Re: ROGUE APs at Work - How to locate them?!



I am thinking to ask the network team to "sniff" the MAC and locate the
ports which they are attaching to. Is it a correct way to do it? Are
there other ways to locate these rouge APs?

If you have the MAC address and you have ethernet switches that are smart
enough you could look up which ports on the switches are serving them. As
in, doing an arp table dump on the switches will tell you on which port that
address is being served. So you track it back, switch-by-switch, to the end
place the device is connected. So you run netstumbler or kismet and get a
MAC address, then you look up that MAC address on the switches until you find
the hardware port. Cross-reference that with the physical network map and
you should be able to find out where the device is connected. Now, if you
don't have smart switches that can do arp table dumps then it'll be a lot
more work. As has been suggested, you could set up your DHCP server to
provide a bogus address to that MAC address; that'd at least make it stop
functioning properly, perhaps enough to have the users on it call in for
help.

So don't depend on MAC address comparisons. Most WiFi devices have a
masquerade mode that lets them take the MAC address of the computer whose
wired link they've replaced. So someone on a given port with, say, a 3com
network card in the PC could unplug the computer, plug in the wifi router
and tell the router to use the PC's MAC address. So if you looked at the
vendor id bytes in the MAC address it wouldn't help you narrow it down.
Just keep that in mind. If someone wants to put a WiFi router on your
network there's not a lot you can do to "prevent" it network-wise. You can
only be vigilant in detecting SSIDs and keeping a close watch on arp tables.
Should a previously considered valid MAC address suddenly show up related to
an SSID, you'd have to be keeping track of them to notice. Few places will
expend this effort, at their peril.

Anyway, using arp tables on the switches is probably the most effective way
to track down ROGUE (proper spelling) access points.

--Bill Kearney
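An added example, not part of the original post, showing the trace described above in Python: starting from a core switch, follow a MAC through constructed forwarding-table dumps hop by hop until it is learned on an edge (non-uplink) port, and separately flag wireless-scan BSSIDs that match a known wired PC (the masquerade caveat). All switch names, ports, MAC addresses, locations and scan lines are constructed for illustration.

```python
# Added example (not from the original post). Every switch, port, MAC and
# location below is constructed; real data would come from your switch
# forwarding-table dumps, patch-panel records and netstumbler/kismet output.

# Constructed forwarding-table dumps: switch -> {mac: port it was learned on}
FORWARDING_TABLES = {
    "core1": {
        "00:11:22:33:44:55": "Gi1/1",  # learned via the uplink to access1
        "66:77:88:99:aa:bb": "Gi1/2",  # directly attached to core1
    },
    "access1": {
        "00:11:22:33:44:55": "Fa0/12",  # edge port
        "66:77:88:99:aa:bb": "Fa0/24",  # uplink back to core1
    },
}
# Constructed inter-switch links: (switch, port) -> neighbouring switch
UPLINKS = {("core1", "Gi1/1"): "access1", ("access1", "Fa0/24"): "core1"}
# Constructed physical map: (switch, port) -> patch-panel / room location
LOCATIONS = {("access1", "Fa0/12"): "floor 3, cubicle 3-17"}
# Constructed inventory of MACs belonging to known wired PCs
KNOWN_WIRED = {"00:11:22:33:44:55": "finance-pc-17"}


def trace_mac(mac, start="core1"):
    """Follow a MAC switch-by-switch until it is learned on a non-uplink port.
    Returns (switch, port, location-or-None), or None if no switch knows it."""
    mac = mac.lower()
    switch, visited = start, set()
    while switch not in visited:        # visited set guards against loops
        visited.add(switch)
        port = FORWARDING_TABLES.get(switch, {}).get(mac)
        if port is None:
            return None
        if (switch, port) in UPLINKS:   # learned via another switch: hop to it
            switch = UPLINKS[(switch, port)]
            continue
        return switch, port, LOCATIONS.get((switch, port))
    return None  # inconsistent tables: walked back to a switch already seen


def flag_masquerading_aps(scan_results):
    """List (ssid, bssid, hostname) for scanned BSSIDs that equal the MAC of a
    known wired PC: the AP may have been told to copy the PC's MAC address."""
    return [(r["ssid"], r["bssid"], KNOWN_WIRED[r["bssid"].lower()])
            for r in scan_results if r["bssid"].lower() in KNOWN_WIRED]


# Constructed wireless-scan output of the kind netstumbler/kismet would give
SCAN = [{"ssid": "linksys", "bssid": "00:11:22:33:44:55"},
        {"ssid": "corp-wifi", "bssid": "de:ad:be:ef:00:01"}]
```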



