Re: Wired detection of rogue access points



Filtering by MAC gives you no additional security whatsoever, period. MAC addresses can be easily spoofed, and although your solution may assist in spotting misconfigurations, a determined intruder will get straight through...

Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Adam Graham" <agraham@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 26 Mar 2007 15:52:21
To:<focus-ids@xxxxxxxxxxxxxxxxx>
Subject: RE: Wired detection of rogue access points

First off, is it even possible to buy a laptop that does not have wifi built
in?

I have set up an automated scan looking for MACs. If the MAC does not appear
on my list I drop its packets in the IPTables FW. It's rather simple to do.
The main thing I do that seems to work the best is the APs are un-trusted
and therefore stuck out in the DMZ. Before one can get to network resources
they need to open the VPN client after connecting to the AP.

A simple way to handle MACs with IPTables (NOTE: simple rule; if you need
more instruction I can send it to you, or just the complete iptables script):

Let's create 2 text files:
/tmp/whiteist
/tmp/blackist

Insert into whiteist 00:06:25:2E:56:A0
Insert into blackist 00:06:25:2E:56:E1


Add the following to your IPTables script
# (shell syntax: no spaces around "=", and command substitution must be closed)
TABLES="filter nat mangle"
iptables=/sbin/iptables
touch /tmp/whiteist
touch /tmp/blackist
# first whitespace-separated field of each line is the MAC address
WHITELIST=$(awk '{print $1}' /tmp/whiteist)
BLACKLIST=$(awk '{print $1}' /tmp/blackist)

# Forward good MACs (anything the mangle table has marked with 0x42)
$iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT

# mark all packets from the good macs
for MAC in $WHITELIST ; do
$iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK \
  --set-mark 0x42
done

# drop all packets from the bad macs (inserted with -I, so these rules end up
# ahead of the MARK rules in PREROUTING)
for MAC in $BLACKLIST ; do
$iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
done





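The following is an added example, not code from either poster. It does two things the thread discusses: it generates the whitelist/blacklist iptables rules from list files, but validates each entry first (a malformed line in the list would otherwise make iptables abort mid-script), and it flags any MAC that appears bound to more than one IP in a parsed ARP/neighbour table, which is one cheap indicator that an address is being duplicated or spoofed on the wired side. The file paths, the IPTABLES dry-run variable and the sample data are assumptions; by default the script only echoes the iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: IPTABLES is set to
# "echo /sbin/iptables", so the rules are printed rather than applied.
# Export IPTABLES=/sbin/iptables to load them for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
MARK=0x42

# Print the MAC found in field 1 of each non-comment line of the list file,
# normalised to upper case, but only if it is well formed (six colon-separated
# hex pairs). Malformed entries are reported on stderr and skipped.
valid_macs() {
    grep -v '^[[:space:]]*#' "$1" | awk '{print $1}' | while read -r mac; do
        [ -z "$mac" ] && continue
        if echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "$mac" | tr 'a-f' 'A-F'
        else
            echo "skipping malformed MAC entry: $mac" >&2
        fi
    done
}

# $1 = whitelist file, $2 = blacklist file. Same rule layout as the thread:
# whitelisted sources get marked in mangle/PREROUTING and the mark is accepted
# in FORWARD; blacklisted sources are dropped in PREROUTING.
build_rules() {
    $IPTABLES -t filter -I FORWARD 1 -m mark --mark "$MARK" -j ACCEPT
    for mac in $(valid_macs "$1"); do
        $IPTABLES -t mangle -I PREROUTING -m mac --mac-source "$mac" -j MARK --set-mark "$MARK"
    done
    for mac in $(valid_macs "$2"); do
        $IPTABLES -t mangle -I PREROUTING -m mac --mac-source "$mac" -j DROP
    done
}

# $1 = file of "ip mac" pairs (e.g. parsed from `ip neigh` or `arp -an`).
# Prints each MAC that is bound to more than one IP, with the IPs involved.
# A MAC-filtered network can still be walked through by a host that copies an
# allowed address, so this is a detection check to run alongside the filter.
duplicate_macs() {
    awk '{ seen[$2] = seen[$2] " " $1; n[$2]++ }
         END { for (m in n) if (n[m] > 1) print m ":" seen[m] }' "$1" | sort
}

# Stand-alone demo on constructed sample data (hypothetical addresses).
demo() {
    d=$(mktemp -d)
    printf '00:06:25:2E:56:A0 laptop-1\n# comment line\nbogus-entry\n00:06:25:2e:56:b2\n' > "$d/whitelist"
    printf '00:06:25:2E:56:E1\n' > "$d/blacklist"
    printf '192.168.1.10 00:06:25:2E:56:A0\n192.168.1.11 00:06:25:2E:56:B2\n192.168.1.12 00:06:25:2E:56:A0\n' > "$d/arp"
    build_rules "$d/whitelist" "$d/blacklist"
    echo "MACs seen with more than one IP:"
    duplicate_macs "$d/arp"
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh script.sh demo` to see the generated rules and the duplicate-MAC report for the constructed sample. The duplicate check only catches the clumsy case (two hosts active with the same MAC at once); a spoofer that waits for the legitimate host to leave produces no duplicate, which is the reply's point that MAC filtering is a convenience, not a control.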