Archived from groups: alt.internet.wireless
On Fri, 26 Nov 2004 09:24:06 -0500, William P.N. Smith wrote:
>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>1. When one "clones" the MAC address in the router's configuration,
>>it's the WAN side MAC address that gets tweaked
>I suspect we're in violent agreement.
I just hate it when that happens (when I agree with someone).
>My scenario was to plug the WAN port of the router into the corporate
>LAN, clone the authorized MAC address from the workstation into the
>WAN MAC address on the router, and plug in my own devices to the LAN
>ports on the router.
OK. I concede. Y'er right. If you do it that way, cloning the MAC
address of the workstation will only show the MAC address of the
workstation. However, there will be plenty of packets spewing from
behind this router that have the MAC addresses of other devices that
are attached. If one only uses the existing authorized corporate
workstation via wireless, then such an arrangement is undetectable.
However, hang additional devices on the LAN side, and they can usually
be detected.
Many years ago, one of the cable companies was trying to extort extra
revenue from users that hid multiple computers behind an NAT firewall.
Their forward thinking Terms of Servitude insisted on one machine per
cable modem and prohibited private networks. So, they turned over the
job to a telemarketing pool, who used some analysis tools to look at
sequence numbers and traffic patterns to determine how many machines
were hidden behind NAT. It turned out to be trivially easy and fairly
accurate. I don't have access to the tools, but I know the people
that wrote them. It's exactly the same problem as sniffing (or log
grovelling) the LAN for extra machines hidden behind wireless.
Drivel: I have some weird stories about the history of "counting
eyeballs" as it was called in the movie industry, where the equivalent
of service providers were historically charging by the number of
people watching. I personally participated in a useless exercise to
restrict the number of viewers and views of early VCR's.
>From the corporate LAN, you can't tell by {scanning, watching,
>capturing} MAC addresses that I've got my own private LAN hiding
>behind the one true authorized MAC address, though you may be able to
>do traffic analysis to guess that there's something going on.
Well the usual method is signature analysis (Nessus and Nmap):
http://www.tenablesecurity.com/white_papers/wap-id-nessus.pdf
There was quite a bit of discussion on detecting computers behind NAT
firewalls in various mailing lists in about 1999. I'll do some
digging and see if I can find some specifics. I'm not too good on the
protocols and will probably screw something up if I core dump from
memory.
>[OTOH, if I'm doing that, your IT department hasn't satisfied an IT
>need, and if your IT department is clever enough to do traffic
>analysis, why can't they satisfy my IT need? 8*]
I don't know any IT department that has the time to look at log files
in depth or do proactive monitoring. They hire "security experts" to
do it for them. It's kinda like home termite exterminators. Every
time there's evidence of a problem, they call in the exterminators,
clean up the mess, repair the damage, and leave. A short time later,
it's back, so they call the exterminators again.
Incidentally, I've only been involved in about 5 "sweeps" for rogue
access points and wireless routers on corporate LAN's. In *ALL* 5
cases, the biggest offenders were found around mahogany row, where IT
doth tread lightly. I was hired by IT because I was essentially
fire-proof and have no fear of (or respect for) the corporate
hierarchy. However, only 1 of these 5 companies has asked me to
return or do other work, so I suspect my non-diplomatic style of
playing "security expert" is not a viable continuing business model.
Incidentally, one clown decided to use my method of getting what he
wanted from IT. If the problem is invisible, make it obvious. If the
problem isn't a crisis, create one. He installed a 300ft roll of CAT5
in his office on a plastic garden hose spool. Whenever he went into
the cube farm (office partition forest), he would drag the length of
wire behind his laptop. Needless to say, IT eventually delivered a
properly secured access point immediately after everyone, except this
clown, complained about tripping over the cable and management
complained about the disruption it was causing.
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
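
The sequence-number analysis mentioned in the post, sketched as an added example; it is not part of the original post and not the tools the author refers to. It assumes the "sequence numbers" are IPv4 Identification (IP ID) values and that each host increments one global counter; `count_hosts`, `sample_capture`, the thresholds and the packet data are hypothetical and constructed for illustration.

```python
# Added example: estimate how many hosts share one source address (or one
# cloned MAC) by chaining IPv4 Identification values into per-host sequences.
# Assumption: each host increments a single global 16-bit IP ID counter.
# Stacks that randomize or zero the IP ID produce no chains and are not counted.

MAX_GAP = 64       # largest forward jump still treated as the same counter
MAX_IDLE = 30.0    # seconds of silence after which a chain stops matching
MIN_PACKETS = 3    # chains shorter than this are treated as noise

def count_hosts(packets, max_gap=MAX_GAP, max_idle=MAX_IDLE,
                min_packets=MIN_PACKETS):
    """packets: iterable of (timestamp_seconds, ip_id) seen from ONE source.
    Returns the number of distinct incrementing IP ID sequences."""
    chains = []  # each chain is [last_id, last_time, packet_count]
    for ts, ip_id in sorted(packets):
        best = None
        for chain in chains:
            if ts - chain[1] > max_idle:
                continue
            # Modular distance so a counter wrapping 65535 -> 0 stays in its chain.
            gap = (ip_id - chain[0]) % 65536
            if 0 < gap <= max_gap and (best is None or gap < best[0]):
                best = (gap, chain)
        if best:
            chain = best[1]
            chain[0], chain[1] = ip_id, ts
            chain[2] += 1
        else:
            chains.append([ip_id, ts, 1])
    return sum(1 for c in chains if c[2] >= min_packets)

def sample_capture():
    """Constructed capture: three hosts interleaved behind one address,
    one of them with a counter that wraps around during the capture."""
    packets = []
    a, b, c = 100, 40000, 65530
    for i in range(12):
        t = i * 0.5
        packets.append((t, a)); a = (a + 1 + i % 3) % 65536
        packets.append((t + 0.1, b)); b = (b + 2) % 65536
        if i % 2 == 0:
            packets.append((t + 0.2, c)); c = (c + 3) % 65536
    return packets

if __name__ == "__main__":
    print("estimated hosts behind the address:", count_hosts(sample_capture()))
```

In practice the (timestamp, IP ID) pairs would come from a capture on the upstream segment, filtered to the single source address or MAC under suspicion.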