Rogue wireless access points

Rogue wireless access points have been one of the big security concerns since the advent of WiFi. Security groups were concerned that employees were plugging a cheap (sorry, low cost) wireless access point into the corporate LAN. With this, anyone could easily access the sensitive LAN using a WiFi connection, including people outside the building.

Security groups started looking for rogue access points using tools like AP-Finder, Kismet and NetStumbler. Sure enough, they started finding rogue access points… lots of them.

Why were these access points being installed? In interviews with corporate security groups, I discovered two main reasons for people setting up rogue access points:

  1. Provide network coverage to places that did not have a network jack, such as a conference room or lobby. Employees felt that this would make them more productive.
  2. Contractors would need to share files among themselves, so they would set up an access point for the group. Sometimes, the access point was not connected to any wired network, but other times it was connected to the corporate LAN.

The most effective strategy in the past for controlling rogue access points has been to search for them using the above-mentioned tools. Other control methods that were attempted but did not work very well were:

  1. Installing software on the laptop to prevent the laptop from connecting to an unapproved wireless access point. This didn’t work if the user needed to connect to a wireless network while outside the office, and this solution only prevented laptops running the restriction software from connecting to the rogue AP. It did nothing to stop the deployment of the rogue APs.
  2. Searching the wired LAN for devices that appeared to be wireless APs. This technique was tried using MAC address identification and nmapping the IP addresses found while scanning the local network. While in principle this technique should help to identify rogue APs, it turned out to be difficult in practice. For one, MAC address identification is not effective across an internal router. Routers only relay IP traffic, not Ethernet traffic. This same issue made the nmap identification of APs difficult. Ultimately, this solution has not proven to be very effective.

So, in order to effectively control the use or misuse of wireless within your premises, you will need to deploy sensors that monitor the wireless air space constantly. These sensors should report access points that are active, as well as which access points are being used in the area. No other methods seem to be as effective.
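
One way to triage what such sensors report, as an added example that is not from the original post: each AP seen over the air is compared against an approved inventory, and unapproved ones are marked as in use when clients are associated with them. The record format, the inventories, the SSIDs and every MAC address below are constructed assumptions.

```python
from collections import defaultdict

# Assumed inventory of approved APs: BSSID -> SSID (constructed values).
APPROVED_APS = {"00:11:22:aa:00:01": "CorpNet", "00:11:22:aa:00:02": "CorpNet"}
# Assumed inventory of company-owned client MACs (constructed values).
CORP_CLIENTS = {"00:aa:bb:00:00:10", "00:aa:bb:00:00:11"}

# Constructed sensor records: (sensor, kind, bssid, ssid_or_client_mac, rssi_dbm)
OBSERVATIONS = [
    ("lobby", "beacon", "00:11:22:aa:00:01", "CorpNet", -48),
    ("lobby", "beacon", "02:de:ad:00:00:99", "linksys", -55),
    ("conf-3", "beacon", "02:de:ad:00:00:99", "linksys", -41),
    ("conf-3", "assoc", "02:de:ad:00:00:99", "00:aa:bb:00:00:10", -50),
    ("conf-3", "beacon", "02:be:ef:00:00:07", "CorpNet", -60),
    ("dock", "beacon", "02:ca:fe:00:00:33", "contractors", -70),
    ("dock", "assoc", "02:ca:fe:00:00:33", "00:cc:dd:00:00:42", -72),
]

def triage(observations, approved=APPROVED_APS, corp_clients=CORP_CLIENTS):
    """Return {bssid: finding} for every AP that is not in the approved inventory."""
    aps = defaultdict(lambda: {"ssid": None, "clients": set(), "best": None})
    for sensor, kind, bssid, value, rssi in observations:
        ap = aps[bssid.lower()]
        if kind == "beacon":
            ap["ssid"] = value
            # The strongest reading points to the sensor nearest the device.
            if ap["best"] is None or rssi > ap["best"][1]:
                ap["best"] = (sensor, rssi)
        elif kind == "assoc":
            ap["clients"].add(value.lower())
    findings = {}
    for bssid, ap in aps.items():
        if bssid in approved:
            continue
        findings[bssid] = {
            "ssid": ap["ssid"],
            "nearest_sensor": ap["best"][0] if ap["best"] else None,
            "in_use": bool(ap["clients"]),
            "corp_clients": sorted(ap["clients"] & corp_clients),
            # An unapproved radio advertising a corporate SSID gets priority.
            "imitates_corp_ssid": ap["ssid"] in set(approved.values()),
        }
    return findings

if __name__ == "__main__":
    for bssid, finding in sorted(triage(OBSERVATIONS).items()):
        print(bssid, finding)
```

The `nearest_sensor` field gives the physical starting point for a walk-through, and `corp_clients` shows which company laptops need follow-up.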

