Appliance To Detect Wireless APs

david.walsh · ‎01-18-2008

Hi,

I work in a company that doesn't permit wireless (I know, I know). Anyway, they would however like to be able to detect when an employee decides to put up an unsecured wireless device which may compromise our network by exposing it to external entities.

I've done some reviewing of software that'll detect rogue wireless devices, but I'm really looking for something like the following:

1. Appliance (i.e. don't have to invest in a server and all that crap).

2. Upon start up, the device will detect and advise of all known wireless signals in its vacinity.

3. Notification would be via email and continued email every so often (interval) until the new device is either acknowledged via some sort of web interface on the appliance.

4. The list of APs and their MACs would show up, so we could easily locate the device on the network by scanning the CAM table on switches.

Anyway, that's what I'm looking for. Nothing insanely complicated. Just something simple that'll sit there and detect WLANs.

Anyone ever heard of such an animal? Doesn't have to be Cisco (herasy, I know), but it could be too. I see that Cisco does seem to have such a product, but it looks like way more than we're really looking for.

Anyway, if you know of anything, please let me know. Or maybe I just gave someone a good idea for an invention.

Thanks,

Dave

jordanperks · ‎01-22-2008

I have been looking around and have not been able to find anything of the sort. I can however, make a few suggestions.

1. Fire up NetStumbler on your laptop and toss in a wireless card. Walk around and look for access points. (Unless you have lots of locations spread out and this isn't possible)

2. Enable port security on your switchports. Allow only one MAC so that if anything new is plugged into the port it will go into error disable state.

3. Shutdown all unused ports.

4. There is also no substitute for proper user training when it comes to security measures. Informing all of your users on the risks involved is a very good way of keeping wireless APs off of the network.

5. Cisco's wireless location server is a tremendous way of doing what you need to do, but the cost can be very prohibitive.

david.walsh · ‎01-22-2008

Thanks.

However, there are a number of problems with what you suggest:

1. The NetStumbler suggestion would require manual effort (i.e. moving around and checking periodically). Plus it's a lot of territory to cover.

2. Port security will work, but only if it's an AP. If it's a wirless router, it'll all be hidden behind the one MAC.

3. We already shutdown unused ports.

4. User training. Hmmm... good suggestion, but it's human nature to gravitate toward what's easiest for them.

5. Yep, the Cisco solution is $$.

Hmmm....maybe I have an invention here :-).

Thanks,

Dave

jordanperks · ‎01-22-2008

You set up port security with MAC address sticky so that the only MAC it will allow is the 1st one it sees. If you shutdown all unused ports then this will be the MAC of the PC that is 1st plugged into it. Unless the user has the forsight to plug the AP into power and configure it with a spoofed MAC before plugging it into the network you shouldn't have an issue. And even then, I believe that a Cisco switch will detect the spoofed MAC. I know my wireless system detects spoofed MACs.

david.walsh · ‎01-22-2008

Right, I understand what you're saying, but if it's a wireless router (i.e not an AP/hub), then it'll only present one MAC, right? If that's the case, port security won't do anything, correct?

Thanks,

Dave

jordanperks · ‎01-22-2008

Yes sir, with a wireless router it will present only one MAC address however, if you use the following command the port will go into error disable if any MAC is seen other than the very 1st MAC that was plugged into the port. If they unplug their PC and plug in the router, yes, the port will only see one MAC, but it will not be the MAC it knows and will shutdown the port.

Good port security documentation;

http://cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swtrafc.html#wp1038501

switchport port-security

switchport port-security maximum 1

switchport port-security violation shutdown

switchport port-security mac-address sticky (optional here to actually input the MAC or MACs that are allowed on the interface otherwise it will use the very 1st MAC it sees and shutdown the port if it ever sees a single different MAC)