Slashdot Mirror


How Do You Locate That Access Point?

parp asks: "As an IT Manager I'm concerned about unauthorized Access Points being installed, or users who set up wireless computer to computer networks. How do you find the exact location of these devices? I've tried walking around the office with a laptop watching the signal, but the signal monitors that are included with most network drivers are very limited. The signal could be upstairs, downstairs or right around the corner, but I can't find it. Results of web searches I've done just tell you how to find a signal (wardrive), not the source. I'd be interested in any software or hardware device that can locate the device within a few feet."

14 of 159 comments

  1. Pull wires by samjam · · Score: 2, Insightful

    Attach to the access point and ping your router.

    Then pull wires till the ping stops. Work up the wires till you find the one the access port is on the end of.

    Sam

    1. Re:Pull wires by samjam · · Score: 3, Insightful

      Hey - it was night when I wrote the post, I imagined it would be late night when the deed was done.

      There's a lot of talk about fancy switches, but we don't know if this guy has any managed switches.

      When I said "pull the wires till the ping stops" I didn't expect him to end up with a load of wires on the floor, I expected him to plug each one back in after 2 seconds.

      Ethernet can cope with a brief unplug without difficulty.

      If *I* was doing it and I had fancy switches I would still pull wires. How many places have a map of the wiring and mac addresses on switch ports and so forth? And if folk are able to plug in wireless access points where they like, do you think such maps and charts would be up-to-date?

      Maybe I'd try it that way for fun, but networks grow and breed in weird ways, hence the wire-pull suggestion: "it will work"

      Sam

  2. Re:Something to check out... by QuantumRiff · · Score: 5, Insightful
    Airespace was recently purchased by Cisco. I just bought some of the equipment, and it is damn sweet.. One note about the location pinpointing though.. (see below for the poor man's fix..)

    By default it tells you that AP X detects an access point. It tries to connect as a client, and ping spots on your network. This tells you if it's on your network or not.. If you feel mean, you can flood it and shut it down.. (DOS attack built in!) However, if you want the precision mapping, you have to pay a very, very large chunk of change.. I have seen a demo, and it is pretty sweet to watch it pinpoint the exact location of a rogue AP. Keep in mind that this uses triangulation. You need more than one of your Cisco APs to be able to see this rogue to get it pinpointed.

    (Poor/Evil BOFH Fix) I would connect through the access point, note my IP, see if I could Ping the network.. Then, check the IP/Mac address, and find what port on my switches it is coming from. Disable the port. (if you have a nicely labeled patch panel, you could walk to the switch, and see exactly where the port is..) Wait for someone to complain about no network activity...

    --

    What are we going to do tonight Brain?
  3. MAC address by gregmac · · Score: 2, Insightful

    If you're so concerned about systems connecting, then perhaps you should get the MAC address of all your authorized machines, and only allow those at the router or firewall level?

    You should also keep your servers secured against your internal network, only allowing services that are actually needed. There's a tendency to trust everything internal on your network -- but really, with wifi and so many people having laptops, as well as systems infected with viruses and spyware, the internal network is just as volatile as the internet itself.

    --
    Speak before you think
    1. Re:MAC address by rusty0101 · · Score: 2, Insightful

      Perhaps the biggest problem with this is that the MAC of the access point will very rarely be the address that the network traffic will be sourced from. Likewise the source MAC address in packets through the AP may be in the approved address list as well.

      About the only way you can really lock this down via MAC addresses is to restrict what MAC can appear on what Switch port in your network. This does require that you have managed switches.

      Another thing to do would be to check the mac list in your DHCP server and compare that against the OUI list at the IEEE. You would then want to check the addresses that resolve to fairly well known AP manufacturers, (D-Link, Hawking, Linksys, etc.). Now point a web browser at those IP addresses and see which of them comes up with a login for an AP. Try the default passwords for each manufacturer's products, and if you get in, shut down the wireless side, and reset the password to something a bit more secure.

      If you can't get in, then if you have managed switches, find the port the device is on, and disable it.

      If you have a policy in place that only end devices are allowed on your network, i.e. no hubs, APs, etc, and you have a managed switch, you may be able to find several offending ports with multiple active MAC addresses on the port. (Cisco switches may call these either mac or cam entries) Once you eliminate known trunk or inter-switch ports, ports with multiple active addresses are likely to have an unmanaged network device attached that should not be allowed. You may be able to restrict it to the authorized mac address at the switch.

      One really 'nasty' thing to do would be to authorize the MAC address for the AP, so that the user can manage it, can release and renew its IP address with the DHCP server, etc. yet nothing that attaches to the AP would be able to connect to anything, or even get an IP address. The exception would be AP Routers that are offering their own DHCP server and NATing the traffic. Then shutting down the port would be the easiest solution.

      Actually locating the AP via its radio beacon is chancy in most buildings.

      -Rusty

      --
      You never know...
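
The multiple-MACs-per-port check and the OUI comparison described in the comment above, as an added example that is not part of the original thread. The table text is a constructed sample in the style of a managed switch's MAC address table, and the OUI map, vendor name and uplink list are hypothetical; in practice the OUI map would be loaded from the IEEE registry.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a managed switch's MAC address table.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.aa11.2233    DYNAMIC     Fa0/7
  10    0200.bb00.0001    DYNAMIC     Fa0/7
  10    0200.bb00.0003    DYNAMIC     Fa0/3
  10    0200.bb00.0004    DYNAMIC     Gi0/1
  10    0200.bb00.0005    DYNAMIC     Gi0/1
  10    0200.aa44.5566    DYNAMIC     Fa0/12
"""

# Constructed OUI -> vendor map (hypothetical); load the IEEE OUI list in practice.
AP_VENDOR_OUIS = {"0200aa": "ExampleAP Inc. (constructed)"}
KNOWN_UPLINKS = {"Gi0/1"}  # known trunk / inter-switch ports to ignore

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$")

def parse_mac_table(text):
    """Return {port: set of MACs as 12 lowercase hex digits}."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            ports[m.group(4)].add(m.group(2).replace(".", "").lower())
    return ports

def suspect_ports(text, uplinks=KNOWN_UPLINKS, ap_ouis=AP_VENDOR_OUIS):
    """Flag access ports with more than one MAC or an AP-vendor OUI."""
    findings = {}
    for port, macs in parse_mac_table(text).items():
        if port in uplinks:
            continue
        reasons = []
        if len(macs) > 1:
            reasons.append(f"{len(macs)} MACs on one access port")
        vendors = sorted({ap_ouis[m[:6]] for m in macs if m[:6] in ap_ouis})
        if vendors:
            reasons.append("AP-vendor OUI: " + ", ".join(vendors))
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, reasons in sorted(suspect_ports(SAMPLE_TABLE).items()):
        print(port, "->", "; ".join(reasons))
```

A single MAC on a port does not clear it: as the comment notes, an AP router doing NAT presents only its own address, which is why the OUI check is reported separately from the MAC count.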
  4. Re:What are you going to do once you find them? by QuantumRiff · · Score: 2, Insightful
    Not really, perhaps he just wants to get rid of "Rogue" access points. My policies say that IT installs and maintains all networking equipment. This is to ensure uniformity, and most importantly security. If I see an SSID of "linksys" with no security, or bad security, that is a point of entry onto "my network." Maybe the employee threw it up because his laptop card doesn't do 802.1x authentication over 802.11g, or maybe he just isn't close enough to one of the other APs in the office, and wants to "roam." Maybe it's a guy sitting in a van in the parking lot, sniffing password attempts, or trying to lure people to use him as their gateway to grab confidential information. Either way, it is a security risk, and needs to be removed.

    Remember that the network it is plugged into is the business's, not the individual's, and the business dictates what is done with it. They have every right to disconnect it. They might not be able to confiscate it, and keep it, but they can certainly disconnect it, unplug it, and tell the employee to never, ever bring it back in.

    --

    What are we going to do tonight Brain?
  5. Re:Radio Direction Finding by Anonymous Coward · · Score: 1, Insightful

    Nice, you have no idea what his security requirements are. Think before you speak moron.

  6. Check the LAN switches by MeanMF · · Score: 3, Insightful

    Try browsing through your LAN switch's MAC address tables.. The manufacturer ID on the WAP will probably be different than most of your other computers' network cards.

  7. Treat the DISEASE, not the symptoms by Noksagt · · Score: 2, Insightful

    If your network is good enough, there wouldn't be a need for rogue WAPs.

    Supply your users with a better wireless network! Make sure there is connectivity EVERYWHERE & then lock your own network down (through VPN, WPA+Radius, or whatever).

    If even facility-provided wireless is absolutely verboten everywhere, just put up jammers & be done with it.

    Or change your AUP and internal network security so that you wouldn't care about WAPs.

    If you decide to go hunting for them, you'll have to do it more than once. There is employee turnover & machine turnover & anyone can bring in a new WAP.

  8. Re:Radio Direction Finding by bergeron76 · · Score: 2, Insightful

    I'm concerned about unauthorized Access Points being installed, or users who set up wireless computer to computer networks.

    He's trying to prevent unauthorized Access Points from being installed, you fucking moron.

    And how do you know he's not on a University Campus, trying to prevent students from peering?

    --
    Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
  9. non-tech solution by fred+fleenblat · · Score: 3, Insightful

    Send out a company-wide email reminding employees about the corporate policy against bringing wireless access points from home. Ask anyone who has one to please disconnect it and remove it from the premises thank you for your cooperation etc etc.

    Worker bees will comply almost instantly. If it's still on the air by that evening, start looking in manager offices. If you can at least isolate it to one floor you should be able to just LOOK for it. It's connected to the network, right? Follow some ethernet cables and you'll eventually find it. It's not like they would hide it in a metal filing cabinet.

    And when you do find it, don't be an @$$ about it. Just remind the misguided soul that this is against corporate IT policy and we'll be happy to extend a supported AP into the ceiling near you on Monday.

  10. Re:Is it open? by Glonoinha · · Score: 2, Insightful

    Better yet, connect to the AP management tools using the default password and just enable WEP with a random key. As far as the newbie that plugged an unconfigured AP into the network is concerned it just 'broke' (wifi is mostly magic to all but a select few.)

    --
    Glonoinha the MebiByte Slayer
  11. Re:What are you going to do once you find them? by dougmc · · Score: 2, Insightful
    The stuff is not plugged in to the network. It's wireless.
    Well, yes, it is possible to have an access point that's not plugged into the network, but that's not very likely. (And if it's not plugged into the network, it's not a problem. But it's not always obvious that this is the case until you find it.) It's quite likely that if you find a rogue AP somewhere inside your office building, it's connected to the (wired) network.

    (Though if you didn't like your IT department, you certainly could set up an AP in your office -- not plugged into the network at all -- just to mess with them. Power it with a battery if you really want to make sure it doesn't violate any company policies. However, if you're going to do this, it may really piss them off when they find it, and it could very well still get you fired. And perhaps rightfully so, since obviously you'd be a schmuck with too much time on his hands.)

    Finally, the business should not be running wireless. It's insecure, it's been demonstrated insecure, and it's been demonstrated hard to guard and easy to penetrate.
    It can be made reasonably secure easily enough. WEP helps a lot, but by itself it doesn't make it completely secure, and that's probably what you're referring to. But there are other ways to secure wireless networks, and some of them work pretty good. The NSA probably doesn't use them (on their uber-secure networks anyways), but for many companies they're good enough.

    But really, the `wireless isn't secure' mantra is getting quite old. There's some truth to it, but it can be made secure. Secure enough, anyways. (After all, IT is always balancing security with usability. Security is not a black or white thing -- it's a huge spectrum.)

  12. Vague on details by vga_init · · Score: 2, Insightful
    "As an IT Manager I'm concerned about unauthorized Access Points being installed, or users who set up wireless computer to computer networks."

    Let me get this straight...you're out to find "unauthorized" network activity between computers? As stated in previous posts, who owns these computers? Who owns the network?

    If it's your network, then you need to record the MAC address of the unauthorized machines and use security measures to lock the network. More securely, you can even configure the network to provide service *only* to authorized network adapters. That's how they do it here, and this is a public school (if THEY can do it, then you certainly can ;) The IT administration here is a bunch of boneheads).

    But what happens if they're not on your network? Well, then we start to cross into a gray area of sorts. More variables need to be considered where none are given, such as who owns the machines and what restrictions the employees have agreed to previously.

    If they own the computers, are running the network themselves, and are not violating any agreement with their employer, then finding/squashing the networks is really none of your business.