1. we arent worried about the client behind the ap, just the ap. kill the ap and you remove the clients behind it.
2. per the cisco block of mac addreses and disparate devices, if you have any rogue cisco devices, ap or not, wouldnt you want to know about it? and isnt most cisco equipment static? most routers and switches arent dhcp, right? 3. if you disagree with the premise of using mac addresses, then how else do you differentiate devices on a wire without signatures? what do you propose? 4. and if you take into account an earlier post about spoofing the mac address, i think that would be the first modification i would make on a rogue ap. i would probably find an old 3com nic, unused, and use that mac address. what do you do then? >From: "John Adams" <[EMAIL PROTECTED]> >To: ed d <[EMAIL PROTECTED]> >CC: [EMAIL PROTECTED], <[EMAIL PROTECTED]> >Subject: RE: MORE: Tools for Detecting Wireless APs - from the wire side. >Date: Tue, 11 Jun 2002 16:18:00 -0700 (PDT) > >On Tue, 11 Jun 2002, ed d wrote: > > > depending on how the clients in your network get their ip addresses, you > > might be able to search through your dhcp logs and pull all of the ap >mac > > addresses. > > > > this discounts rogue aps with statics, but if i was to drop a rogue ap >into > > a network, i would probably turn on dhcp, then let it go. > >Ahh, but this is useless if the AP DHCPs an address and then NATs everyone >on wireless. > > > a good site for mac address/vendor coorelation is: > > http://standards.ieee.org/regauth/oui/oui.txt > >I disagree with the entire "find them by Vendor MAC prefix to find APs" >approach. Many vendors are assigned blocks of MAC prefixes (look at Cisco, >for example) and share these blocks between disparate devices, both wired >and wireless. > >--john > >-- >John Adams . Sr. Security Engineer . Inktomi Corporation > > > >---------------------------------------------------------------------------- >This list is provided by the SecurityFocus Security Intelligence Alert >(SIA) >Service. For more information on SecurityFocus' SIA service which >automatically alerts you to the latest security vulnerabilities please see: >https://alerts.securityfocus.com/ _________________________________________________________________ Chat with friends online, try MSN Messenger: http://messenger.msn.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
