04-30-2015 08:32 PM - last edited on 07-05-2021 03:07 AM by cc_security_lab
Has anyone successfully detected a wired rogue access point in a corporate network? I am trying to prevent and locate an unauthorized wireless router, Linksys or D-Link, in the production network.
Thanks,
04-30-2015 10:04 PM
It's possible and will work, but it is very unlikely that you will properly detect the traditional D-Link/Linksys or "SOHO" type device. The reason is that these devices typically NAT, so from your corporate "wired" network you will not be able to correlate any WLC-detected rogue client MAC addresses to a MAC on the wire from the rogue detector AP; they're hidden behind the NAT boundary.
http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html
"A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network. A positive match is based on the wired and wireless MAC address with difference of +1/-1. If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, then the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to "Critical". It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT."
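The wired/wireless correlation rule quoted above (a match on the wired and wireless MAC with a difference of +1/-1), applied to constructed sample data. This is an added example, not code from the thread or from Cisco; the MAC addresses and the function names are assumptions. It also shows why the NAT case produces no match: the client's MAC never appears in wired ARP.

```python
# Added example (not from the thread): the rogue-detector correlation rule
# from the quoted Cisco doc, applied offline to constructed sample data.
# A rogue MAC heard over the air is declared "on the wire" when the wired
# ARP table contains a MAC equal to it or differing by exactly +1/-1
# (many APs derive their BSSIDs from the wired MAC that way).

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dashed form) into a 48-bit integer."""
    hexstr = mac.replace("-", ":").replace(":", "")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return int(hexstr, 16)


def correlate_rogues(air_macs, wired_arp_macs):
    """Return {air_mac: matched_wired_mac} for air MACs also seen on the wire.

    air_macs: MACs of rogue APs/clients heard by the detector radio.
    wired_arp_macs: MACs learned from ARP on the wired network.
    Integer arithmetic makes the +1/-1 test carry across octet boundaries.
    """
    wired_by_int = {mac_to_int(m): m for m in wired_arp_macs}
    matches = {}
    for mac in air_macs:
        n = mac_to_int(mac)
        for candidate in (n, n - 1, n + 1):
            if candidate in wired_by_int:
                matches[mac] = wired_by_int[candidate]
                break
    return matches


# Constructed sample data (not real addresses).
AIR_MACS = [
    "00:11:22:33:44:56",  # BSSID = wired MAC + 1 -> raised to Critical
    "00:11:22:33:44:55",  # exact match on the wire
    "66:77:88:99:aa:01",  # client behind a NAT router: never in wired ARP
]
WIRED_ARP = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"]

if __name__ == "__main__":
    for air, wire in correlate_rogues(AIR_MACS, WIRED_ARP).items():
        print(f"CRITICAL: {air} heard over the air matches wired {wire}")
```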
05-01-2015 03:35 PM
A Rogue AP is an access point that has been installed on a secure network without explicit authorization from a system administrator. Rogue access points pose a security threat because anyone with access to the premises can ignorantly or maliciously install an inexpensive wireless AP that can potentially allow unauthorized parties to access the network.
Several Rogue AP types are undetectable by wire-side-only scanning, examples:
• Bridging APs on a subnet inconsistent with their wired IP address (default configuration)
• Soft APs
• Router (NAT) APs with cloned wire side MAC address
Please check the below links for more information on Rogue AP.
http://www.cisco.com/assets/sol/sb/AP541N_Emulators/AP541N_Emulator_v1.9.2/help_Rogue_AP_Detection.htm
http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html#wp44450
Attached is the PDF file for more information.
05-13-2015 11:44 AM
Any device that shares your spectrum and is not managed by you can be considered a rogue. A rogue becomes dangerous in the following scenarios:
• When the Rogue AP uses the same SSID as your network (honeypot).
• When the Rogue AP device is detected on the wired network also.
• Ad-hoc rogues are also a big threat.
• Setup by an outsider with malicious intent.
There are three main phases of rogue device management in Cisco Unified Wireless Network (UWN) solution:
• Detection - Radio Resource Management (RRM) scanning is used to detect the presence of rogue devices.
• Classification - Rogue Location Discovery Protocol (RLDP), Rogue Detectors and switch port tracing are used to identify if the rogue device is connected to the wired network. Rogue classification rules also assist in filtering rogues into specific categories based on their characteristics.
• Mitigation - Switch port trace and shutting down, rogue location, and rogue containment are used to track down the physical location and nullify the threat of rogue devices.
http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html