Slashdot Mirror


Rogue Access Point Detection?

Yossarian2000 asks: "With all the media attention WLANs have been getting lately, more and more businesses seem to be looking to better understand their implications as they relate to company intranets. Whether a business is running a WLAN or not, detecting rogue access points is essential to maintaining some degree of security. Currently, it seems there are few options for detecting APs: subnet scans (which add overhead to the network and can still miss some APs), handheld devices (which require regular site surveys), and systems that use existing access points to detect rogues (this assumes you have APs covering your entire site). Has anyone heard of better methods for the detection of rogue APs?"

7 of 53 comments

  1. ObJurrasicParkQuote: I know this, this is Unix! by Nathan+Ramella · · Score: 4, Interesting
    This should do the trick. It goes from 10 MHz up to 2.6 GHz, which should cover 802.11b (2.412 GHz (ch 1) to 2.462 GHz (ch 11)).

    Shows signal strength too so you can do the James Bond homing-in-on-the-signal-with-gun-drawn type stuff.

    -n

    --
    http://www.remix.net/
  2. Re:Welll.... by shaitand · · Score: 3, Interesting

    MAC-based security is not the answer; it's so easy to clone a MAC it's not even funny anymore. A MAC is no more secure than an IP: anyone can set it.

  3. MAC filtering revisited. by billn · · Score: 3, Interesting

    It's mentioned in another thread that it's fairly easy to change a MAC address, but on most OTS APs, that's not the case. Provided you have intelligent switches or at least machines with decent scripting kits, you can watch your ARP tables for common vendor MACs, like Linksys or D-Link. The downside to this is that your ARP cache might not spot an AP in bridging mode, but a decent managed switch would, since it has to forward frames.

    --
    - billn
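
The vendor-prefix check billn describes, as an added example that is not part of the original thread: it parses ARP output in the Linux net-tools format (a constructed sample is embedded) and flags entries whose OUI, the first three octets of the MAC, belongs to a consumer access-point vendor. The two OUI entries and the vendor names are illustrative assumptions; a real deployment loads the full IEEE OUI registry. As the comment notes, an AP in bridging mode never appears as an ARP entry itself, only its wireless clients do, so the same prefix match is better fed with a managed switch's MAC address table, which sees every forwarded frame.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// OUI prefixes (first three octets of the MAC) for consumer access-point
// vendors. The two entries below are illustrative assumptions for this
// example; a real deployment should load the full list from the IEEE OUI
// registry and keep it current.
var consumerAPOUIs = map[string]string{
	"00:0C:41": "Linksys (sample entry)",
	"00:05:5D": "D-Link (sample entry)",
}

// Constructed sample of `arp -a` output in the Linux net-tools format. The
// third entry shows that OUI matching is case-insensitive; the last entry
// is an unresolved neighbour, which carries no MAC and must be skipped.
const sampleARP = `? (10.0.0.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.0.23) at 00:0c:41:7a:8b:9c [ether] on eth0
? (10.0.0.40) at 00:05:5D:11:22:33 [ether] on eth0
? (10.0.0.77) at <incomplete> on eth0`

// Suspect is an ARP entry whose vendor prefix matches a consumer AP vendor.
type Suspect struct {
	IP     string
	MAC    string
	Vendor string
}

// arpLine captures the IPv4 address and the 17-character MAC of one entry.
var arpLine = regexp.MustCompile(`\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})`)

// FindSuspects returns the ARP entries whose OUI is listed in consumerAPOUIs.
func FindSuspects(arpOutput string) []Suspect {
	var suspects []Suspect
	for _, line := range strings.Split(arpOutput, "\n") {
		m := arpLine.FindStringSubmatch(line)
		if m == nil {
			continue // incomplete or malformed entry: nothing to match on
		}
		mac := strings.ToUpper(m[2])
		if vendor, ok := consumerAPOUIs[mac[:8]]; ok {
			suspects = append(suspects, Suspect{IP: m[1], MAC: mac, Vendor: vendor})
		}
	}
	return suspects
}

func main() {
	for _, s := range FindSuspects(sampleARP) {
		fmt.Printf("%s (%s) has a %s prefix: check for a rogue AP\n", s.IP, s.MAC, s.Vendor)
	}
}
```

On the sample above the scan reports 10.0.0.23 and 10.0.0.40 and stays silent on the other two entries. A prefix hit is a lead, not a verdict: a consumer-brand NIC in a desktop matches just the same, so each hit still needs a physical check.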
  4. Re:Tell people not to do it? by anthony_dipierro · · Score: 2, Interesting

    Don't make it easy for anyone, not even the employees.

    Absolutely. Access to the network should be on a need-to-know basis. There shouldn't be any servers lying around with no passwords. Preferably everything will be access controlled down to the MAC address of each individual machine that's allowed to access it.

    All that's a lot of work. Far too much work to be worrying about rogue access points. Sure, you should be randomly checking for them every once in a while, and firing those who have set them up despite company policy, but there's no need for a system to do it automatically.

    You could even check on a daily basis if you want, just have someone with a laptop and a WiFi card check it out.

  5. Authenticated association... by ykoehler · · Score: 2, Interesting

    I wonder why people are not already working on solving such an issue. With all the hotspots out there it is quite easy to set up a fake one, even without a connection to the network, and then simply record usernames/passwords and re-use them.

    What is needed is some kind of cert inside the beacon so that the PC client can validate that the AP it is associated with contains a valid cert signed by the proper CA.

    And only associate with that AP after a key verification. This would work like SSL in the browser and would not require one cert per station.

    At the moment this can be done without changing the AP too much, but it would still require having a cert signed inside the AP you want, and then modifying the client or running a new client which, after association, will get the AP cert and de-associate if it is not valid.
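
The scheme ykoehler sketches, worked through as an added example that is not part of the original thread: a CA issues the access point a certificate whose common name is the SSID, the AP includes that certificate in its beacon together with a signature over the SSID and a nonce, and the client associates only if the certificate chains to the CA it trusts and the signature verifies under the certified key. The Beacon layout, the names and the SSID are assumptions made for the example; the rogue case is an AP that presents a self-signed certificate for the same SSID. In a real design the client would supply the nonce in a probe so that a captured beacon cannot be replayed; here the AP picks it, which is enough to show the certificate check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Beacon models the hypothetical beacon extension from the comment; the
// layout is an assumption for this example, not a real 802.11 element.
type Beacon struct {
	SSID  string
	Nonce []byte
	Cert  []byte // DER-encoded AP certificate
	Sig   []byte // ASN.1 ECDSA signature over SHA-256(SSID || Nonce)
}

func beaconDigest(b Beacon) []byte {
	h := sha256.New()
	h.Write([]byte(b.SSID))
	h.Write(b.Nonce)
	return h.Sum(nil)
}

// issueCert returns a certificate for cn as DER and parsed. With parent == nil
// it is self-signed (the CA, and the rogue AP); otherwise parent signs it.
func issueCert(cn string, isCA bool, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // setup failure in the demo, not a verification result
	}
	cert, _ := x509.ParseCertificate(der)
	return der, cert
}

// MakeBeacon is the AP side: attach the certificate and sign SSID || nonce.
func MakeBeacon(ssid string, der []byte, key *ecdsa.PrivateKey) Beacon {
	b := Beacon{SSID: ssid, Nonce: make([]byte, 16), Cert: der}
	rand.Read(b.Nonce)
	b.Sig, _ = ecdsa.SignASN1(rand.Reader, key, beaconDigest(b))
	return b
}

// VerifyBeacon is the client side: chain the AP certificate to the trusted CA,
// check it names this SSID, then check the signature. Any error: do not associate.
func VerifyBeacon(b Beacon, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(b.Cert)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // self-signed or issued by a foreign CA: the rogue-AP case
	}
	if cert.Subject.CommonName != b.SSID {
		return errors.New("certificate was not issued for this SSID")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, beaconDigest(b), b.Sig) {
		return errors.New("beacon signature does not verify under the certified key")
	}
	return nil
}

// Demo builds a CA, a legitimate AP certified by it, and a rogue AP with a
// self-signed cert for the same SSID; it returns the client's verdict on each.
func Demo() (legitErr, rogueErr error) {
	const ssid = "corp-wifi" // constructed sample SSID
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	apKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, caCert := issueCert("Corp Wireless CA", true, caKey, nil, nil)
	apDER, _ := issueCert(ssid, false, apKey, caCert, caKey)
	rogueDER, _ := issueCert(ssid, false, rogueKey, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return VerifyBeacon(MakeBeacon(ssid, apDER, apKey), roots),
		VerifyBeacon(MakeBeacon(ssid, rogueDER, rogueKey), roots)
}
```

Demo returns nil for the CA-issued AP and an unknown-authority error for the self-signed one, which is the whole point of the comment: the rogue can copy the SSID, but it cannot produce a certificate for it that chains to the company's CA. Binding the common name to the SSID is what stops a valid certificate issued for one network from being reused to impersonate another.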

  6. explored this at length by Raleel · · Score: 2, Interesting

    For my particular needs, placing multiple rogue detectors (shall I coin a phrase? Rogue Detection Grid..I'll be trademarking it ;) seemed to be the best way to go.

    Currently, we are considering AirDefense, which is a commercial solution, suitable for "enterprise". It has a server that holds a database of information gleaned from the sensors, which are little more than refirmwared Cisco APs.

    Another option we have been considering is Kismet. The later CVS stuff includes support for "drones", which are basically a Kismet server, only without all the reporting and parsing turned on. It pumps all that info back to a more heavyweight Kismet server to do the processing. You can put Kismet on a very small box. We are considering some of the ones from www.soekris.com.

    There are a few other solutions, but these are the two front runners in my mind.

    You mention the 3 major mechanisms. I honestly don't know that there are any better ones. Subnet scans are handy because they are fast and get to the 80% mark. Site surveys are good because they actually find them physically pretty well. And systems as I've described above are good because they provide a presence at all times, and give you a pretty good idea of the location.

    --
    -- Who is the bigger fool? The fool or the fool who follows him? --
  7. First Things first by budgenator · · Score: 2, Interesting

    1. Threat analysis
       Who wants in?
       a. Employees wanting to access the network for legit work but using unauthorized means;
       b. Script kiddies looking to gain a reputation for hacking your network;
       c. Industrial spies;
       d. Multi-national corporations or governments?
       What do they want?
       a. All of our data just went out in a press release anyway;
       b. To access data they are authorized for while moving around with their laptop for the cool factor;
       c. A competitor seeking a marketplace advantage;
       d. Nefarious persons seeking to destroy your company and put everybody in prison;
       e. Foreign intelligence agencies seeking national security information.
    2. Cost-to-benefit analysis
       Nothing is secure. You want to make the threat's perceived value of your data less than the cost of acquiring that data, and you want to spend resources in manpower, hardware and software costs that are less than the actual value of the data to be protected. If a successful intrusion is likely to cause the CEO to wig out and order unreasonable expenditures to protect the network, factor in an aggravation expense too.

    I think the minimum you want to do is:
    a. Periodic site scans with a laptop and wireless cards.
    b. Periodically wardial your pool of phone numbers to look for unauthorised modems and fax machines.
    c. Use nmap or a similar program to map your network from both the inside and the outside; do network segments separately.
    d. Select a sub-sample of the computer population and run a spyware detection program on them like Spybot S&D; you might as well check for software licenses at the same time.
    e. Treat your employees with respect, and actually pay them enough that they have a little real loyalty to the company and aren't so easy to compromise.
    f. Employee education: just tell them no unauthorised software/hardware, and give them a mechanism to get things authorised as well.

    After that I'd think about looking for cameras like those X10 cameras, bug sweeps; maybe even hiring a pro to check things once a year, and before and during a particularly valuable project.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds