What You Don't Know Can Hurt You
March 06, 2007
Your wired network can let rogue devices connect, but with the right tools, it can also help distinguish threats.
Unauthorized wireless devices can expose your organizations confidential data and critical assets to the outside world. Left connected, these devices create a dangerous vulnerability at best, and at worst, a company disaster. Despite the widespread understanding that rogue devices are a leading security threat facing enterprises today, organizations continue to look for viable solutions and best practices for scouring the entire network to ensure that only approved devices are connected.
There are solutions available to root out unauthorized access points and other devices acting as access points, known as rogue peers. However, enterprises and government organizations should look for solutions that find and eliminate rogue devices while also being easy to deploy and manage and cost-effective. A new approach that should be considered is wired side scanning using a security appliance, which can be a highly effective, lower cost solution to protect the entire network.
Rogue wireless devices can be broken down into two broad categories: access point (AP) based threats and computer based threats.
A rogue access point is an AP which is connected to the LAN without the blessing of a network administrator. Most commonly, rogue APs are added to the network by employees or contractors who want to improve their own productivity by being able to work wirelessly.
A rogue peer is an end-user computerusually a laptopthat has both bridging and wireless enabled. Since the basic functions of an access point are bridging and wireless access, any laptop that has these capabilities presents a similar vulnerability or worse. In fact, the vulnerability with a rogue peer can be much more severe than with a rogue AP, because laptops provide almost no security features to prevent connections from other unauthorized users.
In addition to the problems of network access provided by rogue APs or rogue peers, there are also security concerns about other unauthorized networked devices. For example, a Web camera connected to the LAN could be used by an attacker to eavesdrop on confidential meetings. It may have been installed by a well-meaning employee, but it's actually sharing your trade secrets.
Depending on your organizations security policy, different devices may be considered security risks. In some organizations, even the act of connecting an unauthorized printer to the network is considered a serious vulnerability.
Discovering Everything on the LAN
The first step to being able to find unauthorized devices on the LAN is to find everything. The second step is to quickly hone in on the devices which meet the criteria of being a threat. With the network appliance scanning approach, a combination of passive and active techniques are used for discovering devices, because both techniques are needed to discover all of the devices. Passive techniques place the least load on the network and also help the system discover the network topology, but some devices may not communicate very frequently. Active techniques work quickly and are less dependent on the network topology.
Accurate classification is critical for any system responsible for discovering and identifying network infrastructure. Determining what a networked device is, based upon only what can be observed from the network, is very much like recognizing your friends from their silhouettesthe one with the long nose or protruding forehead is easy to recognize, but the others all look very similar. Solutions using the new wired side scanning approach collect as much information about each device as possible using the discovery techniques already mentioned. Once the basic device mapping is complete, additional probing is used for classification. The system then combines the information and matches the data against known device signatures to determine which one matches the best.
With over 300 different manufacturers of access points and tens of thousands of different models of network equipment, the major challenge for device classification has been in creating a database of fingerprints for all of these devices. Typically, the approach has been to acquire one of each device that needs to be fingerprinted and probe it in a laboratory. This technique simply cant scale beyond hundreds of devices. Furthermore, it is limited to devices which can be easily purchased and acquired, which ignores devices that are no longer on the market, are only sold in foreign markets, or are relatively rare.
New collaborative classification techniques are now leveraged for building the classification database. This process leverages the collaboration of network administrators and networks.
The new wired side solution approach mitigates rogue wireless devices through the technique of Ethernet port disabling. Enterprises can leverage configuration capabilities for auto-blocking a particular device type. Whether automatic or manual, the product will block the switch port for the rogue wireless device.
Unauthorized wireless devices connected to the network continue to be the number one wireless security risk that network administrators need to address. With new wired side scanning solutions that can find, classify and remove rogue devices, it is now possible to scan an entire network to accurately find and remediate these threats. This protects organizations from wireless threats, whether they have implemented a wireless infrastructure or need to enforce a no wireless policy. And while the bane of classification systems has been their inability to properly identify devices and differentiate actual threats from authorized devices, the use of new classification techniques can finally solve this problem.
Author Dr. Christopher Waters is the CTO at Network Chemistry.