
| Subject: | Re: Wired detection of rogue access points |
|---|---|
| Date: | Tue, 27 Mar 2007 11:32:50 -0400 |
It's a strong statement that doing something provides "no additional security whatsoever, period". Any good defense includes layering a collection of countermeasures. No one will save you, but you hope together you will be able to weather the storm. It's like saying I'm not going to lock the door, because a determined locksmith will pick it, or a big ape will smash it open. It's about containment and slowing the attack so that hopefully you can detect its source and eliminate it.

Also, I thought the topic of this thread was access points. It's true that spoofing MAC address on workstations can be done with a variety of tools. Spoofing a MAC address of an access point through firmware etc seems a more delicate task. (If anyone is thinking about responding about workstation emulating an access point bother, my comments only apply to hardware flavors like Linksys etc.)

Jay

----- Original Message -----
From: tim_holman@hotmail.com [mailto:tim_holman@hotmail.com]
To: agraham@datastreamcowboys.net, listbounce@securityfocus.com, focus-ids@securityfocus.com
Sent: Mon, 26 Mar 2007 23:24:25 +0000
Subject: Re: Wired detection of rogue access points

Filtering by MAC gives you no additional security whatsoever, period. MAC addresses can be easily spoofed and although your solution may assist in spotting misconfigurations a determined intruder will get straight through....

Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Adam Graham" <agraham@datastreamcowboys.net>
Date: Mon, 26 Mar 2007 15:52:21
To: <focus-ids@securityfocus.com>
Subject: RE: Wired detection of rogue access points

First off is it even possible to buy a laptop that does not have wifi built in? I have set up an automated scan looking for MACs. If the MAC does not appear on my list I drop its packets in the IPTables FW. It's rather simple to do. The main thing I do that seems to work the best is the APs are un-trusted and therefore stuck out in the DMZ.
Before one can get to network resources they need to open the VPN client after connecting to the AP.

A simple way to handle MACs with IPTables (NOTE: simple rule if you need more instruction I can send it to you or just the complete iptable script):

Let's create 2 text files:

/tmp/whitelist
/tmp/blacklist

Insert into whitelist
00:06:25:2E:56:A0

Insert into blacklist
00:06:25:2E:56:E1

Add following to your IPTables script

```sh
TABLES="filter nat mangle"
iptables=/sbin/iptables

touch /tmp/whitelist
touch /tmp/blacklist

# First column of each list file is the MAC address
WHITELIST=`cat /tmp/whitelist | awk '{print $1}'`
BLACKLIST=`cat /tmp/blacklist | awk '{print $1}'`

# Forward good MACs
$iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT

# mark all packets from the good macs
for MAC in $WHITELIST ; do
    $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42
done

# drop all packets from the bad macs
for MAC in $BLACKLIST ; do
    $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
done
```
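The list-file procedure in the quoted message passes whatever is in the two files straight to iptables, so a typo in one entry can leave a half-loaded rule set. The following is an added example, not part of the thread or of any poster's script: it normalizes and validates the entries and refuses to produce rules when an entry is malformed or a MAC sits on both lists. The function names, the temporary sample files and the `b7` and `G1` MACs are constructed, and the rules are only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the thread: validate the MAC lists before building
# rules. Function names and sample files are constructed.
H='[0-9A-F][0-9A-F]'

# Print normalized MACs (upper case, ':' separated) from list file $1.
# Skips blank lines and '#' comments; a malformed entry makes it return 1.
clean_macs() {
    rc=0
    while read -r mac rest; do
        case $mac in ''|'#'*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr 'a-f-' 'A-F:')
        case $mac in
            $H:$H:$H:$H:$H:$H) printf '%s\n' "$mac" ;;
            *) printf 'bad MAC in %s: %s\n' "$1" "$mac" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Print MACs that appear on both the whitelist $1 and the blacklist $2.
conflicts() {
    w=$(clean_macs "$1" 2>/dev/null) || true
    b=$(clean_macs "$2" 2>/dev/null) || true
    [ -n "$w" ] && [ -n "$b" ] || return 0
    printf '%s\n' "$w" | grep -Fx -- "$b" || true
}

# Print (dry run, nothing is executed) the rules from the post for the two
# lists; refuse with status 1 if a list has a bad entry or the lists overlap.
emit_rules() {
    good=$(clean_macs "$1") || return 1
    bad=$(clean_macs "$2") || return 1
    dup=$(conflicts "$1" "$2")
    [ -z "$dup" ] || { echo "on both lists:" $dup >&2; return 1; }
    echo "iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT"
    for m in $good; do
        echo "iptables -t mangle -I PREROUTING -m mac --mac-source $m -j MARK --set-mark 0x42"
    done
    for m in $bad; do
        echo "iptables -t mangle -I PREROUTING -m mac --mac-source $m -j DROP"
    done
}

# Constructed sample lists: the second blacklist entry is deliberately malformed.
d=$(mktemp -d)
printf '%s\n' '00:06:25:2E:56:A0' '00-06-25-2e-56-b7' > "$d/whitelist"
printf '%s\n' '00:06:25:2E:56:E1' '00:06:25:2E:56:G1' > "$d/blacklist"
emit_rules "$d/whitelist" "$d/blacklist" || echo "refused: fix the lists first"
```

With the sample files the run ends in a refusal because of the `G1` entry; once both lists are clean, the printed rules can be reviewed and then piped to a root shell.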