Rogue access points

Published on March 2017

Rogue access points: Preventing, detecting and handling best practices
28 May 2009 | SearchNetworking.com

Rogue access points pose security threats to your business wireless network. To learn how to prevent, detect and eliminate unauthorized network devices, we asked our Wi-Fi expert, Lisa Phifer, and enterprise security expert Michael Gregg to answer the question "How do you deal with rogue APs?" Their answers below give best practices for handling rogue wireless access points.

Question: What are the best practices for dealing with and monitoring for rogue access points (APs) in a business network? Can you suggest how to prevent, detect, and eliminate a found rogue access point or other unauthorized wireless device?

Answer from enterprise security expert Michael Gregg: There are several potential problems with allowing end users to add wireless or other devices to the company network without approval. One big one is they may not employ the proper security measures. There is also the issue of maintaining control of the organization's infrastructure.

For the smaller organization there are several layers of control that can be built in to reduce the rogue wireless threat. The first place to start is with policy. All employees should know the rules regarding wireless and what can and cannot be plugged into the network. Policy enforcement will be easier if you have managed switches. You can disable unused ports and start restricting down active ones by MAC address filtering. Next, find some tools that will let you scan for rogue access points. There are commercial tools that will do this such as AirMagnet and AirDefense, and if your budget is tight you might want to try an open source tool such as RogueScanner. Finally, don't be shy about using tools like NetStumbler and other site survey tools to identify access points and verify their legitimacy.

Answer from Wi-Fi expert Lisa Phifer: Any unknown AP operating in or close to your facility is a potential rogue -- but few turn out to be real threats. The trick is to reliably tell the difference -- and fast. In urban areas, most unknown APs will end up belonging to neighboring businesses, hotels, stores, or metro-area wireless local area networks (WLANs). These neighboring APs are not connected to your wired network, but still pose risk if employees connect to them (accidentally or intentionally), bypassing your network's security. Thus, you may want to monitor your wireless clients to detect employee associations to unknown-but-unconnected APs. This can be done by using a network Wireless Intrusion Prevention System (WIPS) to watch the air or by using a host-resident Wireless IPS to monitor client activity. Large enterprises should deploy network WIPS solutions for full-time air surveillance. Smaller businesses on more limited budgets may prefer to install standalone host WIPS programs like Sana Security Primary Response Air Cover. Note that AP discovery tools, e.g. NetStumbler, cannot provide client surveillance.

Of course, some unknown APs in or near your office may be physically connected to your wired network -- these "true rogues" pose immediate business threat because they create an unsecured backdoor into your network, accessible to anyone within wireless range. The vast majority of unknown-but-connected APs are installed by naïve employees for the sake of convenience, usually without Wi-Fi authentication or encryption. However, you never know whether one might turn out to be a malicious AP installed by a criminal. For example, a bank in Haifa, Israel was robbed by criminals who planted a rogue AP inside the building so that they could connect to the bank network from outside to initiate fraudulent money transfers.

Here again, large enterprises should really mitigate "true rogues" by deploying sophisticated network WIPS solutions that can not only spot those APs, but trace their network connectivity, estimate their physical location, and examine visible Wi-Fi parameters to focus attention and automated response on real threats. For example, a WIPS may send a command to an upstream switch to disable the Ethernet port connected to a rogue AP, thereby cutting off communication with your network. WIPS-estimated location and a portable tool like a WLAN analyzer can then be used to find the AP, determine who installed it, and decide how it should be dealt with.

Small businesses may prefer to use less sophisticated alternatives for continuous rogue AP detection. For example, many Small Office Home Office (SOHO) or Small to medium business (SMB) APs can scan the airwaves periodically, looking for nearby APs they don't recognize. These APs can be configured with MAC lists of authorized and neighbor APs so that only unknown APs end up triggering rogue alerts. Traditional diagnostic tools like tracert can then be used to manually assess whether each potential rogue is connected to your network -- but keep in mind that rogues can hide behind NAT and other parts of your network that tracert won't reach. Rogues can also spoof MAC addresses used by legitimate APs or try to mimic your own WLAN's SSID. In short, reliable rogue AP classification is difficult and time-consuming -- but a periodic scan and manual investigation may find employee-installed rogues that are not really trying to evade detection.

However, many small businesses today rely upon scheduled rogue AP surveys, where admins walk the premises using an ordinary wireless client, WLAN discovery tool, or WLAN analyzer, looking for potential rogues. This methodology is arguably the most labor-intensive and least reliable. For example, a visitor could easily install a rogue AP, use it for a week, and then leave before your next survey. However, scheduled rogue surveys can be useful as a complement to continuous rogue detection -- for example, to check a radio band not scannable by your own APs.

Finally, businesses that are too risk-averse for background AP scans and manual rogue mitigation, but not rich enough for (or ready to invest in) enterprise WIPS, should consider managed WIPS services. Many SMBs already pay providers to install and operate a wired network firewall/IPS on their behalf; some providers now offer Wireless IPS as a managed service. For example, see AirTight SpectraGuard Online.

http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1357421,00.html
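The MAC-list triage Phifer describes (authorized and neighbor lists, so that only unknown APs raise alerts) can be turned into a small classifier that also covers her two caveats, SSID mimicry and spoofing of a legitimate AP's MAC. This is an added example, not code from the article or from any product named in it; the inventory, SSID and scan records are constructed sample values.

```python
# Rogue AP triage modelled on the allowlist scheme in the article.
# Example code added by the editor; inventory values below are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str        # AP MAC address as advertised in the beacon
    ssid: str
    channel: int
    encrypted: bool   # False = open network, typical of employee-installed rogues


# Constructed inventories (assumed values, not from the article).
OUR_SSIDS = {"CorpWiFi"}
AUTHORIZED = {"00:11:22:aa:bb:01": 6, "00:11:22:aa:bb:02": 11}  # bssid -> expected channel
NEIGHBORS = {"66:77:88:cc:dd:01"}


def classify(b: Beacon) -> tuple[str, str]:
    """Return (verdict, reason) for one observed AP."""
    bssid = b.bssid.lower()
    if bssid in AUTHORIZED:
        # A known BSSID on the wrong channel, or without our encryption, may be
        # someone spoofing one of our APs rather than the real unit.
        if b.channel != AUTHORIZED[bssid] or not b.encrypted:
            return "investigate", "known BSSID with unexpected channel/security (possible spoof)"
        return "authorized", "matches inventory"
    if b.ssid in OUR_SSIDS:
        # Our SSID from a BSSID we do not own: SSID mimicry or a misconfigured rogue.
        return "rogue-suspect", "advertises our SSID from an unknown BSSID"
    if bssid in NEIGHBORS:
        return "neighbor", "known neighbor AP (watch for client associations)"
    return "unknown", "unknown AP" + ("" if b.encrypted else ", open network")


def triage(scan: list[Beacon]) -> dict[str, tuple[str, str]]:
    """Classify a whole scan; only non-authorized, non-neighbor entries need follow-up."""
    return {b.bssid.lower(): classify(b) for b in scan}
```

Entries marked "unknown" or "rogue-suspect" still need the wired-side check (tracert, switch port lookup) the article describes; the classifier only decides what is worth that effort.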

Why are TCP/IP networks not considered secure?

> It's not as if designers work to build insecurities into protocols or operating systems. It is really more an issue of priorities. TCP/IP was designed with usability in mind. For example, consider ARP; it is a two-step process that consists of a request and a response. Little thought was given at the time of the development of ARP that someone may actually send unsolicited ARP responses for the purpose of ARP poisoning. Other protocols and applications of TCP/IP also have security issues, such as ICMP, RIP, FTP, SNMP and Telnet. Protocols like IPSec were not originally envisioned, and it is actually an add-on to IPv4. For more information, view this tutorial on understanding TCP/IP from FreeSkills.com.
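The answer above points at the root of ARP poisoning: a reply that nobody asked for is accepted anyway. The detector below, an added example that is not part of the article, runs the two checks a monitor would apply over a constructed stream of ARP events: a reply with no pending request for that IP, and an IP changing the MAC it claims. Gratuitous ARP announcements (a host advertising its own address at boot or on failover) also trip the first rule, so treat hits as triage leads, not verdicts.

```python
# ARP anomaly detector over a constructed event stream (example code added
# by the editor; events and addresses below are made up for illustration).
# Event shape: (kind, sender_ip, sender_mac, target_ip), kind in {"request", "reply"}.

SAMPLE_EVENTS = [
    ("request", "10.0.0.5", "aa:bb:cc:00:00:05", "10.0.0.1"),  # host asks: who has 10.0.0.1?
    ("reply",   "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.5"),  # gateway answers
    ("reply",   "10.0.0.1", "aa:bb:cc:00:00:99", "10.0.0.5"),  # unsolicited, different MAC
]


def detect_arp_anomalies(events):
    """Return alerts for unsolicited replies and IP->MAC binding changes."""
    pending = set()    # IPs some host has asked about and not yet received a reply for
    bindings = {}      # IP -> MAC learned from replies seen so far
    alerts = []
    for kind, sender_ip, sender_mac, target_ip in events:
        if kind == "request":
            pending.add(target_ip)
            continue
        # A reply asserts "sender_ip is at sender_mac".
        if sender_ip in pending:
            pending.discard(sender_ip)
        else:
            # Nobody asked; legitimate only for gratuitous ARP announcements.
            alerts.append(("unsolicited-reply", sender_ip, sender_mac))
        old = bindings.get(sender_ip)
        if old is not None and old != sender_mac:
            # The same IP now claims a different hardware address.
            alerts.append(("binding-change", sender_ip, f"{old}->{sender_mac}"))
        bindings[sender_ip] = sender_mac
    return alerts


def run_sample():
    return detect_arp_anomalies(SAMPLE_EVENTS)
```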

Why do we need IP security at the network layer?

> Cryptographic functions must be ready at every layer to use the most appropriate type. However, IPsec or other security solutions should only be layered where needed. For some situations, IPsec might be the best solution; for others, it could be Secure Sockets Layer (SSL). When IPSec or any other security solutions are layered, services will slow. Users won't be happy and you may even have issues or vulnerabilities you weren't expecting.

03 May 2007 | SearchNetworking.com

Secure your network with this OSI model reference. Below, you'll find links to all the tips in our "OSI -- securing the stack" series by security expert and author Michael Gregg, based on his book, Hack the Stack.

Layer 8 (the mythical people layer) -- Social engineering and security policy
Layer 7 (the application layer) -- Applications
Layer 6 (the presentation layer) -- Encryption
Layer 5 (the session layer) -- Session hijacking
Layer 4 (the transport layer) -- Fingerprinting
Layer 3 (the network layer) -- Understanding the role of ICMP
Layer 2 (the data-link layer) -- Understanding the role of ARP
Layer 1 (the physical layer) -- Physical security threats

OSI Reference Model illustrated
Open Systems Interconnection (OSI) is a standard reference model for communication between two end users in a network. The model is used in developing products and understanding networks. Also see the notes below the figure.

Illustration republished with permission from The Manual Page.

OSI divides telecommunication into seven layers. The layers are in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers are used when any message passes through the host computer. Messages intended for this computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers but are forwarded to another host. The seven layers are:

Layer 7: The application layer -- This is the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. (This layer is not the application itself, although some applications may perform application layer functions.)

Layer 6: The presentation layer -- This is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text). Sometimes called the syntax layer.

Layer 5: The session layer -- This layer sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end. It deals with session and connection coordination.

Layer 4: The transport layer -- This layer manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking. It ensures complete data transfer.

Layer 3: The network layer -- This layer handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). The network layer does routing and forwarding.

Layer 2: The data-link layer -- This layer provides synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge and management.

Layer 1: The physical layer -- This layer conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.

http://whatis.techtarget.com/definition/0,,sid9_gci523729,00.html

LANs vs. WLANs: Which network designs are used for each company size?
Expert response from: Lindi Horton

Question posed on 17 November 2008: Do you consider LAN to be the best choice for small area? If so, why?

> I do consider that a Local Area Network (LAN) is the best choice for small areas. There are several considerations that I would make to assess this decision, but LANs are in fact designed for small areas. With this question, I assume there's a little bit more to the question. Typically when asked, there's some confusion about wireless versus wired LAN environments. So I'm going to go with a massive assumption that is what you're inferring. In today's ubiquity of technical availability, LANs provide the users quick, efficient access to local resources and a route to the Internet that is also quite simple to set up and maintain by IT staff. There are several pros and cons to my choices for wired versus wireless technologies used to implement the LAN.

> My personal preference is wireless technologies as I am absolutely abysmal at running and cabling. I could frighten you with stories of my feeble attempts to get all of my cabling done correctly. I'd get the patterns correct but the ends would never line up. And if you're as OCD as I am, this would be a massive problem. While this personal story is a little humorous, it brings up a valid point to implementing a wired LAN environment. In wired environments, the equipment is easy and cheap but requires cables to be run and switches to be configured. NICs on servers and workstations need administration as well as DHCP scopes. The overhead to managing and wiring things tends to be a little more difficult than setting up a wireless network.

> Setting up and maintaining wireless networks is a little easier. You don't have to match pretty little blue and white striped wires to plastic ends. With wireless networks, the initial setup is much simpler, but be sure to set up the SSIDs and security properly. Troubleshooting wireless networks tends to be the hardest thing to do in that signaling might be weak and disconnections may run rampant. A vast array of new features in the wireless access points (WAPs) and administration of these devices has made provisioning WAPs a breeze. There are some new additional tools on the market that provide great visibility into troubleshooting. It also simplifies the administration of trying to find cables in conference rooms and roam around with laptops, providing a mobile workspace. And did I mention you don't have to run cables? Wireless LAN (WLAN) technologies are where I would invest in my infrastructure for end-users. I would implement wired technologies for servers. So yes, LANs are designed for small areas. WLANs are ideal for end-users while wired LANs are suggested for server connectivity.

http://searchnetworking.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid7_gci1335178_mem1,00.html
