We have a PCI requirement to conduct scans for rogue/unauthorized WAPs quarterly. Below are the properties I'm looking for.

  1. Simple to conduct. We have a satellite office, in addition to our main office, so we need something simple enough to be conducted by a non-tech person. I can audit the results back in the main office.

  2. Suitable for a Wi-Fi-heavy environment. Our offices are in office buildings, so we have SSIDs all over the place. The simple scan-and-eliminate method doesn't work well here.

  3. Affordable (sub $200 would be nice). Since we'll only conduct scans quarterly, we can't justify something costly.

  4. Can be run from a laptop. We operate completely in the cloud. So any solution that requires a server isn't suitable for us. We also don't have WAPs in our satellite office.

I've tried several software tools (inSSIDer, Acrylic, NetSpot, NetStumbler). They identify SSIDs, vendor, MAC addresses, etc., but don't provide any specific info to show which are rogue WAPs. I can output a list of devices/MACs on our network through our FW. Would matching up the MACs in the FW list and wireless list be sufficient to identify rogue APs?

Any other ideas would be greatly appreciated as well.

Thanks in advance, S

sjl

1 Answer

Actually, detecting a rogue AP is a complex task and it requires analysis.

First of all, what data can identify an AP?

  • SSID
  • Channel
  • MAC address
  • Location
  • Physical port

What data can a rogue AP impersonate?

  • same as above

How can I detect this?

It's hard to tell, but the SANS Institute has published a PDF about this topic to help people understand and detect such devices.

This paper also gives a list of tools and techniques for detecting rogue devices.

It can be automated through a script running on a laptop, I guess.

P0pR0cK5
  • Thanks Julien. An interesting read. Most of the tools contained are custom created by the author, and he only supplies the code, not the tool. So doesn't really suit my needs. – sjl May 23 '19 at 06:05
  • Sorry for that. But it can help you to find the right tools for your needs, maybe? Here is a tool on GitHub that I've already used: https://github.com/anotherik/RogueAP-Detector – P0pR0cK5 May 23 '19 at 09:19
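
The MAC cross-check asked about in the question, as an added example that is not part of the original posts or of any tool named above: it triages a scanner export against the firewall's MAC list and an inventory of approved APs. All sample data is constructed, the verdict names are hypothetical, and the adjacency tolerance of 8 is an assumption (an AP's radio BSSID often differs from its wired MAC by a few addresses, so an exact match alone misses devices).

```python
# Constructed sample data: every MAC, SSID and verdict name below is made up.
AUTHORIZED = {"00:11:22:33:44:50": "CorpWiFi"}   # approved BSSID -> expected SSID
FIREWALL_MACS = ["00:11:22:33:44:4f", "A4-5E-60-10-20-30", "3c52.82aa.bb01"]
SCAN = [  # (BSSID, SSID, channel) rows as exported from a Wi-Fi scanner
    ("00:11:22:33:44:50", "CorpWiFi", 6),
    ("a4:5e:60:10:20:31", "linksys", 11),
    ("de:ad:be:ef:00:01", "CorpWiFi", 6),
    ("f0:9f:c2:01:02:03", "CoffeeShop", 1),
]
ADJACENCY = 8  # assumed tolerance between a wired MAC and the radio BSSID


def mac_to_int(mac):
    """Normalise aa:bb:.., AA-BB-.. or aabb.ccdd.eeff notation to an integer."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def classify(scan, firewall_macs, authorized, adjacency=ADJACENCY):
    """Return (bssid, ssid, channel, verdict) for every scanned AP."""
    wired = [mac_to_int(m) for m in firewall_macs]
    allowed = {mac_to_int(b): ssid for b, ssid in authorized.items()}
    corp_ssids = set(authorized.values())
    findings = []
    for bssid, ssid, channel in scan:
        b = mac_to_int(bssid)
        if b in allowed:
            # Approved BSSID: still check it advertises the SSID we expect.
            verdict = "authorized" if allowed[b] == ssid else "bssid-mismatch"
        elif any(abs(b - w) <= adjacency for w in wired):
            # Unknown radio whose address sits next to a MAC seen on our wire.
            verdict = "rogue-on-wire"
        elif ssid in corp_ssids:
            # Our SSID from a radio we do not own: review for impersonation.
            verdict = "ssid-impersonation"
        else:
            verdict = "neighbour"
        findings.append((bssid, ssid, channel, verdict))
    return findings


if __name__ == "__main__":
    for row in classify(SCAN, FIREWALL_MACS, AUTHORIZED):
        print("{:<18} {:<12} ch{:<3} {}".format(*row))
```

Because a rogue AP can copy SSID, channel and MAC, as the answer lists, an "authorized" verdict here only means nothing contradicted the inventory; it is a filter that shrinks the review list in a crowded building, not proof.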