While attending COMDEX in Las Vegas a while back, I sat in on a speech regarding wireless networking. While I can’t seem to recall the speaker’s name or company, I can still hear his words ringing in my ears. He told the crowd that the companies that are the most vulnerable to attacks against their wireless networks are companies that don’t have wireless networks. Although this statement seems contradictory at first, it is absolutely true.
The speaker explained that the reason companies who don’t have wireless networks are vulnerable is due to rogue access points. For instance, there are a lot of users who have wireless networks at home and would love to be able to use their laptops or PDAs on a similar wireless network at the office. Often though, when such technically savvy people ask the IT department about getting wireless access, they are told it isn’t in the budget, it’s a huge security risk, or some other excuse. The user, however, can get a decent wireless access point from any computer store for under a hundred dollars. Since these access points are so inexpensive and easy to set up, there is nothing to prevent a user from installing his or her own wireless network. While I firmly believe that wireless networks can be made secure, if end users take it upon themselves to deploy their own wireless network, it’s a good bet that they won’t implement the necessary security measures. Below are some things you can do to prevent a rogue access point from appearing on your network.
Give them what they want
You can see how having a user installing rogue access points can be a huge security problem. Therefore, it’s important to figure out ways of preventing this from happening. My first recommendation is to have your IT administrator install a wireless network and make it available to your users. I know that a lot of you are probably cringing right now because you feel that wireless networks are a security risk. Whatever your feelings are about wireless networks though, I’m sure that we can agree on one thing: It’s better for you to install a wireless network than to have your users do it behind your back.
Of course, installing your own wireless access points greatly reduces the chances that users will install their own access points, but it doesn’t completely eliminate all of the risks. You must take steps to minimize the damage if someone were to slip a rogue access point past you.
One technique is to run the IPSec protocol on your network. Assuming that all of your computers are running Windows 2000 or higher, you can create a group policy that requires all systems to use IPSec encryption. This tends to eat up some bandwidth and slow down network traffic a bit, but it means that if anyone attempts to access information off of a server through an insecure rogue access point, that the information will have been encrypted by IPSec prior to transmission over the air waves.
Detecting rogue access points
There are a couple of ways of detecting rogue access points within a company. The most cost-effective technique uses NetStumbler. NetStumbler is a tool for detecting wireless networks. By running NetStumbler on a laptop within your organization, you can tell if anyone has implemented a wireless network.
There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support the use of a GPS card, which allows NetStumbler to create a map showing the locations of wireless access points.
A few months ago, while writing another TechRepublic article on wireless security, I decided to try an experiment. I loaded a copy of NetStumbler onto my laptop to go war walking (a term for sniffing wireless networks). I got in the car with my laptop and had my wife to drive me around for about an hour to see what I could find. I was surprised by the results. The area where I live is a resort community in South Carolina that is mostly home to retirees. The area outside of the community is very rural, so I didn’t expect to detect any wireless networks at all. However, not counting my own network, I detected four wireless networks. If I can use NetStumbler to detect wireless access points while driving around my neighborhood, I shouldn’t have any trouble detecting rogue access points within the confines of an office.
Know your access points
Figuring out which access points are rogue may sometimes be difficult. For example, if your office has one access point and you suddenly detect two, you’d probably assume that one of the access points is rogue. This isn’t always the case though. For example, a friend of mine recently decided to set up a wireless network in his office. He enabled WEP encryption on the access point, but before he could enable WEP on his NIC, a DHCP server had already assigned him an IP address. Was a rogue access point to blame? No, instead my friend’s NIC was receiving a signal from the company across the street.
In situations like this, it is necessary to do a little searching. Take your laptop that’s running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You’ll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can probably use the signal strength to narrow down your search to a single room. After that, you’ll just have to hunt around the room until you find the access point.
Keep in mind that NetStumbler won’t find all access points. If you are using an 802.11B Wi-Fi card in your laptop, you can expect to find 802.11B and 802.11G access points. However, if you are a running 802.11A network, then an 802.11B NIC will not detect it. 802.11B uses a 2.4-GHz signal, while 802.11A uses a 5.8-GHz signal.
Of course, it’s easy to track down a rogue access point if your company only has one and a second one shows up, but how do you tell if there’s a rogue access point if your company has 150 access points in place? You could wander around your corporate campus trying to detect access points, but using that method against an extremely large wireless network wastes more time than it yields results. In such environments, I recommend visiting the AirWave Web site. Though not as economical as NetStumbler, (the cost varies according to the size of your network), you can expect greater control over your wireless network environment. AirWave offers a solution that allows you to use your existing access points to detect rogue access points.