Slashdot Mirror
Rogue Access Point Detection?
Yossarian2000 asks: "With all the media attention WLANs have been getting lately, more and more businesses seem to be looking to better understand their implications as relates to company intranets. Whether a business is running a WLAN or not, detecting rogue access points is essential to maintaining some degree of security. Currently, it seems there are few options for detecting APs: subnet scans (which add overhead to the network and can still miss some APs), handheld devices (which require regular site surveys), and systems that use existing access points to detect rogues (this assumes you have APs covering your entire site). Has anyone heard of better methods for the detection of rogue APs?"
If you can't trust your employees, then why does it matter if non-employees have access?
C'mon guys! Look, I admit that Anna Paquin is pretty darn cute but talking about her privates in such a crude manner is really tasteless. Shame on all of you.
GMD
watch this
However, I think a good start would be a fairly simple Ruby script that scans your IP ranges for SNMP agents, looking for anything unrecognizable.
The right way, of course, is to keep a careful database of what's on your network, and report any unscheduled/unauthorized changes. You could either use rmon or something similar or a few strategically placed Linux boxes running tcpdump to find IP addresses broadcasting on the network and send a trap. Or, you could look for changes in the ARP tables on your routers (which you could retrieve using SNMP pretty easily.) This would still leave you vulnerable to various kinds of sniffing attacks, but might be a start.
These are just ideas, but any of them could be implemented in 100 lines of ruby (or perl if you must.)
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Shows signal strength too so you can do the James Bond homing-in-on-the-signal-with-gun-drawn type stuff.
-n
http://www.remix.net/
go with pppoe for wi-fi if that's a possibility and also be sure to allow access only based on MAC address of the network card.
Not only will the network restrict based on their network card address, but also their user authentication (l/p)...
systems that use existing access points to detect rogues (this assumes you have APs covering your entire site)
If you don't have APs already, set up an AP and link it to a computer which is disconnected from the network and logs all activity. A WiFi honeypot.
In a really, well-run company, the CIO will tell the CEO, "we have a problem with rogue APs". The CEO tells the VPs, who tell the department managers. The managers bring it up in department meetings. Because the managers have good working relationships with all their subordinates, they figure out who has APs and which ones need to be hardened. Problem solved, and no Big Brother nonsense necessary.
In the real world, no company is that well run. This manager or VP doesn't get along with his or her subordinates. That one is a control freak. This employee doesn't see what the big deal is, and won't let anybody look at his AP. That one never goes to department meetings, doesn't take orders from anybody, and has so much seniority that...
Oops, the trauma of my last job is showing! Point is, not all problems end up being solved by management/worker trust and collaboration. It's certainly desireable that you solve as many problems that way as you can. But there's always something you end up having to enforce with rules and snooping, and other nasty stuff. When that sort of thing gets out of hand, the company is probably in deep trouble. But you always have to deal with some of it.
It's mentioned in another thread that it's fairly easy to change a MAC address, but on most OTS AP's, that's not the case. Provided you have intelligent switches or at least machines with decent scripting kits, you can watch your ARP tables for common vendor MACs, like Linksys or Dlink. The downside to this, is that your ARP cache might not spot an AP in bridging mode, but a decent managed switch would, since it has to forward frames.
- billn
However, I did it fairly properly, I installed a Linux box configured as a firewall, configured the filtering on the firewall so that all the through traffic could only go off to the official company contivity VPN server (which happened to be on another site!), and ran VPN software on all the clients.
Basically, it was very secure, short of hacking the firewall (tricky, the filtering rules were pretty brutal), or one of the clients (I put personal firewalls on each of the clients too), there was no way in. Even the building was pretty much a Faraday shield due to metallised windows(!)
From the network side, the WiFi AP is very difficult to spot- the firewall just looks like a Linux box; which is what it is; it just NATs the AP off of itself. There may be ways to find it, but I can recompile the firewall to make it very difficult.
