How to Detect a Rogue Access Point

A rogue access point is any Wi-Fi access point connected to a network without authorization. In order to protect sensitive data, it is critical to prevent the use of unauthorized access points. Because a rogue AP is not managed by the network administrators and does not necessarily conform to network security policies, it can allow attackers to bypass network security controls and attack the network or capture sensitive data.

In the absence of a wireless probe to monitor the airwaves, security personnel can manually search for rogue access points. An inexpensive but effective method for finding potential rogues is to use a freely available Transmission Control Protocol (TCP) port scanner that identifies enabled TCP ports from various devices connected to the network.

The steps to discover a rogue access point begin with running the port scanner software from a computer connected to the network. The utility uncovers all Port 80 (HTTP) interfaces on the network, which include all Web servers, some printers, and nearly all access points. The access point will generally respond to the port scanner’s ping with the vendor name and its corresponding Internet Protocol (IP) address.

Once an access point is discovered, the network administrator must determine if the access point is or is not a rogue. Ideally, the administrator would use software that would allow a pre-configured authorized list of access points. If the scanning for rogue access points is manual, a list of authorized access points is still necessary. The authorized list can be populated using the following attributes:

  • MAC Address
  • SSID
  • Vendor
  • Radio Media Type
  • Channel

The detection tool compares these attributes, gathered automatically by the software or recorded manually if no software is used, against the authorized list and alerts when an access point whose attributes differ from that list is present.
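The authorized-list comparison described above, as an added example that is not part of the original article: a Python script that normalizes MAC addresses and checks each discovered access point against an authorized inventory, reporting which listed attribute differs. All MAC addresses, SSIDs, vendor names and IP addresses in it are constructed sample values.

```python
"""Compare discovered Wi-Fi access points against an authorized list.

Constructed data only: every MAC, SSID, vendor and IP below is a made-up
sample value, not a real device.
"""
from dataclasses import dataclass

# The attributes the article lists for the authorized inventory.
ATTRIBUTES = ("mac", "ssid", "vendor", "media_type", "channel")


@dataclass(frozen=True)
class AccessPoint:
    mac: str
    ssid: str
    vendor: str
    media_type: str      # radio media type, e.g. "802.11g" or "802.11n"
    channel: int
    ip: str = ""         # IP learned from the port-80 scan; not used for matching


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aabb..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(discovered, authorized):
    """Map each discovered MAC to (status, mismatched_attributes).

    status is "authorized" (all attributes match), "mismatch" (MAC is known
    but SSID/vendor/media type/channel differ) or "rogue" (MAC not listed).
    """
    allowed = {normalize_mac(ap.mac): ap for ap in authorized}
    results = {}
    for ap in discovered:
        mac = normalize_mac(ap.mac)
        if mac not in allowed:
            results[mac] = ("rogue", [])
            continue
        ref = allowed[mac]
        bad = [a for a in ATTRIBUTES[1:] if getattr(ap, a) != getattr(ref, a)]
        results[mac] = ("mismatch", bad) if bad else ("authorized", [])
    return results


# Constructed inventory and scan results.
AUTHORIZED = [
    AccessPoint("00:11:22:AA:BB:01", "corp-wlan", "VendorA", "802.11g", 6),
    AccessPoint("00:11:22:AA:BB:02", "corp-wlan", "VendorA", "802.11g", 11),
]
DISCOVERED = [
    AccessPoint("00-11-22-aa-bb-01", "corp-wlan", "VendorA", "802.11g", 6, ip="10.0.0.5"),
    AccessPoint("00:11:22:AA:BB:02", "corp-wlan", "VendorA", "802.11g", 1, ip="10.0.0.6"),
    AccessPoint("DE:AD:BE:EF:00:01", "home-ap", "VendorB", "802.11g", 6, ip="10.0.0.77"),
]

if __name__ == "__main__":
    for mac, (status, bad) in classify(DISCOVERED, AUTHORIZED).items():
        print(f"{mac}: {status}" + (f" ({', '.join(bad)})" if bad else ""))
```

A device that copies every attribute of an authorized entry passes this check, which is why the physical-location step that follows still matters.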

Once rogue access points have been identified, the administrator must have procedures in place to locate them.

Perhaps the most difficult step in this discovery process is determining the physical location of the rogue access point. Routing table entries may help. A routing table is present on all IP nodes.

The routing table stores information about IP networks and how they can be reached. Because all nodes perform some form of IP routing, any node running the TCP/IP protocol stack has a routing table. When an IP packet is to be forwarded, the routing table is used to determine the physical or logical interface through which the packet is sent, either to its destination or to the next router.

With the information derived from the routing table, a rogue IP address may be located by determining which node uses that address. Keep in mind that the physical locations of nodes must be correlated with the addresses in the routing table. The limited range of the RF signal can also be useful in narrowing down the physical location of the rogue access point.

Perhaps the most fundamental step in protecting against rogue access points is having a security policy. A security policy should set out the rules against unauthorized wireless devices, and employees should be educated about the policy. This will help stop the most common source of unauthorized devices: employees themselves.



This entry was posted on Tuesday, April 27th, 2010 at 12:12 pm and is filed under Attacks, Computer Forensics, Computer Security, Security Management.