RE: MORE: Tools for Detecting Wireless APs - from the wire side.

From: Andrews, Ryan (RAndrew@alleghenyenergy.com)
Date: Fri Jun 14 2002 - 09:03:59 EDT


In addition to the following information, Cisco has an excellent white paper
on securing wireless...

>From http://www.funk.com/radius/wlan/ody_ds.asp:
 
Multiple Security Types
The level of security on a WLAN is determined by the "EAP authentication
type" in use. EAP (Extensible Authentication Protocol) authentication types
provide credential security, data security, or both. Odyssey supports the
following EAP authentication types:
* · EAP-TTLS is an IETF draft jointly authored by Funk Software and
Certicom, and is a working document of the PPP Extensions group. EAP-TTLS
provides strong security, while supporting legacy password protocols,
enabling easy deployment across the enterprise. EAP-TTLS is supported on
both Odyssey Client and Server.
* · EAP-TLS is a follow-on to Secure Socket Layer (SSL). It provides
strong security, but relies on client certificates for user authentication.
EAP-TLS is supported on both Odyssey Client and Server.
* · EAP-Cisco Wireless (LEAP) - this authentication method is used
primarily for WLAN clients connecting to Cisco WLAN access points such as
the Cisco Aironet Series. It provides security during credential exchange,
encrypts data transmission using dynamically generated WEP keys, and
supports mutual authentication and reauthentication. EAP-Cisco Wireless
(LEAP) is supported on Odyssey Server.
* · EAP-MD5 - this authentication method essentially duplicates CHAP
password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP
support among 802.1x devices. EAP-MD5 is supported on Odyssey Client.

 -----Original Message-----
From: Jon [mailto:vandivee@midsouth.rr.com]
Sent: Wednesday, June 12, 2002 12:18 AM
To: 'Pen-Test'
Subject: RE: MORE: Tools for Detecting Wireless APs - from the wire
side.

Come come....
The cheap appliances can well indeed change their MAC...

I can clone my 3Com NIC, publish it to the wire and run my AP virtually
undetected.
(I forgot this or else I would have included it when I proposed the MAC
OUI polling from the switch, course most "users" won't know this)

The only way I can see to secure your LAN from having rouge APs attached
is something I have only heard of and never seen.

EAP based authentication for port security....

And with that.... I can honestly say I have NO IDEA how to do it right
now.....

If anyone has a whitepaper for implementation EAP for port security,
please post it or send it to me...

Thanks,
Jon

-----Original Message-----
From: Weaver, Woody [mailto:woody.weaver@callisma.com]
Sent: Monday, June 10, 2002 9:12 PM
To: R. DuFresne; Isherwood Jeff C Contr AFRL/IFOSS
Cc: 'Pen-Test'
Subject: RE: MORE: Tools for Detecting Wireless APs - from the wire
side.

On Monday, June 10, 2002 3:45 PM, R. DuFresne wrote:
[..]
>MAC addresses can not only be spoofed and changed, but, looking at just
>3Com, one gets an idea of the large number of MACs one has to keep
track
>of.

Ron, I'm not sure of your point here. If we are assuming a non-compliant
employee (user or administrator) then they have probably deployed a
commercial access point. These are typically on appliance devices, and
can't
change their MAC. (Remember, the point is to find the AP, not find who
is
connecting on the wireless side.)

Keeping track of MAC OUIs is not difficult, since
http://standards.ieee.org/regauth/oui/oui.txt takes care of that for
you.

Essentially, the task comes down to looking at each MAC, and asking
"what is
this device?" This is a useful exercise, irrespective of the problem of
wireless access.

Once the APs have been identified, the next step is to determine the
consequences of the AP -- which is where the rest of the content in your
note applies.

In an environment with a black hat, things are much more difficult. The
AP
is likely to be part of a general purpose operating system, where nmap
et
alia will be useless. A really stealthy box won't respond to a port
scan,
but can pass traffic. The advantage of the ARP cache (or better CAM
tables)
approach is that the box *has* to populate a cache at layer 2 to
communicate. It might be spoofed, or fraudulent, but *something* has to
show
up. This is the same problem as a stray modem or T1 -- how do you find a
modem if its on a ringback?

--woody

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT