Detection of Rogue Access Points

Joe Hamelin joe at nethead.com
Mon Oct 15 23:31:34 UTC 2012


On Mon, Oct 15, 2012 at 4:06 PM, Sean Harlow <sean at seanharlow.info> wrote:

>
> You are correct that deploying to a number of sites isn't cheap, but the
> actual relevant question is how does this cost compare to the cost of the
> original request to detect these things.  In this case almost all forms of
> detection/prevention except possibly looking at TTL will require new
> equipment to be deployed at the site(s) anyways based on the information we
> have, negating much of the extra cost.  Any active detection on the RF side
> of things is generally done using WAPs in a managed network or standalone
> devices that are pretty much repurposed WAP hardware anyways, but cost a
> lot more.
>
>
I think it would be cheaper to have a script written that would grab the
ARP table of each site and then compare to what is known.  Kind of an ARP
tripwire.  Sure you'll have to take the time with early runs to hunt down
non-company owned MACs but that is going to be a lot cheaper than managing
a 130 site roll-out.  Even if you did put RF monitoring equipment in each
site you would still have to monitor and manage it.  Either way, you'll be
getting a current inventory of devices.  From what I read, he wants to
detect non-company equipment on his network.  It's just WiFi that is the
main problem.   Even just watching the DHCP leases, which I assume the
little Cisco router is providing, will catch most of the rouge devices.

Get someone that knows networking and perl on the task for a month.  If
they don't have the local talent there are a lot of people that would love
to take the contract, considering most of it could be done remotely.

Jonathan stated that they have health data on the network and only company
issued devices are allowed.  I would suggest to him that he inventory the
equipment via MAC address (I'm guessing that it's mostly standard issue
stuff that would be easy to recognize) and then lock down unused ports and
setup up monitoring. If a new MAC appears on the network, then it better
have been sent there by IT.

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474


More information about the NANOG mailing list