Preventing unauthorized wireless access points

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    2

    Question Preventing unauthorized wireless access points

    Here's the problem. One of my clients has adopted a company wide policy of no wireless access. However, because of this from time to time he has employees who bring in and self-install their own wireless access points.

    Basically he's interested in a way of easily tracking this issue or blocking it from happening. Right now he wanders the building (3 floors, thick walls so wireless doesn't usually travel far) with a laptop searching for wireless signals.

    Is anyone aware of a way to lock down the network to prevent rogue WAPs or at least monitor for their presence?

    I'm off to research it more; I just was interested if anyone here had thought about it / had experience doing it.

    Thanks

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Something like Campus Manager should do the trick, although it's probably overkill if all he wants to do is prevent users from installing rogue WAPs.

    How about MAC address control?

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Good question. I have a little hand-held wifi detector that proves useful. It's a lot lighter than a laptop.

    Another idea I had was to strategically put a WIFI card in a couple of boxes around the network. Configure them so all they do is sniff (network stumbler, airsnort, etc.)
    Then check the logs to see if there is any activity. If there is, then trace it down and give the offender the boot. Make an example of them. You probably won't have it happen again.

    Negative: I was going to suggest this too... but all the user has to do is spoof their authorized PC MAC and setup NAT through the WAP. Won't do too much good...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
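    As an added illustration of the "sniffing boxes plus log review" approach from this post (not code from the thread or from any tool named in it): a small triage routine that merges scan records from several passive sensors, keeps the strongest sighting per BSSID, and classifies each one against an allowlist of authorized APs. Sensor names, MACs, SSIDs and the RSSI cut-off are constructed assumptions; with a no-wireless policy the allowlist can simply be empty, and the signal threshold is what separates an in-building rogue from a neighbour's AP behind thick walls.

    ```python
    """Rogue-AP triage over scan records collected by passive Wi-Fi sensors."""

    # Constructed sample scan records: (sensor, bssid, ssid, channel, rssi_dbm).
    # In practice these would be parsed from each sensor box's sniffer log.
    SCANS = [
        ("sensor-floor1", "00:11:22:33:44:01", "CorpGuest",    6, -48),
        ("sensor-floor2", "00:11:22:33:44:01", "CorpGuest",    6, -71),
        ("sensor-floor2", "AA:BB:CC:DD:EE:02", "linksys",     11, -39),
        ("sensor-floor3", "aa:bb:cc:dd:ee:02", "linksys",     11, -80),
        ("sensor-floor3", "de:ad:be:ef:00:03", "CorpGuest",    1, -42),
        ("sensor-floor1", "12:34:56:78:9a:04", "NeighbourNet", 3, -88),
    ]

    # Assumed allowlist: BSSID -> SSID it is allowed to broadcast (empty if no wifi is permitted).
    AUTHORIZED = {"00:11:22:33:44:01": "CorpGuest"}

    # Assumption: anything heard stronger than this is inside the building's thick walls.
    IN_BUILDING_RSSI = -75


    def triage(scans, authorized, rssi_threshold=IN_BUILDING_RSSI):
        """Return one finding per suspicious BSSID, with the sensor that heard it best."""
        best = {}  # bssid -> (rssi, sensor, ssid, channel) for the strongest sighting
        for sensor, bssid, ssid, chan, rssi in scans:
            bssid = bssid.lower()  # normalise case so sensors agree on identity
            if bssid not in best or rssi > best[bssid][0]:
                best[bssid] = (rssi, sensor, ssid, chan)

        auth_ssids = set(authorized.values())
        findings = []
        for bssid, (rssi, sensor, ssid, chan) in sorted(best.items()):
            if bssid in authorized:
                if ssid == authorized[bssid]:
                    continue  # known AP broadcasting its expected SSID
                kind = "authorized-bssid-wrong-ssid"  # config drift or cloned MAC
            elif ssid in auth_ssids:
                kind = "ssid-impersonation"  # corporate SSID from an unknown radio
            elif rssi >= rssi_threshold:
                kind = "rogue-in-building"   # strong signal, not on the allowlist
            else:
                kind = "neighbour"           # weak signal, probably next door
            findings.append({"bssid": bssid, "kind": kind, "ssid": ssid,
                             "channel": chan, "rssi": rssi, "nearest_sensor": sensor})
        return findings


    if __name__ == "__main__":
        for f in triage(SCANS, AUTHORIZED):
            print(f"{f['kind']:<30} {f['bssid']}  ssid={f['ssid']!r}  "
                  f"ch={f['channel']}  {f['rssi']} dBm near {f['nearest_sensor']}")
    ```

    The "nearest_sensor" field gives the floor to start walking with the hand-held detector; a BSSID seen by one sensor only is a hint about location, not proof.
    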

  4. #4
    Junior Member
    Join Date
    Jan 2004
    Posts
    14
    Yeah,
    netstumbler, airsnort, ethereal... should do for monitoring

    And if you think you can reach an area that's wide enough, you could do a denial-of-service attack, although I don't know any program that automatically detects the APs AND denials. But if you should know the MAC address of the APs used, you could search for the Airjack driver and tools (the oldest Airjack packages should still contain denial tools). And so, if it's still the same AP, they wouldn't be able to connect to it again.
    And MAYBE there's a program that just creates NOISE to interfere with the other wireless signals...
    The following statement is correct.
    The previous statement is false.

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Very true...

    http://www.mle.ie/~jonah/projects/wifihog.html

    wifi jammers (hog)...

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    In any environment, you should only provision (enable) switch ports that are in use; if your users don't have a network jack to plug an AP into, they can't get the AP on the network. There are still the possibilities of users armed with hubs / switches and the like, but by keeping an eye on your switch and DHCP tables along with looking at the physical aspect now and then, I've found that you can keep rogue nodes off your network without too much trouble.
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    THEJRC: Yes, but:

    If a user has an enabled port, they can spoof the MAC of their desktop's Ethernet card via the wireless router and create their own private network off your network. Your DHCP logs won't be too helpful because it'll just look like that user still has their normal network card plugged in, when in fact they are plugged into the switch that the wireless router provides (most have wired ports too).

    APs cost as much if not more than a wireless router.
    So, they are most likely going to be installing a router and not just an AP.

    But, I could be wrong.

    Just like it is explained in the following link:
    http://kbserver.netgear.com/kb_web_files/n101227.asp

  8. #8
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    Yes, this may be true, but in a real-world network one needs to remember that the user's workstation needs to authenticate and access server-based resources. Unless your users have knowledge of advanced routing / port forwarding techniques, they'll be giving up their workstation for a wireless link.

    If your network is large enough that you won't notice a wireless router / access point under someone's desk, you should be running some sort of advanced authentication and/or monitoring, so this would not be a true problem.

    Even so, a quick pass with netstumbler or kismet (or even Windows XP's little built-in wireless configuration) will oust your user fairly easily. Controlling this in a large network is undoubtedly a problem, but if your network is large enough that you can't keep an eye on its users physically, perhaps you should be exercising better NIDS and access control at the backbone. If all your user is after with the wireless AP is internet access, perhaps a simple proxy requiring certificate-based authentication is a quick solution.

    Granted, MAC spoofing and the like present ways around things, but all of these require a little bit more knowledge than your average user, and if you're like me, you keep a closer eye on those with just enough knowledge to be dangerous (it also helps if you strike the fear of god into them from time to time with the handy use of your activity logs).
    ~THEJRC~

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    Hi,

    I am new to this field too, but you might want to try the following.

    For detecting rogue access points you might want to use Airopeek; Netasyst can also be useful.

    Also, if you are using Cisco APs, then even if someone spoofs the MAC IDs you can check in the log and it should show as Virtual Router. This will work if you have configured MAC ID filtering.

    Also, if you wish to get some more information you can go on to:

    http://www.cisco.com/en/US/products/...800b469f.shtml

    This paper covers the Basics of wireless networking.

    MRG
    Detroit MI

  10. #10
    Member
    Join Date
    Apr 2003
    Posts
    95
    Another idea I had was to strategically put a WIFI card in a couple of boxes around the network. Configure them so all it does is sniff (network stumbler, airsnort, etc)
    If you use multiple WIFI cards around the building would they not pick each other up?
