Can my network administrator know that I am using a virtual router to access the internet on my unauthorised devices?

Question

I am a university student, and my university's network administrator uses MAC addresses (1 MAC address / student) to authorise access to the internet. The students regularly use virtual routing softwares to create a hotspot to connect to their other devices (MAC spooofing is one possible workaround, but spoofing on a handheld device, for example, an android device, requires root access, which itself is a pain to gain).

Recently, the administrator redirected all the students to refrain from using hotspots, otherwise he will punish those who don't comply (by removing the student's MAC address from the authorised MACs database, I suppose). I have a strong feeling that he is just plain bluffing.

My query is, is it at all possible for the administrator to know that a device is using virtual routing to connect to other unauthorised devices?

Note: I tried searching for resources online, for example, how do exactly the virtual routers network, but I couldn't find any substantial information. I would appreciate even if someone could point me to some resources which would be of use to me.

Answer 1

Yes, your use of a wireless hotspot can be identified using a wireless intrusion prevention system.

The primary purpose of a WIPS is to prevent unauthorized network access to local area networks and other information assets by wireless devices. These systems are typically implemented as an overlay to an existing Wireless LAN infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructures have integrated WIPS capabilities.

Answer 2

Besides physically running around and detecting hotspots via WLAN traffic ("warwalking"?), or maybe using the existing router to detect then, traffic patterns can also be a giveaway - your hotspot has a different signature than your device.

Instead of working against your sysadmin (which is a PITA for both sides), talk to him. I don't know why they have the "one MAC per student rule", maybe they can relax it a bit? Say, "two or three MACs per student". Not much more trouble to administrate.

I don't know how the political side of the student representation works at your uni, but often students can voice their interests in some way. Yes, this is slower than just setting up a hotspot, but also more effective.

Answer 3

I used to work as a network administrator's assistant for a college. It sounds like a generational difference issue or the school's network can't handle more than 1 device for each student, staff member, etc. Probably every student has more devices than the policy allows.

The short answer is YES they can detect unauthorized access. NO, don't do it. I routinely revoked access for network violations (file sharing, illegal software, viruses, porn in the computer labs, etc). Many of those students had to leave school, because college is quite difficult without computer access. The students are exposing the network to risk. What if someone's unauthorized device passed a virus that wiped your doctoral research and thesis? If you think it's a joke now, try it at a job and see what happens.

Work with the network administrator, student government, administration, etc. to get additional wireless access for "your other devices" that don't NEED to be on the school's network and/or in common areas (like the free wifi in most coffee shops). This prevents load on the "actual" school network, and still gives you the internet access you want.

Answer 4

I can think of a handful of ways to detect this kind of behaviour in a network. The restriction is not a great one when really what they should do is limit connections by port rather than mac, but it's their network and their rules even if it does create a easy (targeted) denial of service attack if you were to spoof someone else's MAC address.

Taking https://networkengineering.stackexchange.com/questions/123/how-do-you-prevent-rogue-wireless-access-points-on-a-network as a starting point it seems pretty clear that any decent wireless infrastructure would be able to detect rogue hotspots (even a dd-wrt box can do a wireless survey to see what else is around.)

Since the admins control the traffic, IDS tools like Snort can also be brought to bear and would give you away pretty quickly if the admins were keen to find people who weren't compliant. Some protocols don't even hide that they're operating through NAT (RFC7239 has http headers like X-Forwarded-For specifically for use by web proxies.) RFC2821 advises SMTP clients to send an optional identifier though it's not mandatory.

The only way you could really hide something like that is to have the device which connects to their network send everything out to a VPN or system like TOR, which in itself would raise some attention in your direction.

While not exactly the same situation as they don't seem to have the same restrictions, the University of Cambridge's security team do frown upon the use of NAT in their network as seen in Firewalls and Network Address Translation policy and provide some background on their reasoning.

TL;DR - If you want to use more devices then you need to go through the system and student representation to address the issues you're facing, because if your admins want to catch you then they will.

Answer 5

My network utilizes a system that has detectors spaced throughout the buildings, and if a rogue SSID shows up it will actually triangulate the location of the device. The system isn't cheap, but good Lord, it's probably more cost effective in the long run if you add up time spent manually managing MAC addresses; that has to be an administrative nightmare. Of all the ways to lock down a system, I really can't think of a worse way of doing it.

As others have said, work with the admins, don't try to beat them. With available technology these days, you don't even need a good network admin to catch you. Try to change policies, see if exceptions are allowed, etc. You'll be better off in the end.

Answer 6

As others have said, it's possible for the admins to detect rogue wireless hotspots. But it's also possible to detect unauthorized devices through deep packet inspection. Mobile phone companies can use deep packet inspection to detect unauthorized tethering. You can read about it at https://android.stackexchange.com/questions/47819/how-can-phone-companies-detect-tethering-incl-wifi-hotspot. If Windows-generated packets and Linux-generated packets are both coming from your MAC address at the same time, it's likely you have more than one device attached.

On the other hand, deep packet inspection is expensive, and the admins might not have the budget to implement it. Or they might simply be unwilling to go to that level of effort to catch cheaters. But you don't know that for sure. It's probably best to talk to the admins and see if you can work out something.

Answer 7

As mentioned above the answer is yes. A WiFi hotspot (an AP) is very visible. For example a hotspot sends a periodic beacon with the MAC address. Packet inspection (TCP headers, TTL), inspection of timing/latency, how the node responses to packets loss, what sites it visits (Windows update or PlayStore), HTTP headers generated by the browsers can point to use a routing software and multiple devices. The systems are not cheap, but they exist.

Your options are:

• Use non-wireless solutions and pray that Deep packet inspection is not available for your admin and she is not running a simple script which checks the visited software update sites.
• Reduce the transmission power on all devices to absolute minimum
• Make sure that you are not using device specific browsers/software packages. For example, the same MAC will not use IE and Android WebBrowser.