Posts by Topic

see all

Making the right choice for rogue access point detection technology

by Hemant Chaskar on Oct 7, 2009

At every turning point big or small, mankind has faced the challenge of making choices between available technologies. May it be “DC vs AC” debate which laid foundation for our electrical distribution systems, or “mainframe vs workstation” debate which created platform for the modern Internet. At this turning point today when WiFi is poised to become mainstream enterprise networking technology, the network security administrator faces challenge of making right technology choice for WiFi security.

Among other things, one important technological choice the administrator will have to make is between wireless intrusion prevention systems (WIPS) which use “active” vs “passive” network connectivity detection methods.

Robust detection of wireless access points' connectivity (or non-connectivity) to the enterprise network being protected lies at the heart of security and manageability aspects of the WIPS. A false negative, i.e., network connected AP called as not connected, results in security hole as it can cause rogue access point (AP) to go unnoticed. A false positive, i.e., network unconnected AP called as connected, results in nuisance and also creates hindrance to initiating to automated blocking.

There are two competing methods available to detect wireless access point’s network connectivity, namely “active” and “passive”. Active technique use packet injection to determine AP’s network connectivity. Passive techniques mainly rely of MAC correlation.

Active Methods: They work by injecting small signatures packets in the wired and wireless network, and detecting which APs forward the signature packets between their wired and wireless interfaces.

Passive Methods: They work by compiling all MAC addresses seen on wired network (switch CAM table lookup is a dominant method) and compiling all MAC addresses seen on wireless network. Network connectivity APs is determined based on match between wired and wireless MAC addresses.

The efficacy of active and passive methods is quite different. Passive methods require extensive interaction with switching infrastructure, entail high latency of connectivity detection and have difficulty scaling to large networks. Active techniques on the other hand operate in a localized, distributed manner without any interaction with switches. They can thus gracefully scale to large networks. Due to these factors, active techniques provide assured connectivity and non-connectivity detection, while passive techniques provide only best effort connectivity and non-connectivity detection.

For more information on the above methods of rogue access point detection including their operation, comparative analysis and testing methodology, you can view my webinar here.

Topics: Wireless security