Re: Detection of Rogue Access Points

On 18/10/12 15:12, Joe Hamelin wrote: On Thu, Oct 18, 2012 at 7:00 AM, Jonathan Rogers wrote: I like the idea of looking at the ARP table periodically, but this presents some possible issues for us. Is it just WAPs that you are worried about or any rouge device at the remote sites? If you'

Re: Detection of Rogue Access Points

Nevermind, it appears SNMP is turned off on our routers and I do not have control over that. I can at least present this as a possible option to the person that does. Thank you very much for your suggestions, everyone. I'm so glad I joined this list; I've learned so much and it's great to talk to p

Re: Detection of Rogue Access Points

Raymond Burkholder (ray) writes: > > NetDisco knows how to scan networks for mac addresses, arp addresses, ip > addresses, etc. It keeps track of deltas. It may have be able to email > deltas or something similar.Or run a query against the database, as I > seem to recall it seems to hold his

Re: Detection of Rogue Access Points

On Thu, Oct 18, 2012 at 7:00 AM, Jonathan Rogers wrote: > I like the idea of looking at the ARP table periodically, but this presents > some possible issues for us. The edge routers at our remote sites are Cisco > 1841 devices, typically with either an MPLS T1 or a Public T1 (connected > via an IA

Re: Detection of Rogue Access Points

I, uh...don't actually know how to do that. I've not done very much with SNMP other than working with power management devices. If someone could direct me to a good tutorial, that would be much appreciated. --JR On Thu, Oct 18, 2012 at 12:31 PM, Chris Boot wrote: > On 18/10/12 15:12, Joe Hameli

Re: Detection of Rogue Access Points

On Thu, Oct 18, 2012 at 7:00 AM, Jonathan Rogers wrote: > I like the idea of looking at the ARP table periodically, but this presents > some possible issues for us. Is it just WAPs that you are worried about or any rouge device at the remote sites? If you're doing medical data then I would th

RE: Detection of Rogue Access Points

> I like the idea of looking at the ARP table periodically, but this presents > some possible issues for us. The edge routers at our remote sites are Cisco > 1841 devices, typically with either an MPLS T1 or a Public T1 (connected > via an IAD owned by Centurylink; router to router, so dumb). Aside

Re: Detection of Rogue Access Points

I like the idea of looking at the ARP table periodically, but this presents some possible issues for us. The edge routers at our remote sites are Cisco 1841 devices, typically with either an MPLS T1 or a Public T1 (connected via an IAD owned by Centurylink; router to router, so dumb). Aside from ma

Re: Detection of Rogue Access Points

Some very good points were made in the thread. I've dealt with this problem a few times. I'll admit, the only perfect solution I've found is to install a Internet-only (its own router interface or VLAN, firewalled off from everything else) AP for people to use because, frankly, consumer-grade A

Re: Detection of Rogue Access Points

On Sun, 14 Oct 2012 16:59:12 -0400 Jonathan Rogers wrote: > I'm looking for innovative ideas on how to find such a rogue device, Here is an old post that describes some techniques, while date, should still be at least partially effective and help form part of a more comprehensive solution:

Re: Detection of Rogue Access Points

On 10/14/12, Karl Auer wrote: > No-one has said this yet, so I will - why are people working around your > normal network policies? This is often a sign of something lacking that > people need in their daily work. You can often reduce this sort of While that's no reason to stop looking for rogues.

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 04:31:34PM -0700, Joe Hamelin wrote: > I think it would be cheaper to have a script written that would grab the > ARP table of each site and then compare to what is known. Kind of an ARP > tripwire. Netdisco does this, and more (reports on ports which have more than 1 MAC

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 09:00:56AM -0700, Joe Hamelin wrote: > On Mon, Oct 15, 2012 at 8:54 AM, Roy wrote: > > Why not give them wireless Internet access only? That will keep all the > > smartphone users happy. > Maybe because he has 130 sites and 130 truck rolls is not cheap. Also > company pol