The only definite way to find it was if you knew it was there or went around with a WiFi receiver looking for networks. I suppose you might get a bit suspicious about the NATed network there are ways to spot those, but that depends on your network connectivity rules, they may well be legal anyway.
The whole thing only tied up 1 pc and only then because we didn't have a linux box hanging around we could configure to be a firewall. The network guys had put in some ridiculous estimate on how much it would cost to install... thousands of pounds.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"Hey, think of it this way. If you can't get off your ass and walk around your own building with a wireless kit, you probably don't care too much about security in the first place.
End of Line.
I wonder why people are not already working on solving such issue. With all the hotsports out there it is quite easy to set up a fake one even without connection to the network and then simply record username/password and re-use them.
What is needed is some kind of cert inside the beacon so that the PC Client can validate that the AP he is associated with contain a valid cert signed with the proper CA.
And only associate with that AP after a key verification. This would work like SSL on the browser and would not require one cert per station.
At the moment this can be done without changing too much the AP but it would require still to have a cert signed inside the AP you want and then modify the client or run a new client which after association will get the AP cert and if not de-associate.
A few possibilities present themselves to me here:
1) Move to IP Locking. Only allow 'approved' IPs to pass through your network. This would limit use of the APs, although they could still 'proxy' (some APs have NAT) using the persons assigned IP while they use an internal IP on their laptop, etc. This could be solved by:
2) MAC locking, either on firewall or DHCP. Even if you simply locked out a 'class of MACs' (IIRC, each manufacterer/product type has a block of MAC that identifies manufacturer + product) it would limit use of APs.
Just some thoughts... I'm sure I have more.
For my particular needs, placing multiple rogue detectors (shall I coin a phrase? Rogue Detection Grid..I'll be trademarking it ;) seemed to be the best way to go.
Currently, we are considering AirDefense, which is a commercial solution, suitable for "enterprise". It has a server that holds a database of information gleaned from the sensors, which are little more than refirmwared Cisco APs.
Another option we have been considering is Kismet. The later CVS stuff includes supports for "drones", which is basically a kismet server, only without all the reporting and parsing turned on. It pumps all that info back to a more heavywieght kismet server to do the processing. You can put kismet on a very small box. We are considering some of the ones from www.soekris.com.
There are a few other solutions, but these are the two front runners in my mind.
You mention the 3 major mechanisms. I honestly don't know that there are any better ones. subnet scans are handy because they are fast and get the 80% mark. Site surveys are good because they actually find them physically pretty well. And systems as I've described above are good because they provide a presence at all times, and give you a pretty good idea of the location.
-- Who is the bigger fool? The fool or the fool who follows him? --
I'm in the middle of writing a paper on the subject, the start of what I have is below. Also, take a look at www.tenablesecurity.com's whitepaper on using nessus to detect rogues...which of course is not as ammusing as genetically engineering bats (not my idea)
You can view this also at www.robtimko.com
Detecting Wireless Threats on your Network from (802.11)A to B to G
Introduction
In todays IT world, insecure wireless technology has become a serious problem among IT professionals. As The Keeper said in The Invisible Man -- "When you're invisible, the only one really watching you is you." This holds true with wireless techology. Becuase of the intangable communication methods, detection of threats become close to impossible using conventional vulnerability and threat scanning methods. This paper will demonstrate best practices for detecting these threats.
The Threats
In order to effectivly recognize a threat, you first must understand what you are looking for. A threat is any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets, or services or injury to people. A threat can be deliberate or accidental. An example of threat is a concentrated attack by hackers inside an organization or from outside an organization.
