Preventing unauthorized wireless access points

[Siberian]

Here's the problem. One of my clients has adopted a company wide policy of no wireless access. However, because of this from time to time he has employees who bring in and self-install their own wireless access points.

Basically he's interested in a way of easily tracking this issue or blocking it from happening. Right now he wanders the building (3 floors, thick walls so wireless doesn't usually travel far) with a laptop searching for wiresless signals.

Is anyone aware of a way to lock down the network to prevent rogue WAPs or at least monitor for thier presence?

I'm off to research it more just was interested if anyone here had thought about it / had experience doing it.

Thanks

[Negative]

Something like Campus Manager should do the trick, although it's probably overkill if all he wants to do is prevent users from installing rogue WAPs.

How about MAC address control?

[phishphreek]

Good question. I have a little hand held wifi detector that proves useful. Its a lot lighter than a laptop.

Another idea I had was to strategically put a WIFI card in a couple of boxes around the network. Configure them so all it does is sniff (network stumbler, airsnort, etc)
Then check the logs to see if there is any activity. If there is, then trace it down and give the offender the boot. Make an example of them. You probably won't have it happen again.

Negative: I was going to suggest this too... but all the user has to do is spoof their authorized PC MAC and setup NAT through the WAP. Won't do too much good...

[paranoid_sonic]

Yeah,
netstumbler, airsnort, ethereal... should do for monitoring

And if you think you can reach an area that's wide enough, you could do a denial of service-attack, although i don't know any program that automatically detects the APs AND denials. But if you should know the MACadress of the APs used, you could search for the Airjackdriver and tools (the oldest airjackpackages should still contain denialtools). And so, if it's still the same AP, they wouldn't be able to connect to it again.
And MAYBE there's a program that just creates NOISE to interfere with the other wireless signals...

[phishphreek]

Very true...

http://www.mle.ie/~jonah/projects/wifihog.html

wifi jammers (hog)...

[THEJRC]

In any environment, you should only provision (enable) switch ports that are in use, if your users dont have a nettwork jack to plug an ap into they cant get the ap on the network. There are still the possibilities of users armed with hubs / switches and the like but by keeping an eye on your switch and dhcp tables along looking at the physical aspect now and then I've found that you can keep rogue nodes off your network without too much trouble.

[phishphreek]

THEJRC: Yes, but:

If a user has an enabled port, they can spoof the MAC of their desktops ethernet card via the wireless router and create their own private network off your network. Your DHCP logs won't be too helpful because it'll just look like that user still has their normal network card plugged in. When in fact, they are plugged into the switch that the wireless router provides. (most have wired ports too).

APs cost as much if not more than a wireless router.
So, they are most likely going to be installing a router and not just an AP.

But, I could be wrong.

Just like it is explained in the following link:
http://kbserver.netgear.com/kb_web_files/n101227.asp

[THEJRC]

Yes this may be true, but in a real world network one needs to remember that the user's workstation needs to authenticate and access server based resources. Unless your users have knowledge of advanced routing / port forwarding techniques they'll be giving up they're workstation for a wireless link.

If your network is large enough that you wont notice a wireless router / access point under someones desk, you should be running some sort f advanced authentication and/or monitoring so this would not be a true problem.

Even so a quick pass with netstumbler or kismet (or even windows XP's little built in wireless configuration) will oust your user fairly easily. Controlling this in a lare network is undoubtedly a problem, but if your network is large enough that you cant keep an eye on it's users physically perhaps you should be excersizing better NIDS and access control at the backbone. If all your user is after with the wireless AP is internet access perhaps a simple proxy requiring certificate based authentication is a quick solution.

Granted mac spoofing and the like present ways around things, but all of these require a little bit more knowledge than your average user, and if your like me, you keep a closer eye on those with just enough knowledge to be dangerous (it also helps if you strike the fear of god into them from time to time with the handy use of your activity logs).

[mrg81]

Hi,

Even I am new to this filed but you might want to try

For detecting Rogue Access-points you might want to use Airopeek also Netasyst can be useful.

Also if you are using Cisco AP's then even if some one spoofs the MAC ID's you can check in the Log and it should show as Virtual Router, This will work if you have configured MAC iD filtering.

Also if you wish to get some more information you can go on to :


http://www.cisco.com/en/US/products/...800b469f.shtml

This paper covers the Basics of wireless networking.

MRG
Detroit MI

[hellforgedangel]

Another idea I had was to strategically put a WIFI card in a couple of boxes around the network. Configure them so all it does is sniff (network stumbler, airsnort, etc)

If you use multiple WIFI cards around the building would they not pick each other up?