Friday, August 31, 2007

Rogue Wireless Access Points

Doug asks:

"...do you have a suggestion (besides NAC) for pinpointing a rogue access point on a lan from the wired side?"

Finding rogue AP's from the wired side is tricky. You can try scanning for them using Nessus or NMap, but I've had only limited success with these techniques. This is because the typical wireless router you get from Best Buy today isn't going to give up enough data for Queso TCP fingerprinting or banner grabbing to work if the 'outside' interface is plugged in to your network, which is pretty much required in order for it to work.

If the AP is just an AP (like my Linksys WAP11) and not a NAT router (like my Linksys WRT54G), then NMap or Nessus may work for you. Using your switches is another good way to find it - look for multiple ARP entries with a single MAC on any given switch port. There may be 'switchport port-security' features on your Cisco IDF/userland switches that can prevent regular APs from serving more than the first wireless client as well. Probably depends on the switch's IOS version and the AP's behavior.

You can also do things like dump ARP/CAM tables from your switches and match the first part of the MAC address against the IEEE database looking for manufacturers like Buffalo, Linksys, D-Link, TI, etc.

This works with AP's and routers alike, and is probably a good idea to do on any network without EAP/NAC, especially if you've standardized your workstations so you know all the NIC's are from just one or two OEMs, so anything else is worth tracking down.

However, I think that the best way to find rogue AP's is via wireless signal. Using something like the features built in to the Airespace/Cisco systems, a wireless IDS like AirDefense, or even just regular site checks with a laptop and Kismet (or a PDA and PocketWarrior) will yield the best results.

3 comments:

Doug said...

Thanks much for the advice. I intend to make regular wireless auditing part of the monthly IT plan. I heard from someone in IT at an area college that this is pretty much part of the chaos every year about this time, but I am guessing that their network is already segmented enough that this sort of thing doesn't affect very many people.

I can appreciate your point about the issues that schools face, I am guessing the high school/college age group can at times make corporate IT seem fairly sedate in comparison. Both in good ways and bad.

On a side note, I have a batch of Red Ale about to start fermenting. I believe good free advice is best rewarded with beer...

PaulM said...

I think that most colleges & universities have segmented residential networks from academic networks from admin networks. It wasn't that way back when I was a freshman, but my dorm only had 19.2K serial to a Xylogics Annex. Ethernet was only in labs and data centers. And Microsoft wasn't shipping an IP stack. And there were still woolly mammoths roaming the UP. :-)

Anyway, that doesn't mean that area colleges aren't spending money fighting rogue wireless networks, though:

http://www.airwave.com/docs/case_studies/GrandValley-CS.pdf

And yeah, K-12 and .edu are unique security environments. No place else that I know of are you tasked with providing network resources to kids that would just as soon hack your servers as type up their book reports.

And if you've got homebrew and are sharing, lay it on me, man!

Doug said...

Good to see GVSU is being proactive.

Too funny, for me the wayback machine goes back to a dumb terminal with about a 7" diagonal screen (amber, not green) in the dorm basement connecting to a Digital PDP-11. There were some early Macs in the lab, but those were for the business majors and the creative types. I think they were afraid the CS majors would get used to pretty pictures on the screen...