Businesses have long been plagued by unauthorized rogue access points that open wireless backdoors into wired networks. Many midmarket businesses conduct periodic manual rogue scans, but detection is just the first step -- how you respond is far more important. Here, we outline a start-to-finish mitigation process that can be implemented by even the smallest company.
Large enterprises often invest in wireless intrusion prevention systems (WIPS) that use distributed sensors to keep a full-time eye on wireless traffic. Without a doubt, 24/7 WIPS is the most effective way to mitigate rogue threats. But if your business can't afford WIPS, here are five steps you can take to fight rogue access points using free or existing tools.
- Detect rogue access points using your WLAN controller: Most admins are familiar with war driving tools such as NetStumbler, Wellenreiter and Kismet, used to periodically scan for unknown APs. But manual scans catch only persistent rogues, and usually long after they appear. For example, a monthly "stumble" might spot a rogue installed in your lobby as a guest courtesy. Who knows who has been using that AP in the meantime, and for what purpose?
If this describes your current practice, consider using your WLAN to automate rogue scans. Most business APs that report to a controller or manager can listen for rogue AP beacons. Those background scans may occur when the AP isn't busy or at regular intervals. Either way, APs can detect rogues inside your WLAN footprint faster than a periodic walkabout. But rogue scans steal cycles otherwise devoted to traffic, so you may not want to use them on APs deployed for VoIP. And you'll still need periodic "stumbles" to spot rogues using unsupported channels or in spots without AP coverage.
- Assess threats posed by rogue access points: Once you spot a potential rogue, assess the threat it poses. Each candidate must be classified rapidly and accurately as distant-and-harmless, close-but-disconnected, connected-but-trusted, or a "true rogue." How well you can classify APs will of course depend on the tools used to detect them. First, establish a signal strength threshold and ignore APs that are too weak to reach your clients. Next, fingerprint your own APs using observable metrics, but don't just compare easily spoofed service set identifiers (SSIDs) and MAC addresses against your AP inventory: check whether each "known" AP was spotted in the right building, on the right subnet/VLAN, and using its assigned security settings and band/channel. For each unknown AP above your threshold, use diagnostic tools (e.g., ping, traceroute, SNMP) to determine whether it is connected to your network. For example, query your Ethernet switches' forwarding tables for the rogue's MAC address. If the AP is nearby, try associating with it and pinging a node inside your network. Assessing connectivity can be difficult and time-sensitive: if you cannot ping, is the rogue hiding behind NAT, or was it temporarily unplugged? Manual assessment can't classify APs as thoroughly or as fast as a WIPS; the goal is a workable process with residual risk you can live with.
- Contain true rogue access points: Once you have filtered out weak and trusted APs, it's time to contain the rest. Start with unknown-but-connected APs -- those "true rogues" that pose immediate danger. If you can reliably determine a rogue's point of attachment, use SNMP to disable the edge switch port it is plugged into. Be careful not to disable a port so far upstream that you disconnect other devices. Next, consider those close-but-disconnected APs. For example, look out for malicious APs using hotspot or "Free Public WiFi" SSIDs to lure phishing victims. Without a WIPS you may not be able to analyze or break risky wireless associations remotely. But if the rogue is local, use a WLAN analyzer (e.g., Wireshark) to spot-check AP-client interaction. If you find a strong neighbor or metro AP associating with your clients, you may want to configure WLAN client policies to hide or deny the affected SSIDs.
- Locate rogue access points manually or with automation: Containment avoids further damage while you permanently remediate the rogue -- a potentially lengthy process that starts with tracking down physical location. Wireless locating systems quickly derive accurate estimates from thousands of signal readings, using sophisticated analysis techniques. If you don't have those tools, you'll need to rely on manual legwork. Use rogue detection outputs to decide where to start -- for example, search within 3,000 square feet of the AP reporting the strongest rogue signal. Use a mobile tool to continuously monitor signal strength, trying to move towards the rogue. Keep in mind that the rogue could be on a different floor or inside/behind an RF barrier that causes the signal to be weaker in some directions. Manual AP searches can be performed using any Wi-Fi capable notebook or PDA with a signal strength meter, but tools can make this chore easier. For example, use an AP discovery tool with a real-time "radar" signal strength display, like Xirrus Wi-Fi Monitor or WiFiFoFum. Better yet, try Ekahau HeatMapper, a free survey tool that takes multiple readings and uses them to approximate locations on a drawing.
- Eliminate via policy definition and enforcement: Once you locate the AP in question, you must decide what to do about it. Unfortunately, tools cannot help you implement this step -- elimination requires policy definition and enforcement. For worker-installed rogues, establish a process for notifying the employee, evaluating the situation, and determining a course of action such as extending WLAN coverage (to replace the rogue) or disciplinary measures (for violating policy). A documented process can be helpful when the employee happens to be a C-level type used to getting his or her own way without question. For malicious rogues, define a process for collecting forensics, investigating rogue usage and its impact on your network, physical removal, etc. The rogue may be gone by the time someone looks for the device on-site, but you should still investigate the incident and close loopholes that enabled the intrusion.
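The assessment, containment and locating steps above, as an added worked example in Python (not code from the article or from any WIPS product). It sorts controller scan sightings into the article's four buckets, plus a fifth for a known BSSID heard in the wrong building or mode (a possible spoof that must not trigger an automatic port shutdown), looks for the rogue's point of attachment in switch forwarding tables, drafts the snmpset that sets the standard IF-MIB ifAdminStatus object to down(2) while refusing to shut an uplink, and picks the sensor from which to start the physical search. The AP inventory, scan results, switch tables, uplink list, signal threshold and the BSSID-to-wired-MAC neighbourhood heuristic are all constructed assumptions.

```python
"""Rogue AP triage: the article's assess, contain and locate steps as code.
Added example, not code from the article or any WIPS product; the inventory,
scan results and switch tables below are constructed sample data."""
from collections import namedtuple

SIGNAL_THRESHOLD_DBM = -75   # assumption: weaker APs cannot reach our clients
# Least to most severe; a BSSID takes the worst category of any of its sightings.
SEVERITY = ["distant-and-harmless", "connected-but-trusted",
            "close-but-disconnected", "known-bssid-mismatch", "true-rogue"]

KnownAP = namedtuple("KnownAP", "bssid ssid building channel security")
# seen_by: our sensor AP that heard the beacon; building: where that sensor sits
Sighting = namedtuple("Sighting", "bssid ssid channel security rssi_dbm seen_by building")

def norm_mac(mac):
    return mac.lower().replace("-", ":")

# Constructed inventory of sanctioned APs: what we expect to see, and where.
INVENTORY = {norm_mac(ap.bssid): ap for ap in (
    KnownAP("00:1A:2B:00:00:10", "corp", "HQ", 6, "WPA2-EAP"),
    KnownAP("00:1A:2B:00:00:20", "corp", "Annex", 11, "WPA2-EAP"),
)}
# Constructed switch forwarding tables (BRIDGE-MIB dot1dTpFdbPort entries, already
# mapped through dot1dBasePortIfIndex to IF-MIB ifIndex values).
SWITCH_FDB = {
    "sw-hq-1": {"00:1a:2b:00:00:10": 5, "d4:6e:0e:00:00:a1": 17},
    "sw-annex-1": {"00:1a:2b:00:00:20": 5, "02:00:00:00:00:77": 24},
}
UPLINK_PORTS = {("sw-hq-1", 24), ("sw-annex-1", 24)}   # assumption: never shut these

def mac_neighbourhood(bssid, radius=1):
    """BSSIDs are commonly the AP's wired MAC plus a small offset, so check nearby
    addresses too (a common heuristic; the article does not state it)."""
    base = int(norm_mac(bssid).replace(":", ""), 16)
    for delta in range(-radius, radius + 1):
        h = f"{(base + delta) & 0xFFFFFFFFFFFF:012x}"
        yield ":".join(h[i:i + 2] for i in range(0, 12, 2))

def find_attachment(bssid):
    """Return (switch, ifIndex) if the AP or a neighbouring MAC is on our wire."""
    for switch, fdb in SWITCH_FDB.items():
        for mac in mac_neighbourhood(bssid):
            if mac in fdb:
                return switch, fdb[mac]
    return None

def fingerprint_ok(known, s):
    """Match on more than SSID and MAC: right building, channel and security."""
    return (known.ssid == s.ssid and known.building == s.building
            and known.channel == s.channel and known.security == s.security)

def classify(s):
    if s.rssi_dbm < SIGNAL_THRESHOLD_DBM:
        return "distant-and-harmless"
    known = INVENTORY.get(norm_mac(s.bssid))
    if known is not None:
        # A known BSSID heard in the wrong place or mode may be a spoof: flag it for
        # manual investigation rather than shutting the real AP's port.
        return "connected-but-trusted" if fingerprint_ok(known, s) else "known-bssid-mismatch"
    return "true-rogue" if find_attachment(s.bssid) else "close-but-disconnected"

def triage(scan):
    """Worst category per BSSID across all sightings."""
    result = {}
    for s in scan:
        b, cat = norm_mac(s.bssid), classify(s)
        if b not in result or SEVERITY.index(cat) > SEVERITY.index(result[b]):
            result[b] = cat
    return result

def containment_command(bssid):
    """Draft the snmpset that sets IF-MIB ifAdminStatus (1.3.6.1.2.1.2.2.1.7.<ifIndex>)
    to down(2) on the rogue's edge port; refuse if that port is an uplink."""
    att = find_attachment(bssid)
    if att is None:
        return None
    switch, ifindex = att
    if (switch, ifindex) in UPLINK_PORTS:
        return f"REFUSE: {switch} ifIndex {ifindex} is an uplink; the rogue sits behind another switch"
    return f"snmpset -v2c -c <rw-community> {switch} 1.3.6.1.2.1.2.2.1.7.{ifindex} i 2"

def search_start(scan, bssid):
    """Start the physical hunt at the sensor that reported the strongest signal."""
    best = max((s for s in scan if norm_mac(s.bssid) == norm_mac(bssid)),
               key=lambda s: s.rssi_dbm)
    return best.seen_by, best.building

# Constructed scan results, as a controller's background scan might report them.
SCAN = [
    Sighting("00:1A:2B:00:00:10", "corp", 6, "WPA2-EAP", -48, "ap-hq-3", "HQ"),
    Sighting("00:1A:2B:00:00:20", "corp", 11, "WPA2-EAP", -52, "ap-annex-1", "Annex"),
    Sighting("D4:6E:0E:00:00:A2", "linksys", 1, "open", -61, "ap-hq-3", "HQ"),
    Sighting("D4:6E:0E:00:00:A2", "linksys", 1, "open", -79, "ap-hq-1", "HQ"),
    Sighting("F8:1A:67:00:00:99", "Free Public WiFi", 6, "open", -58, "ap-hq-1", "HQ"),
    Sighting("00:1A:2B:00:00:20", "corp", 11, "WPA2-EAP", -55, "ap-hq-3", "HQ"),
    Sighting("02:00:00:00:00:77", "rogue", 6, "open", -60, "ap-annex-1", "Annex"),
]

if __name__ == "__main__":
    for bssid, cat in triage(SCAN).items():
        print(bssid, cat, containment_command(bssid) if cat == "true-rogue" else "")
```

Run as a script it prints one line per BSSID; the Linksys rogue is tagged true-rogue with a ready-to-run snmpset for sw-hq-1 ifIndex 17, the "Free Public WiFi" lure is close-but-disconnected and left for the WLAN analyzer step, the Annex AP heard at HQ is flagged for manual investigation, and the MAC learned on sw-annex-1's uplink port is refused because shutting that port would take down everything behind it. In production the SWITCH_FDB dictionary would be populated with snmpwalk output from each access switch, and the snmpset would be issued by a human after confirming the port.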
Clearly, managing rogue threats isn't a simple task, but there's little point in detecting rogues without follow-up. If your risk tolerance is high and budget is tight, implementing these five steps with free or existing tools just might do the trick. But if you find your business cannot afford to react manually, consider stepping up to an entry-level WIPS or a managed WIPS service.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
This was first published in May 2009