[xsherm13x]

Hey guys,
I need to ask you a question. I need to know of any possible ways there are to stop a user from coming into my computer with his/her laptop and connecting wirelessly to a Rogue AP (other company's wireless AP) and then physically plugging into my network and compromising it. I thought of some how with the MAC addresses of all the machines I have hard wired on the network I could input that info somewhere and then if someone brings in their personal laptop and tries to connect it will not allow them but couldn't someone just make the appropriate changes in the Reg Files and now they have a spoofed MAC address? Thanks for any help guys I really appreciate it.

-Steve

[Advertisements]

the best method is physical security...like..asking that guy you don't know to leave...

another option depends on how your physical network is set up....if you've got the proper documentation of which ethernet jack on your wall connects to which port in your switches you can either unplug the unused ports...or turn them off in the switch itself....

if you've got a full cisco network they've got certain products that "sniff" the network and only allow access based on certain criteria....such as domain name (if the pc doesn't match your domain then they don't get connected etc...)

if you're not on a full cisco network there's a product called packetfence that's open source....i've not used it but some people in my corporation do and have had success...you're required to have the ability to set up multiple vlans on your network to use it though

[dsenette]

the best method is physical security...like..asking that guy you don't know to leave...

another option depends on how your physical network is set up....if you've got the proper documentation of which ethernet jack on your wall connects to which port in your switches you can either unplug the unused ports...or turn them off in the switch itself....

if you've got a full cisco network they've got certain products that "sniff" the network and only allow access based on certain criteria....such as domain name (if the pc doesn't match your domain then they don't get connected etc...)

if you're not on a full cisco network there's a product called packetfence that's open source....i've not used it but some people in my corporation do and have had success...you're required to have the ability to set up multiple vlans on your network to use it though

[xsherm13x]

I am sorry I kind of fumbled with my 1st sentence. What I meant was I want to stop a person from my company from coming with his or her laptop and connecting to a wireless signal then connecting to my network via cable and either meshing the networks or compromising information and sending it across to the wireless side in some way. I need to stop that type of an attack. We have a few Cisco devices so let me know if you think anything like a MAC address rule would work. Thanks again for the help.

[dsenette]

AHA! well....the only way to do that would be to encase your building in lead maybe? there's not much you can do to stop someone from connecting to a wireless network while they're in your building


if memory serves correctly....the cisco ASA code that i was mentioning MIGHT have the ability to use that as a criteria (i.e. if any other network connections are present don't allow lan connection)

[xsherm13x]

We have a Cisco PIX Firewall and a IDS iSensor and another Cisco Internet Router but that is managed by AT&T. Is there anything on either of those devices that would allow to either put in that if anoter connection is detected do not allow on the LAN connection? Or is there a way I can input all the computers MAC addresses into one of the devices and say only a computer with this MAC is allowed to access the LAN? Thanks again.

[Gravity Gripp]

The problem with MAC locking or MAC filtering on an enterprise level is the fact that a MAC can be spoofed so easily it's not even funny. What I've done in the past is set up our network to authenticate our users with 802.1x before they connect. Once they authenticate, then they can have access. This will keep unwanted people off your network. However, it will not keep people from joining two networks at the same time. To accomplish this, you would have to have some sort of software presence on their machine. I've used the Cisco Secure Services Client in the past as an 802.1x supplicant and to make sure the machine does not have two connections. Also, keep in mind that 802.1x will work with wireless and wired, but your switches and AP's have to support it, I believe.

Edited by Gravity Gripp, 18 April 2008 - 11:24 AM.

[TheQuickBrownFox]

I need to know of any possible ways there are to stop a user from coming into my computer with his/her laptop and connecting wirelessly to a Rogue AP (other company's wireless AP) and then physically plugging into my network and compromising it.

What I meant was I want to stop a person from my company from coming with his or her laptop and connecting to a wireless signal then connecting to my network via cable and either meshing the networks or compromising information and sending it across to the wireless side in some way.

Oh, so basically, you can access the wireless network of the other company from your building?

Well, I dunno, but shouldn't that be a concern for the other company as well? Are they aware of it? I doubt they'd want that either.

[xsherm13x]

Yes we can pick up other folks wireless in our building and not all, if any are signals from a business, they are more than likely wireless from an apartment house in the very local area.

[TheQuickBrownFox]

Ah, so it isn't necessarily another company's AP. I'm not as good as the other forum members here on GtG so I don't think I can offer much help with regards to that situation aside from the ones already mentioned above.