How to Track Down Rogue Wireless Access Points

Of all of the network security threats your company faces, few are as potentially dangerous as the rogue Access Point (AP). A rogue AP is a Wi-Fi Access Point that is set up by an attacker for the purpose of sniffing wireless network traffic in an effort to gain unauthorized access to your network. Ironically, though, a malicious hacker or other malcontent typically doesn’t implement this breach in security. Instead, it’s usually installed by an employee looking for the same convenience and flexibility at work that he’s grown accustomed to using on his own home wireless network.

Regrettably, many people don’t understand the intricacies involved with wireless networking and end up deploying them without activating the proper security measures needed to ensure secure communications with the office network. As a result, an unauthorized AP leaves your network susceptible to attack by anyone who has a wireless connection and is close enough to see it.

In order to successfully defend against these types of threats not only will you need to build new safeguards into your network environment, but you’re also going to have to make sure that anyone who uses your network is educated in proper security practices.

Think we’re making too much out of this? Take a look at the security breach realized by Lowes Hardware due to an unsecured wireless network connection.

The first logical question is “what can you do to stop someone from bringing in a wireless AP and plugging it into an Ethernet port at their desk or at some other location in the office?” Well, the short answer is simple &#151 nothing.
A knowledgeable and savvy user can and will always find ways to circumvent all but the most advanced security measures. Yet, in spite of this, there are numerous steps you can take that should help minimize this threat.

First, consider installing your own wireless network and make it available to everyone in the office. It’s better for you to install a wireless network that you have control over as opposed to having people do it behind your back. By providing it for them, you defuse a lot of potential threats right off the bat.

However, should you not decided to go this route, there are other alternatives. But before you can enforce any type of security solution, everyone needs to understand the consequences of introducing something onto the network that could compromise its integrity. To that end, you need a network security policy that clearly states the consequences for connecting an unauthorized AP to the network.

So now that you have a policy, how do you enforce it? One method you could employ is to use managed switches on your network. These switches let you use port-based security as part of the solution. This means that you could configure a particular Ethernet port to allow a network device only with a specific MAC address access to the network. This lets you prevent users from connecting their own devices to the networks. You should also disable unused ports. This will minimize the potential areas where a rogue AP could hide.

You might also consider using static IP address on your network instead of having them assigned by a DHCP server. This would mean that whoever installed the rogue AP would need to manually assign an IP address to the AP before it could gain access to the network. This method is far from foolproof, but it adds yet another barrier to overcome.

Detecting the Device

There are a couple of ways of detecting rogue APs. One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company’s Web site.

One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support GPS cards. This lets NetStumbler create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a rogue AP is to take a laptop that’s running
NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You’ll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can use the signal strength to narrow down your search to a single room. After that, you’ll just have to hunt around the room until you find the access point.

One thing to keep in mind when using NetStumbler: if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are a running 802.11a network, then an 802.11b card will not detect it. That’s because 802.11b uses a 2.4GHz signal, while 802.11a operates in the 5GHz range.

Figuring out which access points are, in fact, rogue may sometimes be difficult. To avoid confusion, it’s best that you judiciously document all of the access points in use in your business. If not, you might think you have a rogue AP on your network when one doesn’t exist.

For example, if your office has one AP and you suddenly detect two, you’d probably assume that one of the access points is rogue. This isn’t always the case, though. For instance, one time we were setting up a new AP in a small office. While trying to establish a connection between our laptop and the new AP, a DHCP server in an adjoining office had automatically assigned an IP address to our system. Now, was this a rogue access point? No. Instead our wireless card was receiving a signal from a completely legitimate source that posed no danger to my network. Knowing how to identify the difference between a neighboring AP and a serious threat will save you plenty of headaches.

These techniques should work well enough in a small office, but for larger environments, you should really consider investing in something a bit more specialized. There are a number of proprietary solutions available from a variety of creditable vendors. These vendors will deploy an advanced RF monitoring system into your network that can monitor the air and detect access points. Some have even gone as far as being able to classify whether a unauthorized AP is actually plugged into the network and causing an immediate threat or if it’s just the local Starbucks across the street. Many of these systems can be deployed for pennies per square foot.

If you have such an environment, we recommend visiting the Aruba Networks Web site. Though not as economical as NetStumbler, (the cost varies according to the size of your network), wireless products from Aruba can help you gain far greater control over your wireless network environment. Products from AirMagnet and AirDefense are also popular choices for wireless network security. These products let you track down the rogues based on channel, MAC address, radio band, SSID] or vendor. On top of that they can monitor the air 24/7 and send alerts if a rogue is detected. They can also alert you to repeated authentication failures that might signal the presences of a hacker.

Every enterprise-class wireless network should have a wireless IDS/IPS system in place. A wireless IDS/IPS is an Intrusion Detection/Intrusion Prevention System. A full featured IDS/IPS will detect and “kill” rogue APs, detect and stop denial-of-service attacks, man in the middle attacks and report on suspicious activity.

While some of these solutions can get a bit expensive, it’s only through the use of these techniques and the proprietary hardware solutions available from dedicated wireless vendors like those mentioned, that will make it possible to shield your network from a potentially costly threat that anyone can buy for $50 at the local computer store.

Adapted from, part of the Network.

Do you have a comment or question about this article or other small business topics in general? Speak out in the Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.