How to detect rogue WIFI routers on a network?

Solution 1:

If they're just now implementing that policy then my gut says that their threat of a scan is just scare tactics. But that's just me being cynical...

A few methods would be

  • If the device is a router and not just an access point then they'll be able to see it in the routing paths
  • Network infrastructure device manufacturers have mass blocks of MAC addresses assigned to them to use for their products making it fairly reliable to determine a manufacturer by the MAC address of the device. If, all of a sudden, a few LinkSys or D-Links start popping up and the admins know they don't use those devices....
  • They can look in DHCP. This is especially easy if the network is using reserved DHCP addresses for clients. Anything not in the reserved pool is suspect.

Solution 2:

Many professional access points like the ones Cisco provide can not only detect rogue access points through the management engines they're connected to - they can actually prevent anyone from using them by attacking them with disassociation packets and whatnot. And of course, report found rogue access points immediately and depending on the number of valid access points in the area - do a somewhat useful location detection as well.

If they're already using a supported wireless solution, which by your mention of the amount of offices, I'd guess they do - it would just be a matter of turning the option on.


The radio monitoring feature uses the radio measurement capabilities on Cisco IOS APs and Cisco Client Adapters to discover any new 802.11 APs that are transmitting beacons. Both clients and APs periodically scan for other 802.11 beacon frames on all channels. Reports of detected beacons are returned to the Radio Manager, which validates these beacons against a list of APs known to be authorized to provide wireless access. A newly discovered AP that cannot be identified as a known authorized AP generates an administrator alert.

source

Solution 3:

My guess is that they're checking the MAC addresses associated with wireless access points as described in this guy's blog post.

http://barnson.org/node/611

Solution 4:

They could check ARP tables and look at the vendors, or enable 1x on all their switch ports.

Doesn't necessarily stop the access point from being there but it would stop people from using the wireless.

Cisco also has rogue access point detection built into their latest wireless solutions. (I'd assume Aruba does as well).

Solution 5:

At your router/firewall look for outgoing packets with a lower TTL than normal. The router part of the WiFi router will lower the TTL value of a packet when it flows through it.
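
The TTL check from Solution 5, sketched as an added example that is not part of the original answers: it takes (source IP, TTL) pairs as they would be captured on the gateway's inside interface and flags sources that sit one or more hops further away than the rest of their subnet. The function names, subnets and sample observations are constructed for illustration, and the code assumes hosts start from the common initial TTLs 64, 128 or 255.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Common initial TTLs: 64 (Linux/macOS), 128 (Windows), 255 (much network gear).
INITIAL_TTLS = (64, 128, 255)

def hops_travelled(ttl):
    """Hops already crossed, assuming the nearest common initial TTL at or above ttl."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl

def most_common_low(values):
    """Most frequent value; ties go to the smaller one."""
    counts = Counter(values)
    return min(counts, key=lambda v: (-counts[v], v))

def flag_extra_hop_sources(observations, subnets):
    """observations: (src_ip, ttl) pairs seen on the gateway's inside interface.
    Returns {src_ip: (hops, subnet_baseline)} for sources that sit further away
    than is normal for their subnet, i.e. behind an extra routing device."""
    nets = [ip_network(s) for s in subnets]
    per_source = defaultdict(list)
    for src, ttl in observations:
        per_source[src].append(hops_travelled(ttl))
    by_net = defaultdict(dict)
    for src, hops in per_source.items():
        net = next((n for n in nets if ip_address(src) in n), None)
        if net is not None:
            by_net[net][src] = most_common_low(hops)
    flagged = {}
    for members in by_net.values():
        baseline = most_common_low(members.values())
        for src, hops in members.items():
            if hops > baseline:
                flagged[src] = (hops, baseline)
    return flagged

# Constructed sample: 10.0.5.0/24 is directly attached, 10.0.9.0/24 is one routed hop away.
SUBNETS = ["10.0.5.0/24", "10.0.9.0/24"]
SAMPLE = [
    ("10.0.5.10", 128), ("10.0.5.11", 64), ("10.0.5.12", 128),
    ("10.0.5.23", 127), ("10.0.5.23", 63), ("10.0.5.23", 127),  # NAT hides mixed clients
    ("10.0.9.4", 127), ("10.0.9.5", 63), ("10.0.9.6", 127),
    ("10.0.9.7", 126),
]

if __name__ == "__main__":
    for src, (hops, base) in sorted(flag_extra_hop_sources(SAMPLE, SUBNETS).items()):
        print(f"{src}: {hops} hop(s) away, subnet baseline {base}")
```

A device that only bridges, or one that rewrites the TTL on its way out, does not decrement the value and will not be flagged by this check.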