Recipe for rogue hunting

Detecting rogues is fairly easy, but eliminating them can be surprisingly tough. This tip describes a methodical rogue hunting process and tools that can help.

Wireless Security
Lunchtime Learning
   By Lisa Phifer

Wireless Security Lunchtime Learning

Return to Lesson 1: How to counter wireless threats and vulnerabilities
Take the Lesson 1 quiz
Return to Wireless Security Lunchtime Learning
Whether your company runs or bans Wi-Fi, your offices have probably been visited by unauthorized "rogue" access points or stations. Most WLAN owners cite rogue elimination as a top priority. Detecting rogues is fairly easy, but eliminating them can be surprisingly tough. This tip describes a methodical rogue hunting process and tools that can help.

Managing rogue risk
The discovery of unauthorized access points (APs) or stations is very common. These so-called rogues may belong to neighbors, vendors, customers, employees or malicious attackers. Managing rogue risk requires recognizing trusted devices so that you can mitigate threats posed by others. Since wireless attackers can do damage quickly and move on, it is essential to detect and react promptly to all new devices.

However, it's also important to manage rogue risk efficiently in large WLANs. Spot-checking offices with a discovery tool like NetStumbler takes far too long and does nothing to evaluate, much less contain, each rogue's potential impact.

Efficient rogue management requires 24x7 radio monitoring with a wireless intrusion detection system (WIDS). This can be done with a WLAN switch that scans part-time (e.g., Airespace, Trapeze) or with a dedicated WIDS that watches the air full-time (e.g., AirDefense, AirMagnet, AirTight, Highwall, Network Chemistry). A good rogue toolkit should do more that generate alerts – it should give you the power to investigate the rogue's actions, isolate the rogue's physical location and (when appropriate) interfere with the rogue's communication.

To assist with on-site rogue elimination, your toolkit should also include a Mobile WLAN analyzer. These analyzers are available from most WIDS vendors, third parties like WildPackets, TamoSoft and BVS, and in open source tools like Kismet and Ethereal. To reduce on-site effort, look for import/export capabilities that let these tools share data with your WIDS.

Game plan for rogue elimination
Once you've gathered the right tools, it's time to develop a methodical plan for dealing with rogues. Here is a list of steps that you might include in your plan:

1. Create a baseline inventory of wireless devices

Survey existing 802.11 devices -- APs, stations and ad hoc nodes -- by walking your site with a mobile WLAN analyzer. Record samples at regular intervals (e.g., every 200 feet, at building corners). Merge samples, documenting each device's MAC address, extended service set identifier (ESSID), average/peak signal-to-noise Ratio (SNR), channel, security state and IP address. Stations may use many ESSIDs and channels, depending upon associated AP(s). Establish a threshold for distant neighbors, and then use a mobile analyzer to track down devices with a strong enough signal to be inside or very near your office. Try to determine probable owner and location with sufficient accuracy to enable classification...
2. Classify all discovered devices and configure your tools
Filter your inventory into several categories so that you can focus on real threats by treating some devices differently in access control lists and security alert policies. You may have your WIDS ignore distant neighbors but alert you to associations between your devices and close neighbors. Eliminate unauthorized devices inside your office, either by removing them or making them part of your official WLAN, then create an authorized AP and station list to enforce policies for those devices. For example, watch for AP settings that could indicate accidental reset or MAC spoofing. Accurate classification now will save investigation time down the road.
3. Monitor your wireless and wired network for new devices
Install a WIDS positioned to monitor slightly beyond your WLAN's footprint to spot rogues next door or outside. Small or remote offices not monitored by WIDS can be randomly spot-checked with mobile analyzers. If you have a wired IDS/IPS or network management system, also configure it to spot rogues -- for example, prevent unauthorized MACs from using your Ethernet switches, or spot unexpected broadcasts on your AP VLAN. Finally, configure WIDS and mobile analyzer alerts so that you won't be deluged with false positives. For example, have WIDS automatically trace wired switch connectivity so that you can focus on network-connected rogues.
4. Stem potential damage during your investigation
Consider using WIDS "containment" features automatically upon rogue detection or manually after investigation. Although capabilities vary, an AP or station can often be temporarily kicked off your WLAN by aiming a deauthenticate flood at the rogue's MAC address. An AP connected to your network can often be impaired by disabling the nearest Ethernet switch port. Containment can stem damage while you track a rogue down, but it can also be destructive. Be sure that you know what these features do before using them -- especially auto-containment. For example, you may be comfortable blocking your own stations when connected to rogue APs, but avoid blocking rogues that could turn out to belong to a neighbor.
5. Investigate new devices to determine threat
Figure out whether that rogue belongs to a neighbor, visitor, employee or attacker by gathering evidence. Even basic properties like SNR and ESSID can be helpful. If that new AP seems to belong to the cafÉ next door, give them a call to confirm. In addition to connectivity tracing, capture traffic using sensors or a mobile analyzer to determine which systems and applications the rogue is using. Use location maps to predict the rogue's physical location. Capabilities vary, but many WIDSes can highlight a region on your floorplan, reducing the search area to 20 feet or less.
6. Decide upon and execute a permanent course of action
Use the fruits of your investigation to decide how to permanently deal with the rogue. This involves politics, policies and procedures, but it's pointless to get this far and not have a plan for what to do next. For example, how do you eliminate rogues installed without permission by naÏve employees? If a malicious rogue has left the building, how do you protect yourself from a repeat performance? If the rogue is an employee-owned PDA, do you have a program for teaching safe wireless use?
7. Update your device inventory to reflect the outcome
After you've taken permanent action to mitigate a rogue threat, update inventory and associated policies so the device will be treated correctly in the future. If you contained the rogue during investigation, decide whether to cancel that now. If you were unable to find the rogue, use a "watch list" to speed future response or increase surveillance at that office for awhile.
Resource lists
In this tip, we mentioned several tools that can be helpful for rogue hunting. For additional suggestions and new tools, please visit these resource lists:
  • Wi-Fi Discovery Tools
  • Wi-Fi Traffic Analyzers
  • Wi-Fi Intrusion Detection and Prevention Systems
  • >> Take the Lesson 1 quiz

    This was last published in April 2006

    Dig Deeper on WLAN Security