From: Weaver, Woody (woody.weaver@callisma.com)
Date: Mon Jun 10 2002 - 22:12:26 EDT
On Monday, June 10, 2002 3:45 PM, R. DuFresne wrote:
[..]
>MAC addresses can not only be spoofed and changed, but, looking at just
>3Com, one gets an idea of the large number of MACs one has to keep track
>of.
Ron, I'm not sure of your point here. If we are assuming a non-compliant
employee (user or administrator) then they have probably deployed a
commercial access point. These are typically on appliance devices, and can't
change their MAC. (Remember, the point is to find the AP, not find who is
connecting on the wireless side.)
Keeping track of MAC OUIs is not difficult, since
http://standards.ieee.org/regauth/oui/oui.txt takes care of that for you.
Essentially, the task comes down to looking at each MAC, and asking "what is
this device?" This is a useful exercise, irrespective of the problem of
wireless access.
Once the APs have been identified, the next step is to determine the
consequences of the AP -- which is where the rest of the content in your
note applies.
In an environment with a black hat, things are much more difficult. The AP
is likely to be part of a general purpose operating system, where nmap et
alia will be useless. A really stealthy box won't respond to a port scan,
but can pass traffic. The advantage of the ARP cache (or better CAM tables)
approach is that the box *has* to populate a cache at layer 2 to
communicate. It might be spoofed, or fraudulent, but *something* has to show
up. This is the same problem as a stray modem or T1 -- how do you find a
modem if its on a ringback?
--woody
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT