Detection of Rogue Access Points
- Subject: Detection of Rogue Access Points
- From: mysidia at gmail.com (Jimmy Hess)
- Date: Sun, 14 Oct 2012 20:27:34 -0500
- In-reply-to: <CAHsqw9sfxByWg1WAYpuC9dMZf6D=T2oBr8V78qndJzu5PKzZiw@mail.gmail.com>
- References: <CAC47Z9mEDndWoNUsXjUNgawifNtv4RXztLZgLZ2SLc4JTe0AGA@mail.gmail.com> <CAHsqw9sfxByWg1WAYpuC9dMZf6D=T2oBr8V78qndJzu5PKzZiw@mail.gmail.com>
On 10/14/12, Jonathan Lassoff <jof at thejof.com> wrote:
> I've yet to see a solid methodology for detecting NATing devices,
> short of requiring 802.1x authentication using expiring keys and
> one-time passwords. :p
Or implement network access protection, with IPsec between the hosts and the resources on the LAN; the systems behind the rogue NAT device won't be able to prove their identity, pass system health checks for antimalware, and get the X.509 certificates required to communicate with hosts on the LAN...

Use a packet sniffer, and look for packets sourced from hosts on the LAN with a TTL not matching the default TTL of the OSes in use on the network.

Monitor ARP traffic. Start with the assumption that all devices are NAT devices, or malicious/unauthorized devices. Use TCP probes to detect devices listening on common ports which can be identified as OSes (e.g. Windows, printers, etc.), which are known hosts on the network with a known user or known purpose, and known not to be NAT devices. Delete known devices from the list of assumed rogue IP addresses. All the remaining IPs have to be investigated, and get their MAC address, hostname, and purpose documented.

Once MAC addresses of all _known_ hosts are documented and manually verified, by process of elimination you can detect any unknown IP addresses/MAC addresses, which might be any kind of unauthorized device. A NAT device is one example... another example of an unauthorized device could be an unauthorized hardware keylogger/network backdoor, with unauthorized connectivity to the LAN, and possible covert channels/backdoors/firewall bypasses.
> Cheers,
> jof
--
-JH
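The triage the post sketches, written out as an added example (this is not code from the post or its author): a passive pass over captured (source MAC, source IP, TTL) observations that flags TTLs implying an extra hop on a flat LAN, MACs absent from a manually verified inventory, IPs claimed by more than one MAC (the ARP-monitoring check), and, going one step beyond the post, a single MAC behind which several different initial TTLs appear, which is what a NAT device hiding hosts of different OSes looks like. The inventory, the sample packets and the initial-TTL table are constructed for the example; the `expected_hops` parameter is an assumption for LANs where a router sits between the sniffer and the hosts.

```python
"""Passive rogue-NAT / unknown-device triage over packet observations.

Added example, not from the mailing-list post. Input records are
(src_mac, src_ip, ttl) tuples as a sniffer would yield them on a flat LAN.
"""
from collections import defaultdict

# Common initial TTLs: Linux/macOS 64, Windows 128, many network devices 255.
INITIAL_TTLS = (64, 128, 255)

# Constructed inventory of known, manually verified hosts: MAC -> (IP, purpose).
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": ("192.168.1.10", "file server (Windows)"),
    "00:11:22:aa:bb:02": ("192.168.1.20", "printer"),
}

# Constructed observations. On a flat LAN the sniffer sees the initial TTL
# directly, so any decrement means the packet crossed a forwarding device.
SAMPLE_PACKETS = [
    ("00:11:22:aa:bb:01", "192.168.1.10", 128),  # known Windows server, direct
    ("00:11:22:aa:bb:02", "192.168.1.20", 255),  # known printer, direct
    ("00:11:22:aa:bb:03", "192.168.1.77", 63),   # 64 - 1: a Linux host one hop behind this MAC
    ("00:11:22:aa:bb:03", "192.168.1.77", 127),  # 128 - 1: a Windows host behind the same MAC
    ("00:11:22:aa:bb:04", "192.168.1.90", 64),   # unknown MAC, but TTL looks direct
    ("00:11:22:aa:bb:05", "192.168.1.10", 128),  # second MAC claiming the file server's IP
]


def infer_initial_ttl(ttl):
    """Return (assumed initial TTL, hop count) for an observed TTL.

    The assumed initial value is the smallest common default >= ttl; the
    hop count is how many times it was decremented on the way to us.
    """
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds any IPv4 initial value")


def analyze(packets, known=KNOWN_DEVICES, expected_hops=0):
    """Return sorted (mac, ip, kind, detail) findings; repeats are collapsed."""
    findings = {}                       # (mac, ip, kind) -> first detail seen
    initials_by_mac = defaultdict(set)  # which OS TTL classes sit behind a MAC
    macs_by_ip = defaultdict(set)       # which MACs have sourced each IP

    for mac, ip, ttl in packets:
        initial, hops = infer_initial_ttl(ttl)
        initials_by_mac[mac].add(initial)
        macs_by_ip[ip].add(mac)

        # Post's first check: TTL does not match the default for a directly
        # attached host, so something forwarded (and decremented) the packet.
        if hops != expected_hops:
            findings.setdefault((mac, ip, "ttl_mismatch"),
                                f"ttl={ttl}: {hops} hop(s) from assumed initial {initial}")

        # Post's elimination step: anything not in the verified inventory
        # stays on the "assumed rogue" list until documented.
        if mac not in known:
            findings.setdefault((mac, ip, "unknown_device"),
                                "MAC absent from verified inventory")

    # Beyond the post: one MAC fronting several OS TTL classes is the
    # signature of multiple hosts behind a single NAT device.
    for mac, initials in initials_by_mac.items():
        if len(initials) > 1:
            findings[(mac, None, "multiple_initial_ttls")] = (
                f"initial TTLs {sorted(initials)} seen behind one MAC")

    # ARP-monitoring check: an IP sourced by more than one MAC.
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings[(None, ip, "ip_mac_conflict")] = f"IP sourced by MACs {sorted(macs)}"

    return sorted((mac or "", ip or "", kind, detail)
                  for (mac, ip, kind), detail in findings.items())


if __name__ == "__main__":
    for mac, ip, kind, detail in analyze(SAMPLE_PACKETS):
        print(f"{kind:22} mac={mac or '-':17} ip={ip or '-':14} {detail}")
```

The TTL heuristic is corroborating evidence, not proof: an OS with a non-default initial TTL, or a legitimate router between the sniffer and the hosts (adjust `expected_hops`), produces the same mismatch, which is why the post pairs it with the inventory elimination and treats 802.1X or IPsec-based access protection as the control that actually keeps the hidden hosts off the LAN's resources.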