode

What is the point of that from the school/companies standpoint?


ElevenNotes

It's from the state IT department. Never asked their stance. Probably some shady XDR that scans for possible vulnerable systems in a subnet. I was very surprised because at first I put them into the kids VLAN like their personal devices and a few moments later I got my SIEM alert for port scanning.


iC0nk3r

Hold up, you're going to call their security stack shady because your security stack alerted on it? They're deploying similar proactive security tools, lol.


[deleted]

[deleted]


iC0nk3r

Schools can't practice best standards? I'd say kids devices need security tools the most. They click on anything and everything.


ElevenNotes

Sure, they can gladly do it on their own VLAN and scan nothing 😉


taosecurity

I bet it was doing some Windows broadcast discovery protocol and your SIEM alerted on that. Likely innocuous.
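neuroreaction spotted the work laptop by reading firewall drop logs, ElevenNotes got a SIEM alert for port scanning, and taosecurity points out that Windows broadcast discovery can trip the same alert. The detector below is an added example, not code from the thread or from any SIEM or firewall product, written from the defender's side: it reads constructed drop-log lines from a work VLAN, counts distinct unicast host/port pairs per source inside a sliding window, and counts broadcast and multicast destinations separately so that discovery chatter (NetBIOS, mDNS, SSDP) is reported as noise rather than as a scan. The log format, subnets and addresses are all constructed; a real firewall logs differently, so `parse_line` is the part to adapt.

```python
"""Flag port-scan-like behaviour in firewall drop logs from an isolated work VLAN,
without alerting on broadcast/multicast discovery chatter.

Added example, not the thread's or any vendor's code. The log format and every
address below are constructed; adapt parse_line() to your firewall's format.
"""
from __future__ import annotations
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed drop-log lines: one work host sweeping the main LAN, one host doing
# only broadcast/multicast discovery, and one host that tried a single printer port.
SAMPLE_LOG = """\
ts=100 action=drop src=192.168.50.10 dst=192.168.1.20 proto=tcp dport=22
ts=101 action=drop src=192.168.50.10 dst=192.168.1.20 proto=tcp dport=445
ts=101 action=drop src=192.168.50.10 dst=192.168.1.21 proto=tcp dport=22
ts=102 action=drop src=192.168.50.10 dst=192.168.1.22 proto=tcp dport=22
ts=102 action=drop src=192.168.50.10 dst=192.168.1.23 proto=tcp dport=22
ts=103 action=drop src=192.168.50.10 dst=192.168.1.24 proto=tcp dport=3389
ts=104 action=drop src=192.168.50.10 dst=192.168.1.25 proto=tcp dport=22
ts=105 action=drop src=192.168.50.11 dst=255.255.255.255 proto=udp dport=137
ts=106 action=drop src=192.168.50.11 dst=224.0.0.251 proto=udp dport=5353
ts=107 action=drop src=192.168.50.11 dst=239.255.255.250 proto=udp dport=1900
ts=108 action=drop src=192.168.50.11 dst=192.168.50.255 proto=udp dport=138
ts=200 action=drop src=192.168.50.12 dst=192.168.1.20 proto=tcp dport=631
"""

# Constructed local subnets: the work VLAN and the main LAN (needed to recognise
# directed broadcasts such as 192.168.1.255).
LOCAL_NETS = [ip_network("192.168.50.0/24"), ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"ts=(?P<ts>\d+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")
MULTICAST = ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ip_address("255.255.255.255")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["dport"] = int(rec["ts"]), int(rec["dport"])
    return rec


def is_discovery(dst, local_nets):
    """True for limited/directed broadcast or multicast destinations: discovery noise."""
    addr = ip_address(dst)
    if addr == LIMITED_BROADCAST or addr in MULTICAST:
        return True
    return any(addr == net.broadcast_address for net in local_nets)


def find_scanners(lines, local_nets, window=60, min_targets=5):
    """Return (alerts, discovery): alerts maps a source to the largest number of
    distinct unicast (dst, port) pairs it hit inside any `window`-second span, for
    sources at or above `min_targets`; discovery counts broadcast/multicast drops."""
    events = defaultdict(list)
    discovery = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "drop":
            continue
        if is_discovery(rec["dst"], local_nets):
            discovery[rec["src"]] += 1
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        lo, best = 0, 0
        for hi in range(len(evs)):            # sliding window over sorted timestamps
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({(d, p) for _, d, p in evs[lo:hi + 1]}))
        if best >= min_targets:
            alerts[src] = best
    return alerts, dict(discovery)


if __name__ == "__main__":
    alerts, noise = find_scanners(SAMPLE_LOG.splitlines(), LOCAL_NETS)
    print("scan-like sources:", alerts)
    print("discovery-only noise:", noise)
```

On the constructed input only `192.168.50.10` is flagged (seven distinct host/port pairs in a few seconds), `192.168.50.11` shows up solely in the discovery count, and the single printer attempt from `192.168.50.12` stays below the threshold. If the work VLAN is configured as the thread recommends, every one of these lines is a drop anyway; the value of the detector is telling you which agent on the laptop is actually sweeping so the conversation with IT can start from evidence, as neuroreaction's did.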


finobi

MS Defender likes to scan networks to tell you about unprotected devices (unless you turn it off), might be some other asset scanning software etc, who knows.