Security Basics mailing list archives

RE: Wireless Monitoring


From: "Trevor Greenfield" <tgreenfield () internode on net>
Date: Sun, 28 Jan 2007 08:57:31 +1030

Also look out for a product called 'Blue Sockets' that I became aware of
lately. It gives the ability to secure a wireless network running through a
controller, using defined policies. Very easy to administer.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of avatarfx () gmail com
Sent: Saturday, 27 January 2007 3:58 AM
To: security-basics () securityfocus com
Subject: Re: Wireless Monitoring



Hello Kevin.
I had a similar problem before with one of my customers who wanted to
prevent anyone on his network from connecting more network devices (Access
Points, Routers, Switches or Hubs), and we spent a while coming up with a
solution.
We considered that the best way to do so is by following this procedure:
1.      Establish a policy, to be signed by the employees, regarding the proper
use of the network resources, in which you include and emphasize that "no other
network devices except those installed by the company are allowed to be
plugged in".
2.      Using a NIC card inventory, configure the DHCP server to only
provide a designated address to previously registered MAC addresses.
3.      Log unsuccessful DHCP requests and use a monitoring tool to track
attempts.
4.      In case more control is needed, log the user's traffic by MAC
address. An increase in the traffic can point to a saturated node.

This procedure will not completely secure the network against other network
devices, but it will deal with most of the people who want to try that. Here
we are dealing with people with different reasons and abilities. Employees
who simply think they can solve a problem (like connecting their laptop to
the Internet) by plugging in a device like an Access Point would think twice,
considering that there is a policy in the company that prohibits that and
that their image in the company would be damaged.

In the case of more experienced people who think they cannot be detected by
connecting a device, the fact that they understand that the company is
tracking and logging this kind of activity will make them think twice.
Most common users do not understand the capabilities of the log files
and the alarm systems (as we don't understand casinos), so the fact that
somebody in the company is tracking this kind of activity would mean
fear, or even a belief in "super advanced detection tools". As long as they don't
understand the mechanism, they won't do it.

In case a user wants to plug in a device by using the company's DHCP server, by
logging the unsuccessful negotiations (because they're not registered in the
valid MAC addresses list) you might be able to tell which office or node
is being jacked. These log files would give you an idea of which people are
able to break the policy and plug in other devices; therefore you can focus
your attention on those nodes, and maybe a simple phone call asking them if
there is something wrong with that computer (because you can see a strange
behavior) would stop them in the future.

By now most of the common users should be scared enough to stop these
activities; perhaps a few users with superior computer knowledge may try
to come up with a solution to plug devices into the network anyway. This is
when the Network Administrator should be really worried about the reasons for
doing so. If this is the case and it's very important to the company's network
to prevent such activities, then network traffic monitoring software could
be configured on site to log unusual increases of traffic on a given node.
In case they successfully plug in the device and then connect more devices to
it, the network traffic on that node would increase abnormally. This is
when a check needs to be done to confirm that the network resources are
being used properly. By pin-pointing the correct node to analyze, the
network administrator can track the sites and services being used to
determine the further steps to take.

Now, it's important to realize that these steps will not completely stop the
problem, but they are an inexpensive solution to that problem. The CIO should
consider the budget, time and value of the information to decide whether or
not to go further (it's always recommended to secure as much as possible).

I hope this works for you, and please mail me back with any further questions.

Victor Serrano.
Network and Security Systems Professional.
www.victor-serrano.com
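The procedure in the message above (steps 2 and 3: a NIC inventory driving DHCP reservations, then logging and reviewing requests from unregistered MACs) as an added, runnable example. This is editor-supplied code, not anything Victor or Kevin posted; it assumes an inventory kept as a plain "mac,hostname,location" CSV, an ISC dhcpd server using `host` reservations together with `deny unknown-clients;`, and syslog lines in dhcpd's `DHCPDISCOVER from <mac> via <interface-or-relay>` style. The inventory and log lines are constructed for the example. One caveat the post only hints at: a device with a static address, or a consumer router that clones a registered MAC, never shows up in these DHCP logs, so this catches the careless, not the determined.

```python
"""Added example (not from the original post): build ISC dhcpd host
reservations from a NIC inventory and flag DHCP requests from MACs that are
not in that inventory, grouped by the interface or relay they arrived on.

Assumptions: inventory is "mac,hostname,location" CSV; log lines follow
ISC dhcpd's syslog format. Both samples below are constructed.
"""
import re
from collections import Counter

# Constructed inventory: one line per registered NIC.
INVENTORY_CSV = """\
00:11:22:33:44:55,ws-finance-01,finance office
00:11:22:33:44:66,ws-finance-02,finance office
AA-BB-CC-DD-EE-01,ws-sales-01,sales office
"""

# Constructed syslog lines in ISC dhcpd's style; MACs, relay addresses and
# subnets are invented. The "no free leases" lines are what a denied
# unknown client typically produces on a subnet with no dynamic pool.
SAMPLE_LOG = """\
Jan 27 03:58:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 27 03:58:01 dhcp1 dhcpd: DHCPOFFER on 192.168.10.21 to 00:11:22:33:44:55 via eth0
Jan 27 03:59:10 dhcp1 dhcpd: DHCPDISCOVER from 02:1a:2b:3c:4d:5e via 192.168.20.1: network 192.168.20.0/24: no free leases
Jan 27 03:59:14 dhcp1 dhcpd: DHCPDISCOVER from 02:1a:2b:3c:4d:5e via 192.168.20.1: network 192.168.20.0/24: no free leases
Jan 27 04:02:33 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via 192.168.20.1
Jan 27 04:05:00 dhcp1 dhcpd: DHCPREQUEST for 192.168.10.99 from 00:25:9c:aa:bb:cc via eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")
# Client MAC plus the interface name or relay-agent address it came in via.
REQUEST_RE = re.compile(
    r"dhcpd: DHCP(?:DISCOVER|REQUEST)\b.*?\bfrom ([0-9a-fA-F:]{17}) via (\S+?)(?::|$)"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so inventory and logs compare equal."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    return mac


def load_inventory(csv_text):
    """Return {mac: (hostname, location)} from the CSV inventory."""
    inventory = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, hostname, location = (f.strip() for f in line.split(",", 2))
        inventory[normalize_mac(mac)] = (hostname, location)
    return inventory


def dhcpd_host_block(inventory):
    """Render dhcpd.conf 'host' reservations for every registered NIC.

    Pair this with 'deny unknown-clients;' in the subnet declaration so only
    inventoried MACs are offered a lease (step 2 of the post).
    """
    lines = []
    for mac, (hostname, location) in sorted(inventory.items()):
        lines.append("host %s {  # %s" % (hostname, location))
        lines.append("    hardware ethernet %s;" % mac)
        lines.append("}")
    return "\n".join(lines)


def find_unregistered(log_text, inventory):
    """Return {(mac, via): count} for DISCOVER/REQUEST from unknown MACs.

    'via' is the interface or relay-agent address, which is what tells you
    which segment or office the unknown device was plugged into (step 3).
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group(1))
        if mac not in inventory:
            hits[(mac, m.group(2))] += 1
    return dict(hits)


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print(dhcpd_host_block(inv))
    for (mac, via), n in sorted(find_unregistered(SAMPLE_LOG, inv).items()):
        print("unregistered %s via %s: %d request(s)" % (mac, via, n))
```

Run against real logs, feed `find_unregistered` the dhcpd lines from syslog and key the report on the `via` field: on a relayed network that is the gateway of the segment the device sits on, which is the "office or node" the post talks about phoning.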
