Detection of Rogue Access Points

Kenneth M. Chipps Ph.D. chipps at chipps.com
Sun Oct 14 22:27:36 UTC 2012


Scan for devices with open port 80 as these are managed by a GUI.

-----Original Message-----
From: Jonathan Rogers [mailto:quantumfoam at gmail.com] 
Sent: Sunday, October 14, 2012 3:59 PM
To: nanog at nanog.org
Subject: Detection of Rogue Access Points

Gentlemen,

An issue has come up in my organization recently with rogue access points.
So far it has manifested itself two ways:

1. A WAP that was set up specifically to be transparent and provided
unprotected wireless access to our network.

2. A consumer-grade wireless router that was plugged in and "just worked"
because it got an address from DHCP and then handed out addresses on its own
little network.

These are at remote sites that are on their own subnets (10.100.x.0/24;
about 130 of them so far). Each site has a decent Cisco router at the demarc
that we control. The edge is relatively low-quality managed layer 2 switches
that we could turn off ports on if we needed to, but we have to know where
to look, first.

I'm looking for innovative ideas on how to find such a rogue device, ideally
as soon as it is plugged in to the network. With situation #2 we may be able
to detect NAT going on that should not be there. Situation #1 is much more
difficult, although I've seen some research material on how frames that
originate from 802.11 networks look different from regular Ethernet frames.
Installation of an advanced monitoring device at each site is not really
practical, but we may be able to run some software on a Windows PC in each
office. One idea put forth was checking for NTP traffic that was not going
to our authorized NTP server, but NTP isn't necessarily turned on by
default, especially on consumer-grade hardware.

Any ideas?

Thank you for your time,

Jonathan Rogers
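
The port-80 sweep suggested in the reply at the top of this message, as an added example that is not part of the original thread: it checks every address in one site's 10.100.x.0/24 for a TCP listener on port 80 and reports those missing from an inventory of known devices. The function names, the site number and the inventory addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def port_open(host, port=80, timeout=0.5):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def site_hosts(site_number):
    """Usable addresses of one remote site in the thread's 10.100.x.0/24 plan."""
    network = ipaddress.ip_network(f"10.100.{site_number}.0/24")
    return [str(address) for address in network.hosts()]


def unexpected_web_uis(targets, authorized, port=80, timeout=0.5, workers=64):
    """Return targets that listen on `port` but are not in the authorized set."""
    targets = [str(target) for target in targets]
    allowed = {str(address) for address in authorized}
    # Probe in parallel so a mostly empty /24 does not cost 254 serial timeouts.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_open(h, port, timeout), targets))
    listening = [host for host, is_open in zip(targets, results) if is_open]
    unknown = [host for host in listening if host not in allowed]
    return sorted(unknown, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Constructed inventory for hypothetical site 7: the demarc router and one
    # managed switch are expected to answer on port 80; anything else is a lead.
    authorized = {"10.100.7.1", "10.100.7.2"}
    for host in unexpected_web_uis(site_hosts(7), authorized):
        print(f"unlisted device with a web interface: {host}")
```

A hit is only a lead: printers and other embedded devices also answer on port 80, which is why the inventory does the filtering, and the address can then be traced to a switch port through the MAC address table.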





