Computer Security - Detect Wireless Access Points

#1

I am searching for a way that a systems administrator can locate/detect/identify unauthorized wireless access points in a global (or WAN) network, including those across the oceans, even not being physically there!

One way is "war driving". However, it requires a person physically walking inside the organization or driving around the organization's campus with a "war driving" software.

Can one use a packet sniffer? But it may be "blocked" by VLANs.

Any advice / pointers are appreciated.

Thanks and have a nice weekend.

Doug Fox

#2

On Sat, 2 Apr 2005 02:04:38 -0500, "Doug Fox" <> wrote:

>I am searching for a way that a systems administrator can
>locate/detect/identify unauthorized wireless access points in a global (or
>WAN) network, including those across the oceans, even not being physically
>there!
>
>One way is "war driving". However, it requires a person physically walking
>inside the organization or driving around the organization's campus with a
>"war driving" software.
>
>Can one use a packet sniffer? But it may be "blocked" by VLANs.
>
>Any advice / pointers are appreciated.
>
>Thanks and have a nice weekend.
>

###########################
AFAIK, you can forget about the "across oceans" part. Even if you could detect access points that far away, you couldn't tell if they were authorized or not. A sniffer works on the local level. I spoke to someone who uses ethereal for windows and even was able to get airsnort for linux to work on windows as well. I haven't found one for FreeBSD yet.

As more and more companies switch to wireless, wardriving is going to become an issue if it's done to collect credit card and social security numbers. It's one thing to look but another to start using that information for identity theft. I consult for a mortgage company and I just recommended that they don't go wireless when they move to their new location.

donnie

#3

On Sat, 02 Apr 2005 12:07:28 +0000, donnie wrote:

>
> I consult for a mortgage company
> and I just recommended that they don't go wireless when they move to
> their new location.

The only wireless we install is in bridge mode between two units, with MAC and key filtering. When you set up the units in bridge mode they don't allow outside connections.

I refuse to do wireless for any of our clients. We had one medical center in LA that was adamant about having us install Wireless, we kept saying no, then when the client got real demanding, we took out a laptop and did a scan of the available networks, found 8 open networks in the area (all from the main conference room)..... Once we showed them the problem it was easy to dissuade them from implementing wireless.

--
remove 999 in order to email me

#4

The challenge is some branch managers or some techies in a branch office would install an AP disregarding company policies. The IT department wants to identify these "rogue" wireless LANs remotely.

Someone has mentioned Cisco's WLSE or AirMagnet's products, but they cost an arm and a leg.

We are looking for a "cheaper" solution ..

"Leythos" <> wrote in message news:1Gx3e.4235$...

> On Sat, 02 Apr 2005 12:07:28 +0000, donnie wrote:
>>
>> I consult for a mortgage company
>> and I just recommended that they don't go wireless when they move to
>> their new location.
>
> The only wireless we install is in bridge mode between two units, with MAC
> and key filtering. When you set up the units in bridge mode they don't
> allow outside connections.
>
> I refuse to do wireless for any of our clients. We had one medical center
> in LA that was adamant about having us install Wireless, we kept saying
> no, then when the client got real demanding, we took out a laptop and did
> a scan of the available networks, found 8 open networks in the area (all
> from the main conference room)..... Once we showed them the problem it was
> easy to dissuade them from implementing wireless.
>
> --
>
> remove 999 in order to email me
>

#5

In article <PKednaLGVIZg3tPfRVn->, Doug Fox wrote:

>I am searching for a way that a systems administrator can
>locate/detect/identify unauthorized wireless access points in a global (or
>WAN) network, including those across the oceans, even not being physically
>there!

Without physical access - rather difficult. At the very least, you would need some hardware on every network segment to be able to sniff all local packets.

>Can one use a packet sniffer?

Certainly - but it needs to have its sensor on that local wire. Then you can look at hardware addresses (if the bad guy is st00pid enough to physically connect a device directly), or use a passive O/S fingerprinter to detect multiple hosts behind a single MAC. Much harder to detect if all of the systems are running identical installs, but not impossible. If the idiots are using windoze in the 'drop your pants and share' mode, it should be much easier, but we don't allow microsoft software on our nets, so I'm not an expert on that.

>Any advice / pointers are appreciated.

There is no substitute for physical presence - either yourself, or a trusted and competent substitute. Be sure that company policy - WRITTEN AND PUBLISHED company policy has informed people that this is a no-no, and why. If you are worried about someone putting a passive only tap on your network and stealing secret data, the ONLY way you will find that is a physical inspection. Radio detection may not be enough - I have one link that runs on IR, and you'd have to be physically in the line of sight path to even detect it, never mind intercept it. It's a temporary point to point link, substituting for an underground fiber that a back hoe managed to discover.

Old guy

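Added example, not part of the thread or any poster's own code: a Python version of the check described in post #5, run over observations that a sensor on the local segment could record from outbound TCP SYN packets. The sample data, the INVENTORY list and the TTL-decrement heuristic (a device routing or NATing for other hosts lowers the TTL by one) are assumptions added here; the MAC addresses come from the documentation range.

```python
from collections import defaultdict

# Constructed sample: (source MAC, IP TTL, TCP SYN window size) per packet.
OBSERVATIONS = [
    ("00:00:5e:00:53:01", 128, 65535),
    ("00:00:5e:00:53:01", 128, 65535),
    ("00:00:5e:00:53:02", 64, 5840),
    ("00:00:5e:00:53:03", 127, 65535),  # TTL one short of 128: one routed hop
    ("00:00:5e:00:53:03", 63, 5840),    # different stack behind the same MAC
    ("00:00:5e:00:53:03", 63, 16384),
]
INVENTORY = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}  # hypothetical asset list

INITIAL_TTLS = (32, 64, 128, 255)  # common starting TTL values


def initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value."""
    return next(t for t in INITIAL_TTLS if ttl <= t)


def analyse(observations, inventory):
    """Return {mac: [reasons]} for hardware addresses that look suspicious."""
    per_mac = defaultdict(lambda: {"stacks": set(), "hops": set()})
    for mac, ttl, window in observations:
        start = initial_ttl(ttl)
        per_mac[mac]["stacks"].add((start, window))  # coarse OS fingerprint
        per_mac[mac]["hops"].add(start - ttl)        # 0 for a directly attached host
    findings = {}
    for mac, seen in per_mac.items():
        reasons = []
        if mac not in inventory:
            reasons.append("unknown hardware address")
        if len(seen["stacks"]) > 1:
            reasons.append(f"{len(seen['stacks'])} distinct TCP/IP stacks")
        if any(h > 0 for h in seen["hops"]):
            reasons.append("TTL decremented before reaching sensor")
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in analyse(OBSERVATIONS, INVENTORY).items():
        print(mac, "->", "; ".join(reasons))
```

Legitimate routers or gateways on the monitored segment will trip the same checks, so their addresses need to be excluded before acting on a finding.
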
#6

On Sat, 2 Apr 2005 12:28:29 -0500, "Doug Fox" <> wrote:

>The challenge is some branch managers or some techies in a branch office
>would install an AP disregarding company policies. The IT department wants
>to identify these "rogue" wireless LANs remotely.
>
>Someone has mentioned Cisco's WLSE or AirMagnet's products, but they cost an
>arm and a leg.
>
>We are looking for a "cheaper" solution

#################################
I'm a little confused. How do you know someone installed a "rogue" wireless LAN? If someone did, why does it have to be detected remotely? Those signals don't go that far. I don't understand why the IT department can't go there. I'm missing a piece of the story.

donnie.

#7

The company has over 100 offices on 5 continents. It is costly to visit each office. It is contemplating whether it can be done remotely.

Management has accidentally found some offices installed APs without authorization.

"donnie" <> wrote in message news:...

> On Sat, 2 Apr 2005 12:28:29 -0500, "Doug Fox" <>
> wrote:
>
>>The challenge is some branch managers or some techies in a branch office
>>would install an AP disregarding company policies. The IT department wants
>>to identify these "rogue" wireless LANs remotely.
>>
>>Someone has mentioned Cisco's WLSE or AirMagnet's products, but they cost an
>>arm and a leg.
>>
>>We are looking for a "cheaper" solution
> #################################
> I'm a little confused. How do you know someone installed a "rogue"
> wireless LAN? If someone did, why does it have to be detected
> remotely? Those signals don't go that far. I don't understand why
> the IT department can't go there. I'm missing a piece of the story.
> donnie.

#8

Thanks, Moe Trin.

"Moe Trin" <> wrote in message news:...

> In article <PKednaLGVIZg3tPfRVn->, Doug Fox wrote:
>
>>I am searching for a way that a systems administrator can
>>locate/detect/identify unauthorized wireless access points in a global (or
>>WAN) network, including those across the oceans, even not being physically
>>there!
>
> Without physical access - rather difficult. At the very least, you would
> need some hardware on every network segment to be able to sniff all local
> packets.
>
>>Can one use a packet sniffer?
>
> Certainly - but it needs to have its sensor on that local wire. Then you
> can look at hardware addresses (if the bad guy is st00pid enough to
> physically connect a device directly), or use a passive O/S fingerprinter
> to detect multiple hosts behind a single MAC. Much harder to detect if
> all of the systems are running identical installs, but not impossible.
> If the idiots are using windoze in the 'drop your pants and share' mode,
> it should be much easier, but we don't allow microsoft software on our
> nets, so I'm not an expert on that.
>
>>Any advice / pointers are appreciated.
>
> There is no substitute for physical presence - either yourself, or a
> trusted and competent substitute. Be sure that company policy - WRITTEN
> AND PUBLISHED company policy has informed people that this is a no-no, and
> why. If you are worried about someone putting a passive only tap on your
> network and stealing secret data, the ONLY way you will find that is a
> physical inspection. Radio detection may not be enough - I have one link
> that runs on IR, and you'd have to be physically in the line of sight
> path to even detect it, never mind intercept it. It's a temporary point
> to point link, substituting for an underground fiber that a back hoe
> managed to discover.
>
> Old guy

#9

donnie wrote:

> On Sat, 2 Apr 2005 02:04:38 -0500, "Doug Fox" <>
> wrote:
>
>>I am searching for a way that a systems administrator can
>>locate/detect/identify unauthorized wireless access points in a global (or
>>WAN) network, including those across the oceans, even not being physically
>>there!
>>
>>One way is "war driving". However, it requires a person physically
>>walking inside the organization or driving around the organization's
>>campus with a "war driving" software.
>>
>>Can one use a packet sniffer? But it may be "blocked" by VLANs.
>>
>>Any advice / pointers are appreciated.
>>
>>Thanks and have a nice weekend.
>>
> ###########################
> AFAIK, you can forget about the "across oceans" part. Even if you
> could detect access points that far away, you couldn't tell if they
> were authorized or not. A sniffer works on the local level. I spoke
> to someone who uses ethereal for windows and even was able to get
> airsnort for linux to work on windows as well. I haven't found one
> for FreeBSD yet.

FreeBSD 5.3 supports Ethereal and I use Snort quite well on a 4.8 box...

> As more and more companies switch to wireless, wardriving is going to
> become an issue if it's done to collect credit card and social
> security numbers. It's one thing to look but another to start using
> that information for identity theft. I consult for a mortgage company
> and I just recommended that they don't go wireless when they move to
> their new location.
> donnie

Yup but, I bet they still do it

Michael

--
"Microsoft isn't evil, they just make really crappy operating systems."
- Linus Torvalds

#10

Leythos wrote:

> On Sat, 02 Apr 2005 12:07:28 +0000, donnie wrote:
>>
>> I consult for a mortgage company
>> and I just recommended that they don't go wireless when they move to
>> their new location.
>
> The only wireless we install is in bridge mode between two units, with MAC
> and key filtering. When you set up the units in bridge mode they don't
> allow outside connections.
>
> I refuse to do wireless for any of our clients. We had one medical center
> in LA that was adamant about having us install Wireless, we kept saying
> no, then when the client got real demanding, we took out a laptop and did
> a scan of the available networks, found 8 open networks in the area (all
> from the main conference room)..... Once we showed them the problem it was
> easy to dissuade them from implementing wireless.
>

Cisco has a nice product line basically using VPN over wireless...EAP EAP/LEAP, etc..

Michael

--
"Microsoft isn't evil, they just make really crappy operating systems."
- Linus Torvalds