My company had an incident recently. A 'user' installed a WAP at a remote area on a flat portion of our network. The WAP's DHCP server started handing out 192.168 IPs. This caused a great deal of chaos. Problem detection was compounded by the fact that the 'flat' area is made up of several small, daisy-chained sites connected via radio hops.
I've been tasked with finding a wired WAP detector to help us track down unauthorized installations much quicker. We are going to implement NAC eventually, but we need this tool in the interim. Any suggestions on what to use? Price is not much of a concern. TIA.
Along the same lines as what the previous gentleman stated, I often use NetStumbler or Kismet and do weekly/bi-weekly walk-throughs of my facility to attempt to detect any wireless rogue devices.
You can also utilize Cisco's Wireless LAN Solution Engine (WLSE) to track down and detect rogue devices; there are several other benefits you will gain when deploying this. While I have this available to me, I have yet to have the chance to 'play'.
Kismet runs on Linux platforms, a good use for old slow PCs.
The advantage of Kismet (other than the price - FREE -) is that you can have multiple client stations report back to a master.
It works pretty well as a wireless IDS, and you get the benefit of ~real-time signal / noise / interference reports.
Kismet works pretty well. It takes a bit to get used to, but it's hard to beat, even with many commercial products.
If you want to try it without any serious commitment of hardware or time, it is on the Knoppix CD/DVD (Knoppix is a full Linux system on CD that will boot on almost any system without needing to do the usual installation to hard drive - it operates entirely from CD).
Just put the Knoppix CD in a decent laptop, boot from the CD, and read the MAN or INFO pages on kismet.
It also has a number of handy utilities useful for troubleshooting and system recovery.
Knoppix is available as an .iso from http://www.knoppix.org - the main site comes up in German, just click the flag of the preferred language.
If money is not an issue I would definitely recommend Cisco WLSE or a third party application called AirMagnet. These will proactively let you know when a rogue AP or ad-hoc connection is detected. To go a step further, protect not only your wireless network but your wired network as well, using a NAC app which is based on policy enforcement and will block traffic at the port level. See this link. http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html Hope this helps.
Just to add to the Kismet recommendations, I have been looking into using Linksys WRT54G APs. They make cheap (~$50), small, low-power drones. I cannot vouch for how well it works, but couldn't hurt to try. There is good info about the WRT54G as a drone below:
Also, I got the impression from your first post that you had a problem of the AP offering DHCP on the LAN. If I misunderstood, sorry. However, if this was the problem, you might want to consider DHCP snooping as described at the below link. The link is 6500 specific, but you can find similar docs for other platforms you might have. DHCP snooping can prevent rogue DHCP servers from taking over your network, and it gets rid of several attack vectors.
Oh, and another Linux boot CD to check out is BackTrack (formerly Auditor). It has a TON of security tools including sniffers and attack tools. I use this for penetration testing sometimes, as well as for Kismet surveys on laptops that do not have Linux installed. The site is:
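
Added example, not part of any post in this thread: a passive check for the rogue DHCP server described in the original question, complementing the DHCP snooping suggestion above. It parses DHCP payloads and flags server replies whose server identifier is not on an allowlist; the function names, the 10.20.x addresses and the sample packets are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only a server sends

def parse_dhcp(payload):
    """Return (msg_type, server_id, yiaddr) from a DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    yiaddr = ipaddress.IPv4Address(payload[16:20])     # address handed to the client
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                            # pad option: no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:             # DHCP message type
            msg_type = value[0]
        elif code == 54 and len(value) == 4:           # server identifier
            server_id = ipaddress.IPv4Address(value)
        i += 2 + length
    return msg_type, server_id, yiaddr

def find_rogue_servers(payloads, authorized):
    """List (server, type, offered address) for replies from unlisted servers."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    findings = []
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed is None:
            continue
        msg_type, server_id, yiaddr = parsed
        # A reply with no server identifier is also reported (server shows as None).
        if msg_type in SERVER_TYPES and server_id not in allowed:
            findings.append((str(server_id), SERVER_TYPES[msg_type], str(yiaddr)))
    return findings

def build_reply(msg_type, server, yiaddr):
    """Construct a minimal DHCP server reply (sample data for this example only)."""
    hdr = bytearray(236)
    hdr[0] = 2                                         # op = BOOTREPLY
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server).packed
    return bytes(hdr) + MAGIC + opts + b"\xff"

SAMPLES = [  # constructed packets; all addresses are made up
    build_reply(2, "10.20.0.5", "10.20.4.17"),         # assumed legitimate server
    build_reply(2, "192.168.1.1", "192.168.1.100"),    # consumer AP handing out 192.168
    build_reply(5, "192.168.1.1", "192.168.1.100"),
]
```

Feed it the UDP port 67/68 payloads from a capture taken on the affected segment; the server identifier it reports is the address to trace back to a switch port.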