Topic: detecting removed firewall  (Read 1334 times)
« on: December 10, 2008, 08:51:44 »
john99 *
Posts: 44

Hello,

Some of our power users (out in small remote offices) have in the past temporarily removed their firewall box in order to bypass restrictive firewall rules (e.g. for the use of P2P).

Question:
How can this firewall removal be detected?
(We are soon going to implement OSSEC, a HIDS that is able to produce active responses if a certain condition occurs. Nevertheless, some kind of daemon would be required on m0n0wall for such a setup.)


Thanks a lot for any feedback!

John


PS
I am aware that this is mainly an organisational problem and not really a technical one.
« Reply #1 on: December 10, 2008, 10:44:22 »
markb ****
Posts: 331

I presume that you are talking about a setup with a DSL router/modem in front of the Monowall, and they effectively plugged straight into this, thus bypassing the Monowall rules.

There are several measures that I can think of to combat this, although their effectiveness does depend on your network setup. For monitoring, I might suggest setting up a Cacti server to monitor the SNMP of the Monowall. There is a good virtual appliance I can point you in the direction of if you are interested. Although if they leave the Mono box plugged in and just plug into the router/modem, this will not be enough. Are you using IPsec VPN between sites? If you are, monitoring the existence of this link would be fairly easy.

In addition, consider tightening up the setup at the office end. If you have any funds available, you could consider getting a DSL Ethernet modem like the DrayTek Vigor 100/110, which is a true PPPoE to PPPoA converter. This will eliminate the weak link in the chain at the router/modem. Another option would be to tighten the configuration of the router/modem. If you turn DHCP off, configure the Mono with a static IP address, and then only allow that IP through the router/modem, that should at least make it more difficult to bypass the Mono box.

In addition to all of this, I would suggest that you make sure you have a good Acceptable Use Policy and get the relevant management on board to enforce it. The actions of these power users were potentially very damaging to your corporate network, and such deliberate actions should have consequences for them.
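The monitoring approach in the reply above (poll the m0n0wall over SNMP from the central site, ping the DSL router in front of it, and check whether the site-to-site IPsec tunnel is up) can be turned into a simple classifier without installing anything on the m0n0wall itself. The following is an added example, not code from the thread or from the m0n0wall project. It assumes the values come from net-snmp's `snmpget` on `sysUpTime`, a ping to the router, and the central gateway's IPsec status; the SNMP output lines and poll sequence below are constructed, not captured. One detail the post does not spell out: a box that was unplugged and plugged back in between two polls still gives itself away, because `sysUpTime` restarts from zero. As the reply already notes, none of this fires if the Mono box stays plugged in and a PC is cabled straight into the router/modem.

```python
"""
Central-side poller logic for spotting a removed remote firewall.
Added example for this thread (not the forum's or m0n0wall's own code).
Assumed data sources: net-snmp 'snmpget' on sysUpTime of the remote
m0n0wall, a ping to the DSL router in front of it, and the IPsec SA state
seen by the central gateway. All sample data here is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# net-snmp prints sysUpTime like:
#   DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8640000) 1 day, 0:00:00.00
# The number in parentheses is hundredths of a second since the agent booted.
TIMETICKS_RE = re.compile(r"Timeticks:\s*\((\d+)\)")
TICKS_PER_SECOND = 100
TIMETICKS_MAX = 2 ** 32          # sysUpTime is a 32-bit counter; wraps after ~497 days


def parse_sysuptime(snmpget_output: str) -> Optional[int]:
    """Return the Timeticks value from a snmpget line, or None for timeout/error text."""
    m = TIMETICKS_RE.search(snmpget_output)
    return int(m.group(1)) if m else None


@dataclass
class Poll:
    router_reachable: bool          # did the DSL router/modem answer a ping?
    fw_uptime_ticks: Optional[int]  # parsed sysUpTime; None if the SNMP query failed
    vpn_up: bool                    # is the site-to-site IPsec SA established?
    interval_s: int = 300           # seconds since the previous poll


def evaluate(prev: Optional[Poll], cur: Poll) -> List[str]:
    """Classify the current poll against the previous one and return alert tags."""
    alerts: List[str] = []

    if cur.fw_uptime_ticks is None:
        # Firewall silent. If the router still answers, the line is up and the
        # m0n0wall box is most likely unplugged (the pattern from the question).
        alerts.append("FW_UNREACHABLE_ROUTER_UP" if cur.router_reachable else "SITE_DOWN")
        return alerts

    if prev is not None and prev.fw_uptime_ticks is not None:
        # A removal undone between two polls leaves one trace: sysUpTime went
        # backwards. Do not confuse that with the counter's own 32-bit wrap.
        expected = prev.fw_uptime_ticks + cur.interval_s * TICKS_PER_SECOND
        wrapped = expected >= TIMETICKS_MAX
        if not wrapped and cur.fw_uptime_ticks < prev.fw_uptime_ticks:
            alerts.append("FW_REBOOTED_SINCE_LAST_POLL")

    if not cur.vpn_up:
        # Box answers SNMP but the tunnel is gone: re-cabled around or reconfigured.
        alerts.append("VPN_DOWN_FW_UP")

    return alerts


# --- constructed demonstration data (not captured from a real site) ---------
SAMPLE_SNMPGET = "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8640000) 1 day, 0:00:00.00"
SAMPLE_TIMEOUT = "Timeout: No Response from 192.0.2.1"   # net-snmp's timeout message


def demo() -> dict:
    """Run the classifier over a constructed sequence of polls."""
    healthy = Poll(True, parse_sysuptime(SAMPLE_SNMPGET), True)
    later = Poll(True, healthy.fw_uptime_ticks + 30000, True)      # +5 min, normal
    unplugged = Poll(True, parse_sysuptime(SAMPLE_TIMEOUT), False)  # router up, box gone
    replugged = Poll(True, 2500, True)                              # back, 25 s of uptime
    return {
        "normal": evaluate(healthy, later),
        "unplugged": evaluate(later, unplugged),
        "missed_gap": evaluate(later, replugged),   # poller never saw the outage itself
    }


if __name__ == "__main__":
    for name, tags in demo().items():
        print(f"{name}: {tags or 'ok'}")
```

Run from cron at the central site and feed the tags to OSSEC (or whatever raises the ticket); the reboot check is the one worth keeping even with a short poll interval, since it catches a box that was pulled and put back inside that interval.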
« Reply #2 on: December 11, 2008, 07:56:41 »
john99 *
Posts: 44

Thanks a lot for the help markb,

I learned a lot from your comments and we are going to think over the whole thing.


John