Security

A free tool that tracks down rogue access points

How Kismet can help secure your network

Security concerns have been an issue from the moment the first wireless networks hit the market. Most administrators are at least a little uncomfortable with the thought of sensitive or confidential data just floating through the air for anyone to intercept. Fortunately, there are several strategies you can use to make a wireless network relatively secure. After you apply these techniques, the biggest threat to wireless security becomes rogue wireless components.

Rogue components refer to any unauthorized wireless component. The most heavily publicized rogue threats are rogue access points, and there are basically three forms:
  • Insecure access points
  • Unauthorized access points
  • Malicious access points

Let's take a closer look at these three categories, and then I'll show you how Kismet, a free tool you can download, can help you track down rogue access points—even the ones that try to avoid detection.

Insecure access points
The first type you have to watch out for is an insecure access point on a neighbor's network. Several months ago, a friend told me that he doesn't have a wireless network in his office, but he does have one at home. One day, he brought his laptop into the office to give a presentation, but forgot to remove the wireless NIC. To his amazement, his NIC connected to an access point and was assigned an IP address. He pretended not to notice anything unusual in front of the client, but couldn't wait for his meeting to end so that he could investigate. He soon found out that the office on the floor below had a wireless network that was wide open and was handing out IP addresses.

So what harm can come from an access point that is on someone else's network? First, if your company maintains tight control over Internet usage and your neighbor doesn't, your employees might be able to get a wireless NIC and surf unauthorized Web sites without your ever knowing that it's happening. This could open your company up to a number of potential legal issues (for example, sexual harassment litigation).

Second, if your employees are assigned an IP address from a neighbor's DHCP server, this will probably result in networking conflicts on the client machines. In other words, employees will have difficulty connecting to resources on your network that they need in order to do their jobs.

Unauthorized access points
The second type of rogue access point is one that is installed by an employee who has no malicious intent. For instance, last fall while attending COMDEX, I spoke to someone who refused to allow wireless networks in the company because of potential security problems. However, an employee had a wireless network at home and wanted to have one at work also. Since the IT department refused to install a wireless network, the employee went out and spent about $100 for his own wireless access point and connected it to the network (using the Ethernet jack in his office) so that he could wirelessly use his laptop at work. The problem was that the employee knew how to install a wireless network, but he didn't know how to implement any of the necessary security procedures.

Malicious access points
The third type of rogue access point is one that's connected to your network by someone with malicious intent. Generally speaking, this technique is used when an employee wants to do packet sniffing or wants to make company resources available to an outsider who may be sitting in a car in the parking lot. To avoid getting caught, the employee will go to great lengths to cover his or her tracks, such as configuring the rogue access point to use a hidden SSID.

Combating rogue access points
Rogue wireless access points can present some serious problems for your network. In the past, I've recommended using NetStumbler to identify wireless access points. However, NetStumbler works only on Windows clients and provides a limited amount of information about the devices that it detects.

An alternative solution is to use Kismet. While NetStumbler simply detects wireless networks, Kismet is actually a wireless network sniffer. Kismet relies on a wireless NIC's ability to report raw packets. Fortunately, several of the most common NICs—including Linksys, D-Link, Cisco Aironet, and Orinoco—support this function. You can install Kismet on Linux, BSD, or, with the help of Cygwin, on Windows.

Using Kismet
Kismet has all of the features that you'd expect from a normal packet filter, but it also has many features that were specifically designed for wireless networks. For example, Kismet has a built-in mechanism designed to detect any machine that's running NetStumbler. The software is also designed to decode WEP packets on the fly as those packets are captured. Earlier, I mentioned that people who install a rogue access point with malicious intent sometimes try to hide the access point's SSID. Kismet can fight back against this technique because it supports SSID decloaking.

As you can see, Kismet is fully capable of detecting rogue access points on your network. You may be a little curious as to how it works, though. Kismet uses a laptop PC or a handheld device with a wireless NIC to scan the airwaves for wireless traffic. Kismet can detect multiple packet sources simultaneously and can even use multiple wireless NICs simultaneously to multiplex the capture process. As it scans the airwaves, it uses channel hopping to detect wireless devices operating on any available frequency. There's a limit to this detection, however. Current versions of Kismet are limited to detecting only 802.11b wireless devices. Kismet might be able to detect an 802.11g device since it's backward-compatible with 802.11b, but you can forget about using Kismet to detect the less popular 802.11a networks unless you happen to find a Kismet-compatible 802.11a NIC.

As Kismet detects devices, it plots the device's location on a map. The mapping feature is enabled by using an optional GPS card. As wireless devices are being detected, identifying information is also logged. For example, the SSID is recorded, as is the device's manufacturer. Kismet can also alert you to any device that's using weak encryption and any access point that's using a default configuration (which is obviously a huge security risk).

To complete the mapping, you must walk around your office with the wireless device that's running Kismet and let Kismet see what it can detect. While mapping the location of each detected device, Kismet can draw circles on the map to indicate each device's range. Kismet can even guess what signals will be available in unscanned areas of your building, although it's better to scan the entire building if possible.

Once you've completed a wireless scan, it's important to analyze the data that you've collected to look for any potential security problems or any wireless devices that don't belong. If the scan appears to be normal, you can use the scan results as a baseline for future scans. If you're ever unsure of a wireless device that's detected during a scan, you can compare the scan results to your baseline scan to see if the detected device is friend or foe.

Kismet is available as a free download from Kismetwireless.net. You have to pay attention to the download page, though, because the hyperlinks are the same color as the normal text, making it difficult to locate the download links. The download screen contains several versions of Kismet.

Kismet was originally designed to run under Linux. If you must run Kismet under Windows, you can do so by installing Cygwin and running Kismet in the Cygwin environment. There are also versions of Kismet available for handhelds, such as iPaqs that rely on the Intel Strong Arm processor. You can compile Kismet under Macintosh OSX, but currently only the client component is functional.

Summary
Various types of rogue access points can become a huge threat to the security of your network. Kismet can help you track down and remove any rogue wireless devices that may be causing security issues.
2 comments