IDS mailing list archives
RE: Wired detection of rogue access points
From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Wed, 28 Mar 2007 11:55:51 -0500
Why is everyone concentrating on MAC filtering..... MAC filters are just a front line first wave deterrent. Yeah anyone can go download sirMacsalot and spoof their MAC easily. The key is that wireless equipment should not be trustedI placed mine outside the firewall, so users must use the VPN to get in, because I trust Firewall/VPN equipment 1000 times more than any wireless equipment -----Original Message----- From: Adam Powers [mailto:apowers () lancope com] Sent: Wednesday, March 28, 2007 9:41 AM To: tim_holman () hotmail com; Adam Graham; listbounce () securityfocus com; Focus-Ids@Securityfocus. Com Subject: Re: Wired detection of rogue access points "Filtering by MAC gives you no additional security whatsoever, period" Meh, this is simply not true. My home AP might is plenty secure from my SOHO technology noob neighbors with MAC filtering - few, if any, of them even know what an "AP" is much less "MAC spoofing". Having said that filtering technologies such as MAC filtering are far too difficult to manage given the relatively small security return provided and as such should be avoided given the fact that other superior authentication and access control mechanisms exist. On 3/26/07 7:24 PM, "tim_holman () hotmail com" <tim_holman () hotmail com> wrote:
Filtering by MAC gives you no additional security whatsoever, period. MAC addresses can be easily spoofed and although your solution may assist in spotting misconfigurations a determined intruder will get straight
through....
Sent from my BlackBerryR wireless device -----Original Message----- From: "Adam Graham" <agraham () datastreamcowboys net> Date: Mon, 26 Mar 2007 15:52:21 To:<focus-ids () securityfocus com> Subject: RE: Wired detection of rogue access points First off is it even possible to buy a laptop that does not have wifi
built
in? I have set up an automated scan looking for MACs. If the MAC does not
appear
on my list I drop its packets in the IPTabes FW. It's rather simple to do. The main thing I do that seems to work the best is the APs are un-trusted and therefore stuck out in the DMZ. Before one can get to network
resources
they need to open the VPN client after connecting to the AP. A simple way to handle MACs with IPTables (NOTE: simple rule if you need more instruction I can send it to you or just the complete iptable
script):
Let's create 2 text files:
/tmp/whiteist
/tmp/blackist
Insert into whiteist 00:06:25:2E:56:A0
Insert into blackist 00:06:25:2E:56:E1
Add following to your IPTabes script
TABLES = "filter nat mangle"
iptables = /sbin/iptables
touch /tmp/whiteist
touch /tmp/blackist
WHITELIST = `cat /tmp/whiteist | awk '{print $1}'
BLACKLIST = `cat /tmp/blackist | awk '{print $1}'
# Forward good MACs
$iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT
# mark all packets from the good macs
for MAC in $WHITELIST ; do
$iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK
--set-mark 0x42
done
# drop all packets from the good macs
for MAC in $BLACKLIST ; do
$iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
done
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in tr
o_sfw to learn more. ------------------------------------------------------------------------
-- Adam Powers Chief Technology Officer Lancope, Inc. c. 678.725.1028 e. adam () lancope com __________ NOD32 2148 (20070327) Information __________ This message was checked by NOD32 antivirus system. http://www.eset.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Wired detection of rogue access points, (continued)
- Re: Wired detection of rogue access points krymson (Mar 19)
- Re: Wired detection of rogue access points Chris Waters (Mar 21)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- RE: Wired detection of rogue access points Waters, Chris (Mar 22)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- Re: Wired detection of rogue access points krymson (Mar 26)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points Eric Hacker (Mar 26)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points jay.tomas (Mar 27)
- Re: Wired detection of rogue access points Adam Powers (Mar 29)
- Re: Wired detection of rogue access points tim_holman (Mar 29)
- RE: Wired detection of rogue access points Adam Graham (Mar 29)
- Re: Wired detection of rogue access points Eric Hacker (Mar 30)
- RE: Wired detection of rogue access points Adam Graham (Mar 30)