RE: Wired detection of rogue access points



I do two things.
1) Use a MAC scanner. I wrote one that scans periodically and compares the
MACs with the MACs listed in my equipment database. It then displays the
details about the machine running the unknown MAC address. I am planning on
adding countermeasures to this program.

2) A Wi-Fi scanner (NetStumbler, Kismet, etc.)

3) TREAT ALL WIRELESS NETWORKS AS HOSTILE!!!!


Now what I am about to say is not how to find rogue APs as much as a system
to limit the exposure to them.

I have 80 acres covered by 802.11b/g in a metropolitan area in a city with
several million people. While this is not the easiest network to defend, we
have a system that helps. All of our access points are custom built by
ourselves running Pebble Linux. One reason we did this is there is a mini
PCI wireless card putting out 400 mW (most are 200). We force all
authenticated connections into a VPN connection. If someone gets through the
WEP/WPA/MAC filtering, they are stuck against tougher security standards. Our
access points lie outside the firewall, and a user must connect to the
VPN to gain access to anything (including internet access). If/when a rogue
AP shows up, we generally know within 5 or 10 minutes. We see lots of scanning
and probing into our wireless network on a daily basis. We only take action
on the more extreme cases.

Here is how we stop most unauthorized connections. I have a MySQL table loaded with
computer names, MACs and other information. There is a cron job to dump the
list of MACs to a text file nightly (this can be run manually as well). Any
MAC showing up at the iptables rule that is not on the list has its packets
logged and dropped.

I have not found a single application you can go buy to protect yourself.
Instead I use known, stable technologies to protect my network. I hope this
helps.


Check out
http://www.proxim.com/learn/library/whitepapers/Rogue_Access_Point_Detection.pdf
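The MAC-allowlist scheme the post describes (scan the wire, compare against the equipment database, log and drop anything else with iptables), as an added example that is not the poster's own script. The ARP output, the host table and the chain name are constructed assumptions; the real setup reads the MACs from the MySQL dump instead.

```python
"""Added example (not from the original post): flag MACs seen on the wire that
are missing from the equipment database, and emit the iptables allowlist rules."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `arp -n` style output; not captured from a real network.
SAMPLE_ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.10.20            ether   00:11:22:33:44:55   C                     eth0
192.168.10.21            ether   00:11:22:33:44:66   C                     eth0
192.168.10.77            ether   de:ad:be:ef:00:01   C                     eth0
"""

# Constructed stand-in for the MySQL equipment table: MAC -> computer name.
KNOWN_HOSTS: Dict[str, str] = {
    "00:11:22:33:44:55": "ws-accounting-01",
    "00:11:22:33:44:66": "ws-accounting-02",
}

MAC_RE = re.compile(r"^(\S+)\s+ether\s+([0-9a-fA-F:]{17})\s", re.MULTILINE)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {mac: ip} from arp -n output; MACs normalised to lowercase."""
    return {mac.lower(): ip for ip, mac in MAC_RE.findall(text)}


def unknown_macs(seen: Dict[str, str], known: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hosts on the wire whose MAC is not in the equipment database."""
    allow: Set[str] = {m.lower() for m in known}
    return sorted((mac, ip) for mac, ip in seen.items() if mac not in allow)


def iptables_rules(known: Dict[str, str], chain: str = "FORWARD") -> List[str]:
    """Allowlist rules: accept known source MACs, then log and drop the rest.
    The mac match only works in INPUT/FORWARD/PREROUTING (hypothetical chain name),
    and a MAC is trivially forged, so this is a filter, not an identity check."""
    rules = [f"iptables -A {chain} -m mac --mac-source {m} -j ACCEPT" for m in sorted(known)]
    rules.append(f"iptables -A {chain} -j LOG --log-prefix 'UNKNOWN-MAC: '")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    seen = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ip in unknown_macs(seen, KNOWN_HOSTS):
        print(f"unknown MAC {mac} at {ip}")
    print("\n".join(iptables_rules(KNOWN_HOSTS)))
```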


