Q: Our dormitories come pre-wired with Ethernet connections, for which the students pay a small monthly fee. To get around the fee, some students are installing Wi-Fi access points and sharing their Internet connection with their roommates and other friends - for free. How can I stop this? Thanks.
- Dwight Smith
This has serious implications for your network. In a situation I came across recently at a smaller private college, a majority of the access points I found were just unpacked, plugged in and turned on. No security settings at all, allowing someone to drive by and hop on the network.
You will need to attack this from several perspectives. The first is a matter of policy. You and your department head should draft a policy indicating that the access points can only be installed with the approval of your department and that they must meet certain criteria. This will give you some teeth to enforce the removal of access points from your network.
Next, consider implementing something like Netreg. This is an open-source IP management solution that is specifically targeted at educational institutions. It sets up a DHCP/DNS server that prevents "unregistered" devices from going anywhere on your network: it gives them an IP address that won't travel outside of your network or be able to access any of your servers. You configure how the users authenticate - against a POP or FTP server, or using Microsoft's Active Directory or LDAP. You will want to configure your firewall so it blocks any outgoing requests from any IP address on your network other than the range given out by Netreg to authenticated users.
Find rogues with wireless tools
There are several tools in the open-source community that can help you find the rogue access points on your network.
The first is NetStumbler. It is available on either a PC or Windows CE PDA platform, and gives you a sneak peek at the wireless activity on your network. This will show you the access points that have been left at default settings.
If some students have disabled SSID broadcasting or turned up additional security, you may need to attack this from a different angle. Nessus is an open-source vulnerability scanner that runs on Linux. There are several how-to documents available that show you how to use Nessus to look for access points on your net.
If you look closely on Sourceforge.net, you should find several bootable CD Linux distros that have even more wireless tools available that can help you identify and find access points.
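The firewall rule described above for the Netreg setup can be checked against what the firewall actually did. The following is an added example, not part of the original column or of Netreg: it models the egress policy and audits a firewall log for entries that contradict it. The address ranges, the log format and the names `decide` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for this example, not from the column).
CAMPUS = ipaddress.ip_network("10.20.0.0/16")          # whole campus network
REGISTERED = ipaddress.ip_network("10.20.64.0/18")     # pool for authenticated users
UNREGISTERED = ipaddress.ip_network("10.20.200.0/24")  # holding pool for unknown devices
SERVERS = ipaddress.ip_network("10.20.1.0/24")         # campus servers

def decide(src, dst):
    """Return (action, reason) for one flow under the policy described above."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CAMPUS:
        return "ignore", "source is not a campus address"
    if s in UNREGISTERED and d in SERVERS:
        return "drop", "unregistered device reaching a campus server"
    if d in CAMPUS:
        return "accept", "traffic stays inside the campus network"
    if s in REGISTERED:
        return "accept", "registered user going out"
    if s in UNREGISTERED:
        return "drop", "unregistered device going out"
    # Default deny also catches hard-coded addresses that bypass DHCP.
    return "drop", "address not handed out to an authenticated user"

# Constructed log lines in a hypothetical "ACTION src=IP dst=IP" format.
SAMPLE_LOG = """\
ACCEPT src=10.20.64.17 dst=198.51.100.10
DROP src=10.20.200.9 dst=198.51.100.10
ACCEPT src=10.20.200.9 dst=10.20.1.5
ACCEPT src=10.20.5.77 dst=203.0.113.8
ACCEPT src=10.20.200.14 dst=10.20.200.1
"""

def audit(log_text):
    """List log entries where the firewall's action differs from the policy."""
    findings = []
    for line in log_text.splitlines():
        action, src_field, dst_field = line.split()
        src, dst = src_field.split("=")[1], dst_field.split("=")[1]
        expected, reason = decide(src, dst)
        if expected != "ignore" and expected != action.lower():
            findings.append((src, dst, action, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports two entries: an unregistered device that reached a server, and a statically addressed host that was allowed out.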