Sunday, August 29, 2010

How to defend from rogue access point

There are a couple of ways of detecting Rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support the use of a GPS card. This allows NetStumbler to create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a Rouge AP is to take a laptop that's running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You'll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can probably use the signal strength to narrow down your search to a single room. After that, you'll just have to hunt around the room until you find the access point.

One thing you should keep in mind when using NetStumbler is that if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are a running 802.11a network, then an 802.11b NIC will not detect it. That's because 802.11b uses a 2.4GHz signal, while 802.11a operates in the 5GHz range.

Figuring out which access points are, in fact, rogue may sometimes be difficult. To avoid confusion, it's best that you judiciously document all of the access points in use in your business. If not, you might think you have a rouge AP on your network when one doesn't exist. For example, if your office has one AP and you suddenly detect two, you'd probably assume that one of the access points is rogue. This isn't always the case, though. For instance, one time I was attempting to set up a new AP in a small office and while trying to establish a connection between my laptop and the new AP a DHCP server in an adjoining office had automatically assigned an IP address to my system. Now, was this a rogue access point? No. Instead my wireless NIC was receiving a signal from a completely legitimate source that posed no danger to my network. Knowing how to identify the difference between a neighboring AP and a serious threat will save you plenty of headaches.

These techniques should work well enough in a small office, but for larger environments, you should really consider investing in something a bit more specialized. There are a number of proprietary solutions available from a variety of creditable vendors. These vendors will deploy an advanced RF monitoring system into your network that can monitor the air and detect access points. Some have even gone as far as being able to classify if a unauthorized AP is actually plugged into the network and is causing an immediate threat or if it's just the local Starbucks across the street. Many of these systems can be deployed for pennies per square foot.

If you have such an environment, I'd recommend visiting the Aruba Networks Web site. Though not as economical as NetStumbler, (the cost varies according to the size of your network), wireless products from Aruba can help you gain far greater control over your wireless network environment. Products from AirMagnet and AirDefense are also popular choices for wirelessnetwork security. These products allow you to track down the rogues based on channel, MAC address, radio band, SSID (define) or vendor. On top of that they can monitor the air 24/7 and send alerts if a rogue is detected. They can also alert you to repeated authentication failures that might signal the presences of a hacker.

Every enterprise class wireless network should have a wireless IDS/IPS system in place. A wireless IDS/IPS is an Intrusion Detection/Intrusion Prevention System. A full featured IDS/IPS will detect and "kill" Rogue APs, detect and stop denial of service attacks, man in the middle attacks and report on suspicious activity

Wednesday, August 18, 2010

rogue access point

gue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator,[1] or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can ignorantly or maliciously install an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server server-client) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network.

To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

Presence of large number of wireless access points can be sensed in airspace of typical enterprise facility. These include managed access points in the secure network plus access points in the neighborhood. Wireless intrusion prevention system facilitates the job of auditing these access points on a continuous basis to find out if there are any rogue access points among them.

In order to detect rogue access points, two conditions need to be tested: i) whether or not the access point is in the managed access point list, and ii) whether or not it is connected to the secure network. The first of the above two conditions is easy to test - compare wireless MAC address (also called as BSSID) of the access point against the managed access point BSSID list. However, automated testing of the second condition can become challenging in the light of following factors: a) Need to cover different types of access point devices such as bridging, NAT (router), unencrypted wireless links, encrypted wireless links, different types of relations between wired and wireless MAC addresses of access points, and soft access points, b) necessity to determine access point connectivity with acceptable response time in large networks, and c) requirement to avoid both false positives and negatives which are described below.

False positive (crying wolf) occurs when the wireless intrusion prevention system detects an access point not actually connected to the secure network as wired rogue. Frequent false positives result in wastage of administrative bandwidth spent in chasing them. Possibility of false positives also creates hindrance to enabling automated blocking of wired rogues due to the fear of blocking friendly neighborhood access point.

False negative occurs when the wireless intrusion prevention system fails to detect an access point actually connected to the secure network as wired rogue. False negatives result in security holes.

If an unauthorized access point is found connected to the secure network, it is the rogue access point of the first kind (also called as “wired rogue”). On the other hand, if the unauthorized access point is found not connected to the secure network, it is an external access points. Among the external access points, if any is found to be mischievous or potential risk (e.g., whose settings can attract or have already attracted secure network wireless clients), it is tagged as rogue access point of the second kind (also called as “honeypot”).