Wired WAP Detection?

h.bradley
Level 1

My company had an incident recently. A 'user' installed a WAP at a remote area on a flat portion of our network. The WAP's DHCP server started handing out 192.168 IPs. This caused a great deal of chaos. Problem detection was compounded by the fact that the 'flat' area is made up of several small, daisy-chained sites connected via radio hops.

I've been tasked with finding a wired WAP detector to help us track down unauthorized installations much quicker. We are going to implement NAC eventually, but we need this tool in the interim. Any suggestions on what to use? Price is not much of a concern. TIA.

Hugh

6 Replies

gpulos
Level 8

Look into 'digital hotspotter' at http://www.canarywireless.com. (around $50)

This device is their next generation device and provides a wealth of information, not just if a wireless network is there and in which general direction.

This does not detect 802.11 5 GHz, nor will it work with 802.11n (is my understanding).

Also, you can search the net for 'wap detectors' to get a list of many other options.

robert.wright
Level 1

Along the same lines as what the previous gentleman stated, I often use NetStumbler or Kismet and do weekly/bi-weekly walk-throughs of my facility to attempt to detect any wireless rogue devices.

You can also utilize Cisco's Wireless LAN Solution Engine (WLSE) to track down and detect rogue devices; there are several other benefits you will gain when deploying this. While I have this available to me, I have yet to have the chance to 'play'.

Another vote for Kismet.

Kismet runs on Linux platforms, a good use for old slow PCs.

The advantage of Kismet (other than the price - FREE -) is that you can have multiple client stations report back to a master.

It works pretty well as a wireless IDS, and you get the benefit of ~real-time signal / noise / interference reports.

Kismet works pretty well. It takes a bit to get used to, but it's hard to beat, even with many commercial products.

If you want to try it without any serious commitment of hardware or time, it is on the Knoppix CD/DVD (Knoppix is a full Linux system on CD that will boot on almost any system without needing to do the usual installation to hard drive - it operates entirely from CD).

Just put the Knoppix CD in a decent laptop, boot from the CD, and read the MAN or INFO pages on kismet.

It also has a number of handy utilities useful for troubleshooting and system recovery.

Knoppix is available as an .iso from http://www.knoppix.org - the main site comes up in German, just click the flag of the preferred language.

FWIW

Scott

richkrissi
Level 1

If money is not an issue I would definitely recommend Cisco WLSE or a third party application called AirMagnet. These will proactively let you know when a rogue AP or ad-hoc connection is detected. To go a step further, protect not only your wireless network but your wired network as well, using a NAC app which is based on policy enforcement and will block traffic at the port level. See this link: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html Hope this helps.

Just to add to the Kismet recommendations, I have been looking into using Linksys WRT54G APs. They make cheap (~$50), small, low-power drones. I cannot vouch for how well it works, but couldn't hurt to try. There is good info about the wrt54g as a drone below:

http://www.renderlab.net/projects/wrt54g/

Also, I got the impression from your first post that you had a problem of the AP offering DHCP on the LAN. If I misunderstood, sorry. However, if this was the problem, you might want to consider DHCP snooping as described at the below link. The link is 6500 specific, but you can find similar docs for other platforms you might have. DHCP snooping can prevent rogue DHCP servers from taking over your network, and it gets rid of several attack vectors.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080435791.html

Oh, and another Linux boot CD to check out is BackTrack (formerly Auditor). It has a TON of security tools including sniffers and attack tools. I use this for penetration testing sometimes, as well as for Kismet surveys on laptops that do not have Linux installed. The site is:

http://www.remote-exploit.org/index.php/Main_Page

-Eric
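
An added example, not part of the thread or of any tool named in it: the incident in the first post (a rogue device answering DHCP with 192.168 leases) can be spotted from captured DHCP replies by checking the server identifier (option 54) of each OFFER/ACK against the known server. The authorized server address, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5            # values of option 53 (DHCP message type)
# Assumption: the site's one legitimate DHCP server (constructed address).
AUTHORIZED = {ipaddress.IPv4Address("10.0.0.5")}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP UDP payload into op, yiaddr and {option code: value}."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0], "options": {},
           "yiaddr": ipaddress.IPv4Address(payload[16:20])}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def rogue_server(payload: bytes, authorized=AUTHORIZED):
    """Return the server id of an OFFER/ACK from an unlisted server, else None."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(53, b"")
    server = msg["options"].get(54, b"")
    if msg["op"] != 2 or len(mtype) != 1 or mtype[0] not in (OFFER, ACK):
        return None              # not a server reply that hands out a lease
    if len(server) != 4:
        raise ValueError("reply without a valid server identifier")
    addr = ipaddress.IPv4Address(server)
    return None if addr in authorized else addr

def build_reply(mtype: int, yiaddr: str, server: str) -> bytes:
    """Constructed sample: minimal BOOTREPLY carrying options 53 and 54."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6   # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([53, 1, mtype, 54, 4]) + ipaddress.IPv4Address(server).packed
    return bytes(hdr) + MAGIC + opts + b"\xff"
```

In use, `rogue_server` would be fed the UDP payloads of replies seen on ports 67/68 in a packet capture taken at each site; DHCP snooping on the switches remains the control that actually blocks such replies.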

Thanks Eric, the DHCP snooping link is very worthwhile!

Regards,

Hugh
