Rogue Access Point Detection?
Yossarian2000 asks: "With all the media attention WLANs have been getting lately, more and more businesses seem to be looking to better understand their implications as relates to company intranets. Whether a business is running a WLAN or not, detecting rogue access points is essential to maintaining some degree of security. Currently, it seems there are few options for detecting APs: subnet scans (which add overhead to the network and can still miss some APs), handheld devices (which require regular site surveys), and systems that use existing access points to detect rogues (this assumes you have APs covering your entire site). Has anyone heard of better methods for the detection of rogue APs?"
If you can't trust your employees, then why does it matter if non-employees have access?
However, I think a good start would be a fairly simple Ruby script that scans your IP ranges for SNMP agents, looking for anything unrecognizable.
The right way, of course, is to keep a careful database of what's on your network, and report any unscheduled/unauthorized changes. You could either use rmon or something similar or a few strategically placed Linux boxes running tcpdump to find IP addresses broadcasting on the network and send a trap. Or, you could look for changes in the ARP tables on your routers (which you could retrieve using SNMP pretty easily.) This would still leave you vulnerable to various kinds of sniffing attacks, but might be a start.
These are just ideas, but any of them could be implemented in 100 lines of ruby (or perl if you must.)
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
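The "keep a database of what's on your network and report unauthorized changes" approach from the post above, written out as an added Ruby example (not code from the thread). It assumes the ARP table has already been pulled off a router as "ip mac" text (in practice via SNMP or a scheduled show command); the inventory and the ARP snapshot below are constructed sample values, and the dotted MAC on one line is there to show that router output needs normalising before it can be compared.

```ruby
# Added example (not from the thread): compare a router's ARP table against an
# authorized inventory and report anything that does not belong. In practice the
# snapshot would be pulled from the router (e.g. via SNMP); here it is a
# constructed text sample so the script runs offline.

# Authorized inventory: IP => MAC. Constructed sample values.
INVENTORY = {
  "10.0.1.1"  => "00:11:22:33:44:01",
  "10.0.1.10" => "00:11:22:33:44:0a",
  "10.0.1.11" => "00:11:22:33:44:0b",
}.freeze

# Constructed ARP snapshot as "ip mac" lines. The third line uses the dotted
# format some routers print, to show that normalisation is needed.
ARP_SNAPSHOT = <<~ARP
  10.0.1.1   00:11:22:33:44:01
  10.0.1.10  00:11:22:33:44:0a
  10.0.1.11  0011.2233.44ff
  10.0.1.77  00:aa:bb:cc:dd:ee
ARP

# Normalise any common MAC spelling to lower-case colon-separated form.
def normalize_mac(raw)
  hex = raw.downcase.delete("^0-9a-f")
  raise ArgumentError, "bad MAC #{raw.inspect}" unless hex.size == 12
  hex.scan(/../).join(":")
end

# Parse "ip mac" lines into a hash of IP => normalised MAC; blank lines are skipped.
def parse_arp(text)
  text.each_line.with_object({}) do |line, table|
    ip, mac = line.split
    next if ip.nil? || mac.nil?
    table[ip] = normalize_mac(mac)
  end
end

# Compare a snapshot against the inventory.
#   unknown: IPs not in the inventory at all (candidate rogue devices)
#   changed: known IPs whose MAC differs from the inventory (replacement or spoof)
#   missing: inventory entries absent from the snapshot (may simply be idle)
def audit(inventory, snapshot)
  unknown = snapshot.reject { |ip, _| inventory.key?(ip) }
  changed = snapshot.select { |ip, mac| inventory.key?(ip) && inventory[ip] != mac }
                    .to_h { |ip, mac| [ip, { expected: inventory[ip], seen: mac }] }
  missing = inventory.keys - snapshot.keys
  { unknown: unknown, changed: changed, missing: missing }
end

if $PROGRAM_NAME == __FILE__
  report = audit(INVENTORY, parse_arp(ARP_SNAPSHOT))
  report[:unknown].each { |ip, mac| puts "UNKNOWN  #{ip} #{mac}" }
  report[:changed].each { |ip, d| puts "CHANGED  #{ip} expected #{d[:expected]} saw #{d[:seen]}" }
  report[:missing].each { |ip| puts "MISSING  #{ip}" }
end
```

Run on a schedule, the `unknown` and `changed` buckets are what you would send as a trap or alert; a rogue AP that NATs its clients shows up as a single unknown IP/MAC pair, which is exactly why the post notes this approach still leaves you blind to what sits behind that address.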
I'm more inclined to trust a radio detection method than trusting IP based solutions.
-n
http://www.remix.net/
However, I did it fairly properly, I installed a Linux box configured as a firewall, configured the filtering on the firewall so that all the through traffic could only go off to the official company contivity VPN server (which happened to be on another site!), and ran VPN software on all the clients.
Basically, it was very secure, short of hacking the firewall (tricky, the filtering rules were pretty brutal), or one of the clients (I put personal firewalls on each of the clients too), there was no way in. Even the building was pretty much a Faraday shield due to metallised windows(!)
From the network side, the WiFi AP is very difficult to spot- the firewall just looks like a Linux box; which is what it is; it just NATs the AP off of itself. There may be ways to find it, but I can recompile the firewall to make it very difficult.
The only definite way to find it was if you knew it was there or went around with a WiFi receiver looking for networks. I suppose you might get a bit suspicious about the NATed network; there are ways to spot those, but that depends on your network connectivity rules, and they may well be legal anyway.
The whole thing only tied up 1 pc and only then because we didn't have a linux box hanging around we could configure to be a firewall. The network guys had put in some ridiculous estimate on how much it would cost to install... thousands of pounds.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
I'm in the middle of writing a paper on the subject; the start of what I have is below. Also, take a look at www.tenablesecurity.com's whitepaper on using Nessus to detect rogues... which of course is not as amusing as genetically engineering bats (not my idea).
You can view this also at www.robtimko.com
Detecting Wireless Threats on your Network from (802.11)A to B to G
Introduction
In today's IT world, insecure wireless technology has become a serious problem among IT professionals. As The Keeper said in The Invisible Man -- "When you're invisible, the only one really watching you is you." This holds true with wireless technology. Because of the intangible communication methods, detection of threats becomes close to impossible using conventional vulnerability and threat scanning methods. This paper will demonstrate best practices for detecting these threats.
The Threats
In order to effectively recognize a threat, you first must understand what you are looking for. A threat is any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets, or services, or injury to people. A threat can be deliberate or accidental. An example of a threat is a concentrated attack by hackers inside an organization or from outside an organization.
Wireless Detection
The saying "The right tool for the right job" holds true in wireless threat detection. Taken from the website, Kismet is an 802.11 wireless network sniffer - this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area. Kismet works with any 802.11b wireless card which is capable of reporting raw packets (rfmon support), which include any prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards which use the ar5k chipset. Other tools include Netstumbler (www.netstumbler.com) and Wellenreiter. Many people opt to use handhelds to detect,
Passive vs. Active
Kismet is a passive tool. It listens, and reports, whereas Netstumbler is active. It constantly sends out packets of data and reports on devices that respond. These are two major differences.
MAC Signatures
MAC signature detection is detection based on the MAC or hardware address of the device. Since each is unique and usually easily detectable and matched to a specific vendor, it is a good way to see what the device you are actually looking for is. There is, however, one pitfall: MAC spoofing.
Wired Detection
Enterprises who believe they are effective in detecting rogue APs in their networks are evidently missing more than 50% of the wireless threats to their organizations. Similar in fashion to using vulnerability assessment tools - using nmap to scan your enterprise for APs will give you known, obvious threats -- not unknown threats. Nessus (www.nessus.org) is a popular security scanner which can be used to detect signatures on wireless access points which are connected and configured on your network. It works with http and ftp signatures and is helpful when you are scanning a part of a network which cannot be accessed at the moment.
Locating the Threat
How do you catch an invisible man? Unfortunately you cannot follow wires to find wireless devices as you would a rogue router or system. Because of this, more sophisticated methods need to be used in determining "where" exactly this device is to properly deal with it. Kismet and other wireless detection software have features built in to facilitate this. These features include the ability to monitor a device's signal strength, and GPS capabilities. Using these features, it is possible to locate a device with minimal work using basic triangulation.
Conclusion
Darien Fawkes: The
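The "basic triangulation" step from the Locating the Threat section above, as an added Ruby example that is not part of the paper or of Kismet. It assumes a log-distance path-loss model to turn each sensor's RSSI into an estimated distance (the reference RSSI and path-loss exponent are assumed values that have to be calibrated per site), and known sensor coordinates in metres on one floor. It goes a little beyond three sensors: with more than three, the position is the least-squares fit of all of them, which is what you want when RSSI readings are noisy. The sensor positions and readings are constructed for the example.

```ruby
# Added example (not from the paper): estimate where a transmitter is from the
# signal strength seen at several fixed sensors. Assumptions, all labelled: a
# log-distance path-loss model converts RSSI to distance, and sensor positions
# are known (metres, single floor).

# Path-loss model parameters: assumed values, calibrate per site.
REF_RSSI = -40.0   # dBm observed at REF_DIST from the transmitter
REF_DIST = 1.0     # metres
PATH_LOSS_N = 3.0  # path-loss exponent (2 = free space, 3-4 typical indoors)

# Invert the log-distance model: rssi = REF_RSSI - 10*n*log10(d/REF_DIST).
def rssi_to_distance(rssi, n: PATH_LOSS_N)
  REF_DIST * 10.0**((REF_RSSI - rssi) / (10.0 * n))
end

# Forward model, used here only to build the constructed sample readings.
def distance_to_rssi(d, n: PATH_LOSS_N)
  REF_RSSI - 10.0 * n * Math.log10(d / REF_DIST)
end

# Least-squares trilateration. readings: array of {x:, y:, d:} (sensor position
# and estimated distance). Subtracting the first circle equation from each of the
# others gives linear rows a*x + b*y = c; solve the 2x2 normal equations.
def trilaterate(readings)
  raise ArgumentError, "need at least three sensors" if readings.size < 3
  x1, y1, d1 = readings[0].values_at(:x, :y, :d)
  rows = readings.drop(1).map do |r|
    a = 2.0 * (r[:x] - x1)
    b = 2.0 * (r[:y] - y1)
    c = d1**2 - r[:d]**2 - x1**2 + r[:x]**2 - y1**2 + r[:y]**2
    [a, b, c]
  end
  saa = rows.sum { |a, _, _| a * a }
  sab = rows.sum { |a, b, _| a * b }
  sbb = rows.sum { |_, b, _| b * b }
  sac = rows.sum { |a, _, c| a * c }
  sbc = rows.sum { |_, b, c| b * c }
  det = saa * sbb - sab * sab
  raise ArgumentError, "sensors are collinear; cannot fix a position" if det.abs < 1e-9
  x = (sac * sbb - sbc * sab) / det
  y = (saa * sbc - sab * sac) / det
  [x, y]
end

# Convert raw sensor reports {x:, y:, rssi:} into distances and locate.
def locate(reports)
  trilaterate(reports.map { |s| { x: s[:x], y: s[:y], d: rssi_to_distance(s[:rssi]) } })
end

# Constructed sample: four sensors at the corners of a 10 m x 10 m floor and a
# transmitter actually at (4, 3). The RSSI values are generated from the model.
TRUE_POS = [4.0, 3.0].freeze
SENSOR_POS = [[0.0, 0.0], [10.0, 0.0], [0.0, 10.0], [10.0, 10.0]].freeze
SAMPLE_REPORTS = SENSOR_POS.map do |sx, sy|
  d = Math.hypot(sx - TRUE_POS[0], sy - TRUE_POS[1])
  { x: sx, y: sy, rssi: distance_to_rssi(d) }
end.freeze

if $PROGRAM_NAME == __FILE__
  x, y = locate(SAMPLE_REPORTS)
  printf("estimated position: (%.2f, %.2f) m\n", x, y)
end
```

The collinearity check matters in practice: three sensors along one corridor give two mirror-image solutions, so place sensors so they enclose the area. Real indoor RSSI wanders by several dB, so treat the output as a search radius to walk with a handheld rather than an exact point.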