I treat my work laptop as a hostile entity on my network. It connects to a dedicated Wi-Fi network with client isolation enabled and on a dedicated VLAN with no access to other VLANs, just egress to the internet. DHCP serves 8.8.8.8 as DNS.
On the trusted VLAN I use Technitium as DNS and DHCP. I don't use any block lists, though, because I had too many complaints from other network users. Technitium is mostly just because it's easy to manage DHCP hostnames and other DNS records in the same UI.
As a person who manages workplace malwar^Wdevice management software, this is a wise choice. You can gather so much information from home networks, just by passively listening.
Care to share any concrete examples on "useful" information that has been gathered this way?
Also, FWIW, I'm assuming this hypothetical software is clever enough to only function in jurisdictions where that would be legal? Spying on your employees' home networks is a massive no-no here; you'd need some very deep pockets if you wanted to attempt it, because when you are found out you'll be paying a lot of compensation for privacy violations.
In America, if you are using company property at home on your personal network and the company tunnels in and scans your home network for "security" reasons, there's not much recourse.
You would have a very difficult time even proving that they did it unless they told you that it happened or if you were the kind of person who, bordering on certifiable paranoia, kept logs of all of your home internet traffic.
Even then, the only thing you could do would be to sue the company, a very expensive process with no guarantee of success and that would take years to see any small measure of justice. They would only be liable for the damages you suffered as a result of their theoretically justifiable intrusion into your home network unless they tampered with your systems or downloaded files from your other computers, in which case you may have a criminal complaint against your company, but even with the Federal laws (like 18 U.S.C. § 1030 federal computer hacking) you not only have to prove that they accessed your personal computers without your permission but also that they did so with the "intent to cause harm".
If they did this and then fired you because of what they found, then you might have the slimmest of chances with a good lawyer to both federally prosecute the company and also sue for damages, but you first have to keep a flawless and undebatable log of all network activity on your personal network, bring a work computer to your home, join it to your network, and have someone acting in an official capacity from the company (because some rogue I.T. guy poking around doesn't represent the company and would thus be personally liable for the damages, absolving the company of any guilt) use that computer to access your personal network, snoop around, and download your personal files or data AND cause you some verifiable injury for what was found.
To say that is a tall order is such an understatement it's like saying Mars' Olympus Mons is a pretty big pile of dirt.
Organizations with savvy legal and security teams are going to either not do this in jurisdictions where it's not legal, not do it at all, or be very quiet about it.
I'm not a security professional, so take this with a grain of salt, but if I were going to do this I would be listening for things that could conceivably be trying to pop equipment in employee possession. So malicious mDNS advertisements, nmap scans, that kind of thing.
1. Using tcpdump passively to collect multicast, broadcast, etc. with, for example, information such as identity information and in some cases what you're watching on your streaming box. This isn't always encrypted.
2. Using tools to sniff Bluetooth and Wi-Fi information. macOS and Windows include such tools by default.
Sure! I use TP-Link Omada access points and a mix of managed L2 switches (TP-Link, Unifi, Brocade, Mikrotik). My router is VyOS running on a used commodity SFF box.
I know you can accomplish the same thing with Unifi access points and security gateway, and of course Ruckus, Cisco, Aruba, etc. will as well. I don't know of any residential equipment that will, but I haven't used residential Wi-Fi gear for almost a decade.
The setup is:
- traffic on a particular SSID gets tagged with a VLAN at the AP
- that VLAN is tagged on all of the switch ports between the AP and the router
- the router's firewall is configured to block the guest subnet from the other local subnets and allow internet egress
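The three-step setup above, worked through as an added example in VyOS 1.3 configuration syntax (this is not the commenter's own config). It assumes the trunk toward the APs is eth1, the work-laptop SSID is mapped to VLAN 30 with subnet 10.30.0.0/24, and that every other local subnet falls inside the RFC 1918 ranges; DHCP hands out 8.8.8.8 as DNS, as in the original post.

```vyos
# Assumed: VLAN 30 arrives tagged on trunk eth1 (the AP tags the SSID's traffic)
set interfaces ethernet eth1 vif 30 description 'Work-laptop quarantine VLAN'
set interfaces ethernet eth1 vif 30 address '10.30.0.1/24'

# DHCP for the quarantine subnet; DNS is Google's resolver, not an internal one
set service dhcp-server shared-network-name WORK-QUARANTINE subnet 10.30.0.0/24 default-router '10.30.0.1'
set service dhcp-server shared-network-name WORK-QUARANTINE subnet 10.30.0.0/24 name-server '8.8.8.8'
set service dhcp-server shared-network-name WORK-QUARANTINE subnet 10.30.0.0/24 range 0 start '10.30.0.100'
set service dhcp-server shared-network-name WORK-QUARANTINE subnet 10.30.0.0/24 range 0 stop '10.30.0.200'

# Assumed: all trusted local subnets live inside these RFC 1918 ranges
set firewall group network-group TRUSTED-NETS network '10.0.0.0/8'
set firewall group network-group TRUSTED-NETS network '172.16.0.0/12'
set firewall group network-group TRUSTED-NETS network '192.168.0.0/16'

# Forwarded traffic entering from VLAN 30: drop anything aimed at local
# subnets, allow everything else (internet egress)
set firewall name WORK-IN default-action 'drop'
set firewall name WORK-IN rule 10 action 'accept'
set firewall name WORK-IN rule 10 state established 'enable'
set firewall name WORK-IN rule 10 state related 'enable'
set firewall name WORK-IN rule 20 action 'drop'
set firewall name WORK-IN rule 20 destination group network-group 'TRUSTED-NETS'
set firewall name WORK-IN rule 30 action 'accept'

# Traffic addressed to the router itself from VLAN 30: only DHCP is needed,
# so the router's management services on other VLANs stay unreachable
set firewall name WORK-LOCAL default-action 'drop'
set firewall name WORK-LOCAL rule 10 action 'accept'
set firewall name WORK-LOCAL rule 10 state established 'enable'
set firewall name WORK-LOCAL rule 10 state related 'enable'
set firewall name WORK-LOCAL rule 20 action 'accept'
set firewall name WORK-LOCAL rule 20 protocol 'udp'
set firewall name WORK-LOCAL rule 20 destination port '67'

# Attach both rulesets to the VLAN sub-interface
set interfaces ethernet eth1 vif 30 firewall in name 'WORK-IN'
set interfaces ethernet eth1 vif 30 firewall local name 'WORK-LOCAL'
```

Client isolation between devices on the same SSID is enforced at the AP, not here; the router only ever sees traffic that leaves the VLAN, so verify the AP setting separately.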
My bet would be that if they're quarantining their work device, they also don't use it for anything other than work, and don't use any other device for work. If that's the case this would never come up.
Yep, this. No personal stuff on work laptop, with the sole exception of my Spotify login. No work stuff on personal machines other than my payroll login.
Files don't leave my work laptop. If I need to get files into my work laptop (very rarely, usually Slack emojis) I email them to my work account or share a Google Drive folder with my work account. These methods are traceable and auditable for my company and, importantly, don't open any of my personal accounts to legal discovery from the company's side as far as I can tell.