Detection of Rogue Access Points

Peter Phaal peter.phaal at gmail.com
Mon Oct 15 04:42:01 UTC 2012


Do the layer 2 switches include sFlow instrumentation?

http://sflow.org/products/network.php

The following paper describes how IP TTL values can help identify
unauthorized NAT devices.

http://www.sflow.org/detectNAT/

Peter

On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers <quantumfoam at gmail.com> wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to our network.
>
> 2. A consumer-grade wireless router that was plugged in and "just worked"
> because it got an address from DHCP and then handed out addresses on its
> own little network.
>
> These are at remote sites that are on their own subnets (10.100.x.0/24;
> about 130 of them so far). Each site has a decent Cisco router at the
> demarc that we control. The edge is relatively low-quality managed layer 2
> switches that we could turn off ports on if we needed to, but we have to
> know where to look, first.
>
> I'm looking for innovative ideas on how to find such a rogue device,
> ideally as soon as it is plugged in to the network. With situation #2 we
> may be able to detect NAT going on that should not be there. Situation #1
> is much more difficult, although I've seen some research material on how
> frames that originate from 802.11 networks look different from regular
> ethernet frames. Installation of an advanced monitoring device at each site
> is not really practical, but we may be able to run some software on a
> Windows PC in each office. One idea put forth was checking for NTP traffic
> that was not going to our authorized NTP server, but NTP isn't necessarily
> turned on by default, especially on consumer-grade hardware.
>
> Any ideas?
>
> Thank you for your time,
>
> Jonathan Rogers

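The TTL-based NAT check that Peter's sFlow link refers to, written out as an added example (Python, not code from either post or from the sFlow paper): it infers each source host's hop distance from sampled packet TTLs and flags hosts that look one or more hops further away than a directly attached machine should, or whose traffic shows mixed distances. The sample records and the 10.100.7.x addresses are constructed; it assumes samples are taken at the site's first-hop device, so local hosts show a hop distance of 0.

```python
from collections import defaultdict

# Common default initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows),
# 255 (much network gear), 32 (some older stacks).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(ttl):
    """Map an observed IPv4 TTL to (assumed initial TTL, routers traversed).

    The assumed initial value is the smallest common default >= ttl, so
    63 -> (64, 1) and 127 -> (128, 1).  A TTL of exactly a default means
    the packet has not crossed any router (hop distance 0)."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError("IPv4 TTL must be 0..255")


def nat_suspects(samples, expected_hops=0, min_samples=2):
    """samples: iterable of (src_ip, ttl) from packets sampled at the site
    switch or demarc router.  Layer 2 switches do not decrement TTL, so a
    host plugged straight into the LAN shows expected_hops (0 here).  A
    consumer router doing NAT decrements TTL once, so its clients appear
    one hop further away, while the router's own traffic (DHCP, NTP, ...)
    still appears at 0 hops: mixed distances behind one IP is a strong sign.
    Returns {ip: {"hops": sorted distances, "samples": count}} for suspects."""
    hops_by_ip = defaultdict(list)
    for ip, ttl in samples:
        _, hops = infer_hops(ttl)
        hops_by_ip[ip].append(hops)
    suspects = {}
    for ip, hops in hops_by_ip.items():
        distinct = sorted(set(hops))
        if len(hops) >= min_samples and (max(hops) > expected_hops or len(distinct) > 1):
            suspects[ip] = {"hops": distinct, "samples": len(hops)}
    return suspects


# Constructed sample records (src_ip, ttl) as an sFlow/NetFlow collector might hand over.
SAMPLES = [
    ("10.100.7.20", 128), ("10.100.7.20", 128),   # Windows PC, directly attached
    ("10.100.7.21", 64), ("10.100.7.21", 64),     # Linux host, directly attached
    ("10.100.7.99", 64),                          # rogue router's own traffic, 0 hops
    ("10.100.7.99", 127), ("10.100.7.99", 127),   # Windows clients NATed behind it
    ("10.100.7.99", 63),                          # Linux client NATed behind it
]

if __name__ == "__main__":
    for ip, info in nat_suspects(SAMPLES).items():
        print(f"{ip}: hop distances {info['hops']} over {info['samples']} samples")
```

A single odd packet (traceroute, a hand-set TTL) should not trigger an alert, hence the `min_samples` threshold; the port the flagged MAC/IP lives on is then the one to look at on the edge switch.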


More information about the NANOG mailing list