IDS mailing list archives
RE: Wired detection of rogue access points
From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Mon, 26 Mar 2007 15:52:21 -0500
First off is it even possible to buy a laptop that does not have wifi built in? I have set up an automated scan looking for MACs. If the MAC does not appear on my list I drop its packets in the IPTabes FW. It's rather simple to do. The main thing I do that seems to work the best is the APs are un-trusted and therefore stuck out in the DMZ. Before one can get to network resources they need to open the VPN client after connecting to the AP. A simple way to handle MACs with IPTables (NOTE: simple rule if you need more instruction I can send it to you or just the complete iptable script): Let's create 2 text files: /tmp/whiteist /tmp/blackist Insert into whiteist 00:06:25:2E:56:A0 Insert into blackist 00:06:25:2E:56:E1 Add following to your IPTabes script TABLES = "filter nat mangle" iptables = /sbin/iptables touch /tmp/whiteist touch /tmp/blackist WHITELIST = `cat /tmp/whiteist | awk '{print $1}' BLACKLIST = `cat /tmp/blackist | awk '{print $1}' # Forward good MACs $iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT # mark all packets from the good macs for MAC in $WHITELIST ; do $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42 done # drop all packets from the good macs for MAC in $BLACKLIST ; do $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP done ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Wired detection of rogue access points, (continued)
- Re: Wired detection of rogue access points Benjamin Hofstetter (Mar 21)
- Re: Wired detection of rogue access points tim_holman (Mar 20)
- Re: Wired detection of rogue access points Tõnu Samuel (Mar 20)
- Message not available
- Re: Wired detection of rogue access points Hari Sekhon (Mar 21)
- Re: Wired detection of rogue access points Tim Holman (Mar 21)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 21)
- Re: Wired detection of rogue access points Eric Hacker (Mar 22)
- Re: Wired detection of rogue access points tim_holman (Mar 26)
- RE: Wired detection of rogue access points Bourque Daniel (Mar 26)
- RE: Wired detection of rogue access points Gabbard, Gregory (Mar 26)
- RE: Wired detection of rogue access points Adam Graham (Mar 26)
- Re: Wired detection of rogue access points tim_holman (Mar 27)
- Message not available
- Re: Wired detection of rogue access points Adam Crosby (Mar 27)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 21)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- RE: Wired detection of rogue access points Waters, Chris (Mar 22)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points Eric Hacker (Mar 26)