nanog mailing list archives

Re: Detection of Rogue Access Points


From: Sean Harlow <sean () seanharlow info>
Date: Mon, 15 Oct 2012 20:29:32 -0400

On Mon, Oct 15, 2012 at 7:31 PM, Joe Hamelin <joe () nethead com> wrote:

Jonathan stated that they have health data on the network and only company
issued devices are allowed.  I would suggest to him that he inventory the
equipment via MAC address (I'm guessing that it's mostly standard issue
stuff that would be easy to recognize) and then lock down unused ports and
set up monitoring. If a new MAC appears on the network, then it better
have been sent there by IT.


I won't argue with that.  When no official wireless network is involved, a
MAC whitelist can be very effective.  It'll catch any casual user
attempting to homebrew a WiFi setup and significantly increase the odds of
detecting an actual attacker.  Even if the switches are at the lowest end
of "smart" and only expose a web interface it's not too hard to rig up a
screen scraper to list the connected devices on a regular basis and alert
if anything new is seen.  I'd expect that there are probably at least a
dozen commercial and/or open source tools that already exist for the
purpose, actually.
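Added example, not part of the thread and not either poster's code: the baseline-and-diff check both messages describe, written as a small Python script. It assumes the switch's MAC address table has already been collected on a schedule (the thread suggests scraping the web interface of low-end switches; here a dump in the layout of Cisco's `show mac address-table` output is constructed inline) and that IT keeps an inventory mapping each issued device's MAC to a label and its expected port. It goes one step beyond "new MAC appears" by also flagging inventoried devices that turn up on a port other than the one recorded for them, and ports where several MACs are learned at once, a common sign of an unauthorized switch or a bridging access point.

```python
"""Audit a switch MAC address table against an inventory of issued devices.

Added example, not code from the NANOG thread.  It assumes the MAC table
text has already been pulled from the switch (CLI or scraped web UI); the
dump and the inventory below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed inventory of company-issued devices: MAC -> (label, expected port).
INVENTORY = {
    "00:11:22:33:44:55": ("Workstation WS-101", "Gi1/0/1"),
    "00:11:22:33:44:66": ("Workstation WS-102", "Gi1/0/2"),
    "00:11:22:33:44:77": ("Printer PR-01", "Gi1/0/5"),
}

# Constructed MAC table dump in the layout of Cisco IOS 'show mac address-table'.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/9
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd03    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 6
"""

# One table row: VLAN, MAC in any common notation, learn type, port name.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9A-Fa-f.:-]{12,17})\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$"
)


def normalize_mac(raw):
    """Canonicalize 'aabb.ccdd.eeff', 'AA-BB-CC-DD-EE-FF' or 'aa:bb:...' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (mac, port, vlan) tuples for every learned entry in the dump."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append((normalize_mac(m["mac"]), m["port"], int(m["vlan"])))
    return entries


def audit(entries, inventory):
    """Compare learned MACs with the inventory and return findings by category.

    unknown - MACs IT never issued (the thread's "better have been sent there by IT")
    moved   - inventoried devices learned on a port other than their expected one
    crowded - ports with several MACs learned at once; one company PC accounts
              for one MAC, so a cluster behind a single access port usually
              means an unauthorized switch or a bridging access point.  An AP
              that NATs its clients shows only one MAC and is not caught here.
    """
    per_port = defaultdict(set)
    findings = {"unknown": [], "moved": [], "crowded": []}
    for mac, port, _vlan in entries:
        per_port[port].add(mac)
        if mac not in inventory:
            findings["unknown"].append((mac, port))
        elif inventory[mac][1] != port:
            findings["moved"].append((mac, inventory[mac][1], port))
    for port, macs in per_port.items():
        if len(macs) > 1:
            findings["crowded"].append((port, sorted(macs)))
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    result = audit(parse_mac_table(SAMPLE_MAC_TABLE), INVENTORY)
    for category, items in result.items():
        for item in items:
            print(f"[{category}] {item}")
```

Run on a schedule, the "unknown" list is the alert the thread asks for; "moved" and "crowded" are cheap extras from the same data. Keep the inventory keyed on normalized MACs, since switches print them in several notations and a naive string compare will miss matches.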

