How to Track Down Rogue Wireless Access Points


Rogue access points are the silent killer of wireless network security. However, there are numerous steps you can take to minimize the threat.


Of all of the threats faced by your network security, few are as potentially dangerous as the rogue Access Point (AP). A rogue AP is a WiFi Access Point connected to your network without authorization; in the worst case it is set up by an attacker to sniff wireless network traffic in an effort to gain unauthorized access to your network environment. Ironically, though, this breach in security typically isn’t implemented by a malicious hacker or other malcontent. Instead, it’s usually installed by someone who is simply looking for the same convenience and flexibility at work that they’ve grown accustomed to on their own home wireless network.

Regrettably, though, many people don’t understand the intricacies involved with wireless networking and end up deploying an AP without activating the security measures needed to ensure secure communications with the office network. As a result, the existence of this unauthorized AP leaves your network susceptible to attack by anyone who has a wireless connection and is close enough to see it.

In order to successfully defend against these types of threats, not only will you need to build new safeguards into your network environment, but you will also have to make sure that anyone who uses your network is educated in proper security practices.

Think we’re making too much out of this? Take a look at the security breach realized by Lowes Hardware due to an unsecured wireless network connection.

The first logical question is “what can you do to stop someone from bringing in a wireless AP and plugging it into an Ethernet port at their desk or at some other location in the office?” Well, the short answer is simple — nothing. Nothing you can do can completely prevent it. A knowledgeable and savvy user can and will always find ways to circumvent all but the most advanced security measures. Yet, in spite of this, there are numerous steps you can take that should help minimize this threat.

The first thing that I would recommend is that you consider actually installing your own wireless network and make it available to everyone in the office. It’s better for you to install a wireless network that you have control over as opposed to having people do it behind your back. By providing it for them, you defuse a lot of potential threats right off the bat.

However, should you decide not to go this route, there are other alternatives. Let’s take a look at some of these methods. Before you can enforce any type of security solution, everyone needs to understand the consequences of introducing something onto the network that could compromise its integrity. To that end, you need a network security policy that clearly states the consequence for connecting an unauthorized AP to the network.

So now that you have a policy, how do you enforce it? One method you could employ is to use managed switches on your network. These switches allow you to use port-based security as part of the solution. This means that you could configure a particular Ethernet port to accept only a network device with a specific MAC address, which prevents users from connecting their own devices to the network. You should also disable unused ports. This minimizes the number of places where a Rogue AP could hide out.

You might also consider using static IP addresses on your network instead of having them assigned by a DHCP server. This would mean that the user who installed the Rogue AP would need to manually assign an IP address to the AP before it could gain access to the network. This method is far from foolproof, but it should dissuade the casual PC user.

Detecting the Device
There are a couple of ways of detecting Rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company’s Web site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support the use of a GPS card. This allows NetStumbler to create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a Rogue AP is to take a laptop that’s running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You’ll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can probably use the signal strength to narrow down your search to a single room. After that, you’ll just have to hunt around the room until you find the access point.

One thing you should keep in mind when using NetStumbler is that if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are running an 802.11a network, an 802.11b NIC will not detect it. That’s because 802.11b uses a 2.4GHz signal, while 802.11a operates in the 5GHz range.

Figuring out which access points are, in fact, rogue may sometimes be difficult. To avoid confusion, it’s best that you judiciously document all of the access points in use in your business. If not, you might think you have a Rogue AP on your network when one doesn’t exist. For example, if your office has one AP and you suddenly detect two, you’d probably assume that one of the access points is rogue. This isn’t always the case, though. For instance, one time I was attempting to set up a new AP in a small office and while trying to establish a connection between my laptop and the new AP a DHCP server in an adjoining office had automatically assigned an IP address to my system. Now, was this a rogue access point? No. Instead my wireless NIC was receiving a signal from a completely legitimate source that posed no danger to my network. Knowing how to identify the difference between a neighboring AP and a serious threat will save you plenty of headaches.
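To put the detection and documentation advice above into practice, here is an added example (not part of the original article and not NetStumbler’s own export format): it checks constructed site-survey readings against a documented inventory of authorized and known-neighbor APs, labels everything else a candidate rogue, notes the band (a 5GHz entry is one an 802.11b-only card could never have seen), and ranks candidates by their strongest reading so you know which room to start searching.

```python
# Added example: rank site-survey readings against the documented AP inventory.
from collections import defaultdict
# Constructed inventory of the APs you have documented (BSSID -> description).
AUTHORIZED = {"00:11:22:aa:bb:01": "Office AP, 1st floor"}
# Constructed list of neighbouring APs already checked and found harmless.
KNOWN_NEIGHBORS = {"00:11:22:cc:dd:99": "Adjoining suite"}

# Constructed NetStumbler-style readings taken while walking the building:
# (bssid, ssid, channel, signal_dbm, where_measured).
SCAN = [
    ("00:11:22:aa:bb:01", "Office-WiFi", 6, -48, "lobby"),
    ("00:11:22:cc:dd:99", "NextDoor", 11, -77, "lobby"),
    ("00:11:22:ee:ff:42", "linksys", 1, -72, "lobby"),
    ("00:11:22:ee:ff:42", "linksys", 1, -41, "room 204"),
    ("00:11:22:ee:ff:42", "linksys", 1, -63, "room 206"),
    ("00:11:22:ee:ff:77", "corp-a", 36, -55, "room 210"),
]

def band(channel):
    """Channels 1-14 are 2.4 GHz (802.11b/g); higher channels are 5 GHz (802.11a)."""
    return "2.4GHz" if 1 <= channel <= 14 else "5GHz"

def classify(scan, authorized, neighbors):
    """Label every BSSID seen and record where its signal was strongest."""
    readings = defaultdict(list)
    for bssid, ssid, channel, dbm, where in scan:
        readings[bssid].append((dbm, where, ssid, channel))
    result = {}
    for bssid, rows in readings.items():
        dbm, where, ssid, channel = max(rows)  # higher dBm = stronger signal
        if bssid in authorized:
            label = "authorized"
        elif bssid in neighbors:
            label = "known-neighbor"
        else:
            label = "candidate-rogue"
        result[bssid] = {"label": label, "ssid": ssid, "band": band(channel),
                         "strongest_dbm": dbm, "nearest": where}
    return result

def rogue_hunt_list(scan, authorized, neighbors):
    """Candidate rogues, strongest first: where to start walking."""
    info = classify(scan, authorized, neighbors)
    rogues = [(b, i) for b, i in info.items() if i["label"] == "candidate-rogue"]
    return sorted(rogues, key=lambda r: r[1]["strongest_dbm"], reverse=True)

if __name__ == "__main__":
    for bssid, i in rogue_hunt_list(SCAN, AUTHORIZED, KNOWN_NEIGHBORS):
        print(f"{bssid} ssid={i['ssid']} {i['band']} {i['strongest_dbm']} dBm near {i['nearest']}")
```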

These techniques should work well enough in a small office, but for larger environments, you should really consider investing in something a bit more specialized. There are a number of proprietary solutions available from a variety of reputable vendors. These vendors will deploy an advanced RF monitoring system into your network that can monitor the air and detect access points. Some have even gone as far as being able to classify whether an unauthorized AP is actually plugged into the network and is causing an immediate threat or if it’s just the local Starbucks across the street. Many of these systems can be deployed for pennies per square foot.

If you have such an environment, I’d recommend visiting the Aruba Networks Web site. Though not as economical as NetStumbler (the cost varies according to the size of your network), wireless products from Aruba can help you gain far greater control over your wireless network environment. Products from AirMagnet and AirDefense are also popular choices for wireless network security. These products allow you to track down the rogues based on channel, MAC address, radio band, SSID or vendor. On top of that, they can monitor the air 24/7 and send alerts if a rogue is detected. They can also alert you to repeated authentication failures that might signal the presence of a hacker.

Every enterprise-class wireless network should have a wireless IDS/IPS system in place. A wireless IDS/IPS is an Intrusion Detection/Intrusion Prevention System. A full-featured IDS/IPS will detect and “kill” Rogue APs, detect and stop denial-of-service and man-in-the-middle attacks, and report on suspicious activity.

While some of these solutions can get a bit expensive, it is only through these techniques, together with the proprietary hardware solutions available from dedicated wireless vendors like those mentioned, that you can shield your network from that $50 threat from the computer store.

— Ron Pacchiano