
Rogue Access Point Detection?

Yossarian2000 asks: "With all the media attention WLANs have been getting lately, more and more businesses seem to be looking to better understand their implications as they relate to company intranets. Whether a business is running a WLAN or not, detecting rogue access points is essential to maintaining some degree of security. Currently, it seems there are few options for detecting APs: subnet scans (which add overhead to the network and can still miss some APs), handheld devices (which require regular site surveys), and systems that use existing access points to detect rogues (this assumes you have APs covering your entire site). Has anyone heard of better methods for the detection of rogue APs?"
  • by anthony_dipierro ( 543308 ) on Wednesday June 11, 2003 @07:39PM (#6176627) Journal
    If you can't trust your employees, then why does it matter if non-employees have access?
    • Just like telling people not to run attachments, most employees seem to do what they want to do especially if you tell them bad things will happen.
      • Fine, then you can't trust your employees. So I ask again, why does it matter if non-employees have access?
        • There's trust and then there's trust.

          Trusting your employees to only open attachments that are safe is one thing.

          Trusting your employees not to provide access to company resources to unauthorized persons is another.

          Really bad viruses notwithstanding, I think we can safely say that the consequences of violating the former is significantly less serious than violating the latter.
          • Trusting your employees to only open attachments that are safe is one thing.

            Trusting your employees not to provide access to company resources to unauthorized persons is another.

            Exactly, and trusting your employees not to set up rogue access points is an instance of the latter. State in no uncertain terms when someone joins your company that setting up rogue access points will result in immediate termination and referral to the FBI.

            • I think we're in violent agreement here.

              The only thing I was adding was the fact that it's possible not to trust at one level (rogue attachments) while still trusting them at another (not running rogue APs). Saying that you don't trust your employees at something fairly small doesn't mean that you distrust them completely.

              State in no uncertain terms when someone joins your company that setting up rogue access points will result in immediate termination and referral to the FBI.

              Sounds like a reasonable
        • Fine, then you can't trust your employees. So I ask again, why does it matter if non-employees have access?

          Because I trust my fellow employees not to do anything deliberately malicious. Incompetence, complacency, and downright stupidity I expect, (does it sound like I spent too much time on a helpdesk?) but I don't think they will do something to hurt the company, or steal from it. Sure that wireless access point is a nice toy, and means they can move around the office easier. It also allows


        • The fallacy in your argument, IMHO, is that you seem to view trust as a black or white issue. I may not trust my employees, but I trust the public a whole heckuva lot less.

          • I may not trust my employees, but I trust the public a whole heckuva lot less.

            You don't trust employees not to go against your explicit demands and install a rogue access point. Frankly, I find it hard to see how you can trust someone less than that.

            • I didn't say I didn't respect their integrity, I said I didn't trust them to always follow every rule exactly. Someone who disregards a rule usually does it because they don't think the rule is valid, and it just "gets in the way". By breaking the rule, they think they're making their job easier, and possibly doing the company a favor. There is no malice involved, only ignorance. I trust employees are human, and make bad judgement calls; therefore I try to plan for it when it happens.

              The public, on the othe

              • Someone who disregards a rule usually does it because they don't think the rule is valid, and it just "gets in the way".

                Which is why I suggest making it crystal clear that this particular rule is one which is very serious, and will result in criminal charges for unauthorized access to a system being pressed against anyone who breaks it.

                The public, on the other hand, has plenty of malice and destructive intent. I don't trust them with my data as far as I can throw 'em.

                Frankly, the only real difference

    • Rules and Trust (Score:4, Insightful)

      by fm6 ( 162816 ) on Wednesday June 11, 2003 @08:28PM (#6176958) Homepage Journal
      I think I agree with the attitude you're expressing. But you're kind of oversimplifying the issue.

      In a really, well-run company, the CIO will tell the CEO, "we have a problem with rogue APs". The CEO tells the VPs, who tell the department managers. The managers bring it up in department meetings. Because the managers have good working relationships with all their subordinates, they figure out who has APs and which ones need to be hardened. Problem solved, and no Big Brother nonsense necessary.

      In the real world, no company is that well run. This manager or VP doesn't get along with his or her subordinates. That one is a control freak. This employee doesn't see what the big deal is, and won't let anybody look at his AP. That one never goes to department meetings, doesn't take orders from anybody, and has so much seniority that...

      Oops, the trauma of my last job is showing! Point is, not all problems end up being solved by management/worker trust and collaboration. It's certainly desirable that you solve as many problems that way as you can. But there's always something you end up having to enforce with rules and snooping, and other nasty stuff. When that sort of thing gets out of hand, the company is probably in deep trouble. But you always have to deal with some of it.

      • Just make it a companywide policy. Any large company is going to have an employee handbook and a method for updating it. Make it crystal clear that any installation of rogue access points will result in immediate termination and referral to the FBI.

        Besides, somehow I doubt the person asking this question to slashdot was the CEO or CIO of a large company.

        • Such a move is probably a necessary part of any policy. But that's not a solution in itself. Rules without enforcement are worse than useless. And severe penalties just make the joke a sad one.

          Gee, here we are throwing nasty threats at our employees. What happened to trust?

          • Rules without enforcement are worse than useless.

            So go around once a month on a random day with a laptop.

            And severe penalties just make the joke a sad one.

            Hmm, I don't think the penalty is severe at all. Intentionally poking a hole in a corporation's security is a very severe crime.

            Gee, here we are throwing nasty threats at our employees. What happened to trust?

            When did I ever say an employer should trust his employees? He shouldn't.

            • What you did say was:
              If you can't trust your employees, then why does it matter if non-employees have access?
              My bad for reading that as an advocacy of trust. But what does it say?
              • It says: If you can't trust your employees, then why does it matter if non-employees have access. It implies that: If you can't trust your employees, then it doesn't matter if non-employees have access.

                Now, there are two parts here:

                1) If you can't trust your employees

                I am stating that this part is correct.

                2) then it doesn't matter if non-employees have access.

                I am also stating that this part is correct.

                However, I am leaving open the possibility that one could trust him employees. Then it would matte

                • 2) then it doesn't matter if non-employees have access.

                  I am also stating that this part is correct.

                  If it doesn't matter whether non-employees have access, then why do you advocate implementing a company policy about rogue APs and going around once a month scanning for them? That seems like a lot of effort to throw at something that "doesn't matter."

                  • If it doesn't matter whether non-employees have access, then why do you advocate implementing a company policy about rogue APs and going around once a month scanning for them?

                    I don't. I was merely giving Yossarian2000 advice on how to get rid of rogue APs. I wasn't saying that getting rid of them is something useful.

                  • Most access points now have web interfaces, right? You point your web browser to the AP's IP address, enter the login and password and then you get to administrate the device.

                    Well you could just create a script to scan port 80 for all IPs on the network. If you find an open port that is not a known web server and connecting to it asks for authentication, then you may have found yourself an AP.
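A wired-side implementation of the heuristic in this comment, added here as an example and not code from the original thread: it classifies a host's HTTP reply and flags unsanctioned hosts that answer with an authentication challenge. The inventory of sanctioned web servers and the sample replies are constructed; `probe()` and `sweep()` need network access, while `classify()` runs offline.

```python
"""Flag unsanctioned hosts whose port 80 demands credentials (added example)."""
import socket

# Constructed inventory of sanctioned HTTP servers; replace with your own list.
KNOWN_WEB_SERVERS = {"10.0.0.5", "10.0.0.6"}


def parse_status_and_headers(raw: bytes):
    """Split a raw HTTP reply into (status_code, {lowercase header: value}).

    Returns (None, {}) when the bytes are not an HTTP response at all.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None, {}
    try:
        status = int(parts[1])
    except ValueError:
        return None, {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(host: str, raw: bytes, known=KNOWN_WEB_SERVERS) -> str:
    """Return 'known', 'possible-ap', 'web-server' or 'not-http' for one reply."""
    if host in known:
        return "known"
    status, headers = parse_status_and_headers(raw)
    if status is None:
        return "not-http"
    # An unsanctioned host that challenges for credentials before serving any
    # page is the poster's heuristic for an embedded admin interface; confirm
    # by hand, since printers and other appliances behave the same way.
    if status == 401 and "www-authenticate" in headers:
        return "possible-ap"
    return "web-server"


def probe(host: str, port: int = 80, timeout: float = 2.0) -> str:
    """Send a minimal GET to host:port and classify the reply (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            raw = b""
            while len(raw) < 8192:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return "closed"
    return classify(host, raw)


def sweep(prefix: str, first: int = 1, last: int = 254) -> dict:
    """Probe every host in a /24 and return {host: 'possible-ap'} for hits."""
    hits = {}
    for i in range(first, last + 1):
        host = f"{prefix}.{i}"
        if probe(host) == "possible-ap":
            hits[host] = "possible-ap"
    return hits


# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_AP_REPLY = (b"HTTP/1.0 401 Unauthorized\r\n"
                   b'WWW-Authenticate: Basic realm="Wireless Router"\r\n'
                   b"Content-Type: text/html\r\n\r\n<html>401</html>")
SAMPLE_SERVER_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    print(classify("10.0.0.99", SAMPLE_AP_REPLY))      # possible-ap
    print(classify("10.0.0.5", SAMPLE_AP_REPLY))       # known
    print(classify("10.0.0.42", SAMPLE_SERVER_REPLY))  # web-server
```

A hit only means "something unsanctioned wants a login on port 80"; it still has to be walked down and identified, and an AP with its admin page moved to another port or disabled will not show up at all.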

  • C'mon guys! Look, I admit that Anna Paquin is pretty darn cute but talking about her privates in such a crude manner is really tasteless. Shame on all of you.

    GMD

  • Welll.... (Score:3, Informative)

    by Fished ( 574624 ) * on Wednesday June 11, 2003 @07:47PM (#6176703)
    There are many ways to do this.

    However, I think a good start would be a fairly simple Ruby script that scans your IP ranges for SNMP agents, looking for anything unrecognizable.

    The right way, of course, is to keep a careful database of what's on your network, and report any unscheduled/unauthorized changes. You could either use rmon or something similar or a few strategically placed Linux boxes running tcpdump to find IP addresses broadcasting on the network and send a trap. Or, you could look for changes in the ARP tables on your routers (which you could retrieve using SNMP pretty easily.) This would still leave you vulnerable to various kinds of sniffing attacks, but might be a start.

    These are just ideas, but any of them could be implemented in 100 lines of ruby (or perl if you must.)

    • Re:Welll.... (Score:2, Insightful)

      Can't most switches be set up to only allow a single MAC address to connect to a port? Why detect when you can prevent? (Well, maybe you want to weed out bad employees or something, sort of a network honeypot).

      • Switches can, yes, but you don't realize the problem. You're plugging an access point into a switch which only allows one MAC, thus making it so only one computer can connect to the access point. We have this issue at work when we hook an AP up to a 3Com SuperStack which only allows 3 systems per port.
    • Re:Welll.... (Score:4, Interesting)

      by shaitand ( 626655 ) on Wednesday June 11, 2003 @09:02PM (#6177268) Journal
      MAC based security is not the answer; it's so easy to clone a MAC it's not even funny anymore. A MAC is no more secure than an IP, anyone can set it.
    • >The right way, of course, is to keep a careful database of what's on
      >your network, and report any unscheduled/unauthorized changes.

      ARPwatch [lbl.gov] is an easy way to do what you described. It notifies you whenever an unfamiliar MAC addr shows up on your network.

  • by Nathan Ramella ( 629875 ) on Wednesday June 11, 2003 @07:49PM (#6176720) Homepage
    this [optoelectronics.com] should do the trick. It goes from 10 MHz up to 2.6 GHz, which should cover 802.11b (2.412 GHz (ch 1) to 2.462 GHz (ch 11))

    Shows signal strength too so you can do the James Bond homing-in-on-the-signal-with-gun-drawn type stuff.

    -n

    • Unless you meant some partially effective way of finding the APs like SNMP or fingerprinting the hardware. More like a waste of time. Anyone could set up an OpenAP and fiddle with the tcp/ip stack to make it appear as if it's not a real AP. If you're really paranoid and have a lot of space to cover, you can hook them up at different locations to RS-232 ports and dump whatever they spit out to a central server for processing.

      I'm more inclined to trust a radio detection method than trusting IP based soluti

    • I read the page, it won't detect DSSS, which if I remember correctly is the protocol that .11b uses. It would work to find a cordless phone though.
      • Not only that, but this counter has a sensitivity down to 700uV in some bands. Radios often have a sensitivity of 1uV.

        Not the right tool for the job. If it did have the sensitivity of 1uV, it would pick up the entire noise floor of the radio spectrum as it's not tuned to a particular band. Every two way radio and broadcast channel would tick its clock. Needs to discriminate the desired signal from the noise.
        • I think you need to check your figures...

          A radio with a sensitivity of 1uV (SINAD or quieting, you pick) would be quite deaf. Most scanners (which have a looser frontend) are in the ballpark of 0.15uV, while most commercial radios (such as Motorola Spectra/MCS2000/etc.) are in the ballpark of 0.3uV. Even older radios, such as the Motorola Syntor X9000, are a mere 0.4uV without a preamp in the front end. The way a frequency counter works is by looking for a spike FAR above the noise floor. These spikes are
  • go with pppoe for wi-fi if that's a possibility and also be sure to allow access only based on MAC address of the network card.

    Not only will the network restrict based on their network card address, but also their user authentication (l/p)...
  • by billn ( 5184 ) on Wednesday June 11, 2003 @09:14PM (#6177368) Homepage Journal
    It's mentioned in another thread that it's fairly easy to change a MAC address, but on most OTS APs, that's not the case. Provided you have intelligent switches or at least machines with decent scripting kits, you can watch your ARP tables for common vendor MACs, like Linksys or Dlink. The downside to this is that your ARP cache might not spot an AP in bridging mode, but a decent managed switch would, since it has to forward frames.
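The ARP-table approach from Fished's post above and billn's vendor-MAC watch, as an added example (not code from either poster): it parses Linux `ip neigh` / `arp -n` output, reports MACs missing from a device inventory, flags watchlisted vendor OUIs, and reports MACs new since a previous snapshot. The inventory, the OUI watchlist value and the sample neighbor table are all constructed placeholders.

```python
"""Spot unknown or consumer-AP-vendor MACs in an ARP snapshot (added example)."""
import re

# Constructed inventory of sanctioned devices (MAC -> label). Locally
# administered 02:... addresses are used so the values are obviously fake.
INVENTORY = {
    "02:00:00:00:00:01": "file-server",
    "02:00:00:00:00:02": "printer-3f",
}

# Placeholder OUI watchlist (first three octets -> vendor). Fill this from the
# IEEE OUI registry for the AP vendors you want to catch; this entry is made up.
OUI_WATCHLIST = {
    "00:11:22": "ExampleConsumerAP",
}

# Matches Linux 'ip neigh' and 'arp -n' lines: an IPv4 address, then a MAC.
_NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s.*?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_arp(text: str):
    """Yield (ip, mac) pairs, MACs normalised to lower-case colon form."""
    for line in text.splitlines():
        match = _NEIGH_RE.match(line.strip())
        if match:
            yield match.group("ip"), match.group("mac").lower()


def oui_of(mac: str) -> str:
    """First three octets of a colon-separated MAC, i.e. the vendor OUI."""
    return mac[:8]


def audit(arp_text: str, inventory=INVENTORY, watchlist=OUI_WATCHLIST):
    """Return [(ip, mac, reason)] for every MAC that is not in the inventory."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in inventory:
            continue  # sanctioned device, nothing to report
        vendor = watchlist.get(oui_of(mac))
        if vendor:
            findings.append((ip, mac, f"unknown MAC with watchlisted OUI ({vendor})"))
        else:
            findings.append((ip, mac, "unknown MAC not in inventory"))
    return findings


def new_macs(previous: str, current: str):
    """ARPwatch-style diff: (ip, mac) pairs seen now but absent last snapshot."""
    seen = {mac for _, mac in parse_arp(previous)}
    return [(ip, mac) for ip, mac in parse_arp(current) if mac not in seen]


# Constructed 'ip neigh' output for the offline run.
SAMPLE_NEIGH = """\
10.0.0.5 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
10.0.0.6 dev eth0 lladdr 02:00:00:00:00:02 STALE
10.0.0.77 dev eth0 lladdr 00:11:22:AA:BB:CC REACHABLE
10.0.0.90 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
10.0.0.91 dev eth0  FAILED
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_NEIGH):
        print(*finding)
```

As billn notes, an AP bridging with no IP of its own never lands in an ARP cache; to cover that case feed `audit()` the MAC column of the managed switch's forwarding table instead (adapting the regex to that format).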
  • No, no easy way. (Score:5, Informative)

    by WolfWithoutAClause ( 162946 ) on Wednesday June 11, 2003 @11:16PM (#6178190) Homepage
    At the last place I worked I installed a 'rogue' WiFi installation.

    However, I did it fairly properly, I installed a Linux box configured as a firewall, configured the filtering on the firewall so that all the through traffic could only go off to the official company contivity VPN server (which happened to be on another site!), and ran VPN software on all the clients.

    Basically, it was very secure, short of hacking the firewall (tricky, the filtering rules were pretty brutal), or one of the clients (I put personal firewalls on each of the clients too), there was no way in. Even the building was pretty much a Faraday shield due to metallised windows(!)

    From the network side, the WiFi AP is very difficult to spot- the firewall just looks like a Linux box; which is what it is; it just NATs the AP off of itself. There may be ways to find it, but I can recompile the firewall to make it very difficult.

    The only definite way to find it was if you knew it was there or went around with a WiFi receiver looking for networks. I suppose you might get a bit suspicious about the NATed network there are ways to spot those, but that depends on your network connectivity rules, they may well be legal anyway.

    The whole thing only tied up 1 pc and only then because we didn't have a linux box hanging around we could configure to be a firewall. The network guys had put in some ridiculous estimate on how much it would cost to install... thousands of pounds.

    • Ironically they made me disconnect it, before they laid me off ;-)

      I don't think there was a connection between the rogue LAN and getting laid off.

      At least, I think laying off my manager and my manager's manager and my manager's manager's manager and everyone below was probably unrelated. Probably ;-)

  • Hey, think of it this way. If you can't get off your ass and walk around your own building with a wireless kit, you probably don't care too much about security in the first place.
    • Hey, think of it this way. If you can't get off your ass and walk around your own building with a wireless kit, you probably don't care too much about security in the first place.

      Great. The HQ building is over thirty stories, some of which I can only access with an escort from the "executive protection" group.

      Then we have the primary metro plant, which covers a couple of square miles and is connected to HQ via "GigaMAN". Plus a half dozen major suburban sites connected via either leased line, ATM, mi

  • I wonder why people are not already working on solving such an issue. With all the hotspots out there it is quite easy to set up a fake one even without connection to the network and then simply record username/password and re-use them.

    What is needed is some kind of cert inside the beacon so that the PC client can validate that the AP he is associated with contains a valid cert signed with the proper CA.

    And only associate with that AP after a key verification. This would work like SSL on the browser and wo
  • Possibilities.. (Score:2, Insightful)

    by rit ( 64731 )
    A few possibilities present themselves to me here:
    1) Move to IP Locking. Only allow 'approved' IPs to pass through your network. This would limit use of the APs, although they could still 'proxy' (some APs have NAT) using the persons assigned IP while they use an internal IP on their laptop, etc. This could be solved by:
    2) MAC locking, either on firewall or DHCP. Even if you simply locked out a 'class of MACs' (IIRC, each manufacturer/product type has a block of MAC that identifies manufacturer + produc
  • by Raleel ( 30913 )
    For my particular needs, placing multiple rogue detectors (shall I coin a phrase? Rogue Detection Grid..I'll be trademarking it ;) seemed to be the best way to go.

    Currently, we are considering AirDefense, which is a commercial solution, suitable for "enterprise". It has a server that holds a database of information gleaned from the sensors, which are little more than refirmwared Cisco APs.

    Another option we have been considering is Kismet. The later CVS stuff includes supports for "drones", which is basic
  • Paper I'm writing (Score:3, Informative)

    by caffeinex36 ( 608768 ) on Thursday June 12, 2003 @11:09AM (#6181938)
    I'm in the middle of writing a paper on the subject, the start of what I have is below. Also, take a look at www.tenablesecurity.com's whitepaper on using nessus to detect rogues...which of course is not as amusing as genetically engineering bats (not my idea)
    You can view this also at www.robtimko.com

    Detecting Wireless Threats on your Network from (802.11)A to B to G

    Introduction
    In today's IT world, insecure wireless technology has become a serious problem among IT professionals. As The Keeper said in The Invisible Man -- "When you're invisible, the only one really watching you is you." This holds true with wireless technology. Because of the intangible communication methods, detection of threats becomes close to impossible using conventional vulnerability and threat scanning methods. This paper will demonstrate best practices for detecting these threats.

    The Threats
    In order to effectively recognize a threat, you first must understand what you are looking for. A threat is any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets, or services or injury to people. A threat can be deliberate or accidental. An example of a threat is a concentrated attack by hackers inside an organization or from outside an organization.

    Wireless Detection
    The saying "The right tool for the right job" holds true in wireless threat detection. Taken from the website, Kismet is an 802.11 wireless network sniffer - this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area. Kismet works with any 802.11b wireless card which is capable of reporting raw packets (rfmon support), which include any prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards which use the ar5k chipset. Other tools include Netstumbler (www.netstumbler.com) and Wellenreiter. Many people opt to use handhelds to detect,

    Passive vs. Active
    Kismet is a passive tool. It listens, and reports, whereas Netstumbler is active. It constantly sends out packets of data and reports on devices that respond. These are two major differences.

    MAC Signatures
    MAC Signature detection is detection based on the MAC or hardware address of the device. Since each is unique and usually easily detectable and matched to a specific vendor, it is a good way to see what the device you are actually looking for is. There is however, one pitfall. MAC Spoofing.

    Wired Detection
    Enterprises who believe they are effective in detecting rogue APs in their networks are evidently missing more than 50% of the wireless threats to their organizations. Similar in fashion to using vulnerability assessment tools - using nmap to scan your enterprise for APs will give you known, obvious threats -- not unknown threats. Nessus (www.nessus.org) is a popular security scanner which can be used to detect signatures on wireless access points which are connected and configured on your network. It works with http and ftp signatures and is helpful when you are scanning a part of a network which cannot be accessed at the moment.

    Locating the Threat
    How do you catch an invisible man? Unfortunately you cannot follow wires to find wireless devices as you would a rogue router or system. Because of this, more sophisticated methods need to be used in determining "where" exactly this device is to properly deal with it. Kismet and other wireless detection software have features built in to facilitate this. These features include the ability to monitor a device's signal strength, and GPS capabilities. Using these features, it is possible to locate a device with minimal work using basic triangulation.

    Conclusion
    Darien Fawkes: The
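A worked version of the "basic triangulation" the Locating the Threat section mentions, added as an example that is not part of the paper: it assumes a log-distance path-loss model (the one-metre RSSI P0 and exponent n are assumptions, not values from the page) to turn each sensor's RSSI into a range, then solves the least-squares position fix. Sensor coordinates and the sample readings are constructed.

```python
"""Least-squares position fix for a detected AP from sensor RSSI readings."""
import math

# Assumed log-distance path-loss model (not from the paper): the RSSI at one
# metre (P0, dBm) and the path-loss exponent n must be calibrated on site.
P0_DBM = -40.0
PATH_LOSS_N = 2.0


def rssi_from_distance(d: float, p0: float = P0_DBM, n: float = PATH_LOSS_N) -> float:
    """Forward model rssi(d) = P0 - 10 n log10(d); used here to build samples."""
    return p0 - 10 * n * math.log10(d)


def distance_from_rssi(rssi: float, p0: float = P0_DBM, n: float = PATH_LOSS_N) -> float:
    """Invert the model to get an estimated range in metres."""
    return 10 ** ((p0 - rssi) / (10 * n))


def trilaterate(readings, p0: float = P0_DBM, n: float = PATH_LOSS_N):
    """Estimate (x, y) from [((sensor_x, sensor_y), rssi), ...], three or more.

    Subtracting the first sensor's range circle from each of the others removes
    the quadratic terms, leaving a linear system A [x y]^T = b that is solved
    through its 2x2 normal equations (ordinary least squares).
    """
    if len(readings) < 3:
        raise ValueError("need at least three sensors for a 2-D fix")
    ranged = [((x, y), distance_from_rssi(r, p0, n)) for (x, y), r in readings]
    (x1, y1), d1 = ranged[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), di in ranged[1:]:
        ax, ay = 2 * (xi - x1), 2 * (yi - y1)
        rhs = xi**2 - x1**2 + yi**2 - y1**2 - di**2 + d1**2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * rhs
        b2 += ay * rhs
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; the position is not determined")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


# Constructed scenario: four sensors on a 10 m square and an AP at (3, 4).
SAMPLE_SENSORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
TRUE_AP = (3.0, 4.0)


def sample_readings(sensors=SAMPLE_SENSORS, ap=TRUE_AP):
    """Build noise-free RSSI readings from the forward model for the scenario."""
    return [((x, y), rssi_from_distance(math.hypot(ap[0] - x, ap[1] - y)))
            for x, y in sensors]


if __name__ == "__main__":
    print(trilaterate(sample_readings()))  # close to (3.0, 4.0)
```

Real readings carry several dB of multipath noise, so the fix is a search area rather than a point; more sensors, and sensors that are not in a line, tighten it.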
  • First Things first (Score:3, Interesting)

    by budgenator ( 254554 ) on Thursday June 12, 2003 @02:41PM (#6184217) Journal
    1. threat analysis
    Who wants in:
    a. Employees wanting to access the network for legit work but using unauthorized means;
    b. Script kiddies looking to gain a reputation for hacking your network;
    c. industrial spies;
    d. multi-national corp or governments?
    What do they want:
    a. all of our data just went out in a press release anyways;
    b. to access data they are authorized for while moving around with their laptop for the cool factor;
    c. competitor seeking a market place advantage;
    d. nefarious persons seeking to destroy your company and put everybody in prison
    e. foreign intelligence agencies seeking national security information.
    2. Cost to benefit analysis
    Nothing is secure; you want to make the threat's perceived value of your data less than the cost of acquiring that data, and you want to spend resources in manpower, hardware and software costs that are less than the actual value of the data to be protected. If a successful intrusion is likely to cause the CEO to wig out and order unreasonable expenditures to protect the network, factor in an aggravation expense too.

    I think the minimum you want to do is:
    a. periodic site scan with a laptop and wireless cards.
    b. periodically wardial your pool of phone numbers to look for unauthorised modems and fax machines.
    c. use nmap or a similar program to map your network from both the inside and outside; do network segments separately.
    d. select a computer population sub-sample and run a spyware detection program on them like Spybot S&D; you might as well check for licenses for the software at the same time.
    e. treat your employees with respect, and actually pay them enough so that they have a little real loyalty to the company, and aren't so easy to compromise.
    f. employee education: just tell them no unauthorised software/hardware and give them a mechanism to get things authorised also.

    After that I'd think about looking for cameras like those X10 cameras, bug sweeps; maybe even hiring a pro to check things once a year, and before and during a particularly valuable project.
