Ugly, Bad and Good of Wireless Rogue Access Point Detection

by Hemant Chaskar on Sep 20, 2009

One critical requirement of a wireless intrusion prevention system (WIPS) is that it should offer robust protection against rogue wireless access points. The protection should entail instant detection followed by automatic blocking (prevention). Rogue AP detection should be free from false alarms, both false positives and false negatives.

A rogue AP is an unauthorized AP that is wired to (connected to) the monitored enterprise network. In other words, a rogue AP satisfies two conditions: i) it is not on the authorized AP list, AND ii) it is wired to the monitored enterprise network.

Classification

The first of the above two conditions is easy to test: just compare the BSSID of the detected AP with your managed AP BSSID list. The second condition is where things start to become interesting. Accurately and reliably detecting whether every AP seen in the air is or is not wired to the monitored enterprise network requires technological sophistication. Based on the level of sophistication, three types of rogue AP detection workflows are prevalent in the wireless intrusion prevention system (WIPS) solutions available in the market.

Type 1: Any AP Other than Mine Is Rogue!

Any AP other than an authorized AP is rogue. Network connectivity of the AP to the enterprise network is not a criterion for rogue detection. The administrator will have to painstakingly separate out friendly neighbor APs by hand. This manual inspection needs to be done on an ongoing basis as new neighborhood APs pop up and old ones are reconfigured. If manual inspection is not done promptly and regularly, it creates a security hole. Needless to say, automatic prevention of rogue APs cannot be turned on, as the administrator will first have to decide whether a newly detected AP is on the network or just a friendly neighborhood AP.

Warning: Showing a network connectivity field in the AP details is not the same as using network connectivity in classification. Rather, the fact that a system shies away from using network connectivity in automatic classification is an indicator that the system is incapable of robust connectivity detection.

Type 2: AP Other Than Mine Is Rogue, Unless It Matches Pre-configured Wireless Side Properties For Friendly Neighbor APs.

The AP's connectivity to the monitored enterprise network is still not a criterion for rogue detection, but filtering of friendly neighbor APs is possible based on preconfigured wireless-only properties of neighborhood APs, such as SSID, MAC vendor OUI and RSSI. This logic only appears better than the first one. As a matter of fact, it only gives a false sense of sophistication, for the reasons described below.

Security hole: Nothing necessitates that the wireless-only properties differ between a wired rogue AP and a friendly neighbor AP. One could easily bring in an AP whose SSID and vendor match one of your neighboring APs, put it on low transmit power so that it appears distant, and connect it to your enterprise network. This situation can even occur in a non-malicious case, if an employee brings in a low-power commodity AP with the default SSID. The system will incorrectly classify it as a friendly neighbor, as its SSID and vendor match your preconfigured template for friendly neighbors and its RSSI is low enough.

Manual inspection: If legitimate neighbor APs change their wireless-side settings, or if new friendly neighbor APs are deployed, they will not fit the pre-configured template for friendly neighbors. So turning on automatic prevention is a risk, and frequent manual inspection will be required as well.

Type 3: AP Other than Mine Is Rogue, If It Is Connected To My Network.

The AP's connectivity to the monitored enterprise network is an essential criterion in AP classification, as the rogue AP threat definition mandates; in addition, of course, the AP must not be on the authorized AP list. The wired network connectivity of every AP visible in the air is instantly, automatically and accurately determined by the system. If the AP is not on the authorized AP list and is connected to the monitored network, it is a rogue access point. If it is not on the authorized AP list and not connected to the monitored enterprise network, it is an external (friendly neighbor) AP.

Automatic prevention can be safely turned on, and there is no security lapse. No manual effort is required either at the beginning, to configure neighborhood AP property templates, or on an ongoing basis as new APs come up and old ones change their properties.
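The three workflows side by side, as an added example that is not from the original post: each classifier runs over a constructed set of observed APs, and the on_wire flag stands in for the wired-connectivity test a Type 3 system performs (the test itself is not implemented here; BSSIDs, OUIs, SSIDs and RSSI values are all made up). It reproduces the Type 2 false negative described above, a low-power AP matching the neighbor template but plugged into the LAN, and the Type 1 and Type 2 false positives that force manual inspection.

```python
from dataclasses import dataclass

# Constructed sample data: BSSIDs use locally administered (02:...) prefixes, not real vendor OUIs.
AUTHORIZED_BSSIDS = {"02:aa:aa:00:00:01"}
# Type 2 "friendly neighbor" template (wireless-side properties only), also constructed.
NEIGHBOR_TEMPLATE = {"ssids": {"linksys"}, "ouis": {"02:bb:bb"}, "max_rssi_dbm": -75}

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    on_wire: bool  # assumed result of the WIPS wired-connectivity test (used by Type 3 only)

def oui(bssid: str) -> str:  # vendor OUI = first three octets of the MAC address
    return bssid.lower()[:8]

def classify_type1(ap: ObservedAP) -> str:
    """Type 1: anything not on the authorized list is rogue."""
    return "authorized" if ap.bssid in AUTHORIZED_BSSIDS else "rogue"

def classify_type2(ap: ObservedAP) -> str:
    """Type 2: like Type 1, but APs matching the neighbor template are whitelisted as external."""
    if ap.bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    t = NEIGHBOR_TEMPLATE
    if ap.ssid in t["ssids"] and oui(ap.bssid) in t["ouis"] and ap.rssi_dbm <= t["max_rssi_dbm"]:
        return "external"
    return "rogue"

def classify_type3(ap: ObservedAP) -> str:
    """Type 3: wired connectivity decides between rogue and external."""
    if ap.bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    return "rogue" if ap.on_wire else "external"

SAMPLE_APS = [
    ObservedAP("02:aa:aa:00:00:01", "corp", -45, True),      # managed enterprise AP
    ObservedAP("02:bb:bb:00:00:02", "linksys", -82, False),  # genuine neighbor across the street
    ObservedAP("02:bb:bb:00:00:03", "linksys", -78, True),   # low-power commodity AP plugged into the LAN
    ObservedAP("02:cc:cc:00:00:04", "linksys", -60, False),  # new neighbor whose vendor is not in the template
]

def classify_all(classifier) -> dict:
    """Run one workflow over the sample set; returns {bssid: verdict}."""
    return {ap.bssid: classifier(ap) for ap in SAMPLE_APS}

if __name__ == "__main__":
    for fn in (classify_type1, classify_type2, classify_type3):
        print(fn.__name__, classify_all(fn))
```

Only Type 3 returns "rogue" for the wired low-power AP and "external" for both genuine neighbors; Type 2 whitelists the wired AP, and Type 1 flags every neighbor.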

Topics: Wireless security