Security Basics mailing list archives

Re: Wireless Monitoring


From: avatarfx () gmail com
Date: Fri, 26 Jan 2007 09:27:37 -0800



Hello Kevin.
I had a similar problem before with one of my customers who wanted to prevent anyone in his network from connecting
more network devices (Access Points, Routers, Switches or Hubs), and we spent a while coming up with a solution.
We considered that the best way to do so is by following this procedure:
1.      Enable a policy to be signed by the employees regarding the proper use of the network resources, in which you
include and remark that “no other network devices except those installed by the company are allowed to be plugged
in”.
2.      Using a NIC card inventory, configure the DHCP server to only provide a designated address to previously
registered MAC addresses.
3.      Log unsuccessful DHCP requests and use a monitoring tool to track the attempts.
4.      In case more control is needed, log the users’ traffic by MAC address. An increase in traffic can
point to a saturated node.

This procedure will not completely secure the network against other network devices, but it will deal with most of the
people who want to try that. Here we are dealing with people with different reasons and abilities. Employees who simply
think they can solve a problem (like connecting their laptop to the Internet) by plugging in a device like an Access Point
would think twice, considering that there is a policy in the company that prohibits that and that their image in the
company would be damaged.

In the case of more expert people who think they cannot be detected by connecting a device, the fact that they
understand that the company is tracking and logging this kind of activity will make them think twice. Most of the
common users do not understand the capabilities of the log files and the alarm systems (as we don’t understand casinos),
so the fact that somebody in the company is tracking this kind of activity would mean just a fear or even “super
advanced detection tools”. As long as they don’t understand the mechanism, they won’t do it.

In case a user wants to plug in a device using the company’s DHCP server, by logging the unsuccessful negotiations
(because they’re not registered in the valid MAC address list) you might be able to tell which office or node is
being jacked. These log files would give you an idea of which people are able to break the policy and plug in other devices,
so you can focus your attention on those nodes, and maybe a simple phone call asking them if there is something
wrong with that computer (because you can see strange behavior) would stop them in the future.

By now most of the common users should be scared enough to stop these activities; perhaps a few users with superior
computer knowledge may try to come up with a solution to plug devices into the network anyway. This is when the Network
Administrator should be really worried about the reasons for doing so. If this is the case and it’s very important to the
company’s network to prevent such activities, then network traffic monitoring software could be configured on site to
log unusual increases of traffic on a given node.
In case they successfully plug in the device and then connect more devices to it, the network traffic on that node
would increase abnormally. This is when a check needs to be done to confirm that the network resources are being used
properly. By pinpointing the correct node to analyze, the network administrator can track the sites and services
being used to determine the further steps to take.

Now, it’s important to realize that these steps will not completely stop the problem, but they are an inexpensive
solution to that problem. The CIO should consider the budget, time and value of the information to decide whether or
not to go further (it’s always recommended to secure as much as possible).

I hope this works for you, and please mail me back with any further questions.

Victor Serrano.
Network and Security Systems Professional.
www.victor-serrano.com
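Added example (editor's code, not part of the post above and not Victor's tooling): steps 2 and 3 of the procedure as working code. It turns a NIC inventory into ISC dhcpd `host` entries (so that, with `deny unknown-clients;` in the subnet, only registered MACs get a lease) and then scans dhcpd's syslog output for DHCPDISCOVER/DHCPREQUEST messages from MACs that are not in the inventory, counting them per MAC and per interface or relay so you can tell which segment the unregistered device sits on. Assumptions that are not in the post: ISC dhcpd is the DHCP server, its messages reach syslog in the usual "DHCPDISCOVER from <mac> via <iface>" form, and the inventory and log lines below are constructed for the example. As the post itself says, this is an inexpensive control rather than a barrier; a MAC address is trivially changed by anyone who knows to do so.

```python
"""Added example (not from the original post).

Step 2: render dhcpd.conf host entries from a NIC inventory.
Step 3: flag DHCP requests from MACs missing from that inventory.

Assumptions: ISC dhcpd logging to syslog; the inventory and the sample
log lines are constructed for this example.
"""
import re
from collections import Counter

# Constructed NIC inventory: MAC -> (hostname, fixed address).
INVENTORY = {
    "00:11:22:33:44:55": ("ws-acct-01", "10.0.10.21"),
    "00:11:22:33:44:66": ("ws-acct-02", "10.0.10.22"),
}


def normalize_mac(mac):
    """Lower-case, colon-separated form so '00-11-...' and '00:11:...' compare equal."""
    return mac.lower().replace("-", ":")


def render_dhcpd_hosts(inventory):
    """Render one dhcpd.conf 'host' block per inventory entry.

    Put 'deny unknown-clients;' in the subnet declaration so that MACs
    without such a block are refused a lease (and logged)."""
    blocks = []
    for mac, (name, ip) in sorted(inventory.items()):
        blocks.append(
            "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}"
            % (name, normalize_mac(mac), ip)
        )
    return "\n".join(blocks)


# Matches dhcpd's "DHCPDISCOVER from <mac> [(hostname)] via <iface>" and
# "DHCPREQUEST for <ip> from <mac> via <iface>" lines. The 'via' field is an
# interface name for directly attached segments or the relay agent's IP
# for relayed ones; the trailing ':' of "via 10.0.20.1: network ..." is excluded.
DHCP_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: DHCP(?P<msg>DISCOVER|REQUEST)(?: for \S+)? from "
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (?P<iface>[^\s:]+)",
    re.IGNORECASE,
)


def find_unregistered(log_lines, inventory, threshold=1):
    """Return {(mac, iface): count} for DISCOVER/REQUEST messages whose MAC
    is not in the inventory and was seen at least `threshold` times.

    The iface/relay value is what points you at the office or segment."""
    known = {normalize_mac(m) for m in inventory}
    hits = Counter()
    for line in log_lines:
        m = DHCP_RE.search(line)
        if not m:
            continue  # OFFER/ACK/NAK lines and unrelated syslog noise
        mac = normalize_mac(m.group("mac"))
        if mac in known:
            continue
        hits[(mac, m.group("iface"))] += 1
    return {k: v for k, v in hits.items() if v >= threshold}


# Constructed sample of dhcpd syslog output: one registered workstation
# booting, an unregistered access point retrying on a relayed segment,
# and a registered workstation renewing its lease.
SAMPLE_LOG = """\
Jan 26 09:27:01 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 26 09:27:01 dhcp1 dhcpd[1234]: DHCPOFFER on 10.0.10.21 to 00:11:22:33:44:55 via eth0
Jan 26 09:27:05 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e (linksys-ap) via 10.0.20.1: network 10.0.20.0/24: no free leases
Jan 26 09:27:09 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e (linksys-ap) via 10.0.20.1: network 10.0.20.0/24: no free leases
Jan 26 09:27:13 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e (linksys-ap) via 10.0.20.1: network 10.0.20.0/24: no free leases
Jan 26 09:30:00 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.10.22 from 00:11:22:33:44:66 via eth0
""".splitlines()


if __name__ == "__main__":
    print(render_dhcpd_hosts(INVENTORY))
    for (mac, iface), n in find_unregistered(SAMPLE_LOG, INVENTORY).items():
        print("unregistered %s seen %d times via %s" % (mac, n, iface))
```

Run against a real `/var/log/syslog` (or wherever dhcpd logs) by passing the file's lines to `find_unregistered`; raise `threshold` to ignore a single stray request and keep only devices that keep retrying, which is what a freshly plugged-in access point does.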
