Security Basics mailing list archives
Re: Wireless Monitoring
From: avatarfx () gmail com
Date: Fri, 26 Jan 2007 09:27:37 -0800
Hello Kevin.

I had a similar problem before with one of my customers who wanted to prevent anyone in his network from connecting more network devices (Access Points, Routers, Switches or Hubs), and we spent a while coming up with a solution. We considered that the best way to do so is by following this procedure:

1. Enable a policy to be signed by the employees regarding the proper use of the network resources, in which you include and remark that no other network devices except those installed by the company are allowed to be plugged in.
2. Using a NIC card inventory, configure the DHCP server to only provide a designated address to previously registered MAC addresses.
3. Log unsuccessful DHCP requests and use a monitoring tool to track attempts.
4. In case more control is needed, log the users' traffic by MAC address. An increase in the traffic can point to a saturated node.

This procedure will not completely secure the network against other network devices, but it will deal with most of the people who want to try that. Here we are dealing with people with different reasons and abilities. Employees who simply think they can solve a problem (like connecting their laptop to the Internet) by plugging in a device like an Access Point would think twice, considering that there is a policy in the company that prohibits that and that their image in the company would be damaged. In the case of more expert people who think they cannot be detected when connecting a device, the fact that they understand that the company is tracking and logging this kind of activity will make them think twice. Most of the common users do not understand the capabilities of the log files and the alarm systems (as we don't understand casinos), so the fact that somebody in the company is tracking this kind of activity would mean just a fear or even super advanced detection tools. As long as they don't understand the mechanism, they won't do it.

In case a user wants to plug in a device by using the company's DHCP server, by logging the unsuccessful negotiations (because they're not registered in the valid MAC addresses list) you might be able to tell which office or node is being jacked. These log files would give you an idea of which people are able to break the policy and plug in other devices; therefore you can focus your attention on those nodes, and maybe a simple phone call asking them if there is something wrong with that computer (because you can see a strange behavior) would stop them in the future.

By now most of the common users should be scared enough to stop these activities; perhaps a few users with superior computer knowledge may try to come up with a solution to plug devices into the network anyways. This is when the Network Administrator should be really worried about the reasons to do so. If this is the case and it's very important to the company's network to prevent such activities, then network traffic monitoring software could be configured on site to log unusual increases of traffic on a given node. In case they successfully plug in the device and then connect more devices to it, the network traffic on that node would increase abnormally. This is when a check needs to be done to confirm that the network resources are being used properly. By pinpointing the correct node to analyze, the network administrator can track the sites and services being used to determine the further steps to take.

Now, it's important to realize that these steps will not completely stop the problem, but they are an inexpensive solution to that problem. The CIO should consider the budget, time and value of the information to decide whether or not to go further (it's always recommended to secure as much as possible).

I hope this works for you, and please mail me back with any further questions.

Victor Serrano.
Network and Security Systems Professional.
www.victor-serrano.com
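Steps 2 and 3 of the procedure above, sketched as an added example that is not part of the original message: DHCP requests from MAC addresses missing from the NIC inventory are grouped by the node they arrived through, so the busiest office or port is reviewed first. The log format, node names and MAC addresses are constructed assumptions, not the output of any particular DHCP server.

```python
import re
from collections import defaultdict

# Constructed NIC inventory (step 2), deliberately in mixed MAC notations.
REGISTERED = {"00:16:3E:1A:2B:3C", "0016.3e4d.5e6f", "00-16-3e-77-88-99"}

# Constructed log lines in a simplified, assumed format:
# timestamp, message type, client MAC, relay/port the request came through.
SAMPLE_LOG = """\
2007-01-26T09:01:12 DHCPDISCOVER from 00:16:3e:1a:2b:3c via floor2-sw1/port4
2007-01-26T09:03:40 DHCPDISCOVER from 00:0f:66:aa:bb:cc via floor3-sw2/port11
2007-01-26T09:03:44 DHCPDISCOVER from 00:0F:66:AA:BB:CC via floor3-sw2/port11
2007-01-26T09:05:02 DHCPREQUEST from 0016.3e4d.5e6f via floor1-sw1/port2
2007-01-26T09:10:19 DHCPDISCOVER from 00-13-10-de-ad-01 via floor3-sw2/port11
2007-01-26T09:15:31 DHCPDISCOVER from 00:0c:41:12:34:56 via floor1-sw1/port9
malformed line without the expected fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:DHCPDISCOVER|DHCPREQUEST) from (?P<mac>\S+) via (?P<node>\S+)$"
)

def normalize_mac(raw):
    """Reduce colon, dash or dotted notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def unregistered_attempts(log_text, registered):
    """Return {node: {mac: [timestamps]}} for client requests not in the inventory."""
    allowed = {normalize_mac(m) for m in registered}
    report = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a client request, or a line we cannot parse
        mac = normalize_mac(m["mac"])
        if mac is None or mac in allowed:
            continue
        report[m["node"]][mac].append(m["ts"])
    return {node: dict(macs) for node, macs in report.items()}

def nodes_by_attempts(report):
    """Order nodes by total unregistered requests, most active first."""
    totals = {n: sum(len(t) for t in macs.values()) for n, macs in report.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    rep = unregistered_attempts(SAMPLE_LOG, REGISTERED)
    for node, count in nodes_by_attempts(rep):
        print(node, count, sorted(rep[node]))
```

Only clients that ask the DHCP server for an address appear in this report, so it complements the per-MAC traffic logging in step 4 rather than replacing it.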