Re: Detection of Rogue Access Points

[Jonathan Lassoff <jof () thejof com>]

On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers <quantumfoam () gmail com> wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to our network.

This is actually a really tough problem to solve without either total
dictatorial control of your switchports or lots of telemetry and
monitoring.

At $DAYJOB, we detect the transparent bridge case by having a subset
of AP hardware setup as "monitors" that listen to 802.11 frames on the
various channels, keeping a log of the client MAC addresses and the
BSSID that they're associated with.
Then, by selecting out only those client MAC addresses that are not
associated to a known BSSID that we control, we compare that set of
"unknown" client MAC addresses to the Ethernet L2 FIBs on our switches
and look for matches.

If we see entries, than there is some 802.11 device bridging clients
onto our network and we hunt it down from there.


I've yet to see a solid methodology for detecting NATing devices,
short of requiring 802.1x authentication using expiring keys and
one-time passwords. :p

Cheers,
jof