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 8:44 PM, George Herbert wrote: > This solution - the "don't care" solution - almost fails the > negligence test for certain security regimes including PCI (credit > cards) and possibly SOX for retail data locations (and HIPPA for > hospitals / medical locations, etc). > Of

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 4:06 PM, Sean Harlow wrote: > On Mon, Oct 15, 2012 at 12:00 PM, Joe Hamelin wrote: > >> >> Maybe because he has 130 sites and 130 truck rolls is not cheap. Also >> company policy says no. >> >> > You are correct that deploying to a number of sites isn't cheap, but the > a

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 7:31 PM, Joe Hamelin wrote: > Jonathan stated that they have health data on the network and only company > issued devices are allowed. I would suggest to him that he inventory the > equipment via MAC address (I'm guessing that it's mostly standard issue > stuff that would

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 4:06 PM, Sean Harlow wrote: > > You are correct that deploying to a number of sites isn't cheap, but the > actual relevant question is how does this cost compare to the cost of the > original request to detect these things. In this case almost all forms of > detection/pre

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 12:00 PM, Joe Hamelin wrote: > > Maybe because he has 130 sites and 130 truck rolls is not cheap. Also > company policy says no. > > You are correct that deploying to a number of sites isn't cheap, but the actual relevant question is how does this cost compare to the cost

Re: Detection of Rogue Access Points

On Mon, Oct 15, 2012 at 8:54 AM, Roy wrote: > > > Why not give them wireless Internet access only? That will keep all the > smartphone users happy. > > Maybe because he has 130 sites and 130 truck rolls is not cheap. Also company policy says no. -- Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474

Re: Detection of Rogue Access Points

Why not give them wireless Internet access only? That will keep all the smartphone users happy. On 10/15/2012 8:12 AM, Jonathan Rogers wrote: Well, quite frankly they have the tools they need. Our remote sites do not have any devices that require wireless. They don't have company-issued l

Re: Detection of Rogue Access Points

Well, quite frankly they have the tools they need. Our remote sites do not have any devices that require wireless. They don't have company-issued laptops, and personal laptops are not allowed. The policy is on the books but it isn't my department to make sure people know about it and follow it. Our

Re: Detection of Rogue Access Points

On Mon, 15 Oct 2012 13:11:00 +1100, Karl Auer said: > No-one has said this yet, so I will - why are people working around your > normal network policies? This is often a sign of something lacking that > people need in their daily work. You can often reduce this sort of > "innocent thievery" down t

Re: Detection of Rogue Access Points

How about some of the free network auditing tools like nmap even Spiceworks to detect the devices on your network? Martin On Sunday, 14 October 2012, Jonathan Rogers wrote: > Gentlemen, > > An issue has come up in my organization recently with rogue access points. > So far it has manifested itse

Re: Detection of Rogue Access Points

Do the layer 2 switches include sFlow instrumentation? http://sflow.org/products/network.php The following paper describes how IP TTL values can help identify unauthorized NAT devices. http://www.sflow.org/detectNAT/ Peter On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote: > Gentlemen, >

Re: Detection of Rogue Access Points

On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote: > Gentlemen, > > An issue has come up in my organization recently with rogue access points. > So far it has manifested itself two ways: > > 1. A WAP that was set up specifically to be transparent and provided > unprotected wireless access to

Re: Detection of Rogue Access Points

On 10/14/2012 1:59 PM, Jonathan Rogers wrote: Gentlemen, > > An issue has come up in my organization recently with rogue access > points. So far it has manifested itself two ways: > > 1. A WAP that was set up specifically to be transparent and provided > unprotected wireless access to our networ

Re: Detection of Rogue Access Points

On Sun, 2012-10-14 at 16:59 -0400, Jonathan Rogers wrote: > An issue has come up in my organization recently with > rogue access points. No-one has said this yet, so I will - why are people working around your normal network policies? This is often a sign of something lacking that people need in t

Re: Detection of Rogue Access Points

SSL throughout the network, with access control enforced using certificates is certainly a good idea. But most of the problem you face is metrics and inventory control of authorized devices. Commercial WIPS gear does a lot of this heavy lifting without your having to script it all yourself. On M

