Hardening Wireless LAN Connections Part 1 - Detecting Unauthorized WAPs from the Wired Network
(Page 4 of 11 )
Detecting unauthorized WAPs from the wired network is generally not as easy a process as it is to detect them wirelessly. After all, it doesn’t get much simpler than walking around with a laptop and a wireless card. At the same time, you can’t really do much about the biggest problem with trying to detect a WAP wirelessly — namely — detecting a WAP that is not broadcasting its SSID.
Using a wired detection process can alleviate some of the disadvantages to trying to detect an unauthorized WAP wirelessly. For example, a wired detection process is not susceptible to missing WAPs that do not broadcast their SSIDs. In addition, a wired detection process can be used to survey remote sites and can even be scheduled and scripted to increase ease of use.
Unfortunately, there are some drawbacks to this method. It can be difficult to locate all the unauthorized access points. This is largely due to the lack of mature or specialized products for this task. Currently, most techniques rely on using MAC addresses (because all vendors are assigned a MAC address range) or OS fingerprinting to identify the WAP, both of which are an imprecise science. Here are two tools that can assist you in identifying an unauthorized AP by monitoring MAC addresses:
Here are some tools that can assist you in OS fingerprinting:
Both of these methods share the common problem of generating false positives. For example, Nmap recognizes a Linksys WAP54G as a Linux device because it actually runs Linux for the OS. This can make it difficult to determine whether the device is indeed a WAP or just a Linux host running on your network. MAC address tools rely on identifying a device due to it having a MAC address that has been assigned to a wireless vendor. That can make it difficult to distinguish between a Cisco AP and a Cisco switch if the database of MAC addresses has not been accurately updated.
Detecting WAPs from the Wired Network While I was writing this, I got into a discussion with a colleague about the inconsistencies and difficulties of detecting a rogue wireless AP on the network. He mentioned that he was testing an alpha version of Network Associates ePolicy Orchestrator (EPO; http://www.nai.com/us/products/mcafee/mgmt_solutions/epo.htm) that has the ability to detect rogue wireless APs. When I asked him how well it worked, he mentioned that he had tested EPO with a number of different wireless APs and that it detected all of them within 5–8 minutes of being brought online. The technology is definitely improving, and the accuracy of the detection algorithms is getting much better. |
Removing Rogue WAPs Once you have detected a rogue WAP, you have a couple of methods you can use to shut it down. One option is to attempt to physically locate and disconnect the WAP from the network. However, this can be both time consuming and prone to failure. The obvious difficulty in this method is that it can be very difficult to locate the WAP, usually through a trial-and-error process. (Is the WAP here? No. Is it here? No.)
Another option is to locate the switch port that the MAC address is connected to and shut that switch port down. Similarly, you can determine the IP address of the WAP and attempt to block the IP address. Personally, I recommend shutting down the switch port. In many cases, this will cause the person to seek you out, saving you the time and effort of trying to find them.
User: Uh, yes, I can’t access anything on the network anymore. I don’t know what happened.
You: No problem. We know exactly what is going on. What office are you in?
 This is from Hardening Network Infrastructure, by Wesely Noonan (McGraw-Hill/Osborne, ISBN 0072255021). Check it out at your favorite bookstore today. Buy this book now. |
/ 8 
