Re: Good rogue ap finder? or...going down the wrong path?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Tue, 10 Jan 2006 19:50:21 -0600
On Tue, 10 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in article
<8SPwf.30455$qw4.21320@xxxxxxxxxxxxxxxxxxxxxx>, Rico wrote:
>Is there no way within your LAN to tell if someone has added a 'new' router
>to your network regardless of being wireless? I'm relatively new to the *ix
>world so please bear with what may seem a stupid question.
Generally speaking, LANs are (or act as if they were) Ethernet, with
packets flying about using RFC0894. Briefly, this is a 14 byte header
(6 bytes destination MAC, 6 bytes source MAC, 2 byte type) and 4 byte
CRC wrapped around an IP packet. The packets are actually steered using
the MAC address which you can see on your system using the '/sbin/ifconfig
-a' command. In the old days of coax (10Base5 or 10Base2), everyone was
on the same wire, so you could hear all systems. This was also true of
the original twisted pair (10BaseT) setup using hubs. Later implementations
of twisted pair, (10BaseT and the faster 100BaseT and 1000BaseT) use
switches to isolate sections, and now all you'd hear is broadcasts such
as ARP requests and those packets destined to "you". (Yes, switches
can be set to monitor all ports.)
[compton ~]$ whatis arpwatch
arpwatch (8) - keep track of ethernet/ip address pairings
[compton ~]$
That's a handy tool. But we simply monitor all of the switches and the ARP
caches on routers and servers. When something appears that isn't on our
list, a message is sent to Network Operations and the Security Desk. This
brings the thundering herd along with the "People Who Do Not Smile"(tm).
We are helped by having an exact list of where every port on every switch
goes. There are about 1500 offices in this building, but someone will
arrive within 4 minutes and be asking questions. For the other building
on the facility, add a minute or so for running between the buildings.
>I would think the logs on the server(s) would show a new IP on the net.
Yup - and we log all the details when the systems first arrive. (We're
an R&D facility, so we're a bit more paranoid than others might be, but
the whole company uses the same policies.)
>Also in normal support for the network wouldn't such a device as it were
>turn up in whatever cube as you were say in the given room working on
>the printer or someone's blurry monitor?
If you don't control access to your facility, yes this is a common
giveaway - all the company hardware has property tags prominently
displayed, and as a courtesy to the users (and to allow support to
figure out which of these identical systems is named $FOO), we also
put Dymo labels (embossed tape) with the system name on the monitor
and CPU.
>I just from my limited experience (small business background - fewer than 50
>people) can't imagine such going undiscovered for any length of time at
>all. But again I'm asking because of an admitted ignorance here.
You're basically right. Also, there is written policy (signed by each
employee) explaining that non-company hardware is a major no-no, and there
are signs at all building entrances, yada, yada, yada.
Old guy
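
Added example, not part of the original post: a minimal sketch of the ARP-cache-versus-list check described above, reporting MACs that are not on the list and listed MACs seen on a different IP (the pairing change arpwatch tracks). The sample cache is constructed in Linux /proc/net/arp format, and the inventory layout, names and addresses are assumptions.

```python
"""Compare an ARP cache snapshot against a hardware inventory (added example)."""

# Constructed sample in Linux /proc/net/arp format; all addresses are made up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:00:01     *        eth0
192.0.2.20       0x1         0x2         02:00:00:AA:00:14     *        eth0
192.0.2.21       0x1         0x2         02:00:00:aa:00:15     *        eth0
192.0.2.77       0x1         0x2         02:00:00:bb:00:4d     *        eth0
192.0.2.90       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Hypothetical inventory: MAC -> (system name, IP logged when it first arrived).
INVENTORY = {
    "02:00:00:aa:00:01": ("gw1", "192.0.2.1"),
    "02:00:00:aa:00:14": ("ws-foo", "192.0.2.20"),
    "02:00:00:aa:00:15": ("ws-bar", "192.0.2.31"),
}

ATF_COM = 0x2  # "entry complete" flag; unresolved entries carry an all-zero MAC


def parse_arp(text):
    """Yield (ip, mac, device) for each completed entry, MAC lower-cased."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16) & ATF_COM:
            yield ip, mac.lower(), dev


def audit(text, inventory):
    """Return alerts for unlisted MACs and for listed MACs seen on a new IP."""
    alerts = []
    for ip, mac, dev in parse_arp(text):
        known = inventory.get(mac)
        if known is None:
            alerts.append(("unknown-mac", mac, ip, dev))
        elif known[1] != ip:
            alerts.append(("changed-pairing", mac, ip, known[0]))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_ARP, INVENTORY):
        print(*alert)
```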