
Rogue access points: Preventing, detecting and handling best practices


28 May 2009 | SearchNetworking.com


Rogue access points pose security threats to your business wireless network. To learn how
to prevent, detect and eliminate unauthorized network devices, we asked our Wi-Fi expert,
Lisa Phifer, and enterprise security expert Michael Gregg to answer the question "How do
you deal with rogue APs?" From their answers you'll learn best practices for handling rogue
wireless access points.

Question: What are the best practices for dealing with and monitoring for rogue access
points (APs) in a business network? Can you suggest how to prevent, detect, and
eliminate a found rogue access point or other unauthorized wireless device?

Answer from enterprise security expert Michael Gregg: There are several
potential problems with allowing end users to add wireless or other devices to
the company network without approval. One big one is they may not employ the
proper security measures. There is also the issue of maintaining control of the
organizations' infrastructure.

For the smaller organization there are several layers of control that can be built
in to reduce the rogue wireless threat. The first place to start is with policy. All
employees should know the rules regarding wireless and what can and cannot be plugged into
the network.

Policy enforcement will be easier if you have managed switches. You can disable unused
ports and start restricting down active ones by MAC address filtering.

Next, find some tools that will let you scan for rogue access points. There are commercial
tools that will do this such as AirMagnet and AirDefense, and if your budget is tight you
might want to try an open source tool such as RogueScanner.

Finally, don't be shy about using tools like NetStumbler and other site survey tools to identify
access points and verify their legitimacy.

Answer from Wi-Fi expert Lisa Phifer: Any unknown AP operating in or close to your facility
is a potential rogue -- but few turn out to be real threats. The trick is to reliably tell the
difference -- and fast.

In urban areas, most unknown APs will end up belonging to neighboring businesses, hotels,
stores, or metro-area wireless local area networks (WLANs). These neighboring APs are not
connected to your wired network, but still pose risk if employees connect to them (accidentally
or intentionally), bypassing your network's security. Thus, you may want to monitor your
wireless clients to detect employee associations to unknown-but-unconnected APs. This can be
done by using a network Wireless Intrusion Prevention System (WIPS) to watch the air or by
using a host-resident Wireless IPS to monitor client activity. Large enterprises should deploy
network WIPS solutions for full-time air surveillance. Smaller businesses on more limited
budgets may prefer to install stand-alone host WIPS programs like Sana Security Primary
Response Air Cover. Note that AP discovery tools, e.g. NetStumbler, cannot provide client
surveillance.

Of course, some unknown APs in or near your office may be physically connected to your
wired network – these "true rogues" pose immediate business threat because they create an
unsecured backdoor into your network, accessible to anyone within wireless range. The vast
majority of unknown-but-connected APs are installed by naïve employees for the sake of
convenience, usually without Wi-Fi authentication or encryption. However, you never know
whether one might turn out to be a malicious AP installed by a criminal. For example, a bank
in Haifa, Israel was robbed by criminals who planted a rogue AP inside the building so that
they could connect to the bank network from outside to initiate fraudulent money transfers.

Here again, large enterprises should really mitigate "true rogues" by deploying sophisticated
network WIPS solutions that can not only spot those APs, but trace their network connectivity,
estimate their physical location, and examine visible Wi-Fi parameters to focus attention and
automated response on real threats. For example, a WIPS may send a command to an upstream
switch to disable the Ethernet port connected to a rogue AP, thereby cutting off communication
with your network. WIPS-estimated location and a portable tool like a WLAN analyzer can then
be used to find the AP, determine who installed it, and decide how it should be dealt with.

Small businesses may prefer to use less sophisticated alternatives for continuous rogue AP
detection. For example, many Small Office Home Office (SOHO) or Small to medium
business (SMB) APs can scan the airwaves periodically, looking for nearby APs they don't
recognize. These APs can be configured with MAC lists of authorized and neighbor APs so
that only unknown APs end up triggering rogue alerts. Traditional diagnostic tools like tracert
can then be used to manually assess whether each potential rogue is connected to your
network -- but keep in mind that rogues can hide behind NAT and other parts of your network
that tracert won't reach. Rogues can also spoof MAC addresses used by legitimate APs or try
to mimic your own WLAN's SSID. In short, reliable rogue AP classification is difficult and
time-consuming – but a periodic scan and manual investigation may find employee-installed
rogues that are not really trying to evade detection.
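The MAC-list classification described above, as an added example that is not part of the article: a Python scan classifier that treats authorized and neighbor BSSIDs as known, flags everything else, and separates out an unknown radio advertising your own SSID. OUR_SSID, the BSSID lists and the scan entries are constructed values.

```python
# Added example (not from the article): classify a periodic AP scan against MAC
# (BSSID) lists of authorized and neighbor APs, so only unknown APs raise alerts,
# and single out the SSID-mimicking case the article warns about. Values constructed.
from dataclasses import dataclass

OUR_SSID = "corp-wlan"                                            # assumed WLAN name
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
NEIGHBOR_BSSIDS = {"aa:bb:cc:00:00:10"}                           # e.g. the hotel next door

@dataclass
class ScanEntry:
    bssid: str        # AP MAC address seen over the air
    ssid: str
    channel: int
    encrypted: bool   # False = open, no Wi-Fi authentication or encryption

def classify(entry: ScanEntry) -> str:
    """Label one scanned AP; only the 'rogue-*' and impersonation labels need follow-up."""
    bssid = entry.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:      # note: a rogue spoofing this MAC passes as well,
        return "authorized"             # so a MAC list is a first filter, not proof
    if bssid in NEIGHBOR_BSSIDS:
        return "neighbor"
    if entry.ssid == OUR_SSID:          # unknown radio advertising our SSID (evil twin)
        return "ssid-impersonation"
    if not entry.encrypted:             # typical employee-installed convenience AP
        return "rogue-open"
    return "rogue-unknown"              # investigate: tracert, WLAN analyzer, walk-around

def rogue_alerts(scan: list) -> dict:
    """Map BSSID -> label for every AP that is not on a known list."""
    labels = {e.bssid.lower(): classify(e) for e in scan}
    return {b: l for b, l in labels.items() if l not in ("authorized", "neighbor")}

# Constructed scan results standing in for a SOHO/SMB AP's background scan.
SAMPLE_SCAN = [
    ScanEntry("00:11:22:33:44:01", "corp-wlan", 1, True),
    ScanEntry("AA:BB:CC:00:00:10", "hotel-guest", 6, False),
    ScanEntry("de:ad:be:ef:00:01", "corp-wlan", 11, True),
    ScanEntry("de:ad:be:ef:00:02", "linksys", 6, False),
    ScanEntry("de:ad:be:ef:00:03", "printer-net", 1, True),
]

if __name__ == "__main__":
    for bssid, label in rogue_alerts(SAMPLE_SCAN).items():
        print(f"ALERT {label:20s} {bssid}")
```

The labels are a triage list for the manual checks the answer describes, not a verdict: whether a flagged AP is actually on your wire still has to be confirmed.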

However, many small businesses today rely upon scheduled rogue AP surveys, where admins
walk the premises using an ordinary wireless client, WLAN discovery tool, or WLAN
analyzer, looking for potential rogues. This methodology is arguably the most labor-intensive
and least reliable. For example, a visitor could easily install a rogue AP, use it for a week, and
then leave before your next survey. However, scheduled rogue surveys can be useful as a
complement to continuous rogue detection -- for example, to check a radio band not scannable
by your own APs.

Finally, businesses that are too risk-averse for background AP scans and manual rogue
mitigation, but not rich enough for (or ready to invest in) enterprise WIPS, should consider
managed WIPS services. Many SMBs already pay providers to install and operate a wired
network firewall/IPS on their behalf; some providers now offer Wireless IPS as a managed
service. For example, see AirTight SpectraGuard Online.

http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1357421,00.html

Why are TCP/IP networks not considered secure?

It's not as if designers work to build insecurities into protocols or operating systems. It is
really more an issue of priorities. TCP/IP was designed with usability in mind.

For example, consider ARP; it is a two-step process that consists of a request and a response.
Little thought was given at the time of the development of ARP that someone may actually
send unsolicited ARP responses for the purpose of ARP poisoning. Other protocols and
applications of TCP/IP also have security issues, such as ICMP, RIP, FTP, SNMP and Telnet.

Protocols like IPSec were not originally envisioned, and it is actually an add-on to IPv4.

For more information, view this tutorial on understanding TCP/IP from FreeSkills.com.
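The request/response exchange described in this answer, as an added example that is not from the article: a toy ARP cache in Python whose accept_naive() trusts any response (the behaviour that makes poisoning possible) and whose accept_strict() honours only responses to requests it actually sent and records an alert when a known IP-to-MAC binding changes. It is a model of the cache logic, not socket code, and all addresses are constructed.

```python
# Added example (not from the article): the two-step ARP exchange modelled as a
# small cache. accept_naive() trusts any reply, the behaviour that enables ARP
# poisoning; accept_strict() checks for an outstanding request. Addresses constructed.
from dataclasses import dataclass, field

@dataclass
class ArpReply:
    ip: str   # IP the reply claims to resolve
    mac: str  # MAC it binds to that IP

@dataclass
class ArpCache:
    table: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)   # IPs with an outstanding request
    alerts: list = field(default_factory=list)

    def request(self, ip: str) -> None:         # step 1: broadcast "who has ip?"
        self.pending.add(ip)

    def accept_naive(self, reply: ArpReply) -> None:   # classic: every reply is trusted
        self.table[reply.ip] = reply.mac

    def accept_strict(self, reply: ArpReply) -> bool:
        """Step 2 with checks; returns True if the cache was updated."""
        if reply.ip not in self.pending:
            self.alerts.append(f"unsolicited reply for {reply.ip} from {reply.mac}")
            return False
        old = self.table.get(reply.ip)
        if old is not None and old != reply.mac:
            self.alerts.append(f"binding change {reply.ip}: {old} -> {reply.mac}")
        self.table[reply.ip] = reply.mac
        self.pending.discard(reply.ip)
        return True

def demo() -> tuple:
    """Replay one genuine and one unsolicited spoofed reply; returns (naive, strict, alerts)."""
    genuine = ArpReply("192.0.2.1", "02:00:00:00:00:01")
    spoofed = ArpReply("192.0.2.1", "02:00:00:00:00:99")   # never requested
    naive, strict = ArpCache(), ArpCache()
    for cache in (naive, strict):
        cache.request("192.0.2.1")
    for reply in (genuine, spoofed):
        naive.accept_naive(reply)
        strict.accept_strict(reply)
    return naive.table, strict.table, strict.alerts

if __name__ == "__main__":
    print(demo())
```

The strict cache still has no way to verify the first answer to a request, which is why the answer above calls this a design priority rather than a bug; the binding-change alert is what catches later attempts.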

Why do we need IP security at the network layer?

Cryptographic functions must be ready at every layer to use the most appropriate type.
However IPsec or other security solutions should only be layered where needed. For some
situations, IPsec might be the best solution; for others, it could be Secure Sockets Layer (SSL).
When IPSec or any other security solutions are layered, services will slow. Users won't be
happy and you may even have issues or vulnerabilities you weren't expecting.

03 May 2007 | SearchNetworking.com


Secure your network with this OSI model reference. Below, you'll find links to all the tips in
our "OSI -- securing the stack" series by security expert and author Michael Gregg, based on
his book, Hack the Stack.

The mythical Layer 8: People -- "Layer 8 -- Social engineering and security policy"
Layer 7: The application layer -- "Layer 7 -- Applications"
Layer 6: The presentation layer -- "Layer 6 -- Encryption"
Layer 5: The session layer -- "Layer 5 -- Session hijacking"
Layer 4: The transport layer -- "Layer 4 -- Fingerprinting"
Layer 3: The network layer -- "Layer 3 -- Understanding the role of ICMP"
Layer 2: The data-link layer -- "Layer 2 -- Understanding the role of ARP"
Layer 1: The physical layer -- "Layer 1 -- Physical security threats"

OSI Reference Model illustrated

Open Systems Interconnection (OSI) is a standard reference model for communication
between two end users in a network. The model is used in developing products and
understanding networks. Also see the notes below the figure.

[Figure: OSI Reference Model illustration, republished with permission from The Manual Page.]

OSI divides telecommunication into seven layers. The layers are in two groups. The upper
four layers are used whenever a message passes from or to a user. The lower three layers are
used when any message passes through the host computer. Messages intended for this
computer pass to the upper layers. Messages destined for some other host are not passed up to
the upper layers but are forwarded to another host. The seven layers are:

Layer 7: The application layer ...This is the layer at which communication partners are
identified, quality of service is identified, user authentication and privacy are considered, and
any constraints on data syntax are identified. (This layer is not the application itself, although
some applications may perform application layer functions.)

Layer 6: The presentation layer ...This is a layer, usually part of an operating system, that
converts incoming and outgoing data from one presentation format to another (for example,
from a text stream into a popup window with the newly arrived text). Sometimes called the
syntax layer.

Layer 5: The session layer ...This layer sets up, coordinates, and terminates conversations,
exchanges, and dialogs between the applications at each end. It deals with session and
connection coordination.

Layer 4: The transport layer ...This layer manages the end-to-end control (for example,
determining whether all packets have arrived) and error-checking. It ensures complete data
transfer.

Layer 3: The network layer ...This layer handles the routing of the data (sending it in the
right direction to the right destination on outgoing transmissions and receiving incoming
transmissions at the packet level). The network layer does routing and forwarding.

Layer 2: The data-link layer ...This layer provides synchronization for the physical level
and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol
knowledge and management.

Layer 1: The physical layer ...This layer conveys the bit stream through the network at the
electrical and mechanical level. It provides the hardware means of sending and receiving data
on a carrier.

http://whatis.techtarget.com/definition/0,,sid9_gci523729,00.html

LANs vs. WLANs: Which network designs are used for each company size?

EXPERT RESPONSE FROM: Lindi Horton

QUESTION POSED ON: 17 November 2008


Do you consider LAN to be the best choice for small area? If so, why?
I do consider that a Local Area Network (LAN) is the best choice for small areas.
There are several considerations that I would make to assess this decision, but LANs are
in fact designed for small areas. With this question, I assume there's a little bit more to
the question. Typically when asked, there's some confusion about wireless versus wired
LAN environments. So I'm going to go with a massive assumption that is what you're
inferring.

In today's ubiquity of technical availability, LANs provide the users quick, efficient
access to local resources and a route to the Internet that is also quite simple to set up and
maintain by IT staff. There are several pros and cons to my choices for wired versus
wireless technologies used to implement the LAN.

My personal preference is wireless technologies as I am absolutely abysmal at running
and cabling. I could frighten you with stories of my feeble attempts to get all of my
cabling done correctly. I'd get the patterns correct but the ends would never line up. And
if you're as OCD as I am, this would be a massive problem. While this personal story is
a little humorous, it brings up a valid point to implementing a wired LAN environment.
In wired environments, the equipment is easy and cheap but requires cables to be run
and switches to be configured. NICs on servers and workstations need administration as
well as DHCP scopes. The overhead to managing and wiring things tends to be a little
more difficult than setting up a wireless network.

Setting up and maintaining wireless networks is a little easier. You don't have to match
pretty little blue and white striped wires to plastic ends. With wireless networks, the
initial setup is much simpler, but be sure to set up the SSIDs and security properly.
Troubleshooting wireless networks tends to be the hardest thing to do in that signaling
might be weak and disconnections may run rampant. A vast array of new features in the
wireless access points (WAPs) and administration of these devices has made
provisioning WAP's a breeze. There are some new additional tools on the market that
provide great visibility into troubleshooting. It also simplifies the administration of
trying to find cables in conference rooms and roam around with laptops, providing a
mobile workspace. And did I mention you don't have to run cables? Wireless LAN
(WLAN) technologies are where I would invest in my infrastructure for end-users. I
would implement wired technologies for servers.

So yes, LANs are designed for small areas. WLANs are ideal for end-users while wired
LANs are suggested for server connectivity.
http://searchnetworking.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid7_gci1335178_mem1,00.html
