Tool to monitor/analyze access points

From: John Aldrich 
------------------------------------------------------
On another list one of the people is asking for a tool to help 
locate/identify "rogue" access points. He says he's got a number of Cisco 
1240AG units so anything that could use those to help triangulate or 
otherwise locate rogue access points would be helpful and Free/cheap would 
be even better. :-)

I figured I'd ask in here if there are any FLOSS products that will do this?

===============================================================
From: Christopher Rimondi
------------------------------------------------------
Two options come to mind:

1. Kismet running on OpenWRT - http://www.sans.org/reading

===============================================================
From: John Aldrich
------------------------------------------------------

===============================================================
From: Rod-Lists
------------------------------------------------------
Would this help? http://www.linuxscrew.com/2011/02/23/install-nfdump-and-nfsen-netflow-tools-in-linux/

===============================================================
From: Bret McHone
------------------------------------------------------
How large of an area does he want to monitor for rogue APs? Would one "listener" be able to cover his entire area, or does he need a system that has to be distributed across a larger area?

-Bret

===============================================================
From: John Aldrich
------------------------------------------------------
Well, from what he said, it sounds like it's a large area... I mean, he said he's got 15 of the Cisco units and that he's got some tools loaded on his phone, etc., but he doesn't have the time to go around and manually search for the rogue APs. :-)

===============================================================
From: John Aldrich
------------------------------------------------------
Here's what the OP said on the other list:

It's a medium sized office space consisting of three separate suites with about 220 employees - most with fairly large cubes. Two of the suites are situated on different floors directly above/below each other, and the other suite is on the second floor above both our HR/training area and another company's offices. I haven't taken the time to calculate actual square footage, but the fellow from the consulting firm that did the wireless survey several years ago spent a couple of days shuffling around the office and clicking his AirMagnet tablet PC in a most boring fashion...

===============================================================
From: Bret McHone
------------------------------------------------------
Unless he wants to spend a bloody fortune for Cisco's centralized management system, he may want to look at AirDefense by Motorola. http://www.airdefense.net/

I've not looked at it in real depth, but I attended a local presentation on its capabilities a couple years ago. It looked nice, but I'm not sure on the price point, so it may be just as expensive as Cisco.

Chances are, unless he has a lot of time to try and bundle a lot of little Linux systems/applications together and correlate the data, he'll need a centralized management system for his APs. Especially since he doesn't want to periodically walk around looking for rogues with Kismet...

We use Aruba for our wireless network, and rogue AP detection/mitigation is one of the base features of the system. You just put an AP in "Air Monitor" mode and have at least one on each subnet. It will correlate air traffic with wired traffic and give you the option to mitigate rogue APs. I currently do not allow for mitigation due to so many wireless networks around me.... I would hate to think that my wireless network would just outright deauth attack another neighbor without my knowledge.

-B

===============================================================
From: Stephen Kraus
------------------------------------------------------
If he is looking for rogues, why doesn't he just start doing MAC filtering and lock down access to the network?

===============================================================
From: John Aldrich
------------------------------------------------------
Good question... there are a number of answers, but the one that springs to mind is that it sounds like a lot of work, and he may be an overworked sysadmin trying to mitigate rogue APs with minimal effort. :-) I mean, if you're the ONLY sysadmin/network admin for a company like that, it stands to reason you probably don't have a lot of extra time. :-)

===============================================================
From: John Aldrich
------------------------------------------------------
One thing -- he did say he works with a large number of highly technical folks who could bypass some of the filtering by adding a second NIC to their machine and plugging the rogue access point into the second NIC.

===============================================================
From: Aaron Welch
------------------------------------------------------
My experience with rogue APs had less to do with access issues and more to do with spectrum/bandwidth issues. The campus install I did required each AP to be tweaked so that good clients could connect without stepping on other tenants in the same airspace. (Corporate campus in Silicon Valley.) We used all Cisco with the WLCs and WCS for management. Just the management piece of the install was almost $100k.

-AW

===============================================================
From: Aaron Welch
------------------------------------------------------
This has now become an HR problem, not a technical one. He is wasting a lot of cycles to secure against things that are probably against the corporate acceptable use policy.

-AW

===============================================================
From: Bret McHone
------------------------------------------------------
Do you mean MAC filtering at the switch or wireless? A MAC is very easy to spoof and just as easy to get a valid one.

To track down rogue APs he would need a system that could either correlate wired/wireless traffic to locate a rogue AP or triangulate the locations within his campus. Plainly put, there's no simple answer for his question/problem. Because if he relies on triangulation, then a channel knocking rogue AP would prevent detection. The correlation is harder to get past, but generally the systems are more expensive.

Locking down networks with strong authentication & encryption is easy to say, but not always easy to implement, depending on the resources available to the tech and what is compatible with existing equipment. It all also costs money to the company, either by time to implement or for new equipment.

Best of luck to him, hope he finds a good solution. Just remind him of the Holy Trinity of Security.. no... not CIA (Confidentiality, Integrity, Availability)... CYA.. Cover Your Ass. :)

-B
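One way to do the wired/wireless correlation Bret describes, as an added example that is not part of this thread or of any product named in it: BSSIDs heard by a wireless monitor are matched against the switches' MAC address table, and only unauthorized BSSIDs with a wired match are reported as rogues, so a neighbor's AP is never a candidate for mitigation. The MACs, SSIDs and port names are constructed sample data, and the offset search assumes the common SOHO-AP habit of deriving the BSSID from the wired MAC by a small offset.

```python
# Added example, not code from the thread or from any product named in it.
def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (colon or dash separated) into an int."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def int_to_mac(value: int) -> str:
    hexstr = f"{value:012x}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))

# Constructed sample data (hypothetical MACs, SSIDs and switch ports).
AUTHORIZED_APS = {"00:1a:a1:11:22:30"}             # corporate APs by BSSID
WIRELESS_SEEN = [                                  # (ssid, bssid, channel)
    ("corp-wifi", "00:1a:a1:11:22:30", 1),
    ("linksys", "00:25:9c:aa:bb:c1", 6),
    ("FreeWifi", "c0:ff:ee:00:00:01", 11),
]
WIRED_MAC_TABLE = [                                # (mac, switch port)
    ("00:1a:a1:11:22:30", "Gi1/0/1"),
    ("00:25:9c:aa:bb:c0", "Gi1/0/17"),
    ("00:11:22:33:44:55", "Gi1/0/5"),
]

def find_rogue_aps(wireless_seen, wired_table, authorized, max_offset=2):
    """Return (rogues, unverified).

    A BSSID is a rogue when it is not authorized and its MAC, or one within
    max_offset of it in the same OUI, sits on a wired port (SOHO APs usually
    derive the BSSID from the wired MAC by a small offset). Unauthorized
    BSSIDs with no wired match are 'unverified': probably a neighbor.
    """
    wired = {mac_to_int(mac): port for mac, port in wired_table}
    authorized_ints = {mac_to_int(mac) for mac in authorized}
    rogues, unverified = [], []
    for ssid, bssid, channel in wireless_seen:
        b = mac_to_int(bssid)
        if b in authorized_ints:
            continue
        record = {"ssid": ssid, "bssid": bssid, "channel": channel}
        for delta in range(-max_offset, max_offset + 1):
            candidate = b + delta
            if candidate >> 24 == b >> 24 and candidate in wired:
                record["wired_mac"], record["port"] = int_to_mac(candidate), wired[candidate]
                rogues.append(record)
                break
        else:  # no break: nothing on the wire near this BSSID
            unverified.append(record)
    return rogues, unverified

if __name__ == "__main__":
    print(find_rogue_aps(WIRELESS_SEEN, WIRED_MAC_TABLE, AUTHORIZED_APS))
```

The switch port in each rogue record is what lets the admin shut the port rather than deauth over the air; anything in the unverified list still needs a walk with Kismet before it is treated as a threat.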

===============================================================
From: Rod-Lists
------------------------------------------------------
What does he mean by rogue access point? Is he looking for folks who should not be using his PS's? Or an AP that has been hijacked in some way?

===============================================================
From: Bret McHone
------------------------------------------------------
A rogue AP is one that is placed on your network without your knowledge. It can be anything from someone bringing in a customized access point and plugging directly into a switch to someone enabling wireless on their laptop while plugged into the network. Basically, an unauthorized point of access for your network.

-B

===============================================================
From: Rod-Lists
------------------------------------------------------
As someone pointed out, that is exactly what he is facing. Would Cisco NetFlow tools help in this situation? http://www.linuxscrew.com/2011/02/23/install-nfdump-and-nfsen-netflow-tools-in-linux/

===============================================================
From: John Aldrich
------------------------------------------------------
Exactly. I think he's mainly worried about someone bringing in a Linksys router or some other SOHO piece of wireless equipment.

===============================================================
From: Rod-Lists
------------------------------------------------------
And to Steven's point, MAC spoofing isn't that difficult, just harder under Windows. ;) I'm amazed that certain parties think that is all the security needed at my work place.

===============================================================
From: Bret McHone
------------------------------------------------------
That just gives you statistics, which would be more for management than security. I use the equivalent of NetFlow on my Brocade network to monitor data trends, but I use Snort, server agents, log correlation, etc... to track security threats. I'm working on implementing an active response system to help me automate a lot of the problems that I see. I.e., when I see a port scan from a curious user, I get an email and they get a popup to quit being a bad monkey and get back to work. (Not that scenario exactly, but not far from it.)

-B

===============================================================
From: Erik Hanson
------------------------------------------------------
He/She could try Nessus. http://blog.tenablesecurity.com/2009/08/using-nessus-to-discover-rogue-access-points.html

===============================================================
From: John Aldrich
------------------------------------------------------
Thanks. I'll pass that along.

===============================================================
From: Dave Brockman
------------------------------------------------------
Because 802.11 isn't a shared access medium (think hub). It would be impossible to actually sniff a MAC on the wire(less) hub. And it definitely would be totally impossible to make my machine say it has one of those MAC addresses that I can't sniff off the wire(less)... And I totally, no effing way, could ever possibly make my rogue AP (or more likely, NAT+Router) say it has one of those MAC addresses, especially on the WAN interface if it's a router....

And if walking around with a laptop and Kismet is too much effort, I promise keeping up with 16+ APs for manual MAC authorization will be way, way too much effort....

Regards,
dtb

===============================================================
From: Dave Brockman
------------------------------------------------------
It's only a few button clicks :) If your card is built into your MLB, you can probably do it in the BIOS as well. Prove them wrong or just tuck it away in your bag of tricks, whichever suits your needs best....

Regards,
dtb

===============================================================
From: Rod-Lists
------------------------------------------------------
Ifconfig just spoils me. And I've tried to get through to them. They just don't think it is a threat.

Rod

===============================================================
From: Bret McHone
------------------------------------------------------
Just make sure you have it in writing somewhere that you made a proposal and it got shot down. Show your due diligence. If not, it can be your neck on the line if there is a breach. Always, always, always CYA...

-B