Wireless Detection
The saying "The right tool for the right job" holds true in wireless threat detection. Taken from the website, Kismet is an 802.11 wireless network sniffer - this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area. Kismet works with any 802.11b wireless card which is capable of reporting raw packets (rfmon support), which include any prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards which use the ar5k chipset. Other tools include Netstumbler (www.netstumbler.com) and Wellenweighter. Many people opt to use handhelds to detect,
Passive vs. Active
Kismet is a passive tool. It listens, and reports, whereas Netstumbler is active. It constantly sends out packets of data and reports on devices that respond. These are two major differences.
MAC Signatures
MAC Signature detection is detection based on the MAC or hardware address of the device. Since each is unique and usually easly detectable and matched to a specific vender, it is a good way to see what the device you are actually looking for is. There is however, one pitfall. MAC Spoofing.
Wired Detection
Enterprises who believe they are effective in detecting rogue AP's in their networks are evidently missing more than 50% of the wireless threats to their organizations.Ã Similar in fashion to using vulnerability assessment tools - using nmap to scan your enterprise for AP's will give you known, obvious threats -- not unknown threats. Nessus (www.nessus.org) is a popular security scanner which can used to detect signatures on wireless access points which are connected and configured on your network. It works with http and ftp signatures and is helpful when you are scanning a part of a network which cannot be accessed at the moment.
Locating the Threat
How do you catch an invisible man? Unfortunatly you cannot follow wires to find wireless devices as you would a rogue router or system. Becuase of this, more sophisticated methods need to be used in determining "where" exactly this device is to properly deal with it. Kismet and other wireless detection software have features built-in to facilitate this. These features include the ability to monitor a devices signal strength, and GPS capabilities. Using these features, it is possible to locate a device with minimal work using basic triangulation.
Conclusion
Darien Fawkes: The
1. threat analysis
Who Wants in,
a. Employess wanting to access the network for legit work but using unauthorized means;
b. Script kiddies looking to gain a reputation for hacking your network;
c. industrial spy's;
d. multi-national corp or governments?
What do they want
a. all of our data just went out in a press release anyways;
b. to access data they are authorized while moving arround with thier laptop for the cool factor;
c. competitor seeking a market place advantage;
d. nefarious persons seeking to destroy your company and put everybody in prison
e. forgien inteligence agencies seeking national security information.
2 Cost to benifit analysis
Nothing is secure you want to make the threat's percieved value of your data less than the cost of aquiring that data and you want to spend resources in manpower, hardware and software costs that are less than the actual value of the data to be protected. If a sucessful intrution, is likely to causes the CEO to wig-out and order unreasonal expenditures to protect the network, factor in a agravation expense too.
I think the minimum you want to do is,
a. periodic site scan with a laptop and wireless cards.
b. periodic wardial your pool of phone numbers to look for unauthorised modems and fax machines.
c. use nmap or similar program to map your network from both the inside and outside, do network segments seperate.
d. select a computer population sub-sample and run a spyware detection program on them like Spybot S&D, also might as well check for licienses for the software at the same time.
e. treat your employess with respect, and actualy pay them enough so that they have a little real loyalty to the company, and aren't so easy to compromise.
f. employee education, just tell them no unauthorised software/hardware and give them a mechanism to get things authorised also.
After that I'd think about looking for cameras like those x10 cameras, bug sweeps; maybe even hiring a pro to check things once a year, and before and durring a particularly valuable project.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Then we have the primary metro plant, which covers a couple of square miles and is connected to HQ via "GigaMAN". Plus a half dozen major suburban sites connected via either leased line, ATM, microwave, or frame relay.
Both the building and the main plant use construction material which interferes with GPS reception.
Worse yet, when I do walk around the building with a wireless kit (I was a major code contributor to one open source wireless detection package), I have to manually eliminate the false positives from the WLAN networks deployed in nearby buildings. These change often, and signal strength can often be quite strong, so it's not as easy as doing a "diff" against the results from the previous walkthrough.
I do not deploy Linux. Ever.
Well you could just create a script to scan port 80 for all IPs on the network. If you find an open port that is not a known web server and connecting to it asks for authentication, then you may have found yourself an AP.