The rogue access point creates many problems for IT professionals. Whether well-intentioned or not, users can create a real security nightmare when they attempt to piggyback onto your network. To detect these unwanted bandwidth hogs, you have several tools at your disposal. Programs such as NetStumbler and WaveRunner survey the airwaves to feel out rogue access points. Testing with them, however, requires a human (most likely you) to seek out problems in the wireless coverage area by walking around the trouble spots looking for an anomaly. This approach, while effective during your audit, requires regular tours of the network in order to stay updated. For small offices, this may not be a big deal, but a large, dispersed operation will require much more time.
Little can be done to stop rogue access points. If a user, or worse, someone looking to steal information, is motivated enough, they will find a way to tap into your network. Your best line of defense is a strict and clearly communicated wireless policy backed up by a rogue wireless access point detection system. AirDefense, a wireless LAN security company, has one product designed just for the busy IT professional who has better things to do than walk around testing for rogue access points. RogueWatch centrally monitors a wireless LAN for rogue access points, using distributed sensors and a server appliance tailored to monitoring this activity.
Different types of rogues
Not all rogues are alike. The traditional form is a physical access point device, not authorized by the IT department, that is connected with little to no security features selected. However, there are other forms of rogue access points out there that may cause havoc. For instance, laptops with built-in wireless LAN access cards can pose several security risks from accidental associations with neighboring networks. Overlapping networks, as these wireless networks in close proximity are called, arise when one company emits a strong enough RF signal to bleed over into another company’s airspace. With advanced operating systems such as Windows XP, the associations made between overlapping networks could pose a security risk.
Soft Access Points are another problem area for the wireless LAN administrator. Products such as Segue are available to turn any PC or laptop into an access point. Users find these programs handy because they simplify the connection process to a wireless network. Unfortunately, these convertible access points can also broadcast a vulnerable (and hard to detect) link to your network if not set up properly by the user.
Remote sensors and the server appliance
The remote sensors included with the RogueWatch solution act as wireless scanners that can monitor your entire wireless network coverage area for rogue access points. They alert you whenever a rogue signal is detected or moves within the boundaries of its detection area. Each sensor has the capacity to monitor 1,000 feet in all directions for most office buildings. They also have the capability to detect soft access points and ad hoc wireless networks. For large organizations with many locations, the sensors will scale nicely as more locations are added.
Working remotely with the sensors is the centralized server system. This server can be set up to report on several suspicious types of wireless activity and report its findings using different mediums. For instance, suppose a rogue access point is installed in the Denver office, and you’re located in New Jersey. RogueWatch alerts you by e-mail that a breach has occurred and produces a report indicating the severity of the threat and a location. It will track the offending unit by MAC address, SSID, IP address, and vendor-make of the device. You can even document the number of times the access point connected, the length of connection time, and the amount of rogue data transported over the device.
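The kind of centralized report described above can be sketched as follows. This is an added example, not RogueWatch's own logic: it compares constructed sensor sightings against an assumed inventory of sanctioned access points and aggregates each unknown device by site and MAC address. The inventory, field names and category labels are all assumptions made for illustration.

```python
# Assumed inventory of sanctioned APs: BSSID (radio MAC) -> SSID. Constructed values.
AUTHORIZED = {"00:11:22:aa:bb:01": "CorpWLAN", "00:11:22:aa:bb:02": "CorpWLAN"}
CORP_SSIDS = set(AUTHORIZED.values())

# Constructed sensor sightings: (epoch seconds, sensor site, BSSID, SSID, mode).
OBSERVATIONS = [
    (1000, "Denver", "00:11:22:aa:bb:01", "CorpWLAN", "infrastructure"),
    (1010, "Denver", "de:ad:be:ef:00:01", "CorpWLAN", "infrastructure"),
    (1070, "Denver", "DE:AD:BE:EF:00:01", "CorpWLAN", "infrastructure"),
    (1020, "Denver", "02:aa:bb:cc:dd:ee", "printer-share", "adhoc"),
    (1030, "New Jersey", "00:99:88:77:66:55", "NeighborCo", "infrastructure"),
]

# Lower number = reported first. Hypothetical ranking for this example.
SEVERITY = {"unauthorized-ap-corp-ssid": 0, "adhoc-network": 1,
            "unknown-or-neighbor-ap": 2}

def classify(bssid, ssid, mode):
    """Return a finding category, or None for a sanctioned access point."""
    if AUTHORIZED.get(bssid.lower()) == ssid and mode == "infrastructure":
        return None
    if mode == "adhoc":
        return "adhoc-network"
    if ssid in CORP_SSIDS:
        # Advertises the corporate SSID from a radio that is not in inventory.
        return "unauthorized-ap-corp-ssid"
    return "unknown-or-neighbor-ap"  # may simply be an overlapping network

def build_report(observations):
    """Aggregate sightings per (site, BSSID) into one report row each."""
    rows = {}
    for ts, site, bssid, ssid, mode in sorted(observations):
        category = classify(bssid, ssid, mode)
        if category is None:
            continue
        key = (site, bssid.lower())  # normalise MAC case before grouping
        row = rows.setdefault(key, {
            "site": site, "bssid": key[1], "ssid": ssid, "category": category,
            "first_seen": ts, "last_seen": ts, "sightings": 0})
        row["last_seen"] = ts
        row["sightings"] += 1
    return sorted(rows.values(),
                  key=lambda r: (SEVERITY[r["category"]], r["site"], r["bssid"]))

if __name__ == "__main__":
    for row in build_report(OBSERVATIONS):
        print(row)
```

An access point that is seen over the air but is not in the inventory may belong to a neighbor, so the lowest category is a prompt for review rather than proof of a rogue.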
Upgrade to get it all
You can upgrade the server with AirDefense’s enterprise security solution to detect and report on different types of potential vulnerabilities, including those that fall under the traditional intrusion detection realm (DoS attacks). Also, because policies are a first line of defense in preventing unwanted access, the server appliance can be configured to enforce your network policies. You can even enable health monitoring to keep an eye on how the WLAN is performing and where the packets are flowing.
Vulnerabilities with your eye in the sky
Remote wireless access point monitoring closely resembles video camera surveillance. You have a bird’s-eye view of all the activity on the network and can see at a glance, with the dashboard view on your monitor, any trouble spots that arise. While the convenience of not having to physically monitor your network is a huge plus, there are some downsides to this approach. Sensor tampering is perhaps your biggest risk with this solution. If a remote user is savvy enough to steal wireless bandwidth, then he or she could possibly have the know-how to detect your sensor location and compromise it. Keep this in mind when choosing sensor placement, and continue to sporadically conduct physical audits at your locations whenever possible.