IDS mailing list archives

RE: Wired detection of rogue access points


From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Mon, 26 Mar 2007 15:52:21 -0500

First off, is it even possible to buy a laptop that does not have wifi built
in?

I have set up an automated scan looking for MACs. If the MAC does not appear
on my list I drop its packets in the IPTables FW. It's rather simple to do.
The main thing I do that seems to work the best is the APs are untrusted
and therefore stuck out in the DMZ. Before one can get to network resources
they need to open the VPN client after connecting to the AP.

A simple way to handle MACs with IPTables (NOTE: this is a simple rule; if you need
more instruction I can send it to you, or just the complete iptables script):

Let's create 2 text files:
/tmp/whiteist
/tmp/blackist

Insert into whiteist  00:06:25:2E:56:A0
Insert into blackist  00:06:25:2E:56:E1


Add the following to your IPTables script:
#!/bin/sh
TABLES="filter nat mangle"
iptables=/sbin/iptables
touch /tmp/whiteist
touch /tmp/blackist
# first column of each file is the MAC address
WHITELIST=`awk '{print $1}' /tmp/whiteist`
BLACKLIST=`awk '{print $1}' /tmp/blackist`

# Forward good MACs (packets marked 0x42 below)
$iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT

# mark all packets from the good macs
for MAC in $WHITELIST ; do
        $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42
done

# drop all packets from the bad (blacklisted) macs
for MAC in $BLACKLIST ; do
        $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
done
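An added example, not from Adam's post: a small POSIX sh script for the "automated scan" step, which normalises MAC addresses (so "0:6:25:2e:56:a0" and "00:06:25:2E:56:A0" compare equal) and lists any MAC seen on the wire that is missing from the whitelist file. The whitelist file name, the IPTABLES variable and the sample "ip mac" lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the original post's code): report MACs seen on the wire
# that are absent from the whitelist, and print (not run) the DROP rules the
# post's script would add for them. File names and sample data are constructed.

# Normalise a MAC to lower-case, two-digit, colon-separated form.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = (length($i) == 1) ? "0" $i : $i
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# $1 = whitelist file (first column is the MAC). stdin = "ip mac" lines,
# e.g. `ip neigh` or `arp -an` output reduced to two columns.
# Prints, sorted and de-duplicated, the MACs not present in the whitelist.
unknown_macs() {
    wl=$(mktemp)
    awk '{print $1}' "$1" | while read -r m; do norm_mac "$m"; done | sort -u > "$wl"
    while read -r ip mac; do
        norm_mac "$mac"
    done | sort -u | comm -23 - "$wl"
    rm -f "$wl"
}

# Turn the unknown MACs on stdin into review-only DROP rules (same shape as
# the post's blacklist loop). IPTABLES is a constructed variable name.
rules_for() {
    while read -r mac; do
        printf '%s -t mangle -I PREROUTING -m mac --mac-source %s -j DROP\n' \
            "${IPTABLES:-/sbin/iptables}" "$mac"
    done
}

# Constructed sample: one whitelisted host (written in a sloppy form) and one
# host that is not on the list. Returns the unknown MAC(s) on stdout.
demo() {
    wlf=$(mktemp)
    printf '00:06:25:2E:56:A0 printer\n' > "$wlf"
    printf '192.168.1.10 0:6:25:2e:56:a0\n192.168.1.77 00:1a:2b:3c:4d:5e\n' \
        | unknown_macs "$wlf"
    rm -f "$wlf"
}
```

Run `demo | rules_for` to see the rule text before deciding whether a MAC belongs on the blacklist. Note that a source MAC is chosen by the sending host, so this check only tracks which addresses appeared; the VPN requirement behind the DMZ in the post is what actually carries the access control.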




