I work in a company that doesn't permit wireless (I know, I know). Anyway, they would, however, like to be able to detect when an employee decides to put up an unsecured wireless device which may compromise our network by exposing it to external entities.
I've done some reviewing of software that'll detect rogue wireless devices, but I'm really looking for something like the following:
1. Appliance (i.e. don't have to invest in a server and all that crap).
2. Upon start-up, the device will detect and advise of all known wireless signals in its vicinity.
3. Notification would be via email, and continued email every so often (interval) until the new device is acknowledged via some sort of web interface on the appliance.
4. The list of APs and their MACs would show up, so we could easily locate the device on the network by scanning the CAM table on switches.
Anyway, that's what I'm looking for. Nothing insanely complicated. Just something simple that'll sit there and detect WLANs.
Anyone ever heard of such an animal? Doesn't have to be Cisco (heresy, I know), but it could be too. I see that Cisco does seem to have such a product, but it looks like way more than we're really looking for.
Anyway, if you know of anything, please let me know. Or maybe I just gave someone a good idea for an invention.
I have been looking around and have not been able to find anything of the sort. I can however, make a few suggestions.
1. Fire up NetStumbler on your laptop and toss in a wireless card. Walk around and look for access points. (Unless you have lots of locations spread out and this isn't possible.)
2. Enable port security on your switchports. Allow only one MAC so that if anything new is plugged into the port it will go into error disable state.
3. Shutdown all unused ports.
4. There is also no substitute for proper user training when it comes to security measures. Informing all of your users on the risks involved is a very good way of keeping wireless APs off of the network.
5. Cisco's wireless location server is a tremendous way of doing what you need to do, but the cost can be very prohibitive.
You set up port security with MAC address sticky so that the only MAC it will allow is the first one it sees. If you shut down all unused ports, then this will be the MAC of the PC that is first plugged into it. Unless the user has the foresight to plug the AP into power and configure it with a spoofed MAC before plugging it into the network, you shouldn't have an issue. And even then, I believe that a Cisco switch will detect the spoofed MAC. I know my wireless system detects spoofed MACs.
Yes sir, with a wireless router it will present only one MAC address; however, if you use the following command, the port will go into error-disable if any MAC is seen other than the very first MAC that was plugged into the port. If they unplug their PC and plug in the router, yes, the port will only see one MAC, but it will not be the MAC it knows, and it will shut down the port.
switchport port-security mac-address sticky (optional here to actually input the MAC or MACs that are allowed on the interface; otherwise it will use the very first MAC it sees and shut down the port if it ever sees a single different MAC)
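Putting the replies above together (shut down unused ports, one sticky MAC per in-use port, err-disable on violation, then find the offending MAC in the CAM table as the question's item 4 asks), here is an added Cisco IOS configuration example. It is not from anyone in this thread; the interface ranges, VLAN numbers and the sample MAC in the show commands are assumptions for illustration.

```cisco
! Added example, not from the thread. Interface ranges and VLANs are assumed.
!
! Reply item 3: shut down every unused access port and park it in a dead VLAN.
interface range GigabitEthernet1/0/30 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Reply item 2 plus the sticky follow-ups: learn the first source MAC seen,
! allow only that one, and err-disable the port on any other source MAC.
! "violation shutdown" is the default, written out here so the intent is visible.
interface range GigabitEthernet1/0/1 - 29
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Optional: recover err-disabled ports automatically after 10 minutes.
! Leave this out if you want a human to look at the port before it comes back.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Sticky addresses are learned into running-config only; save them or they
! are lost on reload and the next device to be plugged in becomes "the" MAC.
! copy running-config startup-config
!
! Verification and locating a rogue AP's wired MAC (question item 4).
! The address below is a placeholder, not a real device:
! show port-security
! show port-security address
! show port-security interface GigabitEthernet1/0/5
! show interfaces status err-disabled
! show mac address-table address 0011.2233.4455
```

Two caveats worth knowing before relying on this. First, port security compares only the source MAC of frames arriving on the port, so a router that has been configured to clone the learned MAC is accepted; the cloned-MAC case is not something this configuration detects on its own. Second, the behaviour depends on how the rogue device is wired in: a wireless router doing NAT presents a single MAC, so it is caught only because that MAC differs from the sticky one, whereas a device in bridge/AP mode with the PC still behind it presents two or more MACs and trips the `maximum 1` limit as well.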
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a Powershell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
Powershell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...