RE: Wired detection of rogue access points
- From: "Adam Graham" <agraham@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 19 Mar 2007 22:42:28 -0500
I do two things.
1) Use a MAC scanner. I wrote one that scans periodically and compares the
MACs with the MACs listed in my equipment database. It then displays the
details about the machine running the unknown MAC address. I am planning on
adding countermeasures to this program.
2) A WiFi scanner (NetStumbler, Kismet, etc.)
3) TREAT ALL WIRELESS NETWORKS AS HOSTILE!!!!
Now what I am about to say is not how to find rogue APs as much as a system
to limit the exposure to them.
I have 80 acres covered by 802.11 b/g in a metropolitan area in a city with
several million people. While this is not the easiest network to defend, we
have a system that helps. All of our access points are custom built
ourselves, running Pebble Linux. One reason we did this is there is a mini
PCI wireless card putting out 400 mW (most are 200). We force all
authenticated connections into a VPN connection. If someone gets through the
WEP/WPA/MAC filtering they are stuck against tougher security standards. Our
access points lie outside the firewall and a user must connect to the
VPN to gain access to anything (including internet access). If/when a rogue
AP shows up we generally know within 5 or 10 min. We see lots of scanning
and probing into our wireless network on a daily basis. We only take action
on the more extreme cases.
How we stop most unauthorized connections: I have a MySQL table loaded with
computer names, MACs and other information. There is a cron job to dump the
list of MACs to a text file nightly (this can be run manually as well). Any
MAC showing up on the IPTables rule that is not on the list has its packets
logged and dropped.
I have not found a single application you can go buy to protect yourself.
Instead I use known, stable technologies to protect my network. I hope this
helps.
Check out
http://www.proxim.com/learn/library/whitepapers/Rogue_Access_Point_Detection
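
An added example, not the scanner from this post: a minimal Python version of the MAC-versus-inventory comparison described in item 1. The inventory dictionary and the `ip neigh show` sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample data: inventory MACs in the mixed formats a database accumulates.
INVENTORY = {
    "00:11:22:33:44:55": "front-desk-pc",
    "00-0C-29-AA-BB-CC": "file-server",
    "0013.ce12.3456": "ap-north",
}
# Constructed `ip neigh show` output from a Linux host on the wired segment.
SAMPLE_NEIGH = """\
10.0.0.12 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.20 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
10.0.0.31 dev eth0 lladdr 00:13:ce:12:34:56 REACHABLE
10.0.0.77 dev eth0 lladdr 00:18:39:de:ad:01 REACHABLE
10.0.0.90 dev eth0  FAILED
10.0.0.91 dev eth1 lladdr 02:00:5e:10:00:01 DELAY
"""
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")

def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_unknown(neigh_text, inventory):
    """List neighbours whose MAC is absent from the inventory."""
    known = {normalize_mac(m) for m in inventory} - {None}
    unknown = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:  # FAILED/INCOMPLETE entries carry no lladdr
            continue
        ip, dev, state = m.group(1), m.group(2), m.group(4)
        mac = normalize_mac(m.group(3))
        if mac is None or mac in known:
            continue
        unknown.append({
            "mac": mac, "ip": ip, "dev": dev, "state": state,
            # Bit 0x02 of the first octet marks a locally administered (non-vendor) address.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        })
    return unknown

if __name__ == "__main__":
    for hit in find_unknown(SAMPLE_NEIGH, INVENTORY):
        print(hit)
```

Normalizing both sides before comparing matters because inventory exports and neighbour tables rarely agree on separators or case; without it, known equipment shows up as unknown.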