RE: Wired detection of rogue access points



No solution is absolute.

Activate 802.1x Port base auth on your network and you increase the level of expertise necessary to connect a rogue AP.
Install Wifi sensors on every floor of every building and use something like AirDefense to centrally manage them.
Scan the network from the wire side.
Install agent on all your laptops to disable the WiFi port as soon as the Ethernet port is active.
Put filters on your vlans so that PC cannot talk across vlan to other PC but only at the server's vlan. A good structure IP Address plan is very helpfull for that
Etc...




-----Message d'origine-----
De : listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] De la part de Eric Hacker
Envoyé : 21 mars 2007 14:11
À : focus-ids@xxxxxxxxxxxxxxxxx
Objet : Re: Wired detection of rogue access points

Haven't we gone through this before?

For each of you that thinks they have a way to detect a wireless
access point using only the LAN, please demonstrate how you would
detect this.

A wireless router is hooked up to the network jack of a printer. The
wireless router is configured to use the printer's MAC address. The
wireless router is set up with the printer's new IP address as it's
DMZ host[1]. From the outside, all port scans and probes are going to
the printer.

There might be some IP stack differences, but you'd have to have a
very comprehensive database to figure that out, and the time to scan
at that level could prevent that level of probing on large networks.

From Mr. Waters, I expect no less than the results of an actual scan
on a live network with
this set up running on it. :)

Now that was easy. No real expertise required on the person who set up
the rogue access point, just a little cleverness. So lets say I want
to put the rogue access point on your network.

Same router, new firmware. My new OS is reconfigured a bit.

The WAN port bridges to LAN1. WAN plugged in to wall, LAN1 plugged in
to printer. All other ports and the wireless are configured for the
private LAN on the router.

My OS sniffs packets and determines the IP address in use by the
printer. Now it statefully NAT's packets from it's private network to
the printer's IP address. It filters return packets on the bridge so
that the printer doesn't see any of the traffic.

Now how do you find it over ethernet with scanning or probing? It
doesn't respond to anything. It doesn't interfere with the printer's
IP stack fingerprints when the printer is probed. Only watching the
unusual traffic coming from the printer or scanning for the RF would
pick this up.

Oh yeah, heaven forbid that I go all out and not use normal wireless
frequencies. Maybe pop in an EVDO card instead of an 802.11 one. Who
would want their own Internet accessible back door into your intranet
anyway?

OK, so my OS isn't completely off the shelf, and I haven't had the
time to sit down and make it work yet. The open source pieces are all
there, however, just waiting for the right person to come along and
duct tape them all together.

Bottom line: Ethernet cannot be completely secured. Either encrypt
everything, watch everything, or physically control access to
everything.

Regards,
Eric Hacker, CISSP

[1] I hate using the term DMZ for this use, but that's what is used on
all the router configurations.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



Relevant Pages

  • RE: Wired detection of rogue access points
    ... Rogue detection is critical ... Activate 802.1x Port base auth on your network and you increase the level of expertise necessary to connect a rogue AP. ... No real expertise required on the person who set up the rogue access point, ...
    (Focus-IDS)
  • Re: Wired detection of rogue access points
    ... Wireless security is just as important to companies without wireless networks as it is to those with! ... Wired detection of rogue access points ... A wireless router is hooked up to the network jack of a printer. ...
    (Focus-IDS)
  • Re: HELP: Linux telnet smtp server fails, Works from MS Windows
    ... > Then you have a firewall up on port 25 outgoing. ... you surely don't mnean wireless router, ... network device that only connects devices on the _same_ network. ...
    (comp.os.linux.setup)
  • RE: Networking adding of DI-524
    ... I am writing this letter to ALL Wireless Router manufacturers. ... screen shots from Linksys' own self help technical support site. ... network, what on Gods' Green Earth makes anyone think that I would CHOOSE to ... WAN port. ...
    (microsoft.public.windowsxp.network_web)
  • RE: Printing from Win9x clients stops
    ... > and make sure this software does not interfere with SBS Server. ... > clients, please disable it and try again. ... Create a local printer and redirect the port to the network server. ...
    (microsoft.public.windows.server.sbs)