Re: MORE: Tools for Detecting Wireless APs - from the wire side.

From: Bennett Todd (bet@rahul.net)
Date: Wed Jun 12 2002 - 09:20:03 EDT

2002-06-11-16:07:18 Pierre Vandevenne:
> WW> commercial access point. These are typically on appliance devices, and can't
> WW> change their MAC.
>
> Ahem. Have you ever physically opened these devices ?
> [...]
> Now, is there any doubt that the MAC addresses of those PCMCIA can be
> changed ? I can provide a few pictures of the internal of some devices
> if you like.

Certainly, all APs undoubtedly use the same chipsets, and some of
'em actually have PCMCIA carriers inside.

But that's not the point.

APs are sold as appliances. They run embedded OSes. I've found
VxWorks in one, identified because they forgot to turn off the WDB
debugger port when they shipped the image, and I nmapped it.

Sure, a sufficiently clever and determined hacker could write a
custom OS for an AP, with support for changing the MAC addr, burn
it in a prom, open the thing up, and replace the embedded OS with
their own hack. Easier though, if you're that determined, to just
use a laptop as your access point --- even if you can't find drivers
capable of making it a real AP in infrastructure mode, you can still
do unofficial wireless just fine in adhoc mode. That's my home net
of choice.

For such hacks (as well as this hypothetical embedded OS hacker)
your choices are pretty much limited to physical walkabout with
kismet or whatever, despite the limitations of that approach.

But APs are inexpensive, plug-n-go appliances. Folks with less
technical savvy, folks who aren't up to writing custom embedded OSes
to allow them to change the MAC addr, buy these things and hook 'em
in, generally in ignorance of the risk they're exposing the company
to. For this sort of casual error, the wired-side audits are the
way to go.

And the exercise of setting up that MAC addr cataloguing system
has additional benefits. If you're gonna do it on an enterprise
scale, you've gotta automate it; manually collecting arp tables from
hundreds or thousands of routers is too painful. Once you've
automated it, there's no reason not to schedule daily, or even
hourly, or even every-10-minute polls gathering this data --- and
then you're set to generate a ticket to the helpdesk any time a new
MAC addr appears; they've got to find the monkey that installed the
box to close the ticket. Make their lives easier, have the system
also collect all your switches' CAM tables and include the exact
switch port in the ticket you generate.

Now you're not only stomping out rogue APs, you're also showing up
and breaking down the door when vendors plug their laptops into your
network, etc.

And _This_ in turn has benefits far beyond the direct tangible
getting a grip on your net; when you create the perception that you
know what's going on, people are more inclined to behave themselves.

-Bennett

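The wired-side audit Bennett sketches (a MAC that is absent from the catalogue shows up in a router's ARP poll, so a ticket goes out naming the exact switch port from the CAM tables), written out as an added example that is not part of his post. The device names, ports and MAC addresses are constructed, it reads saved poll output rather than talking to the gear, and it goes one step past the post by skipping inter-switch uplink ports so the ticket names the access port rather than every switch on the path.

```python
import re

# Constructed sample polls (not real data), in the dotted MAC notation that
# Cisco-style routers and switches print: one ARP table, two CAM tables.
ARP_POLL = ("Internet  10.1.20.14   5   0011.2233.4455  ARPA  Vlan20\n"
            "Internet  10.1.20.77   0   00de.adbe.ef01  ARPA  Vlan20\n")
CAM_POLLS = {
    "sw-core-1":   ("  20  0011.2233.4455  DYNAMIC  Gi1/0/48\n"
                    "  20  00de.adbe.ef01  DYNAMIC  Gi1/0/48\n"),
    "sw-floor3-1": ("  20  0011.2233.4455  DYNAMIC  Gi1/0/7\n"
                    "  20  00de.adbe.ef01  DYNAMIC  Gi1/0/23\n"),
}
# Inter-switch links (constructed topology): a MAC learned on one of these is
# reached through another switch, so that port is not where the box is plugged in.
UPLINKS = {("sw-core-1", "Gi1/0/48")}
# Catalogue built up by earlier polls: MACs already accounted for.
KNOWN_MACS = {"00:11:22:33:44:55"}

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)

def norm_mac(mac):
    """Canonicalise 0011.2233.4455, 00-11-22-..., etc. to aa:bb:cc:dd:ee:ff."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """{mac: ip} from 'show ip arp' style output (IP is the 2nd field)."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and MAC_RE.fullmatch(f[3]):
            out[norm_mac(f[3])] = f[1]
    return out

def locate(mac, cam_polls, uplinks):
    """Access port a MAC was learned on: the first CAM hit that is not an uplink."""
    for switch, text in cam_polls.items():
        for line in text.splitlines():
            f = line.split()
            if (len(f) >= 4 and MAC_RE.fullmatch(f[1]) and norm_mac(f[1]) == mac
                    and (switch, f[-1]) not in uplinks):
                return f"{switch} {f[-1]}"
    return "port unknown (seen only on uplinks)"

def new_mac_tickets(known, arp_text, cam_polls, uplinks):
    """One helpdesk ticket per MAC in this poll that the catalogue lacks."""
    return [f"NEW MAC {mac} ({ip}) on {locate(mac, cam_polls, uplinks)}"
            for mac, ip in sorted(parse_arp(arp_text).items()) if mac not in known]
```

Run against the sample polls it emits one ticket, for 00:de:ad:be:ef:01 on sw-floor3-1 Gi1/0/23; the same MAC also sits on sw-core-1 Gi1/0/48, which is skipped because that port is an uplink.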
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT