[157330] in North American Network Operators' Group
Re: Detection of Rogue Access Points
daemon@ATHENA.MIT.EDU (Sean Harlow)
Mon Oct 15 20:29:46 2012
In-Reply-To: <CAO0-hXZAv-TrByy-8Ud9Xz4ssdVyFEFGRQ_xtHNSkiKMG16sJQ@mail.gmail.com>
Date: Mon, 15 Oct 2012 20:29:32 -0400
From: Sean Harlow <sean@seanharlow.info>
To: Joe Hamelin <joe@nethead.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Oct 15, 2012 at 7:31 PM, Joe Hamelin <joe@nethead.com> wrote:
> Jonathan stated that they have health data on the network and only company
> issued devices are allowed. I would suggest to him that he inventory the
> equipment via MAC address (I'm guessing that it's mostly standard issue
> stuff that would be easy to recognize) and then lock down unused ports and
> set up monitoring. If a new MAC appears on the network, then it better
> have been sent there by IT.
>
I won't argue with that. When no official wireless network is involved, a
MAC whitelist can be very effective. It'll catch any casual user
attempting to homebrew a WiFi setup and significantly increase the odds of
detecting an actual attacker. Even if the switches are at the lowest end
of "smart" and only expose a web interface it's not too hard to rig up a
screen scraper to list the connected devices on a regular basis and alert
if anything new is seen. I'd expect that there are probably at least a
dozen commercial and/or open source tools that already exist for the
purpose, actually.
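The inventory-and-alert loop described in this thread, as an added example that is not part of the original post or any tool it mentions: a known-device inventory keyed by MAC, a parser for a switch's MAC table, and a check that flags any MAC not in the inventory. The switch output below is a constructed sample in a Cisco-like "show mac address-table" layout, not a capture from a real switch; the inventory entries and port names are likewise made up. Going one step past the post, it also flags any access port that learns more than one MAC, since a bridging AP or a hub plugged into a single-host port shows up that way. The caveat that applies to any MAC-based control still holds: a MAC is trivially spoofed, so this catches the casual case, not a deliberate attacker who clones a whitelisted address.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory of company-issued devices (hypothetical names and
# addresses). Keys are written in several vendor formats on purpose to
# show that everything is normalized before comparison.
INVENTORY = {
    "00-11-22-33-44-55": "ws-101 (desktop, floor 1)",
    "00:11:22:33:44:66": "ws-102 (desktop, floor 1)",
    "0011.2233.4477":    "ws-103 (desktop, floor 1)",
    "00AA.BBCC.DD01":    "printer-2 (floor 2)",
    "00:11:22:33:44:88": "ws-104 (laptop, currently docked)",
}

# Constructed sample of a Cisco-style MAC table. Sample data only.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd02    DYNAMIC     Gi1/0/7
  20    f0de.f1aa.0001    DYNAMIC     Gi1/0/7
  10    0011.2233.4477    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 7
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b"
)

Entry = Tuple[str, str, str]  # (mac, vlan, port)


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> List[Entry]:
    """Pull (mac, vlan, port) out of each table row; skip headers and the
    switch's own CPU-bound entries, which are not attached devices."""
    entries = []
    for line in text.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue
        tokens = line.split()
        vlan, port = tokens[0], tokens[-1]
        if port.upper() == "CPU":
            continue
        entries.append((normalize_mac(match.group(0)), vlan, port))
    return entries


def find_unknown(entries: List[Entry], inventory: Dict[str, str]) -> List[Entry]:
    """MACs on the wire that IT did not put there."""
    known = {normalize_mac(k) for k in inventory}
    return [e for e in entries if e[0] not in known]


def find_unseen(entries: List[Entry], inventory: Dict[str, str]) -> List[str]:
    """Inventoried MACs not currently learned by the switch; their ports are
    candidates for the lockdown the post recommends."""
    seen = {e[0] for e in entries}
    return sorted(normalize_mac(k) for k in inventory if normalize_mac(k) not in seen)


def ports_with_multiple_macs(entries: List[Entry]) -> Dict[str, List[str]]:
    """Single-host access ports should learn one MAC; more than one suggests
    a bridging AP, hub or unmanaged switch hanging off that port."""
    by_port = defaultdict(list)
    for mac, _vlan, port in entries:
        by_port[port].append(mac)
    return {port: macs for port, macs in by_port.items() if len(macs) > 1}


def build_alerts(text: str, inventory: Dict[str, str]) -> List[str]:
    entries = parse_mac_table(text)
    alerts = [f"NEW MAC {mac} on {port} (vlan {vlan})"
              for mac, vlan, port in find_unknown(entries, inventory)]
    alerts += [f"MULTIPLE MACS on {port}: {', '.join(macs)}"
               for port, macs in sorted(ports_with_multiple_macs(entries).items())]
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_MAC_TABLE, INVENTORY):
        print(alert)
    print("inventoried but not seen:", find_unseen(parse_mac_table(SAMPLE_MAC_TABLE), INVENTORY))
```

In practice the `SAMPLE_MAC_TABLE` string is whatever the scheduled job pulled from the switch (SNMP, SSH, or the web-interface scrape the post mentions), and the alert list goes to whatever paging or ticketing path the site already uses; the parser only needs the VLAN in the first column, a MAC somewhere in the row, and the port in the last column, so it tolerates minor layout differences between switch models.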