2002-06-11-16:07:18 Pierre Vandevenne:
> WW> commercial access point. These are typically on appliance devices, and can't
> WW> change their MAC.
>
> Ahem. Have you ever physically opened these devices?
> [...]
> Now, is there any doubt that the MAC addresses of those PCMCIA can be
> changed? I can provide a few pictures of the internal of some devices
> if you like.
Certainly, all APs undoubtedly use the same chipsets, and some of 'em actually have PCMCIA carriers inside. But that's not the point. APs are sold as appliances. They run embedded OSes. I've found VxWorks in one, identified because they forgot to turn off the WDB debugger port when they shipped the image, and I nmapped it.

Sure, a sufficiently clever and determined hacker could write a custom OS for an AP, with support for changing the MAC addr, burn it in a PROM, open the thing up, and replace the embedded OS with their own hack. Easier though, if you're that determined, to just use a laptop as your access point --- even if you can't find drivers capable of making it a real AP in infrastructure mode, you can still do unofficial wireless just fine in ad hoc mode. That's my home net of choice. For such hacks (as well as this hypothetical embedded OS hacker) your choices are pretty much limited to physical walkabout with kismet or whatever, despite the limitations of that approach.

But APs are inexpensive, plug-n-go appliances. Folks with less technical savvy, folks who aren't up to writing custom embedded OSes to allow them to change the MAC addr, buy these things and hook 'em in, generally in ignorance of the risk they're exposing the company to. For this sort of casual error, the wired-side audits are the way to go.

And the exercise of setting up that MAC addr cataloguing system has additional benefits. If you're gonna do it on an enterprise scale, you've gotta automate it; manually collecting ARP tables from hundreds or thousands of routers is too painful. Once you've automated it, there's no reason not to schedule daily, or even hourly, or even every-10-minutes polls gathering this data --- and then you're set to generate a ticket to the helpdesk any time a new MAC addr appears; they've got to find the monkey that installed the box to close the ticket.

Make their lives easier: have the system also collect all your switches' CAM tables and include the exact switch port in the ticket you generate. Now you're not only stomping out rogue APs, you're also showing up and breaking down the door when vendors plug their laptops into your network, etc.

And _This_ in turn has benefits far beyond the direct tangible getting a grip on your net; when you create the perception that you know what's going on, people are more inclined to behave themselves.

-Bennett
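The wired-side audit the message above describes, as an added example that is not part of the original post and not any tool its author used: one polling cycle diffs the MACs in polled router ARP tables against a catalogue of known MACs, then enriches each new MAC with the switch and port from the switches' CAM tables so the helpdesk ticket points at a physical location. The ARP and CAM text, the catalogue and the vendor-prefix hint table are all constructed sample data in Cisco IOS style; a real deployment would feed the parsers from SNMP or SSH output and a proper OUI list.

```python
"""Wired-side rogue-device audit (added example, not from the original post):
diff polled ARP tables against a MAC catalogue and enrich each new MAC with the
switch port from the CAM tables, producing one ticket per unknown device."""
import re
from dataclasses import dataclass

# Constructed sample 'show ip arp' output, keyed by router name.
ROUTER_ARP = {
    "core-rtr-1": """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0c07.ac01  ARPA   Vlan10
Internet  10.1.1.25               3   0012.3456.789a  ARPA   Vlan10
Internet  10.1.1.77               0   00aa.bbcc.ddee  ARPA   Vlan10
""",
}

# Constructed sample 'show mac address-table' output, keyed by switch name.
SWITCH_CAM = {
    "access-sw-3": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0012.3456.789a    DYNAMIC     Gi1/0/5
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/17
  10    0000.0c07.ac01    DYNAMIC     Gi1/0/48
""",
}

# Catalogue of MACs already seen and approved on earlier polls (constructed).
KNOWN_MACS = {"00:00:0c:07:ac:01", "00:12:34:56:78:9a"}

# Vendor prefix hints; placeholder values, a real system would load the IEEE OUI list.
OUI_HINTS = {"00:aa:bb": "placeholder-vendor"}

# Cisco-style dotted MAC: aabb.ccdd.eeff
MAC_RE = re.compile(r"([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})", re.I)


def normalize_mac(cisco_mac):
    """Convert dotted 'aabb.ccdd.eeff' to colon-separated lower-case form."""
    m = MAC_RE.fullmatch(cisco_mac.strip())
    if not m:
        raise ValueError(f"unrecognised MAC format: {cisco_mac!r}")
    hexstr = "".join(m.groups()).lower()
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return {mac: (ip, interface)} from 'show ip arp' output; header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "Internet":
            entries[normalize_mac(parts[3])] = (parts[1], parts[5])
    return entries


def parse_cam(text):
    """Return {mac: (vlan, port)} from 'show mac address-table' output."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit() and MAC_RE.fullmatch(parts[1]):
            entries[normalize_mac(parts[1])] = (parts[0], parts[3])
    return entries


@dataclass
class Finding:
    mac: str
    ip: str
    router: str
    switch: str
    port: str
    vendor_hint: str


def audit(router_arp, switch_cam, known_macs):
    """One polling cycle: every ARP-visible MAC absent from the catalogue becomes a finding.
    Switch/port come from the CAM index when the MAC was learned on a polled switch,
    otherwise they are reported as 'unknown' so the ticket still gets raised."""
    port_index = {}
    for switch, text in switch_cam.items():
        for mac, (_vlan, port) in parse_cam(text).items():
            port_index[mac] = (switch, port)
    findings = []
    for router, text in router_arp.items():
        for mac, (ip, _iface) in parse_arp(text).items():
            if mac in known_macs:
                continue
            switch, port = port_index.get(mac, ("unknown", "unknown"))
            findings.append(Finding(mac, ip, router, switch, port,
                                    OUI_HINTS.get(mac[:8], "unknown")))
    return findings


def ticket_text(f):
    """Helpdesk ticket body: who, where on the wire, and what closes it."""
    return (f"New MAC {f.mac} ({f.vendor_hint}) at {f.ip} via {f.router}; "
            f"seen on {f.switch} port {f.port}. Locate the device and close this ticket.")


if __name__ == "__main__":
    for finding in audit(ROUTER_ARP, SWITCH_CAM, KNOWN_MACS):
        print(ticket_text(finding))
```

Scheduled every few minutes, the only state the job needs between runs is the catalogue; a MAC is added to it when the helpdesk closes the ticket, not when it is first seen, so an unlocated device keeps generating tickets rather than silently becoming "known".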
