[157295] in North American Network Operators' Group


RE: Detection of Rogue Access Points

daemon@ATHENA.MIT.EDU (Dustin Jurman)
Sun Oct 14 17:50:59 2012

From: Dustin Jurman <dustin@rseng.net>
To: 'Jonathan Rogers' <quantumfoam@gmail.com>, 'Tom Morris'
 <blueneon@gmail.com>, "'nanog@nanog.org'" <nanog@nanog.org>
Date: Sun, 14 Oct 2012 17:47:19 -0400
In-Reply-To: <CAC47Z9=T72kSvrVDsOvEHi8kuyGhnS-tZbs1zqX6OgPZHq_FdA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Automated solution would be something like Air defense or Air Scout with sensors.  Cheap solution would be to lock down your switches with port based authentication.

Dustin


Dustin Jurman
CEO
Rapid Systems Corporation
1211 N. West Shore Blvd. Suite 711
Tampa, FL 33607
Ph: 813-232-4887
http://www.rapidsys.com
"Building Better Infrastructure"
-----Original Message-----
From: Jonathan Rogers [mailto:quantumfoam@gmail.com]
Sent: Sunday, October 14, 2012 5:34 PM
To: Tom Morris; nanog@nanog.org
Subject: Re: Detection of Rogue Access Points

I should probably mention that we do not have any legitimate wireless devices at these locations. I realize that this complicates matters.

The most recent one we found was found exactly like Joe suggested; we were looking at an ARP table for other reasons and found suspicious things (smartphones).

--JR

On Sun, Oct 14, 2012 at 5:30 PM, Tom Morris <blueneon@gmail.com> wrote:

> I have used the wigle app as a scanning and direction finding tool..
> it works OK. Not automated really as you'd have to walk and watch the
> screen but it works.
>
> I once walked into a glass wall inside a building while searching for
> a rogue AP... FOMP!!!!
> On Oct 14, 2012 5:02 PM, "Jonathan Rogers" <quantumfoam@gmail.com> wrote:
>
>> Gentlemen,
>>
>> An issue has come up in my organization recently with rogue access points.
>> So far it has manifested itself two ways:
>>
>> 1. A WAP that was set up specifically to be transparent and provided
>> unprotected wireless access to our network.
>>
>> 2. A consumer-grade wireless router that was plugged in and "just worked"
>> because it got an address from DHCP and then handed out addresses on
>> its own little network.
>>
>> These are at remote sites that are on their own subnets
>> (10.100.x.0/24; about 130 of them so far). Each site has a decent
>> Cisco router at the demarc that we control. The edge is relatively
>> low-quality managed layer 2 switches that we could turn off ports on
>> if we needed to, but we have to know where to look, first.
>>
>> I'm looking for innovative ideas on how to find such a rogue device,
>> ideally as soon as it is plugged in to the network. With situation #2
>> we may be able to detect NAT going on that should not be there.
>> Situation #1 is much more difficult, although I've seen some research
>> material on how frames that originate from 802.11 networks look
>> different from regular ethernet frames. Installation of an advanced
>> monitoring device at each site is not really practical, but we may be
>> able to run some software on a Windows PC in each office. One idea
>> put forth was checking for NTP traffic that was not going to our
>> authorized NTP server, but NTP isn't necessarily turned on by
>> default, especially on consumer-grade hardware.
>>
>> Any ideas?
>>
>> Thank you for your time,
>>
>> Jonathan Rogers
>>
>
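One concrete way to do the NAT detection Jonathan mentions for situation #2 (a consumer router handing out its own addresses) is passive TTL analysis: a host directly on the site /24 should arrive at the capture point with its OS initial TTL (64, 128, 255) intact, while hosts behind a consumer router arrive with it decremented by one, and several OS families showing up behind one IP is a second tell. This is an added example, not code from anyone in the thread; the packet summaries, the site subnet 10.100.12.0/24 and the field format are constructed for illustration.

```python
"""Flag on-subnet hosts whose traffic looks NATed (TTL decremented or
mixed initial TTLs behind one address).  Input lines are constructed
packet summaries of the form "src=<ip> ttl=<n>", e.g. extracted from a
capture on the site router or on the office PC's NIC (assumption)."""
import ipaddress
from collections import defaultdict

INITIAL_TTLS = (32, 64, 128, 255)        # common OS default initial TTLs
SITE_NET = ipaddress.ip_network("10.100.12.0/24")  # one site subnet (constructed)

# Constructed sample: .77 shows TTL 63 and 127 from one IP -> two OS
# families, each one hop away, i.e. a NAT box on the LAN.  10.100.13.9 is
# another site reached via the WAN; its decrement is expected and ignored.
SAMPLE = """\
src=10.100.12.20 ttl=128
src=10.100.12.20 ttl=128
src=10.100.12.77 ttl=63
src=10.100.12.77 ttl=127
src=10.100.12.77 ttl=63
src=10.100.12.5 ttl=64
src=10.100.12.200 ttl=255
src=10.100.13.9 ttl=62
""".splitlines()

def parse(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return ipaddress.ip_address(fields["src"]), int(fields["ttl"])

def initial_ttl(ttl):
    """Smallest standard initial TTL that could have produced this value."""
    return next(init for init in INITIAL_TTLS if ttl <= init)

def hops(ttl):
    """Inferred number of routers between sender and capture point."""
    return initial_ttl(ttl) - ttl

def suspects(lines, site_net=SITE_NET):
    """Return {ip: details} for hosts inside site_net that show at least
    one hop of decrement or more than one inferred OS family."""
    seen = defaultdict(set)
    for line in lines:
        ip, ttl = parse(line)
        if ip in site_net:                  # only directly attached hosts
            seen[ip].add(ttl)
    out = {}
    for ip, ttls in seen.items():
        hop = max(hops(t) for t in ttls)
        families = {initial_ttl(t) for t in ttls}
        if hop > 0 or len(families) > 1:
            out[str(ip)] = {"ttls": sorted(ttls), "hops": hop,
                            "os_families": len(families)}
    return out
```

Some hosts (VPN clients, hardened builds, some appliances) ship non-default TTLs, so treat a hit as a lead to confirm via the switch MAC table before disabling a port.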