Re: Detection of Rogue Access Points

On 10/14/12, Jonathan Lassoff wrote: > I've yet to see a solid methodology for detecting NATing devices, > short of requiring 802.1x authentication using expiring keys and > one-time passwords. :p Or implement network access protection, w IPsec between the hosts and the resources on the LAN;

Re: Detection of Rogue Access Points

restricting the number of mac addresses per switch port to one for your dhcp pool too, though more than one ap clones mac addresses. and make it unpopulr for the usual use cases by firewalling off stuff like dropbox, siri and icloud. there is of course commercial wips gear like this .. http://www

Re: Detection of Rogue Access Points

On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote: > Gentlemen, > > An issue has come up in my organization recently with rogue access points. > So far it has manifested itself two ways: > > 1. A WAP that was set up specifically to be transparent and provided > unprotected wireless access to

RE: Detection of Rogue Access Points

Scan the local network from the local network. From: Aaron C. de Bruyn [mailto:aa...@heyaaron.com] Sent: Sunday, October 14, 2012 5:44 PM To: Kenneth M. Chipps Ph.D. Cc: nanog@nanog.org Subject: Re: Detection of Rogue Access Points On Sun, Oct 14, 2012 at 3:27 PM, Kenneth M. Chipps Ph.D

Re: Detection of Rogue Access Points

On Sun, Oct 14, 2012 at 3:27 PM, Kenneth M. Chipps Ph.D. wrote: > Scan for devices with open port 80 as these are managed by a GUI. > That'd be tough if they plug the WAN port into your network and remote access isn't enabled. -A

RE: Detection of Rogue Access Points

Scan for devices with open port 80 as these are managed by a GUI. -Original Message- From: Jonathan Rogers [mailto:quantumf...@gmail.com] Sent: Sunday, October 14, 2012 3:59 PM To: nanog@nanog.org Subject: Detection of Rogue Access Points Gentlemen, An issue has come up in my

Re: Detection of Rogue Access Points

On 2012-10-14, at 14:56 PM, Matthias Waehlisch wrote: > do you mean http://conferences.sigcomm.org/imc/2007/papers/imc122.pdf > ? That's the one!

Re: Detection of Rogue Access Points

On Sun, 14 Oct 2012, Lyndon Nerenberg wrote: > There was a SIGCOMM paper a few years back that described a scheme > based on measuring the the ACK delays of TCP sessions. In a nutshell, > you can detect nodes on the wireless network by looking for the extra > delay added by the radio link. It

RE: Detection of Rogue Access Points

://www.rapidsys.com "Building Better Infrastructure"  -Original Message- From: Jonathan Rogers [mailto:quantumf...@gmail.com] Sent: Sunday, October 14, 2012 5:34 PM To: Tom Morris; nanog@nanog.org Subject: Re: Detection of Rogue Access Points I should probably mention

Re: Detection of Rogue Access Points

> I'm looking for innovative ideas on how to find such a rogue device, > ideally as soon as it is plugged in to the network. There was a SIGCOMM paper a few years back that described a scheme based on measuring the the ACK delays of TCP sessions. In a nutshell, you can detect nodes on the wirele

Re: Detection of Rogue Access Points

I should probably mention that we do not have any legitimate wireless devices at these locations. I realize that this complicates matters. The most recent one we found was found exactly like Joe suggested; we were looking at an ARP table for other reasons and found suspicious things (smartphones).

Re: Detection of Rogue Access Points

-- Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474 On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote: > Gentlemen, > > > I'm looking for innovative ideas on how to find such a rogue device, > Check ARP tables for MAC address of wireless devices (first few nybbles show manufacturer.) Or for

Detection of Rogue Access Points

Gentlemen, An issue has come up in my organization recently with rogue access points. So far it has manifested itself two ways: 1. A WAP that was set up specifically to be transparent and provided unprotected wireless access to our network. 2. A consumer-grade wireless router that was plugged in