Rogue access points pose security threats to your business wireless network. To learn how to prevent, detect and eliminate unauthorized network devices, we asked our Wi-Fi expert, Lisa Phifer, and enterprise security expert Michael Gregg to answer the question "How do you deal with rogue APs?" From their answers you'll learn best practices for handling rogue wireless access points, in this technical advice.
Question: What are the best practices for dealing with and monitoring for rogue access points (APs) in a business network? Can you suggest how to prevent, detect, and eliminate a found rogue access point or other unauthorized wireless device?
Answer from enterprise security expert Michael Gregg: There are several potential problems with allowing end users to add wireless or other devices to the company network without approval. One big one is they may not employ the proper security measures. There is also the issue of maintaining control of the organizations' infrastructure.
For the smaller organization there are several layers of control that can be built in to reduce the rogue wireless threat. The first place to start is...
Policy enforcement will be easier if you have managed switches. You can disable unused ports and start restricting down active ones by MAC address filtering.
Next, find some tools that will let you scan for rogue access points. There are commercial tools that will do this such as AirMagnet and AirDefense, and if your budget is tight you might want to try an open source tools such as RogueScanner.
Finally, don't be shy about using tools like NetStumbler and other site survey tools to identify access points and verify their legitimacy.
Answer from Wi-Fi expert Lisa Phifer: Any unknown AP operating in or close to your facility is a potential rogue -- but few turn out to be real threats. The trick is to reliably tell the difference -- and fast.
In urban areas, most unknown APs will end up belonging to neighboring businesses, hotels, stores, or metro-area wireless local area networks (WLANs). These neighboring APs are not connected to your wired network, but still pose risk if employees connect to them (accidentally or intentionally), bypassing your network's security. Thus, you may want to monitor your wireless clients to detect employee associations to unknown-but-unconnected APs. This can be done by using a network Wireless Intrusion Prevention System (WIPS) to watch the air or by using a host-resident Wireless IPS to monitor client activity. Large enterprises should deploy network WIPS solutions for full-time air surveillance. Smaller businesses on more limited budgets may prefer to install stand-alone host WIPS programs like Sana Security Primary Response Air Cover. Note that AP discovery tools, e.g. NetStumbler, cannot provide client surveillance.
Of course, some unknown APs in or near your office may be physically connected to your wired network – these "true rogues" pose immediate business threat because they create an unsecured backdoor into your network, accessible to anyone within wireless range. The vast majority of unknown-but-connected APs are installed by naïve employees for the sake of convenience, usually without Wi-Fi authentication or encryption. However, you never know whether one might turn out to be a malicious AP installed by a criminal. For example, a bank in Haifa Israel was robbed by criminals who planted a rogue AP inside the building so that they could connect to the bank network from outside to initiate fraudulent money transfers.
Here again, large enterprises should really mitigate "true rogues" by deploying sophisticated network WIPS solutions that can not only spot those APs, but trace their network connectivity, estimate their physical location, and examine visible Wi-Fi parameters to focus attention and automated response on real threats. For example, a WIPS may send a command to an upstream switch to disable the Ethernet port connected to a rogue AP, thereby cutting off communication with your network. WIPS-estimated location and a portable tool like a WLAN analyzer can then be used to find the AP, determine who installed it, and decide how it should be dealt with.
Small businesses may prefer to use less sophisticated alternatives for continuous rogue AP detection. For example, many Small Office Home Office (SOHO) or Small to medium business (SMB) APs can scan the airwaves periodically, looking for nearby APs they don't recognize. These APs can be configured with MAC lists of authorized and neighbor APs so that only unknown APs end up triggering rogue alerts. Traditional diagnostic tools like tracert can then be used to manually assess whether each potential rogue is connected to your network -- but keep in mind that rogues can hide behind NAT and other parts of your network that tracert won't reach. Rogues can also spoof MAC addresses used by legitimate APs or try to mimic your own WLAN's SSID. In short, reliable rogue AP classification is difficult and time-consuming – but a periodic scan and manual investigation may find employee-installed rogues that are not really trying to evade detection.
However, many small businesses today rely upon scheduled rogue AP surveys, where admins walk the premises using an ordinary wireless client, WLAN discovery tool, or WLAN analyzer, looking for potential rogues. This methodology is arguably the most labor-intensive and least reliable. For example, a visitor could easily install a rogue AP, use it for a week, and then leave before your next survey. However, scheduled rogue surveys can be useful as a complement to continuous rogue detection -- for example, to check a radio band not scannable by your own APs.
Finally, businesses that are too risk-averse for background AP scans and manual rogue mitigation, but not rich enough for (or ready to invest in) enterprise WIPS, should consider managed WIPS services. Many SMBs already pay providers to install and operate a wired network firewall/IPS on their behalf; some providers now offer Wireless IPS as a managed service. For example, see AirTight SpectraGuard Online.
This was first published in May 2009