Detection of Rogue Access Points

Jimmy Hess mysidia at gmail.com
Mon Oct 15 01:27:34 UTC 2012


On 10/14/12, Jonathan Lassoff <jof at thejof.com> wrote:
> I've yet to see a solid methodology for detecting NATing devices,
> short of requiring 802.1x authentication using expiring keys and
> one-time passwords. :p

Or implement network access protection, with IPsec between the hosts
and the resources on the LAN; the systems behind the rogue NAT device
won't be able to prove their identity, pass system health checks for
antimalware, and get the x509 certificates required to communicate
with hosts on the LAN...

Packet sniffer, and look for packets sourced from hosts on the LAN
with a TTL not matching the default TTL of OSes in use on the network.


Monitor ARP traffic. Start with the assumption that all devices are
NAT devices, or malicious/unauthorized devices. Use TCP probes, to
detect devices listening on common ports which can be identified as
OSes (e.g. Windows, printers, etc.), which are known hosts on the
network with a known user, or known purpose, and known to not be NAT
devices.

Delete known devices from the list of assumed rogue IP addresses.

All the remaining IPs have to be investigated, and get their MAC
address, hostname, and purpose documented.


Once MAC addresses of all _known_ hosts are documented and manually
verified, by process of elimination, you can detect any unknown IP
addresses/MAC addresses, which might be any kind of unauthorized
device.

A NAT device is one example...
another example of an unauthorized device could be an unauthorized
hardware keylogger/network backdoor, with unauthorized connectivity
to the LAN, and possible covert channels/backdoors/firewall bypasses.


> Cheers,
> jof
--
-JH
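
The TTL check suggested in the message above, sketched as an added example (not part of the original post): it parses Ethernet II / IPv4 frames captured on the local segment and reports on-LAN sources whose TTL is not one of the initial values expected for the OSes in use. The expected TTL set, the 192.0.2.0/24 subnet, the MAC addresses and the sample frames are all constructed assumptions.

```python
import struct
from collections import defaultdict

# Assumption: initial TTLs of the OSes deployed on this LAN
# (64 = Linux/macOS, 128 = Windows, 255 = some network gear).
EXPECTED_TTLS = {64, 128, 255}
LAN_PREFIX = "192.0.2."  # constructed example subnet

def parse_frame(frame):
    """Return (src_mac, src_ip, ttl) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in ip[12:16])
    return src_mac, src_ip, ip[8]  # byte 8 of the IPv4 header is the TTL

def suspicious_sources(frames):
    """Map (mac, ip) -> sorted unexpected TTLs seen from on-LAN sources."""
    seen = defaultdict(set)
    for f in frames:
        rec = parse_frame(f)
        if rec and rec[1].startswith(LAN_PREFIX) and rec[2] not in EXPECTED_TTLS:
            seen[(rec[0], rec[1])].add(rec[2])
    return {k: sorted(v) for k, v in seen.items()}

def make_frame(src_mac, src_ip, ttl):
    """Build a constructed sample frame (IP checksum left zero, not validated)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 1]))
    return eth + ip

SAMPLE = [
    make_frame("02:00:00:00:00:0a", "192.0.2.10", 128),   # Windows host, direct
    make_frame("02:00:00:00:00:0b", "192.0.2.11", 64),    # Linux host, direct
    make_frame("02:00:00:00:00:0c", "192.0.2.12", 127),   # Windows, one hop behind
    make_frame("02:00:00:00:00:0c", "192.0.2.12", 63),    # Linux, same device
    make_frame("02:00:00:00:00:0d", "198.51.100.5", 57),  # off-LAN source, ignored
]

if __name__ == "__main__":
    for (mac, ip), ttls in suspicious_sources(SAMPLE).items():
        print(f"{ip} ({mac}) unexpected TTLs {ttls}")
```

A single MAC/IP emitting TTLs one below two different OS defaults (63 and 127 here) indicates several hosts behind one forwarding device. A host with a tuned TTL, or a device that rewrites TTL on egress, will not be caught by this check alone, which is why the message pairs it with the ARP/MAC inventory.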
