IDS mailing list archives
RE: Wired detection of rogue access points
From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Mon, 19 Mar 2007 22:42:28 -0500
I do two things.

1) Use a MAC scanner. I wrote one that scans periodically and compares the MACs with the MACs listed in my equipment database. It then displays the details about the machine running the unknown MAC address. I am planning on adding countermeasures to this program.
2) A wifi scanner (NetStumbler, Kismet, etc.)
3) TREAT ALL WIRELESS NETWORKS AS HOSTILE!!!!

Now what I am about to say is not how to find rogue APs as much as a system to limit the exposure to them.

I have 80 acres covered by 802.11 b/g in a metropolitan area in a city with several million people. While this is not the easiest network to defend, we have a system that helps. All of our access points are custom built by ourselves, running Pebble Linux. One reason we did this is that there is a mini PCI wireless card putting out 400 mW (most are 200).

We force all authenticated connections into a VPN connection. If someone gets through the WEP/WPA/MAC filtering, they are stuck against tougher security standards. Our access points lie outside the firewall, and a user must connect to the VPN to gain access to anything (including internet access).

If/when a rogue AP shows up, we generally know within 5 or 10 min. We see lots of scanning and probing into our wireless network on a daily basis. We only take action on the more extreme cases.

How we stop most unauthorized connections: I have a MySQL table loaded with computer names, MACs and other information. There is a cron job to dump the list of MACs to a text file nightly (this can be run manually as well). For any MAC showing up on the IPTables rule that is not on the list, its packets are logged and dropped.

I have not found a single application you can go buy to protect yourself. Instead I use known, stable technologies to protect my network. I hope this helps.
Check out http://www.proxim.com/learn/library/whitepapers/Rogue_Access_Point_Detection.pdf
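The nightly "dump MACs to a text file, log and drop everything else" step described in the message above could look like the following sketch. This is an added example, not the poster's code: the chain name `MACFILTER`, the log prefix, the one-MAC-per-line file format and the sample addresses are all assumptions.

```shell
#!/bin/sh
# build_mac_ruleset FILE [CHAIN]
# Reads an allowlist (assumed format: one MAC per line, '#' starts a comment,
# ':' or '-' separators, any case) and prints iptables-restore input for a
# user chain: known MACs RETURN to the caller, everything else is logged
# and dropped. Malformed entries are reported on stderr and skipped.
build_mac_ruleset() {
    file=$1
    chain=${2:-MACFILTER}        # hypothetical chain name
    printf '*filter\n:%s - [0:0]\n' "$chain"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}        # drop trailing comment
        # strip whitespace, upper-case hex digits, turn '-' into ':'
        mac=$(printf '%s' "$entry" | tr -d '[:space:]' | tr 'a-f-' 'A-F:')
        [ -z "$mac" ] && continue
        if printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; then
            printf -- '-A %s -m mac --mac-source %s -j RETURN\n' "$chain" "$mac"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$file"
    printf -- '-A %s -j LOG --log-prefix "UNKNOWN-MAC: "\n' "$chain"
    printf -- '-A %s -j DROP\n' "$chain"
    printf 'COMMIT\n'
}

# demo_ruleset: runs the generator over a constructed allowlist
# (sample addresses are made up, not taken from the post).
demo_ruleset() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# nightly dump from the equipment database (constructed sample)' \
        '00:11:22:aa:bb:cc' \
        '00-11-22-33-44-55   # office laptop' \
        '' \
        'not-a-mac' > "$tmp"
    build_mac_ruleset "$tmp"
    rm -f "$tmp"
}
```

The output is meant to be reviewed and then loaded with `iptables-restore --noflush`; a jump into the chain from the rule set that handles wireless-side traffic has to exist separately. Because MAC addresses can be spoofed, this filter only narrows exposure, which is why the message pairs it with a mandatory VPN.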