In urban areas, most unknown APs will end up belonging to neighboring businesses, hotels, stores, or metro-area wireless local area networks (WLANs). These neighboring APs are not connected to your wired network, but still pose risk if employees connect to them (accidentally or intentionally), bypassing your network's security. Thus, you may want to monitor your wireless clients to detect employee associations to unknown-but-unconnected APs. This can be done by using a network wireless intrusion prevention system (WIPS) to watch the air or by using a host-resident WIPS to monitor client activity. Large enterprises should deploy network WIPS solutions for full-time air surveillance. Smaller businesses on more limited budgets may prefer to install stand-alone host WIPS programs like Sana Security Primary Response Air Cover. Note that AP discovery tools, like NetStumbler, cannot provide client surveillance.
Of course, some unknown APs in or near your office may be physically connected to your wired network. These "true rogues" pose immediate business threat because they create an unsecured backdoor into your network, accessible to anyone within wireless range. The vast majority of unknown-but-connected APs are installed by naïve employees for the sake of convenience, usually without Wi-Fi authentication or encryption. However, you never know whether one might turn out to be a malicious AP installed by a criminal. For example, a bank in Haifa Israel was robbed by criminals who planted a rogue AP inside the building so that they could connect to the bank network from outside to initiate fraudulent money transfers.
Small businesses may prefer to use less sophisticated alternatives for continuous rogue AP detection. For example, many Small Office Home Office (SOHO) or Server Message Block (SMB) APs can scan the airwaves periodically, looking for nearby APs they don't recognize. These APs can be configured with MAC lists of authorized and neighbor APs so that only unknown APs end up triggering rogue alerts. Traditional diagnostic tools like traceroute can then be used to manually assess whether each potential rogue is connected to your network -- but keep in mind that rogues can hide behind NAT and other parts of your network that traceroute won't reach. Rogues can also spoof MAC addresses used by legitimate APs or try to mimic your own WLAN's SSID. In short, reliable rogue AP classification is difficult and time-consuming -- but a periodic scan and manual investigation may find employee-installed rogues that are not really trying to evade detection.
However, many small businesses today rely upon scheduled rogue AP surveys, where admins walk the premises using an ordinary wireless client, WLAN discovery tool, or WLAN analyzer, looking for potential rogues. This methodology is arguably the most labor-intensive and least reliable. For example, a visitor could easily install a rogue AP, use it for a week, and then leave before your next survey. However, scheduled rogue surveys can be useful as a complement to continuous rogue detection -- for example, to check a radio band not scannable by your own APs.
Finally, businesses that are too risk-averse for background AP scans and manual rogue mitigation, but not rich enough for (or ready to invest in) enterprise WIPS, should consider managed WIPS services. Many small and medium-sized businesses (SMBs) already pay providers to install and operate a wired network firewall/IPS on their behalf; some providers now offer WIPS as a managed service. For example, see AirTight SpectraGuard Online.
This question was also answered by our network security expert, Michael Gregg. Read his response to the question: What are the best methods for handling rogue access points?
This was first published in April 2009