An Idea for Hunting Down Rogue WAPs

By Michael Hall | Jun 4, 2004
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3364001/An-Idea-for-Hunting-Down-Rogue-WAPs.htm

Last Friday we noted an AP report about the problems with security on wireless networks. The report concentrated on the booming consumer/home user demand for Wi-Fi networking, and provoked a strong sense of déjà vu: It seems home users are repeating many of the mistakes businesses were making just a few years ago, leaving access points open to the world and contenting themselves with "just getting ping" before calling it a day.

The problems with that for enterprise networkers, as we noted last week, are these: Consumer-grade Wi-Fi hardware makes security tough, but it's becoming so cheap and simple to drop a wireless access point onto a network that formerly secure networks face a threat from within the perimeter now. It's a tough problem to solve. So we were pleased to get a letter this week describing how network engineers at Intel dealt with the problem. It comes from Michael Burton, an Intel employee in its IT Automated Network Management Services.

Michael writes:

Just read your wireless security news break...

Wireless hunting solutions geared to capture rogue APs are generally difficult to deploy, requiring, for example, an actual person to walk around with a wireless Palm looking for rogue ESSIDs and locating by signal strength. And imagine in a sea of cubes how easy it would be to hide.

To be useful, each wireless AP still needs to plug into a wired layer 2 device. Some smart IT engineers devised an old-school solution to this next-generation problem: MAC address tracking.

Using a combination of CiscoWorks and VitalNet, we are able to associate every MAC address in our network to a specific switched port. Each wireless AP company uses a subset of their vendor-allocated space (or the Organizationally Unique Identifier, OUI). The engineers wrote some Perl programs that maintain an "unauthorized," "cleared," and "unknown" database. The unknown database has the OUIs of invalid vendors. The cleared database has a list of the non-standard but registered full MAC addresses, and the unknown database is a final catchall.

Once a night, the program (called Rogueseeker) looks at the full table, ignores cleared entries, and reports port location for unauthorized entries. If something is not found, it is stored in the unauthorized database and spat out in a weekly report.

It's a bit of a kludge solution, but it gets the job done, automated, and uses a hell of a lot fewer resources than the "IT Police" using wireless handhelds.

The script itself is Intel property, so we can't share it with our readers, but the idea behind it isn't beyond the capabilities of a reasonably experienced Perl programmer. Perhaps a reader can take the idea and run with it.
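A reader taking the idea up in Python rather than Perl might start from the classifier below. It is an added example, not Intel's Rogueseeker or anything from the letter: the vendor OUIs, switch names and MAC-to-port table are constructed placeholders, the "cleared" list is a set of full MACs, and the weekly report is simply a listing of whatever has accumulated in `unauthorized_db`.

```python
# Constructed placeholder OUIs (first three octets); load real ones from the IEEE registry.
AP_VENDOR_OUIS = {"00:11:22", "00:33:44"}   # vendors that sell wireless APs
APPROVED_OUIS = {"00:aa:bb", "00:cc:dd"}    # the site's standard NIC/switch vendors

def normalize_mac(mac: str) -> str:
    """Lower-case colon form, so '0011.2233.4455' and '00-11-22-33-44-55' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac: str, cleared: set) -> str:
    """Cleared full MAC beats its OUI; AP-vendor OUI -> unauthorized; approved -> standard."""
    mac = normalize_mac(mac)
    if mac in cleared:
        return "cleared"
    if mac[:8] in AP_VENDOR_OUIS:
        return "unauthorized"
    if mac[:8] in APPROVED_OUIS:
        return "standard"
    return "unknown"            # the final catch-all for OUIs in no list

def nightly_run(port_table, cleared, unauthorized_db, today):
    """Walk (switch, port, mac) rows from a MAC-to-port export; return report lines
    for AP-vendor MACs and record every non-cleared, non-standard MAC in the db."""
    report = []
    for switch, port, raw_mac in port_table:
        mac = normalize_mac(raw_mac)
        verdict = classify(mac, cleared)
        if verdict in ("cleared", "standard"):
            continue
        entry = unauthorized_db.setdefault(mac, {"class": verdict, "first_seen": today})
        entry["last_seen"], entry["where"] = today, f"{switch} port {port}"
        if verdict == "unauthorized":
            report.append(f"{mac} (AP-vendor OUI) on {switch} port {port}")
    return report

SAMPLE_PORT_TABLE = [  # constructed sample export, not real data
    ("sw-bldg3-1", "Gi1/0/7", "00-AA-BB-01-02-03"),   # standard desktop NIC
    ("sw-bldg3-1", "Gi1/0/12", "0011.2233.4455"),      # AP-vendor OUI, not cleared
    ("sw-bldg3-2", "Gi1/0/3", "00:11:22:99:88:77"),    # AP-vendor OUI, sanctioned
    ("sw-bldg3-2", "Gi1/0/21", "00:de:ad:be:ef:01"),   # OUI in no list
]
CLEARED_MACS = {"00:11:22:99:88:77"}

def run_sample():
    db = {}
    return nightly_run(SAMPLE_PORT_TABLE, CLEARED_MACS, db, "2004-06-04"), db
```

The nightly report names only the AP-vendor hit and its switch port; the unknown address sits in the database until someone clears it or it shows up in the weekly listing.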

Elsewhere:

» Speaking of Wi-Fi security, Linksys has announced a new product, Linksys Wireless Guard. Wi-Fi Planet reports it "provides a hosted RADIUS server so end users can utilize RADIUS-based 802.1X authentication to get secure access to their network -- no extra RADIUS server is needed on site."

» If you're "the network dude" (or dudette) for a small business, EmergeCore's IT-500 might look interesting: It handles filesharing, CRM, firewalling, VPN, anti-spam/virus, wireless LAN, Web serving, and several other functions in a single box for $2,300.

The reviewer says "the IT-500 packs a lot of value for the price, and offers small business owners networking capabilities that are generally reserved for big companies with big budgets not to mention a big IT department. If the lack of IT support has kept you from expanding your network capabilities, the IT-500 might just be what you're looking for."

The Week in Network News

» Tuesday: Network News Break: No WLAN On Your Nets? Wi-Fi Security's Still a Concern

Even if you don't even have a WLAN operating on your nets, the combination of cheap, consumer-friendly Wi-Fi gear and lousy security interfaces can cause problems. Also: AT&T says it can see DDoS attacks from a mile off, Intel releases Centrino drivers for Linux, and anti-virus vendors report there are still viruses in the world.

» Wednesday: Security Drives Cisco's Self-Defending Bottom Line

The razor business is about razor blades, and the router business, apparently, is now about services: Cisco's unveiled a new price structure for the previously no-cost Firewall Services Module. Also: A popular piece of wireless gear from Linksys is sporting a moderately severe security hole, Google's updating its search appliance, and Nortel says VoIP and 3G are driving sales higher than expected.

» Thursday: WiMax: How Far Ahead of the Curve is Too Far?

Alvarion's pushing a WiMax implementation out the door to a lot of fanfare, but the standard's not soup, and that raises some questions. Also: There's a keylogging worm to look out for, is Microsoft's patch policy to blame? And Sun pushes ahead on identity management, despite gloomy early predictions.

The Week in CrossNodes

» Simple Configuration Tips Put Squid on the Menu

If you need to get a handle on your bandwidth with Web caching, but several thousand lines of configuration files make you queasy, here's a step-by-step guide to making Squid more appetizing.

» Three LDAP Browsers for the Asking

Getting your information in a directory is just half the battle: The other half is finding it. Here are three LDAP browsers, free of charge and up to the task of digging through your data.

» FaceTime Makes IM as Safe as Talking Face-to-Face

With IM use at critical mass and growing, security and privacy challenges abound. FaceTime's enterprise-grade server suite monitors, archives, and analyzes IM traffic for thousands of users without requiring thousands of admin hours.

» Scripting Clinic: Dissecting a Live Python... Script

By examining a working script line by line, this edition of the Scripting Clinic shows you how to put your own scripts together and exposes a few Python quirks along the way.

» Pack-Rats by Law: A Message Archiving Primer

With the Sarbanes-Oxley Act, messaging archives have gone from a voluntary tic among pack-rat users to a regulatory necessity. Here's how to crate up the correspondence without overloading your LAN.

Network News Break is CrossNodes' daily summary of networking news and opinion, served up fresh daily. Please send your comments and suggestions to the editor.