When Joe the salesman from Pete’s Software Palace shows up at the guard desk (because I know you have one) and is signed into the system and is asked to have a seat until you come to get him. Is there a wired network connection in the lobby that would allow Joe to sniff your network? If there is, you should probably disable the port for that specific jack.
After you come and get Joe and you go meet several other people in a conference room. Joe says he needs Internet access; is his only option a wired network or do you have a guest wireless network? The preferred option should be a wireless guest network, segregated from the corporate wireless network. Additional controls could include a daily, rotating password that only employees have access to, thus requiring a vendor or contractor to get the password from an employee. This ensures that someone at your company will know that they are connected to your guest wireless network.
If your company has fast, reliable corporate wireless network, another sound practice is disable unused wired ports in conference rooms. Many times a vendor or contractor will be left alone in a conference room; the disabling of excess ports will help reduce the risk to the network.
I will leave you this week with a couple of wireless network thoughts….what type of authentication to you require for your laptops to connect to the corporate wireless network? If you are not requiring some type of machine authentication, you are at risk for access point spoofing. How do you handle the ad-hoc networks your corporate laptops have previously connected to? These are usually from traveling (i.e. hotel, airports, etc….) and they will continuously send out a signal looking for their respective network. Another opportunity for access spoofing. Finally, How far does your wireless network extend outside of your building?