Hello again folks. I'm trying to see if it's possible to find rogue MAC/IP addresses somehow, search them in UDT, and see if they are connected to our network, and to whom. Is there any way of going about this or is this not possible? Thank ya.
NPM should be able to tell you which APs are yours, and which are rogue. Start by making sure all your APs are in NPM, then build heat maps showing their coverage, and then build a report to show APs present that aren't yours.
You won't have the right info until you get some good filtering in place, because every smartphone that has its internal hot spot enabled will show up as a rogue or unknown AP in your WLAN.
You'll need to filter out known APs that have physical connections into your switches, and then find all APs that are "unknown" AND that have physical connections into your switches. Those are the bad guys.
Also, no private APs should be able to connect directly to your WLAN, as if your corporate APs were in repeater mode. But if you have a public Guest SSID, that pretty much eliminates that filtering ability, since any AP or smartphone with local hotspot enabled will connect to it.
You might be able to do more filtering and identify neighborhood homes or neighboring businesses with APs whose WLAN overlaps with yours. A good heat map will show those "rogues" and you may be able to visit the business owners and discuss how you can be good WLAN neighbors with each other. Maybe you can agree on how you'll shut off all 2.4 GHz services and leave them for your neighbor (aren't I sweet?). Or maybe you both want to use 5 GHz services, and you can agree on who will use which radio channels. Then you each set up the overlapping APs to only use your agreed-on channels.
It'll be hard to get this same kind of efficiency with private/personal/neighborhood/home APs, though. And it'll be impossible to get that cooperation from everyone with a smartphone that has its WiFi hotspot feature enabled. Unless you wanted to be aggressive and target every unauthorized hotspot with floods of de-authentication packets. And that's not going to go over well with many people.
What is a Rogue AP? Most people refer to it as a wireless device hosting some sort of wireless network within your airspace. While this can cause interference and potential user issues it isn't really a security issue unless it is trying to masquerade as one of your access points OR ...
My definition of a rogue AP: A wireless device hosting a wireless network that is SIMULTANEOUSLY connected to your internal network thus allowing connected wireless users to access your internal network resources.
I kept trying to figure this out. How do I tell if there is a wireless device that is setting up an SSID, allowing users to connect wirelessly, and is directly connected to the internal network? I found the trick. It was hard, but I got to thinking about MAC addresses.
Each wireless network interface has a unique MAC address. Wireless APs have a wireless radio MAC and also have a cabled network interface MAC. Think of your laptop. You have (2) NICs. One wireless and one Ethernet. They both have MAC addresses. If you look at the MAC addresses on your laptop they are probably very different from each other. The components in your laptop are made by different manufacturers and lot runs. So your wireless adapter MAC is vastly different from your Ethernet adapter MAC. BUT manufacturers of APs generally have the MAC address of the wireless radio very similar to the Ethernet adapter MAC. For example: Radio = 1111.1111.11AC Ethernet = 1111.1111.AD
Once you install UDT, your Orion server will start tracking wireless information. It also creates several new tables on your Orion SQL server. So I got to fiddling around and (working with my friendly neighborhood SQL admin) was able to set up a script to compare MAC addresses from wireless devices and MAC addresses of devices on the internal network. We wrote a query to look for MAC addresses in both tables that were very similar (the first 10 characters of the MAC are identical). My SQL dude set up a job to run this script weekly and email me a report. What we got was the following:
What I found out is if the MAC in the left column is the same as in the right, then this is a wireless-only device, and we are cool, no worries. If you see the Parainfluenza SSID, the left and right don't match but are very, very close. Meaning these 2 MACs are from the same device. Therefore this is a wireless AP hosting an SSID and is also connected to the internal network. (This example is actually an exempted AP that we manage.) Also, Mr. BUBS is a rogue AP. Tracked it down to a Dr.'s office and yanked it off the network.
The Samsung Galaxy looks close, but the MACs are too far off to be from the same device. But it is suspiciously close. The maker of the wireless adapter in the galaxy phone also made another device connected internally. Needs further investigation.
There are a couple of printers listed. One is wireless only and is OK, but the other is putting out an SSID and is connected to the internal network. Turns out the printer plugs into our network with a cable, but also puts out a little wireless network. Turned that off, but it stayed on. Found out we had to do a firmware update to get it to actually turn off the wireless capabilities. User was upset, because she wanted to print stuff from her phone. I said, "Ok, but if you want to print from your phone, let me just shutdown this little network jack in the wall, but you won't be able to print from your PC anymore. Your choice. "
How do you find out if a MAC is connected to the internal network? Go to the UDT home page and put it in the search bar. It will pop up and show you the switch and port it is plugged into, or it will show nothing.
Works great!!!
If you want specifics let me know.
-B
Can you share the SQL please?
Here is our procedure. Sorry for the late reply. Hope this helps!
Through the use of SolarWinds, many different MAC address tables are built. Each of these is used for different modules within SolarWinds. These tables can be queried through SQL to identify interesting information. A SQL job that runs weekly (shown below) generates results that are sent via email for review.
Requirements:
Caveat:
SQL Job :
-- Wireless-seen MACs whose first 10 characters also appear in the UDT wired endpoint table
SELECT [MACAddress],[CurrentChannel],[SignalStrength],[SSID],[FirstUpdate],[LastUpdate]
FROM [NetPerfMon2].[dbo].[Wireless_Rogues] AS NetPerfMAC
WHERE (EXISTS
(SELECT [MACAddress]
FROM [NetPerfMon2].[dbo].[UDT_Endpoint]
WHERE (LEFT([MACAddress],10) = LEFT(NetPerfMAC.[MACAddress],10) ) ))
ORDER BY [MACAddress]
-- Same match, but joined so both MACs appear side by side (the EXISTS is redundant with the join)
SELECT TOP (100) PERCENT NetPerfMAC.MACAddress AS UDT_MACAddress, NetPerfMAC.CurrentChannel, NetPerfMAC.SignalStrength, NetPerfMAC.SSID,
NetPerfMAC.FirstUpdate, NetPerfMAC.LastUpdate, dbo.UDT_Endpoint.MACAddress AS Wireless_Mac
FROM dbo.Wireless_Rogues AS NetPerfMAC INNER JOIN
dbo.UDT_Endpoint ON LEFT(NetPerfMAC.MACAddress, 10) = LEFT(dbo.UDT_Endpoint.MACAddress, 10)
WHERE EXISTS
(SELECT MACAddress
FROM dbo.UDT_Endpoint AS UDT_Endpoint_1
WHERE (LEFT(MACAddress, 10) = LEFT(NetPerfMAC.MACAddress, 10)))
ORDER BY UDT_MACAddress
If UDT MAC = Wireless_MAC, then the device has been seen by UDT on wireless. Therefore the device has wireless enabled and is emitting an SSID. These should be shut down as we do not permit devices to propagate their own SSID on our wireless space. The only exceptions would be devices offsite.
If UDT MAC is very close to Wireless_MAC, then more than likely this is a true rogue access point that needs to be investigated.
Given an Excel spreadsheet showing the results from above, and by making a few alterations and adding a couple of columns to calculate the difference between MAC addresses, you end up with the following:
The table above is just for illustration purposes. An email is sent weekly to the Network Manager and Wireless Engineer containing the latest results of the query. The results are de-duplicated and only reflect MAC addresses that are deemed to be "close". All other data is removed before the report is sent.
Next you need to determine if any of these devices are physically cabled to the internal network.
Browse to SolarWinds and go to UDT Summary page. In the top right of the page find the search field:
Enter the MAC address. Typically the "Wireless_Mac" address is the one found on the physical network, but not always.
If results are displayed, you need to determine if the MAC address is on a switchport or a trunk port. If it is on a switchport, it is an official rogue access point. If it is on a trunk port, verify that the trunk port is used for public Wi-Fi use only.
You need to run each MAC address from all columns through the search to see if any show up as plugged into the network.
Create a Service Desk ticket for the Client Services team to identify the device, inform the user, and disable the wireless capabilities (if the device is an approved device for the network such as a printer). The device needs to be removed if it is unapproved such as a wireless router. If the device is unapproved, Client Services should report it to the Security Team so that an Incident Report can be generated.
Hi. Here is a version that includes calculating the integer difference of the last two characters of each MAC address. That should eliminate the need to do the calculations externally. This works in Report Writer under 2017.3 Orion.
-- Assumes MACAddress is stored as 12 hex digits with no separators (first 10 chars = 5 octets, RIGHT(...,2) = last octet)
SELECT NetPerfMAC.MACAddress AS Wireless_Mac, NetPerfMAC.CurrentChannel, NetPerfMAC.SignalStrength, NetPerfMAC.SSID,
NetPerfMAC.FirstUpdate, NetPerfMAC.LastUpdate, UDT_Endpoint.MACAddress AS UDT_MACAddress,
-- last octet as INT: '0x..' string -> varbinary (style 1) -> INT; wired minus wireless
CONVERT(INT, CONVERT(varbinary, '0x' + RIGHT(UDT_Endpoint.MACAddress, 2), 1)) - CONVERT(INT, CONVERT(varbinary, '0x' + RIGHT(NetPerfMAC.MACAddress, 2), 1)) AS Difference
FROM Wireless_Rogues AS NetPerfMAC INNER JOIN
UDT_Endpoint ON LEFT(NetPerfMAC.MACAddress, 10) = LEFT(UDT_Endpoint.MACAddress, 10)
WHERE EXISTS (SELECT MACAddress FROM UDT_Endpoint AS UDT_Endpoint_1 WHERE LEFT(MACAddress, 10) = LEFT(NetPerfMAC.MACAddress, 10))
ORDER BY Wireless_Mac
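The correlation the two SQL posts above describe, written out in Python as an added example (not code from this thread or from SolarWinds) so the logic can be seen end to end: normalize MACs from any separator style, join wireless-seen MACs to wired UDT endpoints on the first ten hex digits, compute the wired-minus-wireless last-octet difference, and apply the "same / very close / same vendor only" reading from the procedure post. The sample rows are constructed, not real Orion data, and the closeness threshold CLOSE_DELTA is an assumption, since the thread gives no number for "very close".

```python
import re
from dataclasses import dataclass

PREFIX_HEX_DIGITS = 10   # mirrors LEFT(MACAddress, 10) in the thread's SQL: first five octets
CLOSE_DELTA = 8          # assumed threshold for "very close" last octets; the thread gives no number

# Verdicts, following the rules in the procedure post above
SAME_MAC = "same MAC: wireless-only device that UDT saw on the WLAN"
ADJACENT_MAC = "adjacent MAC: likely an AP radio whose wired NIC is on the LAN, investigate"
SAME_VENDOR = "same vendor prefix only: probably a different device, low priority"


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 upper-case hex digits, whatever separator style it came in."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Match:
    ssid: str
    wireless_mac: str
    wired_mac: str
    difference: int   # wired last octet minus wireless last octet, as in the SQL Difference column
    verdict: str


def classify(difference: int) -> str:
    """Apply the thread's reading of the difference between the two MACs."""
    if difference == 0:
        return SAME_MAC
    if abs(difference) <= CLOSE_DELTA:
        return ADJACENT_MAC
    return SAME_VENDOR


def correlate(wireless_rogues, udt_endpoints):
    """Join the two lists on the first ten hex digits, like the INNER JOIN in the thread."""
    wired_by_prefix = {}
    for mac in udt_endpoints:
        n = normalize_mac(mac)
        wired_by_prefix.setdefault(n[:PREFIX_HEX_DIGITS], []).append(n)
    matches = []
    for ssid, mac in wireless_rogues:
        w = normalize_mac(mac)
        for wired in wired_by_prefix.get(w[:PREFIX_HEX_DIGITS], []):
            diff = int(wired[-2:], 16) - int(w[-2:], 16)
            matches.append(Match(ssid, w, wired, diff, classify(diff)))
    return sorted(matches, key=lambda m: (m.wireless_mac, m.wired_mac))


def close_only(matches):
    """The filter applied before the weekly email: keep only rows deemed 'close'."""
    return [m for m in matches if abs(m.difference) <= CLOSE_DELTA]


# Constructed sample data (not real Orion rows): (SSID, MAC) as from Wireless_Rogues,
# and plain MACs as from UDT_Endpoint, deliberately in mixed separator styles.
WIRELESS_ROGUES = [
    ("PhoneHotspot", "00:1A:2B:3C:4D:5E"),   # UDT also saw this exact MAC on the WLAN
    ("BackOfficeAP", "0c11.2233.44a0"),      # radio MAC; the wired NIC is one above it
    ("SalesPrinter", "D4-E5-F6-07-08-10"),   # shares a vendor prefix with another wired device
    ("NeighborWiFi", "AA:BB:CC:DD:EE:01"),   # nothing on the wire shares its prefix
]
UDT_ENDPOINTS = ["001A2B3C4D5E", "0C-11-22-33-44-A1", "d4e5f6070890", "FFEEDDCCBBAA"]


def weekly_report(wireless_rogues=WIRELESS_ROGUES, udt_endpoints=UDT_ENDPOINTS):
    """What the weekly email would carry: only the close matches, sorted by wireless MAC."""
    return close_only(correlate(wireless_rogues, udt_endpoints))


if __name__ == "__main__":
    for m in correlate(WIRELESS_ROGUES, UDT_ENDPOINTS):
        print(f"{m.ssid:13} {m.wireless_mac} {m.wired_mac} {m.difference:+4d}  {m.verdict}")
```

Each close match still has to go through the UDT search described in the procedure to confirm the wired MAC actually sits on a switchport; the script only narrows the list, exactly as the SQL job does.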