On Mon, Oct 15, 2012 at 4:06 PM, Sean Harlow <sean@seanharlow.info> wrote:
You are correct that deploying to a number of sites isn't cheap, but the actual relevant question is how does this cost compare to the cost of the original request to detect these things. In this case almost all forms of detection/prevention except possibly looking at TTL will require new equipment to be deployed at the site(s) anyways based on the information we have, negating much of the extra cost. Any active detection on the RF side of things is generally done using WAPs in a managed network or standalone devices that are pretty much repurposed WAP hardware anyways, but cost a lot more.
I think it would be cheaper to have a script written that would grab the ARP table of each site and then compare to what is known. Kind of an ARP tripwire. Sure you'll have to take the time with early runs to hunt down non-company owned MACs but that is going to be a lot cheaper than managing a 130 site roll-out. Even if you did put RF monitoring equipment in each site you would still have to monitor and manage it. Either way, you'll be getting a current inventory of devices.

From what I read, he wants to detect non-company equipment on his network. It's just WiFi that is the main problem. Even just watching the DHCP leases, which I assume the little Cisco router is providing, will catch most of the rogue devices. Get someone that knows networking and Perl on the task for a month. If they don't have the local talent there are a lot of people that would love to take the contract, considering most of it could be done remotely.

Jonathan stated that they have health data on the network and only company issued devices are allowed. I would suggest to him that he inventory the equipment via MAC address (I'm guessing that it's mostly standard issue stuff that would be easy to recognize) and then lock down unused ports and set up monitoring. If a new MAC appears on the network, then it better have been sent there by IT.

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
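
The ARP tripwire comparison described in the message above, as an added example that is not part of the original e-mail or any poster's code. It is written in Python rather than the Perl mentioned in the thread, and it assumes the ARP table arrives as text in Cisco `show ip arp` or Linux `arp -an` layout; the function names, the site label, and all addresses (documentation ranges) are constructed for illustration.

```python
import re

# MAC notations: 0000.5e00.5301 (Cisco), 00:00:5e:00:53:01, 00-00-5E-00-53-01
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
                    r"|\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize_mac(mac):
    """Reduce any of the notations above to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Return {mac: ip}; header and 'Incomplete' lines carry no MAC and are skipped."""
    seen = {}
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip:
            seen[normalize_mac(mac.group())] = ip.group()
    return seen

def tripwire(site, arp_text, known_macs):
    """Return sorted (site, mac, ip) tuples for MACs missing from the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    return sorted((site, mac, ip)
                  for mac, ip in parse_arp(arp_text).items() if mac not in known)

# Constructed sample: one site's router ARP table and its inventory of issued devices.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.5301  ARPA   Vlan1
Internet  192.0.2.20             12   0000.5e00.5302  ARPA   Vlan1
Internet  192.0.2.57              3   0000.5e00.53aa  ARPA   Vlan1
Internet  192.0.2.99              0   Incomplete      ARPA
"""
# Inventory kept in mixed notation on purpose; normalization makes it comparable.
KNOWN = ["00:00:5E:00:53:01", "00-00-5e-00-53-02"]

if __name__ == "__main__":
    for site, mac, ip in tripwire("site-017", SAMPLE_ARP, KNOWN):
        print(f"ALERT {site}: unknown MAC {mac} at {ip}")
```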