Deny DHCP and Network access to rogue wireless routers

Tags:
DHCP
Routers
We are running a MS DHCP network and home wireless routers are finding their way in. I scan the DHCP scopes daily and thought I was denying their ability to connect by creating a reservation for the MAC address and modifying the configuration options for the device. I set the following options to 127.0.0.1: 003-Router, 005-Name Servers, 006-DNS Servers and 044-Wins/NBNS Servers. I also changed option 015-Domain Name to "blank". This works on rogue laptops that use wired ethernet, but the wireless routers still seem to be able to give network access to any computer connecting to them. How can I configure DHCP to deny rogue devices from obtaining IPs and passing that access to their clients? Thanks in advance

Answer Wiki

Disable SSID Broadcast, and enable Pre-shared WPA keys instead of WEP to avoid unwanted access from unknown sources.

You can also map the MAC addresses in the wireless routers and not as a reservation in DHCP. Mapping the MACs in DHCP only reserves an IP for a specific card but does not limit leases from being handed out to normal requests.

Discuss This Question: 6 Replies

  • Astronomer
    I am not aware of any reasonable way to limit DHCP clients unless you make the handing out of addresses a part of the login/authentication process. You may want to investigate using 802.1x to limit access to authenticated hosts. The other unpleasant option would be to restrict the scopes to the size of the installed base and reserve each IP to a specific MAC. Depending on the installed base this can get unmanageable fast. Another possibility I just thought of would be if the switches can block MACs. If they can include wild cards in the MAC specification, you could block specific manufacturers by specifying just the first three bytes. The manual for our HP switches includes MAC lockout and MAC lockdown but only discusses specific MACs. I will check what they say. Regardless of this, it seems you should have some sort of wireless scanning to troll for rogue wireless devices. If you can't limit MACs on the switches you may want to create an invalid scope with each IP reserved to a MAC of a rogue device you have discovered. Don't let this scope have any spare IPs to give out. If you do this, these devices won't be able to talk to anyone else except other rogue devices. I haven't tried this but it may help for a while. rt
  • Twhite
    Thanks for the info. I'll pursue the "invalid scope" option and will look at trying to deny MACs in the various switches. Our DHCP scopes are geographically segregated w/ several VLANs, so the switch option would be a bit harder and more maintenance intensive. I should be able to create a scope that spans the site and hands out invalid DHCP based on MAC addy reservations.
  • FlyNavy
    This sounds like a corporate LAN. We handled this through policy. We confiscate and do not return any rogue computing devices via policy. After a few employees lost the 50 or so dollars for the access point, they quit trying to add them to the network. We made them sign a corporate IT user's agreement that had this as a clause.
  • Twhite
    It's actually a Public School network and we do have policy in place prohibiting unauthorized devices. I would enjoy nothing better than to do just that, but I'm only the Network Admin, not the Director. Oh well, back to cat-and-mouse. Thanks to everyone for the suggestions!
  • Sonyfreek
    Blocking DHCP to the Rogue WAPs isn't going to help out in your situation. The reason why is that knowing the IP range of your network is as simple as ipconfig away. The type of people that are going to go through the trouble of installing a rogue WAP on your network aren't going to let the absence of getting an IP stop them. They're going to go to a PC, run IPconfig and learn what range the network runs in. They'll then simply ping a few addresses until they find an unused IP and set the WAP to that address. You really need to get at the root of the problem. That means both policy and action. Policy has already been discussed, so I'll talk about what you can do to prevent it from happening. I'd focus my efforts on locking down port security on your switches. This can be automated or can be done manually. Obviously, automated means are better, but more expensive as it requires software, like Cisco's Access Control Server (ACS) and Network Access Control (NAC). Manually locking down port security can be found at this link (for Cisco switches): http://articles.techrepublic.com.com/5100-1035-6123047-1.html You should also shut down any unused ports on your network, but without port security turned on, it does no good. They'll simply unplug a PC and use that port for the rogue WAP. You should also check out a wireless sniffer like Airmagnet: http://www.airmagnet.com/products/laptop.htm, netstumbler: http://www.netstumbler.com/, or kismet: http://www.kismetwireless.net/. It'll help you seek out rogue APs. SF
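As an added example (not code from this thread or from any of the posters), the following Python script applies two of the checks raised above to a switch MAC-address table rather than to DHCP leases: Astronomer's idea of matching a manufacturer by the first three bytes (OUI) of the MAC, and Sonyfreek's point that a rogue AP set to a static IP never touches DHCP at all, so the switch table is the better place to look. The OUI prefixes, the table rows and the port names below are constructed placeholders, not real vendor assignments or a real export.

```python
import re
from collections import Counter

# Constructed watchlist: OUI prefix -> label. Replace with prefixes from the
# IEEE OUI registry for the consumer-router vendors seen on your network.
ROGUE_OUIS = {
    "AA:BB:CC": "consumer-router vendor A (placeholder OUI)",
    "DD:EE:FF": "consumer-router vendor B (placeholder OUI)",
}
# Constructed sample of a "show mac address-table"-style switch export.
MAC_TABLE = """\
Vlan  Mac Address     Type     Ports
10    aabb.cc01.0203  DYNAMIC  Gi1/0/7
10    0011.2233.4455  DYNAMIC  Gi1/0/8
20    ddee.ff99.8877  DYNAMIC  Gi1/0/12
20    0011.2233.4466  DYNAMIC  Gi1/0/12
20    0011.2233.4477  DYNAMIC  Gi1/0/12
"""
MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    """Turn aabb.cc01.0203 into AA:BB:CC:01:02:03 so the OUI is mac[:8]."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Yield (vlan, mac, port) for each data row; the header row does not match."""
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            yield m.group(1), normalize_mac(m.group(2)), m.group(3)

def find_suspects(text, max_macs_per_port=1):
    """Return (kind, port, value, note) findings.
    oui-match: first three bytes are on the watchlist (fires even when the
      router took a static IP and never asked DHCP for a lease).
    multi-mac-port: a user port carrying several MACs, which is what a home
      router plugged in by a LAN port (bridged) looks like; plugged in by its
      WAN port (NAT) only its own MAC shows, so only the OUI check fires."""
    entries = list(parse_mac_table(text))
    findings = []
    for _vlan, mac, port in entries:
        if mac[:8] in ROGUE_OUIS:
            findings.append(("oui-match", port, mac, ROGUE_OUIS[mac[:8]]))
    for port, n in Counter(p for _, _, p in entries).items():
        if n > max_macs_per_port:
            findings.append(("multi-mac-port", port, str(n), "more MACs than one host"))
    return findings
```

On the constructed table this flags Gi1/0/7 and Gi1/0/12 by OUI and Gi1/0/12 again for carrying three MACs; uplinks and ports with legitimate hubs or phones need a higher `max_macs_per_port` or an allowlist.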
  • JennyMack
    You might want to check out this article on our sister site, SearchMobileComputing.com: "Detecting rogue mobile devices on your network". Not only does it outline methods of both periodic scanning and continuous monitoring, but it also addresses some future challenges of network security and mobile devices.