• Although a rogue access point can get hackers past a company’s first line of defenses, it doesn’t automatically grant access to servers and sensitive data. More common liabilities from rogue APs include loss of network bandwidth and available IP addresses.
• All access points and client devices should undergo some form of authentication before being allowed on the network.
• A wireless controller can offer a host of benefits to an enterprise WLAN, including the ability to quickly locate rogue APs through signal triangulation.
The problem typically begins innocently enough. Some worker gets a new laptop with the latest wireless capabilities, only to find that the enterprise hasn’t updated from old but reliable 802.11g. So he grabs an extra wireless router or AP from home, plugs it into the nearest RJ-45 jack in the office, and—voila! Instant speed and productivity improvement. Of course, this unapproved device is also a gaping security hole.
Not all “rogue” devices are so innocent. Peter Newton, director of SME product marketing for Netgear (www.netgear.com), tells of a hacker who modded a power strip, replacing its innards with those of an AP. Intruders had a wireless tunnel into the building via a device that was nearly impossible to detect visually. Whether a rogue AP is accidental or malicious, it’s a liability that should be handled immediately.
The Rogue Risk
First, be aware that a rogue device doesn’t automatically broadcast an enterprise’s most prized data to anyone in reception range. If anything, it’s a bit like plugging an electrical appliance into the wall. The AP may get juice (network access), but that doesn’t mean it can automatically access servers or other systems, only that it’s potentially been given an address on the LAN.
“Most rogue APs are just something cheap, set by default to run as DHCP servers,” says Jeanette Lee, senior systems engineer with Ruckus Wireless (www.ruckuswireless.com). “So when you plug these into a wired network, you run the chance that now you’ve got [a] rogue DHCP server giving out addresses. These will probably do nothing and go nowhere, but you never want two DHCP servers on the same network handing out addresses.”
Lee points out that many enterprises have authentication measures in place that prohibit rogue devices from siphoning bandwidth from the organization. But this doesn’t apply to all networks. Some have to remain open to meet the needs of the enterprise. This yields a more common risk of having both rogue APs and clients consuming IP addresses.
“I’m dealing with a university here in southern California,” she says, “where they average around 6,000 devices on their campus connected to their DHCP server. Well, when iPhones and gaming consoles and all that came out, they saw about 16,000 addresses being consumed. They were actually running out. Further investigation showed that most of these devices weren’t doing anything—except having a negative impact on their network and resources.”
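The rogue-DHCP situation Lee describes can be caught passively. The detector below is an added example, not the article's or any vendor's code: it parses the options field of captured DHCP packets (standard BOOTP/DHCP layout) and reports DHCPOFFERs whose server identifier is not an approved DHCP server. The authorized address and the sample packets are constructed assumptions.

```python
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2

def parse_options(packet: bytes) -> dict:
    """Parse the TLV options after the 236-byte fixed BOOTP header and cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def find_rogue_offers(packets, authorized_servers):
    """Return the server IDs of DHCPOFFERs sent by servers not on the approved list."""
    rogues = set()
    for pkt in packets:
        opts = parse_options(pkt)
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or OPT_SERVER_ID not in opts:
            continue
        server = str(IPv4Address(opts[OPT_SERVER_ID]))
        if server not in authorized_servers:
            rogues.add(server)
    return rogues

def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Constructed sample DHCPOFFER (not a real capture), just enough for the detector."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6  # op=BOOTREPLY, htype=Ethernet, hlen=6
    header[16:20] = IPv4Address(offered_ip).packed  # yiaddr
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
    return bytes(header) + DHCP_MAGIC + options + IPv4Address(server_ip).packed + bytes([OPT_END])

AUTHORIZED = {"10.0.0.2"}  # the corporate DHCP server (assumed address)
SAMPLE_CAPTURE = [
    build_offer("10.0.0.2", "10.0.5.17"),         # legitimate offer
    build_offer("192.168.1.1", "192.168.1.100"),  # consumer AP left in default router mode
]
```

In practice the packets would come from a DHCP relay log or a span port; any server ID outside the approved set is the "second DHCP server" Lee warns about.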
The real danger of rogue APs comes when network access protection isn’t applied to LAN jacks at the desktop level, where rogues typically plug in. Methods such as 802.1X and encryption typically authenticate any connecting device, but many organizations omit such authentication so as not to hamper employees. This freedom is what allows people to tap into networks from the parking lot. Usually, they just want a quick way onto the Web, but sometimes they could be up to something more nefarious.
Not every rogue device on the LAN is an AP. Unauthorized client devices can pose just as large a threat. For many years, organizations have used MAC filtering to keep out unwanted devices. The MAC address is the 48-bit hardware identifier assigned to every network adapter. Admins can use MACs to create whitelists or blacklists. MAC filtering is simple and effective, but it works much better in a wired world than a wireless one.
“Even on an encrypted connection,” says Ruckus’ Lee, “the MAC address is part of the IP frame header, which is not encrypted. So I can sit there with my machine, and even though I’m not on the network, I can see every packet that everyone else is transmitting. You might have encrypted the payload, but I can easily see your MAC address and change the address on my machine to copy it.”
Some organizations will opt to use a “Web captive portal,” or login page, to control Web access. This is common at hotels and public hotspots and helps to keep people from stealing bandwidth. However, it won’t keep devices from associating with the network like encryption would.
Another option, according to Nimesh Vakharia, senior product manager at Symantec (www.symantec.com), is to use a dynamic preshared key. With this, every authorized client that connects to the network is given a unique preshared key that must be presented to the network to associate with it. Authorized devices that present a proper key will be given an IP address; other devices will be denied. This approach takes more planning than an open network, but it has advantages over conventional encryption, including not necessitating a performance hit for encryption overhead.
Vakharia also advocates a quarantine system for newly associated systems. This addresses the problem of approved devices bringing risks into the network. “When a contractor comes in,” he says, “there’s no way to control what’s on his system, but you can force him to be compliant with your policies. Does he have antivirus? Is it updated? Does he have firewall? Does he have the OS patches? Once you’ve validated all that, then you allow him on the network.”
With this method, as soon as a new device comes on the network, it gets placed in a quarantined VLAN with no network access. The device only has access to a remediation server, and not until the device passes safety checks is it allowed out of quarantine and onto the regular network. This quarantine work can either be run from an appliance or, for lower volume needs, from an app running on a server. Often, it requires an agent to be installed on the client device, but these can “dissolve” and leave no trace of themselves (save a fully patched configuration) once the device logs off.
Both Lee and Newton reiterate the importance of using a wireless controller, particularly in medium-sized and large organizations. “A wireless controller gives you a whole host of benefits,” says Newton, “including centralized management, a self-healing wireless network that makes sure all users stay connected, load balancing, transmit power adjustment, etc. One benefit of the wireless controller is that it can provide triangulation data. Because it’s receiving information from multiple APs, it can find a rogue AP out there and tell you where it is.”
This triangulation is generally accurate to within a few feet. Use it to locate the rogue device, pull it off the network, and find out who put it in action. (Without a wireless controller, IT staff can use wireless scanning software on a notebook to perform a survey for unauthorized devices.) IT may want to lecture about company policy, but often the rogue AP was placed for a valid reason.
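The controller-based location Newton describes works from the signal strength each managed AP reports for the rogue's transmissions. The following is an added example, not the article's or Netgear's code: it converts RSSI into a range with a log-distance path-loss model (the two model constants are assumptions for an indoor office) and fits the rogue's position on the floor plan by least squares; the AP positions and readings are constructed.

```python
import math

# Log-distance path-loss model constants; both are assumptions for an indoor office.
TX_POWER_AT_1M = -40.0  # dBm measured 1 m from a typical consumer AP
PATH_LOSS_EXP = 2.5     # 2.0 is free space; indoor office is usually 2.5 to 3.5

def rssi_to_distance(rssi_dbm: float) -> float:
    """Invert the path-loss model: RSSI = P1m - 10*n*log10(d)."""
    return 10 ** ((TX_POWER_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))

def trilaterate(observations, iters=3000, lr=0.01):
    """observations: [((ap_x, ap_y), rssi_dbm), ...] in metres/dBm.
    Minimise sum((|p - ap| - range)^2) by gradient descent from the AP centroid.
    Returns the estimated (x, y) of the transmitter."""
    ranges = [(pos, rssi_to_distance(rssi)) for pos, rssi in observations]
    x = sum(p[0] for p, _ in ranges) / len(ranges)
    y = sum(p[1] for p, _ in ranges) / len(ranges)
    for _ in range(iters):
        gx = gy = 0.0
        for (ax, ay), d in ranges:
            dx, dy = x - ax, y - ay
            est = math.hypot(dx, dy) or 1e-9  # avoid division by zero on top of an AP
            err = est - d
            gx += 2 * err * dx / est
            gy += 2 * err * dy / est
        x -= lr * gx
        y -= lr * gy
    return x, y

def residual_rms(observations, point) -> float:
    """RMS mismatch between modelled ranges and the fitted point; large values mean
    the path-loss constants or the AP positions are wrong for this floor."""
    sq = 0.0
    for (ax, ay), rssi in observations:
        sq += (math.hypot(point[0] - ax, point[1] - ay) - rssi_to_distance(rssi)) ** 2
    return math.sqrt(sq / len(observations))

# Constructed readings: four managed APs at the corners of a 20 m x 15 m floor
# report a rogue SSID; RSSI values are whole dBm as a controller would log them.
SAMPLE_OBSERVATIONS = [
    ((0.0, 0.0), -66),
    ((20.0, 0.0), -71),
    ((0.0, 15.0), -63),
    ((20.0, 15.0), -70),
]

if __name__ == "__main__":
    est = trilaterate(SAMPLE_OBSERVATIONS)
    print(f"rogue AP near x={est[0]:.1f} m, y={est[1]:.1f} m, rms={residual_rms(SAMPLE_OBSERVATIONS, est):.2f} m")
```

The residual is the sanity check a practitioner wants before walking the floor: whole-dBm rounding alone shifts the fix by well under a metre, but walls and a wrong path-loss exponent show up as a residual of several metres.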
“It’s always [better] to unplug a rogue AP and throw [it] in the trash than it is to do some kind of intangible containment,” says Ruckus’ Lee. “But find out who put it there. If you listen, workers will educate you that something needs to be addressed on the wireless network.”
by William Van Winkle
Some wireless intrusion detection systems built into wireless controllers allow organizations to use floor plans overlaid with access point locations. With these locations known, the location of unauthorized access points can be quickly identified. (Source: Netgear)