Detect Wireless Access Points

Discussion in 'Computer Security' started by Doug Fox, Apr 2, 2005.

  1. Doug Fox

    Doug Fox Guest

    I am searching for a way that a systems administrator can
    locate/detect/identify unauthorized wireless access points in a global (or
    WAN) network, including those across the oceans, even not being physically

    One way is "war driving". However, it requires a person physically walking
    inside the organization or driving around the organization's campus with a
    "war driving" software.

    Can one use a packet sniffer? But it may be "blocked" by VLANs.

    Any advice / pointers are appreciated.

    Thanks and have a nice weekend.
    Doug Fox, Apr 2, 2005

  2. Doug Fox

    donnie Guest

    AFAIK, you can forget about the "across oceans" part. Even if you
    could detect access points that far away, you couldn't tell if they
    were authorized or not. A sniffer works on the local level. I spoke
    to someone who uses ethereal for windows and even was able to get
    airsnort for linux to work on windows as well. I haven't found one
    for FreeBSD yet.
    As more and more companies switch to wireless, wardriving is going to
    become an issue if it's done to collect credit card and social
    security numbers. It's one thing to look but another to start using
    that information for identity theft. I consult for a mortgage company
    and I just recommended that they don't go wireless when they move to
    their new location.
    donnie, Apr 2, 2005

  3. Doug Fox

    Leythos Guest

    The only wireless we install is in bridge mode between two units, with MAC
    and key filtering. When you set up the units in bridge mode they don't
    allow outside connections.

    I refuse to do wireless for any of our clients. We had one medical center
    in LA that was adamant about having us install wireless; we kept saying
    no, then when the client got real demanding, we took out a laptop and did
    a scan of the available networks, found 8 open networks in the area (all
    from the main conference room)..... Once we showed them the problem it was
    easy to dissuade them from implementing wireless.
    Leythos, Apr 2, 2005
  4. Doug Fox

    Doug Fox Guest

    The challenge is some branch managers or some techies in a branch office
    would install APs disregarding company policies. The IT department wants
    to identify these "rogue" wireless LANs remotely.

    Someone has mentioned Cisco's WLSE or AirMagnet's products, but they cost an
    arm and a leg.

    We are looking for a "cheaper" solution :-(

    Doug Fox, Apr 2, 2005
  5. Doug Fox

    Moe Trin Guest

    Without physical access - rather difficult. At the very least, you would
    need some hardware on every network segment to be able to sniff all local
    Certainly - but it needs to have its sensor on that local wire. Then you
    can look at hardware addresses (if the bad guy is st00pid enough to
    physically connect a device directly), or use a passive O/S fingerprinter
    to detect multiple hosts behind a single MAC. Much harder to detect if
    all of the systems are running identical installs, but not impossible.
    If the idiots are using windoze in the 'drop your pants and share' mode,
    it should be much easier, but we don't allow microsoft software on our
    nets, so I'm not an expert on that.
    There is no substitute for physical presence - either yourself, or a
    trusted and competent substitute. Be sure that company policy - WRITTEN
    AND PUBLISHED company policy has informed people that this is a no-no, and
    why. If you are worried about someone putting a passive only tap on your
    network and stealing secret data, the ONLY way you will find that is a
    physical inspection. Radio detection may not be enough - I have one link
    that runs on IR, and you'd have to be physically in the line of sight
    path to even detect it, never mind intercept it. It's a temporary point
    to point link, substituting for an underground fiber that a back hoe
    managed to discover.

    Old guy
    Moe Trin, Apr 2, 2005
  6. Doug Fox

    donnie Guest

    I'm a little confused. How do you know someone installed a "rogue"
    wireless LAN? If someone did, why does it have to be detected
    remotely? Those signals don't go that far. I don't understand why
    the IT department can't go there. I'm missing a piece of the story.
    donnie, Apr 2, 2005
  7. Doug Fox

    Doug Fox Guest

    The company has over 100 offices on 5 continents. It is costly to visit each
    office. It is contemplating whether it can be done remotely. Management has
    accidentally found some offices installed AP without authorization.
    Doug Fox, Apr 3, 2005
  8. Doug Fox

    Doug Fox Guest

    Thanks, Moe Trin.

    Doug Fox, Apr 3, 2005
  9. FreeBSD 5.3 supports Ethereal and I use Snort quite well on a 4.8 box...
    Yup but, I bet they still do it :-(

    Michael Pelletier, Apr 3, 2005
  10. Cisco has a nice product line basically using VPN over wireless...EAP
    EAP/LEAP, etc..

    Michael Pelletier, Apr 3, 2005

  11. I have had the same problem. It is difficult. There are a couple of things
    we did.

    1) We got a piece of software that scans PCs for installed software and
    hardware. Once a week one of the helpdesk guys goes through it looking for
    any wireless cards. The thing to remember is some laptops have one built
    in. However, if the number of these are small, it does work quite well.
    Since we knew OUR PCs SHOULD NOT have wireless cards, if we found one,
    we found 5 actually, promptly shut them down.

    2) I have several SNORT/NTop boxes per campus. I added airsnort (and a
    wireless card) to these UNIX (FreeBSD) probes. I have a script that alerts
    me when a new wireless network is found. Again, I still have to do an
    investigation but at least I get alerted.

    Those are the only solutions I could think of at the time...

    Michael Pelletier, Apr 3, 2005
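
Added example, not part of the original thread and not the poster's script: one way a probe-side "alert on a new wireless network" check like the one described in post 11 could work, comparing what a probe's wireless card hears against an inventory of sanctioned APs. The scan column layout, the inventory, the probe name, the SSIDs, the MAC addresses and the -70 dBm triage threshold are all constructed assumptions.

```python
import csv
import io

# Constructed sample: one row per beacon a probe's wireless card heard.
# The column layout is an assumption, not the output of any specific tool.
SAMPLE_SCAN = """\
probe,bssid,ssid,channel,signal_dbm
lon-probe1,02:00:00:AA:BB:01,CORP-WLAN,6,-48
lon-probe1,02-00-00-aa-bb-01,CORP-WLAN,6,-51
lon-probe1,02:00:00:10:20:30,linksys,11,-39
lon-probe1,02:00:00:10:20:31,CORP-WLAN,1,-44
lon-probe1,02:00:00:77:88:99,CoffeeShop,3,-88
"""

# Hypothetical inventory of sanctioned access points, keyed by probe site.
AUTHORIZED = {"lon-probe1": {"02:00:00:aa:bb:01"}}
CORP_SSIDS = {"CORP-WLAN"}


def norm_bssid(raw):
    """Canonicalise a MAC so 02-00-00-AA.. and 02:00:00:aa.. compare equal."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def new_network_alerts(scan_text, seen, near_dbm=-70):
    """Alert once per unlisted BSSID; `seen` holds (probe, bssid) pairs
    persisted between runs so repeat scans do not re-alert."""
    alerts = []
    for row in csv.DictReader(io.StringIO(scan_text)):
        key = (row["probe"], norm_bssid(row["bssid"]))
        if key[1] in AUTHORIZED.get(row["probe"], set()) or key in seen:
            continue
        seen.add(key)
        if row["ssid"] in CORP_SSIDS:
            reason = "unlisted AP using a corporate SSID"
        elif int(row["signal_dbm"]) >= near_dbm:
            reason = "strong unknown signal, likely on premises"
        else:
            reason = "weak unknown signal, likely a neighbour"
        alerts.append((row["probe"], key[1], row["ssid"], reason))
    return alerts


if __name__ == "__main__":
    for alert in new_network_alerts(SAMPLE_SCAN, set()):
        print("ALERT", *alert)
```

The reason field only orders the follow-up investigation; a weak signal from a neighbouring office and a rogue AP at the far end of the floor look the same to a single probe.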
  12. Doug Fox

    donnie Guest

    If the company is that big, they shouldn't be worried about what it
    costs to secure their system.
    donnie, Apr 3, 2005
  13. Doug Fox

    donnie Guest

    Those are all good ideas but if that were my company, I'd be at every
    location or hire someone to be there.
    donnie, Apr 3, 2005
  14. Doug Fox

    Unruh Guest

    Unruh, Apr 3, 2005
  15. Honestly, I tried suggesting this to mgmt. However, when you are a global
    entity, it is very difficult. You need trained people (remember not every
    site has an IT guy/girl). Convincing some worker who does not do IT to
    spend a couple of hours per week to do this is almost impossible unless you
    have proof that there is something there that is suspicious. Most people
    just do not have the time or want to "donate" free time.

    When I do travel I check for these things.

    Michael Pelletier, Apr 3, 2005
  16. Doug:

    Send out pre-configured cheap laptops (used ones work fine) with Wireless
    cards installed, wired NICs, and PC Anywhere or Carbon Copy, or any remote
    control product on it. Have someone at the site simply plug in the network
    card and boot the machines. Let them sit there. Visit them periodically
    with remote control, and open the Wireless connect application. Scan for
    wireless access points. Nothing complex, nor expensive.
    Richard Johnson, Apr 3, 2005
  17. Doug Fox

    donnie Guest

    I understand all that. I guess it's a matter of preference, what's
    important to whom. I can only say what I would do.
    donnie, Apr 4, 2005
  18. I hear ya on that. However, sometimes "convincing" mgmt is like that old
    saying "pick your battles" Or even better "Never argue with the village
    idiot" pick. It seems sometimes that security is never an issue UNTIL
    something is a shame.

    Michael Pelletier, Apr 4, 2005
  19. Doug Fox

    winged Guest

    One system we have found effective at ensuring only authorized devices
    connect to our network wireless systems is a product called Cranite.

    It has the nominal administrative overhead of any server (OS patches
    etc). Unless a device has a certificate, the APs will not respond. The
    APs do not broadcast presence except to certified devices. Certificates
    are married to the device and the wireless card, if either are changed
    the APs will not negotiate. The APs do not respond to wardriving
    techniques and are FIPS 140-2 compliant. Since it is a level 2 access
    instead of level 3 (like a standard VPN solution) it enhances the
    security envelope significantly.

    It does require managing a Win server and establishing VLANS to the
    server DMZ (server lives in its own isolated DMZ properly configured),
    but the product does work and the encryption does not impact
    communications speed significantly.

    A drawback is there are only a few APs that will work with the system,
    so this solution is best when one is starting a wireless network from
    scratch as most of your old APs are not suited to operate properly with
    the exception of the wireless NIC card. There is an additional limit of
    only Win OS (2000, XP, or CE) though I have run Linux inside a VM on a
    XP box.

    It has the additional advantage of setting up dynamic effective VPNs
    from remote public access points (using the remote access software)
    keeping the communications secure even outside of controlled boundaries
    tunneling the communications through the authentication point. While
    this may not be a "home" solution, the technology "seems" to be immune
    to many unauthorized communication attempts (I have not found any way to
    compromise the network or the data, but I am still trying).

    The components are equitably priced with other commercial use APs (200$
    range + antenna) and the software was much cheaper per simultaneous
    seats than I expected (less than 50$ per simultaneous seat (prices go
    down with quantity)), though I do recommend testing the various beam
    antennas (which cost as much as the access points) for large facilities.
    Using beams in our case reduced the access points required to 1/4 as
    many APs in turn reducing management overhead.

    Additionally you can restrict the client to a domain, (requires the
    additional authorization credentials of the domain), route it outside
    for general Internet use, mainframes etc, depending on the user work
    requirement. You can pretty much control and localize where these
    devices are allowed to communicate to, using the same group policies
    (does not relate necessarily to domain policies) that we have grown to
    love. This finite control of the network activity allowed to the device
    is just as essential as controlling wired network communications.
    Activity monitoring is very good.

    Like any other network, when in design phase, plan IDS APs to monitor
    for unauthorized access attempts. Each IDS requires its own AP, each
    AP ideally needs an accompanied IDS AP for monitoring for unauthorized
    rogue devices, though you can fudge somewhat by placing the IDS between
    two APs.

    The fact users are putting rogues on the network is "usually" an
    indicator of an un-met requirement. When you attend that next meeting
    with full access to your data, it does make meetings more productive.

    Once you make APs available for users rogue use drops significantly,
    especially after word gets out about the device confiscation and
    supplementary personnel removal action.

    If you are looking for a good solution for the business environment,
    this one seems to be reasonably secure. I wish I had a similar secure
    solution available for the home environment.

    I can vouch for 3 minutes to enter a standard WEP device especially if
    it is being used, even if all the AP security features are turned on,
    just ask my neighbors... ;-)

    winged, Apr 6, 2005
  20. Doug Fox

    winged Guest

    Costs always are a factor even in big companies. Worse, securing the
    jewels often is second place to the bottom line. Hopping that jet to
    look at a potential issue is seldom an option. When I suggest I visit a
    remote site such as the one in Hawaii or Germany they often think I am
    trying to get a free vacation, go figure...

    winged, Apr 6, 2005