[fw-wiz] Re: Wireless

From: Dennis.Archambault@stpaul.com
Date: 08/09/02

From: <Dennis.Archambault@stpaul.com>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Aug  9 17:33:17 2002

I have struggled with these questions for a while now. Have looked at the
NetStumbler/Kismet side of the solution. But still find that solution set
somewhat limited when it comes to a national or international network. I
started toying with the 'wired' side looking at the WAP MAC addresses.
Most of the WAP manufacturers out there are using their own MAC (OUI)
ranges. I think there are like 15-20 OUIs right now that pick up the
majority of the WAP products, I started with a list from a thread on BAWUG.
So the plan is to write a simple script that will go out to all the routers
and grep the OUI list against the router ARP table, alert on any hits.
Still have to do a little leg work in weeding out the false positives, but
if you run something like this 3-4 times a day you should pick up at least
some of the rogue APs.

You could argue that the MAC OUI on the WAP could be forged to obfuscate
its presence on the wired net. I don't disagree. I would argue if we have
someone with the talent level to whack the MAC address, they have enough
skills to either tighten up the radio side (hopefully) or are using it
for some really evil purposes and don't want to be found (hello IDS and
other burglar alarms.)

I also came across a guy from Cisco, Kirby Kuehl that has done some work in
this area on the Cisco network. He has a somewhat limited tool that he has
written that will search the network for specific WAP signatures. I think
he uses tiny-HTTPd and SNMP sigs to discover these things. It's not a
highly developed tool because it was purpose built for locating Cisco Stuff
on Cisco Networks. Anyway, Keith has the source posted out on SourceForge,
I think it was called... APTool or something like that.

Interesting stuff this rogue AP... look forward to hearing what other folks
are doing on an enterprise basis.

Dennis Archambault
St Paul Cos.

On Fri, 9 Aug 2002, Paul Robertson wrote:

> How are people starting to deal with hunting down and killing rogue
> Wireless Access Points (WAPs)[1]? It seems pretty easy in environments
> where wireless isn't allowed at all, but is anyone dealing with the
> situation in an environment where there are sanctioned wireless networks?
> Thanks,
> Paul
> [1] I'm thinking a lot about the built-in laptop WAPs, people bringing in
> 802.11b-enabled hubs, and only slightly about the cleaning folks hiding
> one in the ceiling tiles.

> Paul D. Robertson "My statements in this message are personal
> proberts@patriot.net which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure
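
An added example, not part of the original message or any tool it mentions: a sketch of the wired-side check described above, matching an OUI watchlist against router ARP tables and skipping sanctioned APs. It assumes the ARP output has already been collected from each router; the OUIs, vendor labels, router name and ARP lines are constructed placeholders.

```python
import re

# Constructed placeholder watchlist: OUI (first 3 MAC octets) -> label.
# Replace with the real OUIs of the AP products you want to flag.
AP_OUIS = {"001122": "ExampleAP-VendorA", "0a1b2c": "ExampleAP-VendorB"}

# MACs of sanctioned access points, so approved gear does not alert.
SANCTIONED = {"001122000001"}

# Constructed sample in Cisco IOS "show ip arp" layout, keyed by router.
SAMPLE_ARP = {
    "rtr-branch-01": """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   00aa.bbcc.dd01  ARPA   FastEthernet0/0
Internet  10.1.20.14             12   0011.22ab.cdef  ARPA   FastEthernet0/1
Internet  10.1.20.20              3   0011.2200.0001  ARPA   FastEthernet0/1
Internet  10.1.20.31              0   Incomplete      ARPA
Internet  10.1.20.77             45   0a1b.2c33.4455  ARPA   FastEthernet0/1
""",
}

# Accept dotted (xxxx.xxxx.xxxx), colon and hyphen MAC notations.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b|\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b",
    re.I,
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize_mac(text):
    """Return 12 lowercase hex digits regardless of separator style."""
    return re.sub(r"[.:-]", "", text).lower()

def find_candidates(router, arp_text):
    """Return (router, ip, mac, label) for unsanctioned MACs on the watchlist."""
    hits = []
    for line in arp_text.splitlines():
        mac_m, ip_m = MAC_RE.search(line), IP_RE.search(line)
        if not (mac_m and ip_m):
            continue  # header line or incomplete ARP entry
        mac = normalize_mac(mac_m.group())
        label = AP_OUIS.get(mac[:6])
        if label and mac not in SANCTIONED:
            hits.append((router, ip_m.group(), mac, label))
    return hits

if __name__ == "__main__":
    for router, table in SAMPLE_ARP.items():
        for hit in find_candidates(router, table):
            print("possible rogue AP: router=%s ip=%s mac=%s oui=%s" % hit)
```

A hit is only a candidate: the same vendor OUI can appear on non-AP hardware, so each alert still needs the false-positive weeding the message mentions.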