There are a couple of ways of detecting Rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support the use of a GPS card. This allows NetStumbler to create a map showing the locations of all the wireless APs within a specified area.
The simplest way to hunt down a Rouge AP is to take a laptop that's running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You'll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can probably use the signal strength to narrow down your search to a single room. After that, you'll just have to hunt around the room until you find the access point.
One thing you should keep in mind when using NetStumbler is that if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are a running 802.11a network, then an 802.11b NIC will not detect it. That's because 802.11b uses a 2.4GHz signal, while 802.11a operates in the 5GHz range.
Figuring out which access points are, in fact, rogue may sometimes be difficult. To avoid confusion, it's best that you judiciously document all of the access points in use in your business. If not, you might think you have a rouge AP on your network when one doesn't exist. For example, if your office has one AP and you suddenly detect two, you'd probably assume that one of the access points is rogue. This isn't always the case, though. For instance, one time I was attempting to set up a new AP in a small office and while trying to establish a connection between my laptop and the new AP a DHCP server in an adjoining office had automatically assigned an IP address to my system. Now, was this a rogue access point? No. Instead my wireless NIC was receiving a signal from a completely legitimate source that posed no danger to my network. Knowing how to identify the difference between a neighboring AP and a serious threat will save you plenty of headaches.
These techniques should work well enough in a small office, but for larger environments, you should really consider investing in something a bit more specialized. There are a number of proprietary solutions available from a variety of creditable vendors. These vendors will deploy an advanced RF monitoring system into your network that can monitor the air and detect access points. Some have even gone as far as being able to classify if a unauthorized AP is actually plugged into the network and is causing an immediate threat or if it's just the local Starbucks across the street. Many of these systems can be deployed for pennies per square foot.
If you have such an environment, I'd recommend visiting the Aruba Networks Web site. Though not as economical as NetStumbler, (the cost varies according to the size of your network), wireless products from Aruba can help you gain far greater control over your wireless network environment. Products from AirMagnet and AirDefense are also popular choices for wirelessnetwork security. These products allow you to track down the rogues based on channel, MAC address, radio band, SSID (define) or vendor. On top of that they can monitor the air 24/7 and send alerts if a rogue is detected. They can also alert you to repeated authentication failures that might signal the presences of a hacker.
Every enterprise class wireless network should have a wireless IDS/IPS system in place. A wireless IDS/IPS is an Intrusion Detection/Intrusion Prevention System. A full featured IDS/IPS will detect and "kill" Rogue APs, detect and stop denial of service attacks, man in the middle attacks and report on suspicious activity
No comments:
Post a Comment