Identifying Rogue Access Points
January 06, 2003
The presence of rogue access points is a major threat to corporate information systems. Here's what characterizes the problem, how to detect rogues and what you can do to increase the security of your network.
One of the most critical security concerns of IT managers today is the possibility that rogue wireless access points may be present on the corporate network. A rogue access point is one that the company does not authorize for operation. The trouble is that rogue access points often don't conform to wireless LAN (WLAN) security policies, which creates an open, insecure interface to the corporate network from outside the physically controlled facility.
Within a properly secured WLAN, rogue access points are more damaging than rogue users. Unauthorized users trying to access a WLAN likely will not be successful at reaching valuable corporate resources if effective authentication mechanisms are in place. Major issues arise, however, when an employee or hacker plugs in a rogue access point. The rogue allows just about anyone with an 802.11-equipped device on the corporate network, which puts them very close to mission-critical resources.
The Usual Suspects
Employees have relatively free access to a company's facility, which makes it possible for them to inadvertently (or mischievously) install a rogue access point. An employee, for example, may purchase an access point at an office supply store and install it without coordinating with their IT organization in order to support wireless printing or access to the network from a conference room. Developers working on wireless applications may connect an access point to the corporate network for testing purposes.
In most cases, employees installing these types of access points don't understand the security issues involved. These scenarios often lead to access points that don't conform to adequate security practices. As a result, the corporate network is left wide open for a casual snooper or criminal hacker to attack.
In order to avoid this situation, implement security policies that mandate conformance with effective security controls and coordination with the IT organization before installing access points. This can only be effective, however, if you clearly inform employees of the policies. After performing several security audits, I've found that employees often install rogue access points without knowing the company security policies or the consequences of violating the guidelines.
A hacker can install a rogue access point to provide an open, non-secure interface to a corporate network. In order to do this, the hacker must directly connect the access point to an active network port within the facility. This requires the hacker to pass through physical security; however, that's easy to do in most companies. Thankfully, it's unlikely that someone would go to the trouble unless the company has resources worth the trouble and risk.
There's really no effective way to eliminate the possibility of a rogue access point from cropping up on your network. As a result, you must implement processes and mechanisms to constantly monitor for rogue access points as part of your ongoing security assessments.
One method of detecting rogues involves the use of wireless sniffing tools (e.g., AirMagnet or NetStumbler) that capture information about access points within range of where you're using the tool. This requires you to walk through the facilities to capture the data. With this method, you can scan the entire facility, but this can be very time consuming for larger companies with many buildings or that span a large geographical area.
Capturing data in this fashion is only valid at the time of capture. Someone could activate a rogue seconds after you turn off the sniffing device, and you won't have any idea that it's present. Still, it's often the most common and least expensive method of finding rogues. It just takes a lot of time and effort.
When using wireless sniffing tools, look for access points that have unauthorized Medium Access Control (MAC) addresses, vendor names, or security configurations. Create a list of the MAC addresses of the authorized access points on the LAN and check whether or not each access point you find is on the list. An access point with a vendor name different from that of your authorized access points is the first alert to a possible rogue. Improper security settings (e.g., WEP disabled) could indicate a rogue, but the access point may also be authorized and simply misconfigured.
If you find an access point that looks suspicious, consider it to be a rogue, and then try locating it through homing techniques. To do this, walk in directions that cause the signal strength of the access point's beacons to increase. Eventually, you'll narrow the location down to a particular room, which often requires you to do some looking. In some cases, the "rogue" will simply be an active access point that is not connected to the corporate network -- this doesn't cause any security harm. When you find one that actually interfaces to the corporate network, immediately shut it off.
Centralized Detection
The ideal method of detecting rogue access points is to use a central console attached to the wired side of the network for monitoring. This eliminates the need to walk through the facilities.
Several vendors offer specialized products that provide centralized monitoring. AirWave, for example, makes use of a company's existing access points installed throughout the facility. These authorized access points listen for rogues and send results to a centralized console that can alert security personnel if a rogue appears.
This is effective at spotting rogues, but those not within range of an installed access point go undetected. Such systems can be relatively expensive, and they don't work unless you either have or plan to install a WLAN. (Yes, rogue access points can be a problem even if the company doesn't have a WLAN.) If funding is limited or you don't have a WLAN, then using a wireless sniffing tool to manually search the facility periodically is likely your best alternative.
Poor Man's Approach
As an alternative, a fairly crude (but effective and inexpensive) method for finding potential rogues from the wired side of the network is to use a free Transmission Control Protocol (TCP) port scanner, such as SuperScan 3.0, that identifies enabled TCP ports from various devices connected to the network. Run the software from a laptop or desktop PC connected to the corporate network, and the tool uncovers all Port 80 (HTTP) interfaces on the network, which includes all Web servers, some printers, and nearly all access points. Even if an access point's Port 80 interface is disabled or protected by a username and password, the access point will generally respond to the port scanner's ping with the vendor name and its corresponding Internet Protocol (IP) address.
You can scroll through the list of found Port 80 interfaces and discover potential rogues if their vendor names are different from those authorized in your WLAN. With the IP address of a suspected access point, attempt to open its administration screen. You'll quickly notice whether an access point is a legitimate one or not. The difficult chore will be to determine the physical location of the rogue; router table entries may help.
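The two triage checks above (the sniffer-side comparison against an authorized MAC list and security settings, and the wired-side vendor check on Port 80 responders) can be automated once the scan output is in hand. The following is an added example, not code from the article; the OUI table, the authorized-AP inventory and both sets of scan records are constructed stand-ins for real sniffer and port-scanner output.

```python
"""Rogue-AP triage over constructed scan data (added example, not the article's own code).
Wireless side: sniffed beacons are checked against an authorized-BSSID inventory.
Wired side: Port 80 responders are checked by vendor string."""
from dataclasses import dataclass

# Constructed OUI (first three octets) -> vendor table; a real tool uses the IEEE registry.
OUI_VENDORS = {"00:40:96": "VendorA", "00:02:2D": "VendorB"}
# Authorized access points: BSSID -> expected security settings (constructed inventory).
AUTHORIZED_APS = {"00:40:96:AA:BB:01": {"wep": True}, "00:40:96:AA:BB:02": {"wep": True}}
AUTHORIZED_VENDORS = {"VendorA"}
NON_AP_VENDORS = {"Apache", "PrinterCo"}  # Port 80 responders known not to be access points

@dataclass
class Beacon:
    bssid: str
    ssid: str
    wep_enabled: bool

def vendor_of(mac: str) -> str:
    """Map a MAC address to a vendor via its OUI prefix."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")

def triage_beacon(b: Beacon) -> str:
    """Classify one sniffed AP as authorized, misconfigured (authorized but WEP off) or rogue?"""
    entry = AUTHORIZED_APS.get(b.bssid.upper())
    if entry is None:
        return "rogue?"  # not in the inventory: treat as rogue until located and checked
    if entry["wep"] and not b.wep_enabled:
        return "misconfigured"
    return "authorized"

def wired_suspects(port80_hosts: list[tuple[str, str]]) -> list[str]:
    """From (ip, vendor string) pairs of Port 80 responders, return the IPs whose vendor
    is neither an authorized AP vendor nor a known non-AP device."""
    return [ip for ip, vendor in port80_hosts
            if vendor not in AUTHORIZED_VENDORS and vendor not in NON_AP_VENDORS]

# Constructed sample data standing in for a sniffer walk-through and a port scan.
SNIFFED = [Beacon("00:40:96:aa:bb:01", "corp", True),
           Beacon("00:40:96:aa:bb:02", "corp", False),
           Beacon("00:02:2d:11:22:33", "default", False)]
PORT80 = [("10.0.0.5", "Apache"), ("10.0.0.9", "VendorB"), ("10.0.0.20", "VendorA")]

if __name__ == "__main__":
    for b in SNIFFED:
        print(b.bssid, b.ssid, vendor_of(b.bssid), triage_beacon(b))
    print("wired suspects:", wired_suspects(PORT80))
```

A suspect from either list still has to be located and confirmed on the wired network before it is treated as a rogue.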
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs and offers computer-based training (CBT) courses on WLANs.