How to detect rogue WIFI routers on a network?
Solution 1:
If they're just now implementing that policy then my gut says that their threat of a scan is just scare tactics. But that's just me being cynical...
A few methods would be
- If the device is a router and not just an access point then they'll be able to see it in the routing paths
- Network infrastructure device manufacturers have mass blocks of MAC addresses assigned to them to use for their products making it fairly reliable to determine a manufacturer by the MAC address of the device. If, all of a sudden, a few LinkSys or D-Links start popping up and the admins know they don't use those devices....
- They can look in DHCP. This is especially easy if the network is using reserved DHCP addresses for clients. Anything not in the reserved pool is suspect.
Solution 2:
Many professional accesspoints like the ones Cisco provide can not only detect rogue accesspoints through the management engines they're connected to - they can actually prevent anyone from using them by attacking them with disassociation packets and whatnot. And of course, report found rogue access points immediately and depending on the number of valid access points in the area - do a somewhat useful location detection as well.
If they're already using a supported wireless solution, which by your mention of the amount of offices, I'd guess they do - it would just be a matter of turning the option on.
The radio monitoring feature uses the radio measurement capabilities on Cisco IOS APs and Cisco Client Adapters to discover any new 802.11 APs that are transmitting beacons. Both clients and APs periodically scan for other 802.11 beacon frames on all channels. Reports of detected beacons are returned to the Radio Manager, which validates these beacons against a list of APs known to be authorized to provide wireless access. A newly discovered AP that cannot be identified as a known authorized AP generates an administrator alert.
source
Solution 3:
My guess is that they're checking the MAC addresses associated with wireless access points as described in this guys's blog post.
http://barnson.org/node/611
Solution 4:
They could check ARP tables and look at the vendors, or enable 1x on all their switch ports.
Doesn't necessarily stop the access point from being there but it would stop people from using the wireless.
Cisco also has rogue access point detection built into their latest wireless solutions. (I'd assume Aruba does as well).
Solution 5:
At your router/firewall look for outgoing packets with a lower TTL than normal. The router part of the WiFi router will lower the TTL value of a packet when if flows through it.