Problem solve Get help with specific problems with your technologies, process and projects.

Monitoring your network to detect rogue access points (APs)

Rogue access points (APs) put data security at risk. Network admins can identify and monitor unknown APs using wireless LAN security software. Lisa Phifer explains in this expert response.

What are the best methods for handling rogue access points ( APs)? Can you suggest a small-scale business network solution for dealing with rogue access points?
Any unknown access point (AP) operating in or close to your facility is a potential rogue -- but few turn out to be real threats. The trick is to reliably tell the difference -- and fast.

In urban areas, most unknown APs will end up belonging to neighboring businesses, hotels, stores, or metro-area...

wireless local area networks (WLANs). These neighboring APs are not connected to your wired network, but still pose risk if employees connect to them (accidentally or intentionally), bypassing your network's security. Thus, you may want to monitor your wireless clients to detect employee associations to unknown-but-unconnected APs. This can be done by using a network wireless intrusion prevention system (WIPS) to watch the air or by using a host-resident WIPS to monitor client activity. Large enterprises should deploy network WIPS solutions for full-time air surveillance. Smaller businesses on more limited budgets may prefer to install stand-alone host WIPS programs like Sana Security Primary Response Air Cover. Note that AP discovery tools, like NetStumbler, cannot provide client surveillance.

Of course, some unknown APs in or near your office may be physically connected to your wired network. These "true rogues" pose immediate business threat because they create an unsecured backdoor into your network, accessible to anyone within wireless range. The vast majority of unknown-but-connected APs are installed by naïve employees for the sake of convenience, usually without Wi-Fi authentication or encryption. However, you never know whether one might turn out to be a malicious AP installed by a criminal. For example, a bank in Haifa Israel was robbed by criminals who planted a rogue AP inside the building so that they could connect to the bank network from outside to initiate fraudulent money transfers.

Wireless security school
For more information, view these wireless security learning lessons from Wi-Fi instructor Lisa Phifer.

Small businesses may prefer to use less sophisticated alternatives for continuous rogue AP detection. For example, many Small Office Home Office (SOHO) or Server Message Block (SMB) APs can scan the airwaves periodically, looking for nearby APs they don't recognize. These APs can be configured with MAC lists of authorized and neighbor APs so that only unknown APs end up triggering rogue alerts. Traditional diagnostic tools like traceroute can then be used to manually assess whether each potential rogue is connected to your network -- but keep in mind that rogues can hide behind NAT and other parts of your network that traceroute won't reach. Rogues can also spoof MAC addresses used by legitimate APs or try to mimic your own WLAN's SSID. In short, reliable rogue AP classification is difficult and time-consuming -- but a periodic scan and manual investigation may find employee-installed rogues that are not really trying to evade detection.

However, many small businesses today rely upon scheduled rogue AP surveys, where admins walk the premises using an ordinary wireless client, WLAN discovery tool, or WLAN analyzer, looking for potential rogues. This methodology is arguably the most labor-intensive and least reliable. For example, a visitor could easily install a rogue AP, use it for a week, and then leave before your next survey. However, scheduled rogue surveys can be useful as a complement to continuous rogue detection -- for example, to check a radio band not scannable by your own APs.

Finally, businesses that are too risk-averse for background AP scans and manual rogue mitigation, but not rich enough for (or ready to invest in) enterprise WIPS, should consider managed WIPS services. Many small and medium-sized businesses (SMBs) already pay providers to install and operate a wired network firewall/IPS on their behalf; some providers now offer WIPS as a managed service. For example, see AirTight SpectraGuard Online.

This question was also answered by our network security expert, Michael Gregg. Read his response to the question: What are the best methods for handling rogue access points?

Here again, large enterprises should really mitigate "true rogues" by deploying sophisticated network WIPS solutions that can not only spot those APs, but trace their network connectivity, estimate their physical location, and examine visible Wi-Fi parameters to focus attention and automated response on real threats. For example, a WIPS may send a command to an upstream switch to disable the Ethernet port connected to a rogue AP, thereby cutting off communication with your network. WIPS-estimated location and a portable tool like a WLAN analyzer can then be used to find the AP, determine who installed it, and decide how it should be dealt with.
This was last published in April 2009

Dig Deeper on Network management and monitoring