Re: Detect Wireless Access Points

From: winged (winged_at_nofollow.com)
Date: 04/06/05


Date: 05 Apr 2005 21:21:47 EDT

Michael Pelletier wrote:
> Leythos wrote:
>
>
>>On Sat, 02 Apr 2005 12:07:28 +0000, donnie wrote:
>>
>>>I consult for a mortgage company
>>>and I just recommended that they don't go wireless when they move to
>>>their new location.
>>
>>The only wireless we install is in bridge mode between two units, with MAC
>>and key filtering. When you set up the units in bridge mode they don't
>>allow outside connections.
>>
>>I refuse to do wireless for any of our clients. We had one medical center
>>in LA that was adamant about having us install wireless; we kept saying
>>no, then when the client got really demanding, we took out a laptop and did
>>a scan of the available networks, found 8 open networks in the area (all
>>from the main conference room)... Once we showed them the problem it was
>>easy to dissuade them from implementing wireless.
>>
>
>
> Cisco has a nice product line basically using VPN over wireless... EAP,
> EAP/LEAP, etc.
>
> Michael
>

One system we have found effective at ensuring only authorized devices
connect to our network wireless systems is a product called Cranite.

http://www.cranite.com/

It has the nominal administrative overhead of any server (OS patches,
etc.). Unless a device has a certificate, the APs will not respond. The
APs do not broadcast their presence except to certified devices. Certificates
are married to the device and the wireless card; if either is changed,
the APs will not negotiate. The APs do not respond to wardriving
techniques and are FIPS 140-2 compliant. Since it is level 2 access
instead of level 3 (like a standard VPN solution), it enhances the
security envelope significantly.

It does require managing a Win server and establishing VLANs to the
server DMZ (the server lives in its own isolated, properly configured DMZ),
but the product does work, and the encryption does not impact
communication speed significantly.

A drawback is that there are only a few APs that will work with the system,
so this solution is best when one is starting a wireless network from
scratch, as most of your old APs are not suited to operate properly with
it, with the exception of the wireless NIC card. There is an additional
limit of only Win OS (2000, XP, or CE), though I have run Linux inside a
VM on an XP box.

It has the additional advantage of setting up dynamic, effective VPNs
from remote public access points (using the remote access software),
keeping the communications secure even outside of controlled boundaries
by tunneling the communications through the authentication point. While
this may not be a "home" solution, the technology "seems" to be immune
to many unauthorized communication attempts (I have not found any way to
compromise the network or the data, but I am still trying).

The components are equitably priced with other commercial-use APs ($200
range + antenna), and the software was much cheaper per simultaneous
seat than I expected (less than $50 per simultaneous seat; prices go
down with quantity), though I do recommend testing the various beam
antennas (which cost as much as the access points) for large facilities.
Using beams in our case reduced the access points required to 1/4 as
many APs, in turn reducing management overhead.

Additionally, you can restrict the client to a domain (requires the
additional authorization credentials of the domain), route it outside
for general Internet use, mainframes, etc., depending on the user's work
requirements. You can pretty much control and localize where these
devices are allowed to communicate to, using the same group policies
(not necessarily related to domain policies) that we have grown to
love. This finite control of the network activity allowed to the device
is just as essential as controlling wired network communications.
Activity monitoring is very good.

Like any other network, when in the design phase, plan IDS APs to monitor
for unauthorized access attempts. Each IDS requires its own AP; each
AP ideally needs an accompanying IDS AP to monitor for unauthorized
rogue devices, though you can fudge somewhat by placing the IDS between
two APs.

The fact that users are putting rogues on the network is "usually" an
indicator of an unmet requirement. When you attend that next meeting
with full access to your data, it does make meetings more productive.

Once you make APs available for users, rogue use drops significantly,
especially after word gets out about the device confiscation and
supplementary personnel removal action.

If you are looking for a good solution for the business environment,
this one seems to be reasonably secure. I wish I had a similar secure
solution available for the home environment.

I can vouch for 3 minutes to enter a standard WEP device especially if
it is being used, even if all the AP security features are turned on,
just ask my neighbors... ;-)

Winged
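The post above recommends pairing each production AP with an IDS sensor that watches for rogue devices. The following is an added example of the detection logic such a sensor would run, not code from the post's author or from Cranite: it compares constructed scan records (a hypothetical `BSSID,SSID,channel,security` line format, with made-up BSSIDs and SSIDs) against an inventory of the APs you deployed and flags an unknown AP beaconing your SSID (an "evil twin"), an unknown AP that may simply be a neighbor, and a beacon that carries one of your own BSSIDs but the wrong security mode. The inventory, scan lines and format are all assumptions for illustration.

```python
"""Rogue access-point detection over wireless scan records (added example).

Assumes a constructed inventory of authorized APs (BSSID -> expected SSID and
security mode) and constructed scan lines of the form
'BSSID,SSID,CHANNEL,SECURITY'.  The format, BSSIDs and SSIDs are hypothetical
and are not the output of any particular tool or product.
"""
from dataclasses import dataclass
from collections import Counter

# Constructed inventory of the APs we deployed (hypothetical values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CORP-SECURE", "security": "WPA2-ENT"},
    "00:11:22:33:44:02": {"ssid": "CORP-SECURE", "security": "WPA2-ENT"},
}

# Constructed scan records, as a monitoring sensor might log them.
SAMPLE_SCAN = """\
00:11:22:33:44:01,CORP-SECURE,6,WPA2-ENT
00:11:22:33:44:02,CORP-SECURE,11,WPA2-ENT
DE:AD:BE:EF:00:01,CORP-SECURE,1,OPEN
AA:BB:CC:DD:EE:01,linksys,6,WEP
00:11:22:33:44:02,CORP-SECURE,11,OPEN
this line is malformed and must not crash the monitor
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    kind: str    # "evil_twin", "unknown_ap" or "bssid_spoof_or_misconfig"
    detail: str


def parse_scan(text):
    """Parse 'BSSID,SSID,channel,security' lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 4 or not parts[2].strip().isdigit():
            continue  # a sensor loop should drop bad input, not stop on it
        bssid, ssid, channel, security = (p.strip() for p in parts)
        records.append({"bssid": bssid.upper(), "ssid": ssid,
                        "channel": int(channel), "security": security.upper()})
    return records


def classify(records, authorized=AUTHORIZED_APS):
    """Compare observed beacons with the deployed-AP inventory and return findings."""
    corp_ssids = {ap["ssid"] for ap in authorized.values()}
    findings = []
    for rec in records:
        expected = authorized.get(rec["bssid"])
        if expected is None:
            if rec["ssid"] in corp_ssids:
                # Someone else is advertising our network name: treat as hostile.
                findings.append(Finding(rec["bssid"], rec["ssid"], "evil_twin",
                                        "unknown BSSID advertising a corporate SSID"))
            else:
                # Could be a neighbor or an employee-installed AP: needs a signal survey.
                findings.append(Finding(rec["bssid"], rec["ssid"], "unknown_ap",
                                        f"unknown AP ({rec['security']}); locate before acting"))
        elif rec["ssid"] != expected["ssid"] or rec["security"] != expected["security"]:
            # Our BSSID, but not our configuration: cloned MAC or a misconfigured unit.
            findings.append(Finding(rec["bssid"], rec["ssid"], "bssid_spoof_or_misconfig",
                                    f"expected {expected['ssid']}/{expected['security']}, "
                                    f"saw {rec['ssid']}/{rec['security']}"))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick dashboard-style view."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in classify(parse_scan(SAMPLE_SCAN)):
        print(f"{f.kind:25} {f.bssid} {f.ssid!r}: {f.detail}")
    print(summarize(classify(parse_scan(SAMPLE_SCAN))))
```

The "unknown_ap" class deliberately stops short of calling the device a rogue: as the thread notes, a scan from a conference room will pick up the neighbors, so an unknown BSSID is a lead for a physical signal survey rather than proof that something is plugged into your LAN. A beacon that reuses one of your own BSSIDs with the wrong security mode is the case worth paging on, since either a unit has been reset to defaults or someone is cloning it.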