RE: Detection of Rogue Access Points

[Dustin Jurman <dustin () rseng net>]

Automated solution would be something like Air defense or Air Scout with sensors.  Cheap solution would be to lock down 
your switches with port based authentication.  

Dustin


Dustin Jurman
CEO
Rapid Systems Corporation 
1211 N. West Shore Blvd. Suite 711
Tampa, FL 33607
Ph: 813-232-4887 
http://www.rapidsys.com
"Building Better Infrastructure"  







-----Original Message-----
From: Jonathan Rogers [mailto:quantumfoam () gmail com] 
Sent: Sunday, October 14, 2012 5:34 PM
To: Tom Morris; nanog () nanog org
Subject: Re: Detection of Rogue Access Points

I should probably mention that we do not have any legitimate wireless devices at these locations. I realize that this 
complicates matters.

The most recent one we found was found exactly like Joe suggested; we were looking at an ARP table for other reasons 
and found suspicious things (smartphones).

--JR

On Sun, Oct 14, 2012 at 5:30 PM, Tom Morris <blueneon () gmail com> wrote:

> I have used the wigle app as a scanning and direction finding tool.. 
> it works OK. Not automated really as you'd have to walk and watch the 
> screen but it works.
>
> I once walked into a glass wall inside a building while searching for 
> a rogue AP... FOMP!!!!
> On Oct 14, 2012 5:02 PM, "Jonathan Rogers" <quantumfoam () gmail com> wrote:
>
> > Gentlemen,
> >
> > An issue has come up in my organization recently with rogue access points.
> > So far it has manifested itself two ways:
> >
> > 1. A WAP that was set up specifically to be transparent and provided 
> > unprotected wireless access to our network.
> >
> > 2. A consumer-grade wireless router that was plugged in and "just worked"
> > because it got an address from DHCP and then handed out addresses on 
> > its own little network.
> >
> > These are at remote sites that are on their own subnets 
> > (10.100.x.0/24; about 130 of them so far). Each site has a decent 
> > Cisco router at the demarc that we control. The edge is relatively 
> > low-quality managed layer 2 switches that we could turn off ports on 
> > if we needed to, but we have to know where to look, first.
> >
> > I'm looking for innovative ideas on how to find such a rogue device, 
> > ideally as soon as it is plugged in to the network. With situation #2 
> > we may be able to detect NAT going on that should not be there. 
> > Situation #1 is much more difficult, although I've seen some research 
> > material on how frames that originate from 802.11 networks look 
> > different from regular ethernet frames. Installation of an advanced 
> > monitoring device at each site is not really practical, but we may be 
> > able to run some software on a Windows PC in each office. One idea 
> > put forth was checking for NTP traffic that was not going to our 
> > authorized NTP server, but NTP isn't necessarily turned on by 
> > default, especially on consumer-grade hardware.
> >
> > Any ideas?
> >
> > Thank you for your time,
> >
> > Jonathan Rogers