Specifically, my concern started with the question of finding rogue access points on my network. But to generalize it, I now wonder if it is possible to hide a WAP on a network. In other words, have a device with a static IP in the subnet but make it unresponsive to queries and essentially invisible to monitoring software. I know for example If I went with CISCO hardware, their control software actually only allows traffic from WAPS that are registered.
Can you hide an ethernet device? Yes and no. Yes if it’s a dumb switch that just passes traffic. No, if it has any kind of network device with a network stack and would respond to ARP requests or attempt to send out DHCP requests, etc… You’d be able to see that traffic.
Now, in terms of a Wifi access points, there are two ways you find them. First, get your own WAPs that are looking for nearby wifi. If there are wifi ssids that are broadcasting fairly loud, they might be located inside your building. The second way is by looking at the number of mac addresses being learned on your switch ports. Typically devices only use a single mac address, so if there is port (that’s not a trunk) that learning multiple mac addresses, that can tip you off that something is wrong.
Cisco does have a neat tech that helps with this. For example, you can have your wireless controller attempt to join nearby SSIDs and if it can join, try to ping itself. If it’s successful, then it knows there’s a rogue AP on your network and it can contain it to make it unable.
If you have a Cisco switch you can simply just enable port-security with a max of 1 address. That will automatically kill ports that see more than one mac address.
1 Like
How big/complex is the network? I mean, are there less than 10 nodes in a single building, and all of the non-routing servers can be shut down overnight, or are we talking dozens/hundreds of machines scattered over multiple sites with promiscuous application servers that ‘must’ be up 24/7?
If you can shut off all the chatty application servers, then it becomes a lot, lot easier to ‘hear’ the sounds made by rogue devices of any sort. Imagine you are hunting submarines.
I mean Yes, but if you are monitoring traffic it would be hard to hide.
You have more to fear from your users as they are more likely to do something malicious as that device has to get there some how.
Unless the network is using 802.1x you can mitm any ethernet device. You can clone / nat and passthrough mac ethernet / ip addresses easy peasy.