My client recently changed their network policy so now all WIFI routers are disallowed from the network. They said they would be running some scans and that they would be able to find "rogue" WIFI routers on the network.
How would they be able to detect these WIFI routers and access points? They are located remotely to the 100+ branches/corporate offices, so it's definitely a network tool and they're not walking around with WIFI detectors or anything like that.
Just curious, as I thought it was interesting.
Many professional access points like the ones Cisco provide can not only detect rogue access points through the management engines they're connected to - they can actually prevent anyone from using them by attacking them with disassociation packets and whatnot. And of course, report found rogue access points immediately and depending on the number of valid access points in the area - do a somewhat useful location detection as well.
If they're already using a supported wireless solution, which by your mention of the number of offices, I'd guess they do - it would just be a matter of turning the option on.
The radio monitoring feature uses the radio measurement capabilities on Cisco IOS APs and Cisco Client Adapters to discover any new 802.11 APs that are transmitting beacons. Both clients and APs periodically scan for other 802.11 beacon frames on all channels. Reports of detected beacons are returned to the Radio Manager, which validates these beacons against a list of APs known to be authorized to provide wireless access. A newly discovered AP that cannot be identified as a known authorized AP generates an administrator alert.
source
If they're just now implementing that policy then my gut says that their threat of a scan is just scare tactics. But that's just me being cynical...
A few methods would be:
My guess is that they're checking the MAC addresses associated with wireless access points as described in this guy's blog post.
http://barnson.org/node/611
They could check ARP tables and look at the vendors, or enable 1x on all their switch ports.
Doesn't necessarily stop the access point from being there but it would stop people from using the wireless.
Cisco also has rogue access point detection built into their latest wireless solutions. (I'd assume Aruba does as well).
At your router/firewall look for outgoing packets with a lower TTL than normal. The router part of the WiFi router will lower the TTL value of a packet when it flows through it.
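The TTL check in the answer above, written out as an added example (this is not code from the thread). It assumes flow records have already been exported from the edge firewall as constructed "src dst ttl" lines, and that clients sit directly on the LAN side of the capture point (no internal routers), so any packet arriving one hop below a common initial TTL has crossed a router that should not be there. Hosts that show TTLs from two different initial-TTL families (e.g. 63 and 127 behind one IP) are the strongest signal, since one operating system does not emit both.

```python
# Added example, not from the original thread: flag internal hosts whose
# outgoing packets reach the edge with a TTL one router hop below a common
# initial value, which is what traffic NATed through a consumer Wi-Fi router
# looks like from the firewall's side.
from collections import defaultdict

# Initial TTLs used by common operating systems: 64 (Linux, macOS, BSD),
# 128 (Windows), 255 (many network devices). After one extra router hop
# they arrive as 63, 127 or 254.
INITIAL_TTLS = (64, 128, 255)
MAX_WINDOW = 4  # how far below an initial TTL we still attribute to that base


def decremented_hops(ttl):
    """Return how many router hops below the nearest initial TTL this value is,
    or None if it is not within MAX_WINDOW of any known initial TTL."""
    for base in INITIAL_TTLS:
        if 0 <= base - ttl <= MAX_WINDOW:
            return base - ttl
    return None


def parse_record(line):
    """Parse one constructed flow record 'src_ip dst_ip ttl' into a tuple."""
    src, dst, ttl = line.split()
    return src, dst, int(ttl)


def find_extra_hop_hosts(lines, expected_hops=0):
    """Return {src_ip: set(observed_ttls)} for hosts whose packets arrive more
    than expected_hops below an initial TTL. expected_hops is the number of
    legitimate internal routers between the client subnet and the capture point."""
    suspicious = defaultdict(set)
    for line in lines:
        src, _dst, ttl = parse_record(line)
        hops = decremented_hops(ttl)
        if hops is not None and hops > expected_hops:
            suspicious[src].add(ttl)
    return dict(suspicious)


def mixed_ttl_families(lines):
    """Return source IPs seen with TTLs derived from more than one initial TTL
    (e.g. both 63 and 127): a single host runs one OS, so this usually means
    several different machines are NATed behind that address."""
    families = defaultdict(set)
    for line in lines:
        src, _dst, ttl = parse_record(line)
        for base in INITIAL_TTLS:
            if 0 <= base - ttl <= MAX_WINDOW:
                families[src].add(base)
    return sorted(ip for ip, bases in families.items() if len(bases) > 1)


# Constructed sample records as captured on the LAN side of the edge firewall.
SAMPLE_FLOWS = [
    "10.1.5.20 93.184.216.34 64",   # Linux host directly on the LAN
    "10.1.5.21 93.184.216.34 128",  # Windows host directly on the LAN
    "10.1.5.77 93.184.216.34 63",   # one hop too many: NAT router in between?
    "10.1.5.77 93.184.216.34 127",  # same source IP, but a Windows-style TTL
    "10.1.5.30 93.184.216.34 255",  # network device on the LAN
]

if __name__ == "__main__":
    for host, ttls in find_extra_hop_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: TTLs {sorted(ttls)} are one router hop lower than expected")
    for host in mixed_ttl_families(SAMPLE_FLOWS):
        print(f"{host}: traffic from more than one OS family behind a single IP")
```

The `expected_hops` parameter matters in a routed campus: if the capture point is two routers away from the client VLAN, set it to 2 so that legitimate hosts are not flagged, and only the ones an extra hop further away stand out.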
I'd just look for any internal IP address that has more http connections than can easily be explained by a single human. Automated mirroring of a website should be easy to filter out since it'll be lots of traffic to a single domain. That should find any flagrant external access to the company network.
I'd use NMAP in Intense Mode, which will do a good job of identifying devices attached to the LAN. In fact, I've recently done this, just to figure out where our existing APs connected in, since it wasn't properly documented.
If I wasn't using NMAP, I'd log in and check the edge switches' MAC address tables to identify edge ports with more than 1 MAC address, and then find out what is going on.
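Two of the checks suggested in this thread, the vendor (OUI) lookup on the MAC addresses from an ARP table and the "more than one MAC per edge port" check on switch MAC address tables, combined in one added example. This is not code from the thread; it parses constructed `show mac address-table`-style rows, the OUI-to-vendor map is a placeholder (real prefixes would come from the IEEE OUI registry), and the uplink port names are assumptions.

```python
# Added example, not from the original thread: audit a switch MAC address
# table for (1) edge ports that learned more than one MAC and (2) MACs whose
# vendor prefix (OUI) belongs to a consumer Wi-Fi vendor.
import re
from collections import defaultdict

# Matches Cisco dotted notation (0011.2233.4455) and colon/dash notation.
MAC_RE = re.compile(
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I
)

# Placeholder OUI map (constructed, NOT real IEEE assignments): load the real
# registry here in a deployment.
SUSPECT_OUIS = {
    "aabbcc": "ExampleWifiVendor",
    "ddeeff": "AnotherRouterMaker",
}


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits regardless of input notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui(mac):
    """First three bytes of the MAC, which identify the hardware vendor."""
    return normalize_mac(mac)[:6]


def parse_mac_table(lines):
    """Parse 'vlan mac type port' rows into {port: set(mac)}; header and
    separator rows contain no MAC and are skipped."""
    ports = defaultdict(set)
    for line in lines:
        match = MAC_RE.search(line)
        if not match:
            continue
        port = line.split()[-1]
        ports[port].add(normalize_mac(match.group(0)))
    return dict(ports)


def ports_with_multiple_macs(mac_table, uplinks=()):
    """Edge ports that learned more than one MAC. Uplinks and trunks are
    skipped because they legitimately carry many addresses."""
    return {p: m for p, m in mac_table.items() if p not in uplinks and len(m) > 1}


def suspect_vendor_macs(macs):
    """Map MAC -> vendor name for MACs whose OUI is in the suspect list. The
    same check applies to the MAC column of an ARP table."""
    return {m: SUSPECT_OUIS[oui(m)] for m in macs if oui(m) in SUSPECT_OUIS}


def audit(lines, uplinks=()):
    """Return {port: {"mac_count": n, "suspect": {mac: vendor}}} for every
    non-uplink port that trips at least one of the two checks."""
    findings = {}
    for port, macs in parse_mac_table(lines).items():
        if port in uplinks:
            continue
        suspects = suspect_vendor_macs(macs)
        if len(macs) > 1 or suspects:
            findings[port] = {"mac_count": len(macs), "suspect": suspects}
    return findings


# Constructed sample in the layout of 'show mac address-table'.
MAC_TABLE_SAMPLE = """
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.0001    DYNAMIC     Gi1/0/1
  10    0011.2233.0002    DYNAMIC     Gi1/0/2
  10    aabb.cc00.0010    DYNAMIC     Gi1/0/3
  10    0011.2233.0003    DYNAMIC     Gi1/0/3
  10    0011.2233.0004    DYNAMIC     Gi1/0/3
  10    0011.2233.0005    DYNAMIC     Gi1/0/24
  10    0011.2233.0006    DYNAMIC     Gi1/0/24
""".strip().splitlines()

if __name__ == "__main__":
    # Gi1/0/24 is assumed to be the uplink to the distribution switch.
    for port, info in audit(MAC_TABLE_SAMPLE, uplinks=("Gi1/0/24",)).items():
        print(f"{port}: {info['mac_count']} MACs, suspect vendors: {info['suspect']}")
```

One caveat worth keeping in mind: a consumer Wi-Fi router running NAT presents only its own WAN MAC to the switch, so the multiple-MAC check only catches access points in bridge mode. For the NAT case the vendor-prefix check and the TTL observation from the other answer are what remain.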