Re: Wired detection of rogue access points

[Adam Crosby <acrosby () jlab org>]

It does have benefits though - such as preventing 'accidental' users of
your wireless infrastructure.  How many people can see your AP and if
they can connect, just go ahead and do so, to check their email or
whatever.  It's not going to be effective against an attacker, but like
a fence or hedge, it can prevent otherwise casual misuse of your systems.

--
adam

tim_holman () hotmail com wrote:
> Filtering by MAC gives you no additional security whatsoever, period.  MAC addresses can be easily spoofed and 
> although your solution may assist in spotting misconfigurations a determined intruder will get straight through....
>
> Sent from my BlackBerry® wireless device  
>
> -----Original Message-----
> From: "Adam Graham" <agraham () datastreamcowboys net>
> Date: Mon, 26 Mar 2007 15:52:21 
> To:<focus-ids () securityfocus com>
> Subject: RE: Wired detection of rogue access points
>
> First off is it even possible to buy a laptop that does not have wifi built
> in?
>
> I have set up an automated scan looking for MACs. If the MAC does not appear
> on my list I drop its packets in the IPTabes FW. It's rather simple to do.
> The main thing I do that seems to work the best is the APs are un-trusted
> and therefore stuck out in the DMZ. Before one can get to network resources
> they need to open the VPN client after connecting to the AP.  
>
> A simple way to handle MACs with IPTables (NOTE: simple rule if you need
> more instruction I can send it to you or just the complete iptable script):
>
> Let's create 2 text files:
> /tmp/whiteist
> /tmp/blackist
>
> Insert into whiteist  00:06:25:2E:56:A0
> Insert into blackist  00:06:25:2E:56:E1
>
>
> Add following to your IPTabes script
> TABLES = "filter nat mangle"
> iptables = /sbin/iptables
> touch /tmp/whiteist
> touch /tmp/blackist
> WHITELIST = `cat /tmp/whiteist | awk '{print $1}'
> BLACKLIST = `cat /tmp/blackist | awk '{print $1}'
>
> # Forward good MACs
> $iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT
>
> # mark all packets from the good macs
> for MAC in $WHITELIST ; do
>       $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK
> --set-mark 0x42
> done
>
> # drop all packets from the good macs
> for MAC in $BLACKLIST ; do
>       $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
> done
>
>
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
> to learn more.
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------