[fw-wiz] Re: Wireless

From: Dennis.Archambault@stpaul.com
To: firewall-wizards@honor.icsalabs.com
Date: Fri Aug  9 17:33:17 2002

I have struggled with these questions for a while now. Have looked at the
NetStumbler/Kismet side of the solution. But still find that solution set
somewhat limited when it comes to a national or international network. I
started toying with the 'wired' side looking at the WAP MAC addresses.
Most of the WAP manufacturers out there are using their own MAC (OUI)
ranges. I think there are like 15-20 OUIs right now that pick up the
majority of the WAP products; I started with a list from a thread on BAWUG.
So the plan is to write a simple script that will go out to all the routers
and grep the OUI list against the router ARP table, and alert on any hits.
Still have to do a little leg work in weeding out the false positives, but
if you run something like that 3-4 times a day you should pick up at least
some of the rogue APs.

You could argue that the MAC OUI on the WAP could be forged to obfuscate
its presence on the wired net. I don't disagree. I would argue that if we have
someone with the talent level to whack the MAC address, they have enough
skills to either tighten up the radio side (hopefully) or are using it
for some really evil purposes and don't want to be found (hello IDS and
other burglar alarms).

I also came across a guy from Cisco, Kirby Kuehl, who has done some work in
this area on the Cisco network. He has a somewhat limited tool that he has
written that will search the network for specific WAP signatures. I think
he uses tiny-HTTPd and SNMP sigs to discover these things. It's not a
highly developed tool because it was purpose-built for locating Cisco stuff
on Cisco networks. Anyway, Keith has the source posted out on SourceForge;
I think it was called... APTool or something like that.

Interesting stuff, this rogue AP hunting... look forward to hearing what other folks
are doing on an enterprise basis.

Dennis Archambault
St Paul Cos.

On Fri, 9 Aug 2002, Paul Robertson wrote:

> How are people starting to deal with hunting down and killing rogue
> Wireless Access Points (WAPs)[1]? It seems pretty easy in environments
> where wireless isn't allowed at all, but is anyone dealing with the
> situation in an environment where there are sanctioned wireless networks?
>
> Thanks,
> Paul
>
> [1] I'm thinking a lot about the built-in laptop WAPs, people bringing in
> 802.11b-enabled hubs, and only slightly about the cleaning folks hiding
> one in the ceiling tiles.
>
> Paul D. Robertson      "My statements in this message are personal
> proberts@patriot.net    which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure
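As an added example (not part of Dennis's post, nor any of the tools he mentions), here is the wired-side check he describes in script form: pull the ARP table from each router, normalize each MAC to plain hex, take the first three bytes as the OUI, compare it against a hunt list of AP-vendor OUIs, and suppress the sanctioned APs so the alert list is only the unexpected ones. The router names, ARP output, OUI hunt list, vendor labels and allowlist below are all constructed placeholders; a real run would replace the sample ARP text with `show ip arp` / `arp -n` output collected over SSH or SNMP, and build the OUI list from the IEEE registry and your own AP vendors.

```python
#!/usr/bin/env python3
"""Hunt rogue APs from the wired side: match ARP-table MAC OUIs against a
list of wireless-AP vendor OUIs, suppressing APs that are known/sanctioned.

Added example, not from the original post.  Everything below the imports is
constructed sample data: the OUI list and vendor labels are assumptions and
should be rebuilt from the IEEE OUI registry; the ARP output is made up.
"""
import re

# OUIs to hunt for, as 6 upper-case hex digits.  Sample values only; the
# vendor labels are assumptions for illustration.
WAP_OUIS = {
    "004096": "Cisco/Aironet (assumed)",
    "00022D": "Agere/Orinoco (assumed)",
    "00045A": "Linksys (assumed)",
}

# Sanctioned APs whose MACs should not alert (the "weeding out false
# positives" step).  Placeholder entry.
KNOWN_APS = {"004096AABB01"}

# Constructed sample ARP output: one Cisco IOS router (dotted MAC format)
# and one Linux gateway (`arp -n`, colon format).
SAMPLE_ARP = {
    "rtr-nyc-01": """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0009.b7aa.0001  ARPA   FastEthernet0/0
Internet  10.1.1.40               5   0040.96aa.bb01  ARPA   FastEthernet0/0
Internet  10.1.1.57              12   0002.2d11.2233  ARPA   FastEthernet0/0
""",
    "gw-lon-01": """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.2.1.1                 ether   00:09:b7:aa:00:02   C                     eth0
10.2.1.99                ether   00:04:5a:de:ad:01   C                     eth1
""",
}

# Accept Cisco dotted triplets (0040.96aa.bb01) or colon/dash pairs.
MAC_RE = re.compile(
    r"\b([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
    r"|(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})\b"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Strip dots/colons/dashes and upper-case: '0040.96aa.bb01' -> '004096AABB01'."""
    return re.sub(r"[.:-]", "", mac).upper()


def parse_arp(text):
    """Yield (ip, mac) for each ARP line, skipping headers and junk lines."""
    for line in text.splitlines():
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line)
        if ip and mac:
            yield ip.group(1), normalize_mac(mac.group(1))


def find_wap_hits(arp_by_router, wap_ouis=WAP_OUIS, known_aps=KNOWN_APS):
    """Return a list of suspected APs: ARP entries whose OUI is on the hunt
    list and whose full MAC is not in the sanctioned-AP allowlist."""
    hits = []
    for router, text in arp_by_router.items():
        for ip, mac in parse_arp(text):
            oui = mac[:6]
            if oui in wap_ouis and mac not in known_aps:
                hits.append({"router": router, "ip": ip, "mac": mac,
                             "vendor": wap_ouis[oui]})
    return hits


if __name__ == "__main__":
    for h in find_wap_hits(SAMPLE_ARP):
        print("ALERT possible rogue AP: router=%s ip=%s mac=%s vendor=%s"
              % (h["router"], h["ip"], h["mac"], h["vendor"]))
```

Two caveats the post already hints at: an ARP cache only holds hosts that have talked recently, which is why the check is worth repeating several times a day rather than once, and the allowlist should hold full MACs of sanctioned APs, not whole OUIs, or a rogue AP from the same vendor as your sanctioned ones will never alert.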
