Re: Detect Wireless Access Points

From: winged (
Date: 04/06/05

Date: 05 Apr 2005 21:21:47 EDT

Michael Pelletier wrote:
> Leythos wrote:
>>On Sat, 02 Apr 2005 12:07:28 +0000, donnie wrote:
>>>I consult for a mortgage company
>>>and I just recommended that they don't go wireless when the move to
>>>their new location.
>>The only wireless we install is in bridge mode between two units, with MAC
>>and key filtering. When you set up the units in bridge mode they don't
>>allow outside connections.
>>I refuse to do wireless for any of our clients. We had one medical center
>>in LA that was adamant about having us install Wireless, we kept saying
>>no, then when the client got real demanding, we took out a laptop and did
>>a scan of the available networks, found 8 open networks in the area (all
>>from the main conference room)..... Once we showed them the problem it was
>>easy to dissuade them from implementing wireless.
> Cisco has a nice product line basically using VPN over wireless...EAP
> EAP/LEAP, etc..
> Michael

One system we have found effective at ensuring only authorized devices
connect to our network wireless systems is product called Cranite.

It has the nominal administrative overhead of any server (OS patches
etc). Unless a device has a certificate, the APs will not respond. The
APs do not broadcast presence except to certified device. Certificates
are married to the device and the wireless card, if either are changed
the APs will not negotiate. The APs do not respond to wardriving
techniques and are FIPS 140-2 compliant. Since it is a level 2 access
instead of level 3 (like a standard VPN solution) it enhances the
security envelope significantly.

It does require managing a Win server and establishing VLANS to the
server DMZ (server lives in its own isolated DMZ properly configured),
but the product does work and the encryption does not impact
communications speed significantly.

A drawback is there are only a few APs that will work with the system,
so this solution is best when one is starting a wireless network from
scratch as most of your old APs are not suited to operate properly with
the exception of the wireless NIC card. There is an additional limit of
only Win OS (2000, XP, or CE) though I have run Linux inside a VM on a
XP box.

It has the additional advantage of setting up dynamic effective VPNs
from remote public access points (using the remote access software)
keeping the communications secure even outside of controlled boundaries
tunneling the communications through the authentication point. While
this may not be a "home" solution, the technology "seems" to be immune
to many unauthorized communication attempts (I have not found any way to
compromise the network or the data, but I am still trying).

The components are equitably priced with other commercial use APs (200$
range + antenna) and the software was much cheaper per simultaneous
seats than I expected (less than 50$ per simultaneous seat (prices go
down with quantity)), though I do recommend testing the various beam
antennas (which cost as much as the access points) for large facilities.
Using beams in our case reduced the access points required to 1/4 as
many APs in turn reducing management overhead.

Additionally you can restrict the client to a domain, (requires the
additional authorization credentials of the domain), route it outside
for general Internet use, mainframes etc, depending on the user work
requirement. You can pretty much control and localize where these
devices are allowed to communicate to, using the same group policies
(does not relate necessarily to domain policies) that we have grown to
love. This finite control of the network activity allowed to the device
is just as essential as controlling wired network communications.
Activity monitoring is very good.

Like any other network, when in design phase, plan IDS APs to monitor
for unauthorized access attempts. Each IDS requires its own AP, each
AP ideally needs an accompanied IDS AP for monitoring for unauthorized
rogue devices, though you can fudge somewhat by placing the IDS between
two APs.

The fact users are putting rogues on the network is "usually" an
indicator of an un-met requirement. When you attend that next meeting
with full access to your data, it does make meetings more productive.

Once you make APs available for users rogue use drops significantly,
especially after word gets out about the device confiscation and
supplementary personnel removal action.

If you are looking for a good solution for the business environment,
this one seems to be reasonably secure. I wish I had a similar secure
solution available for the home environment.

I can vouch for 3 minutes to enter a standard WEP device especially if
it is being used, even if all the AP security features are turned on,
just ask my neighbors... ;-)
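The post above recommends planning monitoring ("IDS") APs that watch for rogue devices, and notes how little a WEP-protected AP is worth. The script below is an added example, not code from the post or from the Cranite product, of the comparison such a monitoring AP has to make: it takes a list of beacon observations (constructed sample lines in a hypothetical `key=value` log format) and checks them against an inventory of authorized APs (also constructed), flagging unknown BSSIDs that advertise the corporate SSID (a likely evil twin), strong unknown APs that are probably inside the building, authorized APs that drift from their expected channel or security setting, and open or WEP networks. The RSSI threshold is an assumption and would be tuned per site.

```python
"""Rogue access point detection over constructed scan records.

Added example, not code from the original post or from Cranite.  A
monitoring AP collects beacon observations; this script compares them
with an inventory of authorized APs and reports anything that does not
match.  The inventory, the scan lines and the log format are constructed.
"""
from dataclasses import dataclass

# Constructed inventory of authorized APs: BSSID -> (SSID, channel, security)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2"),
    "00:11:22:33:44:03": ("CorpNet", 11, "WPA2"),
}

# Constructed beacon observations in a hypothetical key=value log format.
SAMPLE_SCAN = """\
bssid=00:11:22:33:44:01 ssid=CorpNet channel=1 security=WPA2 rssi=-48
bssid=00:11:22:33:44:02 ssid=CorpNet channel=6 security=WPA2 rssi=-55
bssid=00:11:22:33:44:03 ssid=CorpNet channel=9 security=WPA2 rssi=-60
bssid=DE:AD:BE:EF:00:01 ssid=CorpNet channel=6 security=OPEN rssi=-40
bssid=de:ad:be:ef:00:02 ssid=linksys channel=11 security=WEP rssi=-42
bssid=de:ad:be:ef:00:03 ssid=NeighborCafe channel=1 security=WPA2 rssi=-85
"""

WEAK_SECURITY = {"OPEN", "WEP"}  # the post's "3 minutes" class of AP


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str
    rssi: int


def parse_scan(text):
    """Parse key=value beacon lines into Observation records (BSSIDs lowercased)."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        observations.append(Observation(
            bssid=fields["bssid"].lower(),
            ssid=fields["ssid"],
            channel=int(fields["channel"]),
            security=fields["security"].upper(),
            rssi=int(fields["rssi"]),
        ))
    return observations


def classify(observations, authorized=AUTHORIZED_APS, rssi_threshold=-70):
    """Return (bssid, verdict, reason) per observation.

    rssi_threshold (assumed value) separates "probably inside the facility"
    from "probably a neighbour" for APs that are not in the inventory.
    """
    corp_ssids = {ssid for ssid, _, _ in authorized.values()}
    findings = []
    for o in observations:
        if o.bssid in authorized:
            ssid, channel, security = authorized[o.bssid]
            if o.ssid != ssid or o.security != security:
                verdict, reason = "ALERT", "authorized BSSID with unexpected SSID or security"
            elif o.channel != channel:
                verdict, reason = "WARN", f"authorized AP on channel {o.channel}, expected {channel}"
            else:
                verdict, reason = "OK", "matches inventory"
        elif o.ssid in corp_ssids:
            # Someone else is beaconing our SSID: classic evil-twin pattern.
            verdict, reason = "ALERT", "unknown BSSID advertising corporate SSID (possible evil twin)"
        elif o.rssi >= rssi_threshold:
            weak = " with weak security" if o.security in WEAK_SECURITY else ""
            verdict, reason = "ALERT", f"strong unknown AP ({o.security}){weak}, likely inside facility"
        else:
            verdict, reason = "INFO", f"weak-signal unknown AP ({o.security}), probably a neighbour"
        findings.append((o.bssid, verdict, reason))
    return findings


def count_verdicts(findings):
    """Summarize findings as {verdict: count} for a quick dashboard line."""
    summary = {}
    for _, verdict, _ in findings:
        summary[verdict] = summary.get(verdict, 0) + 1
    return summary


if __name__ == "__main__":
    results = classify(parse_scan(SAMPLE_SCAN))
    for bssid, verdict, reason in results:
        print(f"{verdict:5} {bssid}  {reason}")
    print(count_verdicts(results))
```

The inventory check is the piece that a certificate-based scheme like the one described does not replace: the APs refusing to talk to uncertified clients says nothing about a rogue AP a user plugs into a wired jack, so the monitoring side still has to walk observed beacons against what is supposed to be there.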
