March 10, 2004
Ongoing radio frequency monitoring may be the only way to consistently protect your wireless and wired LANs from intruders.
When it comes to deploying a wireless LAN, the old maxim holds true: Forewarned really is forearmed. It stands to reason that the best way to keep out intruders is to first get the lay of the land.
As some users have found, a creative use of radio frequency (RF) monitoring can help to do just that.
Take, for instance, John Greiner, chief technical officer at the non-profit Legal Services for New York City. Before setting up a Wi-Fi network in the group's Broadway offices, he figured he had better take stock of what was already in the air. Using an RF air monitor from Aruba Networks, Greiner swept the airwaves and was shocked by what he found.
"We didn't find any access points that were plugged into our wired network, but there certainly were a lot of APs around," he said. "We are in a 12-story building surrounded by other office buildings, and we saw that there are a lot of different ways that people could gain access to our APs."
This kind of pre-installation inventory is an essential step in building a secure Wi-Fi network, argued David Callisch, a spokesman for Aruba. In order to secure one's own access points, it is vital to identify APs that may already be in operation.
"They may just be employees who have installed their own access points, or it may be employees who are doing peer-to-peer ad hoc network, or it may actually be corporate espionage where someone has slipped the janitor some money to plug in an AP in a closet. That is less likely, but it does happen," Callisch says. "In any case, you don't know you have a problem if you don't know you have a problem."
Of course, the mere presence of an access point is not in and of itself a crisis, not until that AP creates an unwanted avenue into a company's network. Thus, Callisch suggested, ongoing RF monitoring is a logical next step once a network has been established, not just as a means of tracking activity but as a way to automatically shut down potential security breaches.
While not the only such solution, Aruba's products offer a good example of how such a system might work. The Aruba 52 AP can be configured either in traditional mode or as an air monitor. In monitor mode the unit can track legitimate usage, while also scanning on all channels in search of unauthorized activity.
A classification catalogue identifies all legitimate APs on the system. In the case of an unauthorized AP, the system can either notify the system administrator of the activity or shut down the rogue AP automatically by launching its own denial of service attack. "We take the exact same attack that people use to disable networks, and we turn it around and use it for good," said Callisch.
Depending on the user settings, security responses can be configured in a number of ways. Greiner, for example, does not want to be notified every time a stray Wi-Fi signal appears: His office is surrounded by RF noise, and he would end up chasing down phantom access points all day. He has therefore configured his system to take action only when an apparent rogue signal succeeds in making contact with his own wired network.
"At that point we know it's not just a neighbor on another floor that is close enough for us to be picking up their signal," he says.
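The triage policy described above (a catalogue of legitimate APs, and a response only when an unknown AP touches the wired network) can be sketched as follows. This is an added example, not code from Aruba or from the article; the MAC addresses are constructed, and the wired-contact test (a client MAC or a MAC adjacent to the BSSID appearing in switch tables) is an assumed heuristic.

```python
from dataclasses import dataclass

def mac_int(mac: str) -> int:
    """Normalise 'aa:bb:..' or 'AA-BB-..' notation to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

@dataclass(frozen=True)
class Observation:
    bssid: str            # radio MAC heard by the air monitor
    ssid: str
    clients: tuple = ()   # station MACs seen associated to this BSSID

def on_wire(obs, wired_macs, window=1):
    """Assumed heuristic (not a vendor algorithm) for 'contact with the wired LAN'."""
    wired = {mac_int(m) for m in wired_macs}
    # A bridging AP exposes its wireless clients' MACs on our switches.
    if any(mac_int(c) in wired for c in obs.clients):
        return True
    # A routing/NAT AP hides clients, but its wired port MAC is often BSSID +/- 1.
    base = mac_int(obs.bssid)
    return any(base + d in wired for d in range(-window, window + 1))

def classify(obs, catalogue, wired_macs):
    if mac_int(obs.bssid) in {mac_int(m) for m in catalogue}:
        return "authorized"
    return "rogue" if on_wire(obs, wired_macs) else "neighbor"

# Site policy as in the article: stray signals are only logged.
ACTION = {"authorized": "none", "neighbor": "log-only", "rogue": "respond"}

def triage(observations, catalogue, wired_macs):
    result = {}
    for obs in observations:
        label = classify(obs, catalogue, wired_macs)
        result[obs.bssid] = (label, ACTION[label])
    return result

# Constructed sample data (locally administered MACs, not real devices).
CATALOGUE = {"02:00:00:aa:00:10"}
WIRED_MACS = {"02:00:00:bb:00:21", "02:00:00:cc:00:05"}   # from switch MAC tables
SEEN = [
    Observation("02:00:00:aa:00:10", "office"),
    Observation("02:00:00:dd:00:40", "floor9", ("02:00:00:dd:00:99",)),
    Observation("02:00:00:bb:00:22", "linksys"),
    Observation("02:00:00:ee:00:01", "default", ("02:00:00:cc:00:05",)),
]

if __name__ == "__main__":
    for bssid, verdict in triage(SEEN, CATALOGUE, WIRED_MACS).items():
        print(bssid, *verdict)
```

The adjacency window trades missed routing APs against false positives, so a "rogue" verdict is best stored with the rule that produced it.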
This ongoing RF monitoring has also lightened Greiner's administrative load. Of the numerous APs situated around his offices, most exist for use by visiting students, and thus lie dormant most of the time. Without constant monitoring, he would want to shut these down when not in use, as a security precaution. But with ongoing RF monitoring, "I feel more comfortable leaving everything live," he said.
In spite of all the potential benefits, however, RF monitoring does come with a caveat. Ongoing reports on the state of the airwaves will be a new thing for many network administrators, "and you need to make sure you have the knowledge to understand what you are seeing," said Callisch. "Why is this a rogue? What did we see out there that classed it as a rogue? You need to be able to make sense of that."