IDS mailing list archives
Re: Wired detection of rogue access points
From: <jay.tomas () infosecguru com>
Date: Tue, 27 Mar 2007 11:32:50 -0400
Its a strong statement that doing something provides "no additional security whatsoever, period". Any good defense includes layering a collection of countermeasures. No one will save you, but you hope together you will be able to weather the storm. Its like saying Im not going to lock the door, because a determined locksmith will pick it , or a big ape will smash it open. Its about containment and slowing the attack so that hopefully you can detect its source and eliminate it. Also, I thought the topic of this thread was access points. It's true that spoofing MAC address on workstations can be done with a variety of tools.Spoofing a MAC address of an access point through firmware etc seems a more delicate task. (If anyone is thinking about responding about workstation emumlating an access point bother, my comments only apply to hardware flavors like Linksys etc. Jay ----- Original Message ----- From: tim_holman () hotmail com [mailto:tim_holman () hotmail com] To: agraham () datastreamcowboys net,listbounce () securityfocus com,focus-ids () securityfocus com Sent: Mon, 26 Mar 2007 23:24:25 +0000 Subject: Re: Wired detection of rogue access points Filtering by MAC gives you no additional security whatsoever, period. MAC addresses can be easily spoofed and although your solution may assist in spotting misconfigurations a determined intruder will get straight through.... Sent from my BlackBerry? wireless device -----Original Message----- From: "Adam Graham" <agraham () datastreamcowboys net> Date: Mon, 26 Mar 2007 15:52:21 To:<focus-ids () securityfocus com> Subject: RE: Wired detection of rogue access points First off is it even possible to buy a laptop that does not have wifi built in? I have set up an automated scan looking for MACs. If the MAC does not appear on my list I drop its packets in the IPTabes FW. It's rather simple to do. The main thing I do that seems to work the best is the APs are un-trusted and therefore stuck out in the DMZ. Before one can get to network resources they need to open the VPN client after connecting to the AP. A simple way to handle MACs with IPTables (NOTE: simple rule if you need more instruction I can send it to you or just the complete iptable script): Let's create 2 text files: /tmp/whiteist /tmp/blackist Insert into whiteist 00:06:25:2E:56:A0 Insert into blackist 00:06:25:2E:56:E1 Add following to your IPTabes script TABLES = "filter nat mangle" iptables = /sbin/iptables touch /tmp/whiteist touch /tmp/blackist WHITELIST = `cat /tmp/whiteist | awk '{print $1}' BLACKLIST = `cat /tmp/blackist | awk '{print $1}' # Forward good MACs $iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT # mark all packets from the good macs for MAC in $WHITELIST ; do $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42 done # drop all packets from the good macs for MAC in $BLACKLIST ; do $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP done ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- RE: Wired detection of rogue access points, (continued)
- RE: Wired detection of rogue access points Adam Graham (Mar 26)
- Re: Wired detection of rogue access points tim_holman (Mar 27)
- Message not available
- Re: Wired detection of rogue access points Adam Crosby (Mar 27)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- RE: Wired detection of rogue access points Waters, Chris (Mar 22)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points Eric Hacker (Mar 26)
- Re: Wired detection of rogue access points tim_holman (Mar 29)
- RE: Wired detection of rogue access points Adam Graham (Mar 29)
- Re: Wired detection of rogue access points Eric Hacker (Mar 30)
- RE: Wired detection of rogue access points Adam Graham (Mar 30)