IDS mailing list archives

RE: Wired detection of rogue access points


From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Mon, 19 Mar 2007 22:42:28 -0500

I do two things.
1) Use a MAC scanner. I wrote one that scans periodically and compares the
MACs with the MACs listed in my equipment database. It then displays the
details about the machine running the unknown MAC address. I am planning on
adding countermeasures to this program.

2) A wifi scanner (netstumbler, kismet, etc.)

3) TREAT ALL WIRELESS NETWORKS AS HOSTILE!!!!


Now what I am about to say is not how to find rogue APs as much as a system
to limit the exposure to them.

I have 80 acres covered by 802.11 b/g in a metropolitan area in a city with
several million people. While this is not the easiest network to defend, we
have a system that helps. All of our access points are custom built by
ourselves, running pebble linux. One reason we did this is that there is a mini
PCI wireless card putting out 400mW (most are 200). We force all
authenticated connections into a VPN connection. If someone gets through the
WEP/WPA/MAC filtering, they are stuck against tougher security standards. Our
access points lie outside the firewall, and a user must connect to the
VPN to gain access to anything (including internet access). If/when a rogue
AP shows up we generally know within 5 or 10 min. We see lots of scanning
and probing into our wireless network on a daily basis. We only take action
on the more extreme cases.

How we stop most unauthorized connections: I have a MySQL table loaded with
computer names, MACs and other information. There is a cronjob to dump the
list of MACs to a text file nightly (this can be run manually as well). Any
MAC showing up at the IPTables rule that is not on the list has its packets
logged and dropped.

I have not found a single application you can go buy to protect yourself.
Instead I use known, stable technologies to protect my network. I hope this
helps.


Check out
http://www.proxim.com/learn/library/whitepapers/Rogue_Access_Point_Detection.pdf
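As an added illustration of the allowlist-driven IPTables setup the post describes (this is example code, not the poster's own script): it turns a one-MAC-per-line dump into a chain that passes known MACs and logs-then-drops everything else. The allowlist path, the chain name MACFILTER and eth1 as the wireless-facing interface are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own tooling: build an iptables chain from a
# one-MAC-per-line allowlist (like the nightly MySQL dump described above).
# Known MACs RETURN to the calling chain; anything else is logged and dropped.
# Assumptions (hypothetical): chain name MACFILTER, eth1 as the wireless-facing
# interface, and the allowlist path. Prints the commands; APPLY=1 executes them.

CHAIN="${CHAIN:-MACFILTER}"   # hypothetical chain name
IFACE="${IFACE:-eth1}"        # assumed wireless-facing interface

# Lower-case and validate one MAC; prints nothing for malformed input.
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r' \
        | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || true
}

# Emit the iptables commands for allowlist file $1 (dry run, to stdout).
gen_rules() {
    list="$1"
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(norm_mac "${line%%#*}")          # strip comments, blanks, junk
        [ -n "$mac" ] || continue
        echo "iptables -A $CHAIN -m mac --mac-source $mac -j RETURN"
    done < "$list"
    # Unknown sender: rate-limited LOG line for the IDS/syslog, then DROP.
    echo "iptables -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix 'UNKNOWN_MAC: '"
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain in front of INPUT and FORWARD for frames from the wireless side.
    for c in INPUT FORWARD; do
        echo "iptables -C $c -i $IFACE -j $CHAIN 2>/dev/null || iptables -I $c -i $IFACE -j $CHAIN"
    done
}

# Stand-alone run: without ALLOWLIST set, use a constructed two-entry sample list.
if [ -z "${ALLOWLIST:-}" ]; then
    ALLOWLIST=$(mktemp)
    printf 'AA:BB:CC:DD:EE:01  # constructed sample\naa:bb:cc:dd:ee:02\n' > "$ALLOWLIST"
fi
if [ "${APPLY:-0}" = 1 ]; then gen_rules "$ALLOWLIST" | sh -e; else gen_rules "$ALLOWLIST"; fi
```

Because a MAC is trivially cloned, this is a tripwire and noise filter in front of the VPN gate the post describes, not an authentication control; the LOG lines are what make unknown hardware visible within minutes.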


