Firewall Wizards mailing list archives
Re: Wireless
From: <Dennis.Archambault () stpaul com>
Date: Fri, 9 Aug 2002 16:10:30 -0500
Paul,

I have struggled with these questions for a while now. I have looked at the NetStumbler/Kismet side of the solution, but still find that solution set somewhat limited when it comes to a national or international network.

I started toying with the 'wired' side, looking at the WAP MAC addresses. Most of the WAP manufacturers out there are using their own MAC (OUI) ranges. I think there are like 15-20 OUIs right now that pick up the majority of the WAP products; I started with a list from a thread on BAWUG. So the plan is to write a simple script that will go out to all the routers and grep the OUI list against the router ARP table, and alert on any hits. I still have to do a little leg work in weeding out the false positives, but if you run something like this 3-4 times a day you should pick up at least some of the rogue APs.

You could argue that the MAC OUI on the WAP could be forged to obfuscate its presence on the wired net. I don't disagree. I would argue that if we have someone with the talent level to whack the MAC address, they have enough skills to either tighten up the radio side (hopefully) or are using it for some really evil purposes and don't want to be found (hello IDS and other burglar alarms).

I also came across a guy from Cisco, Kirby Kuehl, who has done some work in this area on the Cisco network. He has a somewhat limited tool that he has written that will search the network for specific WAP signatures. I think he uses tiny-HTTPd and SNMP sigs to discover these things. It's not a highly developed tool because it was purpose-built for locating Cisco stuff on Cisco networks. Anyway, Keith has the source posted out on SourceForge, I think it was called... APTool or something like that.

Interesting stuff, this rogue AP... look forward to hearing what other folks are doing on an enterprise basis.

Dennis Archambault
St Paul Cos.
--------------------------------------------------------------------------------------------------
On Fri, 9 Aug 2002, Paul Robertson wrote:

How are people starting to deal with hunting down and killing rogue Wireless Access Points (WAPs)[1]? It seems pretty easy in environments where wireless isn't allowed at all, but is anyone dealing with the situation in an environment where there are sanctioned wireless networks?

Thanks,
Paul

[1] I'm thinking a lot about the built-in laptop WAPs, people bringing in 802.11b-enabled hubs, and only slightly about the cleaning folks hiding one in the ceiling tiles.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
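
The OUI-against-ARP-table check described in the message above, as an added example that is not part of the original post or any poster's code. It assumes the ARP output has already been collected from each router as text; the OUI prefixes, sanctioned-AP list, router names and sample tables are all constructed placeholders.

```python
import re

# Constructed placeholder prefixes (locally administered range), not real vendor OUIs.
WATCH_OUIS = {"02aabb": "placeholder-ap-vendor-a", "0a0b0c": "placeholder-ap-vendor-b"}
# Constructed MACs of sanctioned access points, excluded to cut false positives.
SANCTIONED = {"02aabb000001"}

# Cisco dotted (0011.22aa.bbcc) or colon/hyphen separated MAC addresses.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b|\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(mac):
    """Lower-case a MAC and strip separators: 02AA.BBC4.9E10 -> 02aabbc49e10."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def find_candidates(arp_tables):
    """Return watched-OUI entries from {router: arp_text}, skipping sanctioned APs."""
    hits = []
    for router, text in sorted(arp_tables.items()):
        for line in text.splitlines():
            mac_match = MAC_RE.search(line)
            if not mac_match:          # header row or "Incomplete" entry
                continue
            mac = normalize(mac_match.group())
            vendor = WATCH_OUIS.get(mac[:6])
            if vendor is None or mac in SANCTIONED:
                continue
            ip_match = IP_RE.search(line)
            hits.append({"router": router, "mac": mac, "vendor": vendor,
                         "ip": ip_match.group() if ip_match else None})
    return hits

# Constructed sample input: one IOS-style table, one "arp -an"-style line.
SAMPLE_ARP = {
    "rtr-branch-01": (
        "Protocol  Address      Age (min)  Hardware Addr   Type  Interface\n"
        "Internet  10.1.20.1            -  06ff.ee00.0001  ARPA  Vlan20\n"
        "Internet  10.1.20.57          12  02aa.bbc4.9e10  ARPA  Vlan20\n"
        "Internet  10.1.20.60           3  02aa.bb00.0001  ARPA  Vlan20\n"
        "Internet  10.1.20.99           0  Incomplete      ARPA\n"),
    "rtr-branch-02": "? (10.2.5.44) at 0A:0B:0C:12:34:56 [ether] on eth1\n",
}

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_ARP):
        print("ALERT {router}: {ip} {mac} matches {vendor}".format(**hit))
```

A hit here is only a candidate: as the message notes, the MAC can be changed, so a clean run does not prove the absence of a rogue AP.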