RE: Wired detection of rogue access points

["Gabbard, Gregory" <Gregory.Gabbard () lendingtree com>]

802.1x is a good starting point.  I'd go on to say it's far from absolute.  Rogue detection is critical (multiple ways 
to do it and many good tools,,,due diligence is in order.)  

If you're responsible for your wifi security you should know exactly where every AP is located; you should have some 
*tool* that maps them; you should be able to identify rouge AP's in short order.  

If you have 802.1x, you know where all your AP's are, you have a rock solid map of your entire network, etc, etc, etc, 
you're still at risk.  You must be as aggressive as your corporate food-chain will allow (once you find what the 
limitation is I recommend pushing just a bit further.)


 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bourque Daniel
Sent: Thursday, March 22, 2007 7:46 PM
To: Eric Hacker; focus-ids () securityfocus com
Subject: RE: Wired detection of rogue access points

No solution is absolute.

Activate 802.1x Port base auth on your network and you increase the level of expertise necessary to connect a rogue AP.
Install Wifi sensors on every floor of every building and use something like AirDefense to centrally manage them. 
Scan the network from the wire side.
Install agent on all your laptops to disable the WiFi port as soon as the Ethernet port is active.
Put filters on your vlans so that PC cannot talk across vlan to other PC but only at the server's vlan.  A good 
structure IP Address plan is very helpfull for that Etc...




-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de Eric Hacker Envoyé : 21 
mars 2007 14:11 À : focus-ids () securityfocus com Objet : Re: Wired detection of rogue access points

Haven't we gone through this before?

For each of you that thinks they have a way to detect a wireless access point using only the LAN, please demonstrate 
how you would detect this.

A wireless router is hooked up to the network jack of a printer. The wireless router is configured to use the printer's 
MAC address. The wireless router is set up with the printer's new IP address as it's DMZ  host[1]. From the outside, 
all port scans and probes are going to the printer.

There might be some IP stack differences, but you'd have to have a very comprehensive database to figure that out, and 
the time to scan at that level could prevent that level of probing on large networks.

> From Mr. Waters, I expect no less than the results of an actual scan on a live network with this set up running on it. 
> :)

Now that was easy. No real expertise required on the person who set up the rogue access point, just a little 
cleverness. So lets say I want to put the rogue access point on your network.

Same router, new firmware. My new OS is reconfigured a bit.

The WAN port bridges to LAN1. WAN plugged in to wall, LAN1 plugged in to printer. All other ports and the wireless are 
configured for the private LAN on the router.

My OS sniffs packets and determines the IP address in use by the printer. Now it statefully NAT's packets from it's 
private network to the printer's IP address. It filters return packets on the bridge so that the printer doesn't see 
any of the traffic.

Now how do you find it over ethernet with scanning or probing? It doesn't respond to anything. It doesn't interfere 
with the printer's IP stack fingerprints when the printer is probed. Only watching the unusual traffic coming from the 
printer or scanning for the RF would pick this up.

Oh yeah, heaven forbid that I go all out and not use normal wireless frequencies. Maybe pop in an EVDO card instead of 
an 802.11 one. Who would want their own Internet accessible back door into your intranet anyway?

OK, so my OS isn't completely off the shelf, and I haven't had the time to sit down and make it work yet. The open 
source pieces are all there, however, just waiting for the right person to come along and duct tape them all together.

Bottom line: Ethernet cannot be completely secured. Either encrypt everything, watch everything, or physically control 
access to everything.

Regards,
Eric Hacker, CISSP

[1] I hate using the term DMZ for this use, but that's what is used on all the router configurations.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------