matching macs to detect rogue wireless devices

It wasn’t too long ago that I was musing about EthicalHacker.net’s latest challenge dealing with some wireless hijinks.

A similar topic just came up on the SecurityFocus IDS mailing list, in regards to PCI 11.1 and wireless IDS. It was mentioned that an option would be to use something like RogueScanner on the wired side to detect wireless devices. I don’t know why I hadn’t thought of that right away, but yes, you can poll your wired network, gather MAC addresses, and compare them against what they should be. If you see any that are obviously wireless products, you go over and yank them out.

Now, that’s great, but keep in mind it’s not foolproof detection. MACs can be changed even on some home consumer wireless routers, firewalls may prevent the polling up front (although a switch’s MAC table may give more away), extra unmanaged hops can get in the way, and a laptop acting as a router with a second wireless interface may only show up as a regular laptop. But you do get the obvious low-hanging fruit covered.
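Here is what the wired-side check looks like in practice, as an added example (not RogueScanner and not code from the original post): it parses a constructed switch MAC-table dump, drops anything on the expected-inventory list, and tags the leftovers by wireless-vendor OUI and by the locally-administered bit, which is the usual tell that a MAC has been changed. The OUI table and the MAC values are constructed placeholders, not real vendor assignments.

```python
# Constructed placeholder OUI table (first three octets -> vendor).
# Replace with entries from the IEEE OUI registry for real use.
WIRELESS_OUIS = {
    "00:de:ad": "Example WLAN AP vendor (placeholder)",
    "00:be:ef": "Example SOHO router vendor (placeholder)",
}

# Constructed allow-list: MACs we expect to see on this wired segment.
EXPECTED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed sample in the style of a switch "show mac address-table" dump.
SAMPLE_MAC_TABLE = """\
 10    0011.2233.4455    DYNAMIC     Gi1/0/1
 10    0011.2233.4466    DYNAMIC     Gi1/0/2
 10    00de.ad01.0203    DYNAMIC     Gi1/0/7
 20    0211.2233.4477    DYNAMIC     Gi1/0/9
"""

def normalize_mac(raw: str) -> str:
    """Turn 'aabb.cc01.0203' or 'AA-BB-CC-01-02-03' into 'aa:bb:cc:01:02:03'."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means a locally administered (likely changed) MAC."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_mac_table(table: str, expected: set, wireless_ouis: dict) -> list:
    """Return (mac, port, reasons) for every MAC that is not on the allow-list."""
    findings = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4:          # skip headers and blank lines
            continue
        mac, port = normalize_mac(parts[1]), parts[3]
        if mac in expected:
            continue
        reasons = ["not in expected inventory"]
        vendor = wireless_ouis.get(mac[:8])
        if vendor:
            reasons.append(f"wireless vendor OUI: {vendor}")
        if is_locally_administered(mac):
            reasons.append("locally administered MAC (possibly changed)")
        findings.append((mac, port, tuple(reasons)))
    return findings
```

Anything flagged for the vendor OUI is the low-hanging fruit the post describes; the locally-administered flag only tells you a MAC is worth a second look, since the caveats above still apply.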

I have wondered if it could be possible to push traffic from the wired network out through the wireless side. A silent AP can stay relatively hidden, but if you can force it to throw something out now and then, it can be picked up.