On Mon, Oct 15, 2012 at 12:00 PM, Joe Hamelin <joe@nethead.com> wrote:
> Maybe because he has 130 sites and 130 truck rolls is not cheap. Also company policy says no.

You are correct that deploying to a number of sites isn't cheap, but the actual relevant question is how does this cost compare to the cost of the original request to detect these things. In this case almost all forms of detection/prevention except possibly looking at TTL will require new equipment to be deployed at the site(s) anyways based on the information we have, negating much of the extra cost. Any active detection on the RF side of things is generally done using WAPs in a managed network or standalone devices that are pretty much repurposed WAP hardware anyways, but cost a lot more.

Both of those costs must then be compared to the cost of doing nothing. What happens if a user takes things into their own hands and either leaves the AP open or uses some useless form of security (MAC filtering, WEP, WPA2 w/ WDS, WPA2 w/ weak password and a common SSID, etc.), allowing an attacker into the network?

If company policy says no, maybe company policy should be re-evaluated if enforcing said policy would cost more than the other options. Policy isn't supposed to be written in stone; it should adapt to the realities of the world as they change.

Obviously this depends on the situation. Small business that uses mostly "cloud" services and doesn't have much if any local content to secure? Probably not worth doing anything. Three-letter agency? Worth every penny to detect and lock out unauthorized devices. Most will be somewhere in between; you have to evaluate the actual choices and decide the best path.