Do the layer 2 switches include sFlow instrumentation? http://sflow.org/products/network.php
The following paper describes how IP TTL values can help identify unauthorized NAT devices. http://www.sflow.org/detectNAT/

Peter

On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers <quantumf...@gmail.com> wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to our network.
>
> 2. A consumer-grade wireless router that was plugged in and "just worked"
> because it got an address from DHCP and then handed out addresses on its
> own little network.
>
> These are at remote sites that are on their own subnets (10.100.x.0/24;
> about 130 of them so far). Each site has a decent Cisco router at the
> demarc that we control. The edge is relatively low-quality managed layer 2
> switches that we could turn off ports on if we needed to, but we have to
> know where to look, first.
>
> I'm looking for innovative ideas on how to find such a rogue device,
> ideally as soon as it is plugged in to the network. With situation #2 we
> may be able to detect NAT going on that should not be there. Situation #1
> is much more difficult, although I've seen some research material on how
> frames that originate from 802.11 networks look different from regular
> ethernet frames. Installation of an advanced monitoring device at each site
> is not really practical, but we may be able to run some software on a
> Windows PC in each office. One idea put forth was checking for NTP traffic
> that was not going to our authorized NTP server, but NTP isn't necessarily
> turned on by default, especially on consumer-grade hardware.
>
> Any ideas?
>
> Thank you for your time,
>
> Jonathan Rogers
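As an added illustration of the TTL idea Peter points to (this is not code from either message or from the sFlow paper), the script below takes constructed (source IP, TTL) pairs, as one might extract from sFlow packet samples taken on the LAN side of a site router, and flags sources whose TTL is one below a common OS initial value, or that show several OS fingerprints behind one address. The subnet, sample values and the `analyze` function are assumptions for the example.

```python
"""Flag hosts on an access subnet whose packets look like they crossed an
extra router (e.g. a consumer NAT box) by checking sampled IP TTLs."""
from collections import defaultdict

# Common OS initial TTLs; a packet that crossed one extra hop arrives one lower.
INITIAL_TTLS = (64, 128, 255)


def hops_from_initial(ttl):
    """Return (assumed_initial_ttl, hops) using the nearest initial value >= ttl."""
    initial = min(i for i in INITIAL_TTLS if i >= ttl)
    return initial, initial - ttl


def analyze(samples, max_expected_hops=0):
    """samples: iterable of (src_ip, ttl) observed on the site's LAN side,
    before the site router decrements anything, so hosts plugged directly
    into the switch should show hops == 0. Returns {ip: set(reasons)}."""
    seen = defaultdict(lambda: defaultdict(int))  # ip -> (initial, hops) -> count
    for ip, ttl in samples:
        seen[ip][hops_from_initial(ttl)] += 1
    findings = {}
    for ip, buckets in seen.items():
        reasons = set()
        # TTL already decremented: something routed this packet before the switch.
        if any(hops > max_expected_hops for (_, hops) in buckets):
            reasons.add("ttl_decremented")
        # Several OS initial TTLs from one address: several hosts sharing it (NAT).
        if len({initial for (initial, _) in buckets}) > 1:
            reasons.add("mixed_os_fingerprints")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample (hypothetical site 10.100.7.0/24), not real captured data.
SAMPLES = [
    ("10.100.7.20", 128), ("10.100.7.20", 128),   # Windows PC, directly attached
    ("10.100.7.31", 64),                          # Linux-based printer, directly attached
    ("10.100.7.77", 63), ("10.100.7.77", 127),    # one address, two OSes, one hop away
    ("10.100.7.77", 63),
    ("10.100.7.90", 254),                         # network gear one hop away
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLES).items()):
        print(ip, sorted(reasons))
```

Hosts with unusual initial TTLs (some embedded devices) will map to a larger `hops` value and show up as false positives, so treat a single `ttl_decremented` hit as a lead to check against the switch's MAC table, not as proof of a rogue router.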