Slashdot Mirror


Rogue Access Point Detection?

Yossarian2000 asks: "With all the media attention WLANs have been getting lately, more and more businesses seem to be looking to better understand their implications as they relate to company intranets. Whether a business is running a WLAN or not, detecting rogue access points is essential to maintaining some degree of security. Currently, it seems there are few options for detecting APs: subnet scans (which add overhead to the network and can still miss some APs), handheld devices (which require regular site surveys), and systems that use existing access points to detect rogues (this assumes you have APs covering your entire site). Has anyone heard of better methods for the detection of rogue APs?"

5 of 53 comments

  1. ObJurrasicParkQuote: I know this, this is Unix! by Nathan Ramella · Score: 4, Interesting
    This should do the trick. It goes from 10 MHz up to 2.6 GHz, which should cover 802.11b (2.412 GHz (ch 1) to 2.462 GHz (ch 11)).

    Shows signal strength too so you can do the James Bond homing-in-on-the-signal-with-gun-drawn type stuff.

    -n

    --
    http://www.remix.net/
  2. Rules and Trust by fm6 · Score: 3, Insightful
    I think I agree with the attitude you're expressing. But you're kind of oversimplifying the issue.

    In a really well-run company, the CIO will tell the CEO, "We have a problem with rogue APs." The CEO tells the VPs, who tell the department managers. The managers bring it up in department meetings. Because the managers have good working relationships with all their subordinates, they figure out who has APs and which ones need to be hardened. Problem solved, and no Big Brother nonsense necessary.

    In the real world, no company is that well run. This manager or VP doesn't get along with his or her subordinates. That one is a control freak. This employee doesn't see what the big deal is, and won't let anybody look at his AP. That one never goes to department meetings, doesn't take orders from anybody, and has so much seniority that...

    Oops, the trauma of my last job is showing! Point is, not all problems end up being solved by management/worker trust and collaboration. It's certainly desirable that you solve as many problems that way as you can. But there's always something you end up having to enforce with rules, snooping, and other nasty stuff. When that sort of thing gets out of hand, the company is probably in deep trouble. But you always have to deal with some of it.

  3. Re:Welll.... by shaitand · Score: 3, Interesting

    MAC-based security is not the answer; it's so easy to clone a MAC it's not even funny anymore. A MAC is no more secure than an IP address: anyone can set it.

  4. MAC filtering revisited. by billn · Score: 3, Interesting

    It's mentioned in another thread that it's fairly easy to change a MAC address, but on most OTS APs, that's not the case. Provided you have intelligent switches, or at least machines with decent scripting kits, you can watch your ARP tables for common vendor MACs, like Linksys or D-Link. The downside to this is that your ARP cache might not spot an AP in bridging mode, but a decent managed switch would, since it has to forward frames.

    --
    - billn
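The OUI watch billn describes, as an added example that is not part of the thread: pull every MAC out of an ARP cache (Linux `ip neigh`, BSD/macOS `arp -a`, Windows `arp -a` notations) or a Cisco-style `show mac address-table` dump, normalise the notation, and flag any whose first three octets match a vendor prefix used by consumer APs. The OUI table here is a hand-picked illustration, not an authoritative list; a real deployment would load the current IEEE registry. The second check goes one step beyond the comment: since a bridging AP never appears in your ARP cache but its access port on a managed switch learns every wireless client's MAC, it also reports access ports that have learned an unusual number of MACs. All sample input is constructed.

```python
"""Flag likely consumer access points from ARP caches and switch MAC tables.

Added example, not code from the Slashdot thread. It implements billn's idea
of watching the MACs your network sees for OUIs (vendor prefixes) used by
off-the-shelf APs, plus a per-port MAC count for bridged APs.
"""
import re
from collections import defaultdict

# Illustrative OUI table (assumption, not an authoritative list). Load the
# IEEE registry (oui.txt) in a real deployment instead of hand-picking these.
CONSUMER_AP_OUIS = {
    "00:06:25": "Linksys",
    "00:0C:41": "Linksys",
    "00:13:10": "Linksys",
    "00:05:5D": "D-Link",
    "00:0D:88": "D-Link",
}

# Colon/dash notation (Linux, Windows, BSD). BSD arp drops leading zeros
# (0:c:41:...). The lookarounds stop IPv6 addresses in `ip neigh` output
# from being mistaken for six colon-separated octets.
_MAC_SEP = re.compile(
    r"(?<![0-9A-Fa-f:.-])((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})(?![0-9A-Fa-f:.-])"
)
# Cisco dotted notation used by `show mac address-table` (000c.4112.3456).
_MAC_DOT = re.compile(
    r"(?<![0-9A-Fa-f.])([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})(?![0-9A-Fa-f.])"
)
# One row of a Cisco MAC table: vlan, mac, type, port.
_CISCO_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+\S+\s+(\S+)")


def normalize_mac(raw):
    """Return a MAC as AA:BB:CC:DD:EE:FF whatever notation it came in."""
    if "." in raw:
        digits = raw.replace(".", "")
    else:
        digits = "".join(part.zfill(2) for part in re.split(r"[:-]", raw))
    digits = digits.upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_macs(text):
    """Yield (normalized_mac, source_line) for every MAC found in text."""
    for line in text.splitlines():
        for pattern in (_MAC_SEP, _MAC_DOT):
            for match in pattern.finditer(line):
                yield normalize_mac(match.group(1)), line.strip()


def find_suspect_macs(text, oui_table=CONSUMER_AP_OUIS):
    """Return [(mac, vendor, line)] for MACs whose OUI is in oui_table."""
    hits = []
    for mac, line in extract_macs(text):
        vendor = oui_table.get(mac[:8])
        if vendor:
            hits.append((mac, vendor, line))
    return hits


def ports_with_many_macs(switch_table, threshold=3):
    """Ports that have learned >= threshold distinct MACs.

    An AP in bridging mode hides its own MAC from your ARP cache, but the
    access port it hangs off learns every wireless client behind it.
    Exclude trunk/uplink ports before acting on this, since they legitimately
    carry many MACs.
    """
    per_port = defaultdict(set)
    for line in switch_table.splitlines():
        m = _CISCO_ROW.match(line)
        if m:
            per_port[m.group(3)].add(normalize_mac(m.group(2)))
    return {port: sorted(macs) for port, macs in per_port.items() if len(macs) >= threshold}


# Constructed sample input (not real captures).
SAMPLE_ARP = """\
? (10.0.1.1) at 0:1b:21:aa:bb:cc on en0 ifscope [ethernet]
? (10.0.1.23) at 0:c:41:12:34:56 on en0 ifscope [ethernet]
? (10.0.1.77) at 00:05:5d:de:ad:01 on en0 ifscope [ethernet]
10.0.1.90 dev eth0 lladdr 00-50-56-9a-1b-2c REACHABLE
"""
SAMPLE_SWITCH = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000d.88aa.0001    DYNAMIC     Gi1/0/7
  10    0050.569a.1b2c    DYNAMIC     Gi1/0/9
  10    001b.2112.3456    DYNAMIC     Gi1/0/12
  10    0016.6f00.0001    DYNAMIC     Gi1/0/12
  10    0016.6f00.0002    DYNAMIC     Gi1/0/12
"""

if __name__ == "__main__":
    for mac, vendor, line in find_suspect_macs(SAMPLE_ARP + SAMPLE_SWITCH):
        print("suspect AP vendor %-8s %s  <- %s" % (vendor, mac, line))
    for port, macs in ports_with_many_macs(SAMPLE_SWITCH).items():
        print("port %s has %d MACs: %s" % (port, len(macs), ", ".join(macs)))
```

Feed it `ip neigh`, `arp -a` or a switch MAC table collected by whatever scripting you already have; an OUI match is a prompt to go and look, not proof, because the same prefixes sit on ordinary desktop NICs from those vendors, and a MAC that has been changed (as shaitand notes is easy) will not be caught at all.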
  5. No, no easy way. by WolfWithoutAClause · Score: 4, Informative
    At the last place I worked I installed a 'rogue' WiFi installation.

    However, I did it fairly properly: I installed a Linux box configured as a firewall, configured the filtering on the firewall so that all the through traffic could only go off to the official company Contivity VPN server (which happened to be on another site!), and ran VPN software on all the clients.

    Basically, it was very secure: short of hacking the firewall (tricky, the filtering rules were pretty brutal) or one of the clients (I put personal firewalls on each of the clients too), there was no way in. Even the building was pretty much a Faraday shield due to metallised windows(!)

    From the network side, the WiFi AP is very difficult to spot: the firewall just looks like a Linux box, which is what it is; it just NATs the AP off of itself. There may be ways to find it, but I can recompile the firewall to make it very difficult.

    The only definite way to find it was if you knew it was there or went around with a WiFi receiver looking for networks. I suppose you might get a bit suspicious about the NATed network; there are ways to spot those, but that depends on your network connectivity rules, and they may well be legal anyway.

    The whole thing only tied up one PC, and only then because we didn't have a Linux box hanging around we could configure to be a firewall. The network guys had put in some ridiculous estimate on how much it would cost to install... thousands of pounds.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"