Detection of Rogue Access Points

Mon Oct 15 15:12:30 UTC 2012

Well, quite frankly they have the tools they need. Our remote sites do not
have any devices that require wireless. They don't have company-issued
laptops, and personal laptops are not allowed. The policy is on the books
but it isn't my department to make sure people know about it and follow it.
Our end users at these branch offices are typically not very technically
inclined and have no idea what a security risk this is (especially
considering that we have EPHI on our network, although I can't really say
more in detail than that). The person who put in the WAP I discovered
doesn't even work for us any more.

Port-based security might work, but our edge switches are total garbage
(don't get me started, not in my control). I didn't find this WAP via
nmap...it didn't show up. I believe it probably didn't have a valid
management interface IP for some reason. We saw suspicious entries in the
router's ARP table and starting looking around the office from there.

--JR

On Mon, Oct 15, 2012 at 11:05 AM, <Valdis.Kletnieks at vt.edu> wrote:

> On Mon, 15 Oct 2012 13:11:00 +1100, Karl Auer said:
>
> > No-one has said this yet, so I will - why are people working around your
> > normal network policies? This is often a sign of something lacking that
> > people need in their daily work. You can often reduce this sort of
> > "innocent thievery" down to a manageable minimum simply by making sure
> > that people have the tools they need to work.
> >
> > Sometimes it's cheaper to give people what they want than to prevent
> > them taking it. Maybe at least consider that as an option.
>
> Amen to that - detecting rogue access points is one thing, but in order
> to make the users stop doing it, you're going to need either a sufficiently
> large carrot or a sufficiently large stick.  If you don't deploy at least
> one,
> the problem *will* keep recurring.
>