Identifying Rogue Access Points

One of the most critical security concerns of IT managers today is the possibility
that rogue wireless access points may be present on the corporate network. A rogue access
point is one that the company does not authorize for operation. The trouble
is that a rogue access points often don’t conform to wireless LAN (WLAN) security
, which enables an open, insecure interface to the corporate network
from outside the physically controlled facility.

Within a properly secured WLAN, rogue access points are more damaging than
rogue users. Unauthorized users trying to access a WLAN likely will not be successful
at reaching valuable corporate resources if effective authentication mechanisms
are in place. Major issues arise, however, when an employee or hacker plugs
in a rogue access point. The rogue allows just about anyone with an 802.11-equipped
device on the corporate network, which puts them very close to mission-critical

The Usual Suspects

Employees have relatively free access to a company’s
facility, which makes it possible for them to inadvertently (or mischievously)
install a rogue access point. An employee, for example, may purchase an access
point at an office supply store and install it without coordinating with their
IT organization in order to support wireless printing or access to the network
from a conference room. Developers working on wireless applications may connect
an access point to the corporate network for testing purposes.

In most cases, employees installing these types
of access points don’t understand the security issues involved. These scenarios
often lead to access points that don’t conform to adequate security practices.
As a result, the corporate network is left wide open for a casual snooper or
criminal hacker to attack.

In order to avoid this situation, implement security
policies that mandate conformance with effective security controls and coordination
with the IT organization before installing access points. This can only be effective,
nonetheless, if you clearly inform employees of the policies. After performing
several security audits, I’ve found that employees often install rogue access
points without knowing the company security polices or the consequences of violating
the guidelines.

A hacker can install a rogue access point to provide
an open, non-secure interface to a corporate network. In order to do this, the
hacker must directly connect the access point to an active network port within
the facility. This requires the hacker to pass through physical security; however,
that’s easy to do in most companies. Thankfully, it’s unlikely that someone
would go to the trouble unless the company has resources worth the trouble and

There’s really no effective way to eliminate the possibility of a rogue access
point from cropping up on your network. As a result, you must implement processes
and mechanisms to constantly monitor for rogue access points as part of your
ongoing security assessments.

Find Rogues

One method of detecting rogues involves the use of wireless sniffing tools
(e.g., AirMagnet
or NetStumber) that capture information
regarding access points that are within range of where you’re using the tool.
This requires you to walk through the facilities to capture the data. With this
method, you can scan the entire facility, but this can be very time consuming
for larger companies with many buildings or that span a large geographical area.

Capturing data in this fashion is only valid at the time of capture. Someone
could activate a rogue seconds after you turn of the sniffing device, and you
won’t have any idea that it’s present. Still, it’s often the most common and
least expensive method of finding rogues. It just takes a lot of time and effort.

When using wireless sniffing tools, look for access points that have authorized
Medium Access Control (MAC) addresses, vendor name, or security configurations.
Create a list of MAC addresses of the authorized access points on the LAN and
check whether or not each you find is on the list. An access point with a vendor
name different than your authorized access points is the first alert to a possible
rogue. Improper security settings (e.g., WEP disabled)
could indicate a rogue, but it may also be authorized but wrongly configured.

If you find an access point that looks suspicious, consider it to be a rogue,
and then try locating it through homing techniques. To do this, walk in directions
that cause the signal strength of the access point’s beacons to increase. Eventually,
you’ll narrow the location down to a particular room, which often requires you
to do some looking. In some cases, the "rogue" will simply be an active
access point that it not connected to the corporate network — this doesn’t
cause any security harm. When you find one that actually interfaces to the corporate
network, immediately shut it off.

Centralized Detection

The ideal method of detecting rogue access points is to use a central console
attached to the wired side of the network for monitoring. This eliminates the
need to walk through the facilities.

Several vendors offer specialized products that provide centralized monitoring.
AirWave, for example, makes use of a company’s
existing access points installed throughout the facility. These authorized access
points listen for rogues and send results to a centralized console that can
alert security personnel if a rogue appears.

This is effective at spotting rogues, but those not within range of an installed
access point go undetected. Such systems can be relatively expensive, and they
don’t work unless you either have or plan to install a WLAN. (Yes, rogue access
points can be a problem even if the company doesn’t have a WLAN.) If funding
is limited or you don’t have a WLAN, then using a wireless sniffing tool to
manually search the facility periodically likely your best alternative.

Poor Man’s Approach

As an alternative, a fairly crude (but effective and inexpensive) method for
finding potential rogues from the wired side of the network is to use a free
Transmission Control Protocol (TCP) port scanner, such as SuperScan
, that identifies enabled TCP ports from various devices connected to
the network. Run the software from a laptop or desktop PC connected to the corporate
network, and the tool uncovers all Port 80 (HTTP) interfaces on the network,
which includes all Web servers, some printers, and nearly all access points.
Even if an access point’s Port 80 interface is disabled or protected by a username
and password, the access point will generally respond to the port scanner’s
ping with the vendor name and its corresponding Internet Protocol (IP) address.

You can scroll through the list of found Port 80 interfaces and discover potential
rogues if their vendor names are different from those authorized in your WLAN.
With the IP address of a suspected access point, attempt to open its administration
screen. You’ll quickly notice if an access point is a legitimate one or not.
The difficult chore will be to determine the physical location of the rogue;
router table entries may help.

Jim Geier provides independent consulting services to companies developing
and deploying wireless network solutions. He is the author of the book,
and offers computer-based
training (CBT) courses
on WLANs.

Join Jim for discussions as he answers questions in the 802.11 Planet Forums.

News Around the Web