Study About Rogue Access Point Installations Computer Science Essay

To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

A large number of wireless access points can usually be sensed in the airspace of a typical enterprise facility. These include the managed access points of the secure network plus access points in neighbouring premises. A wireless intrusion prevention system audits these access points continuously to find out whether any rogue access points are among them.

In order to detect rogue access points, two conditions need to be tested: i) whether or not the access point is in the managed access point list, and ii) whether or not it is connected to the secure network. The first condition is easy to test: compare the wireless MAC address of the access point (also called the BSSID) against the managed access point BSSID list.


However, automated testing of the second condition can become challenging in the light of the following factors: a) the need to cover different types of access point devices, such as bridging, NAT (router), unencrypted wireless links, encrypted wireless links, different types of relations between the wired and wireless MAC addresses of access points, and soft access points; b) the need to determine access point connectivity with acceptable response time in large networks; and c) the requirement to avoid both false positives and false negatives, which are described below.

A false positive (crying wolf) occurs when the wireless intrusion prevention system reports an access point as a wired rogue although it is not actually connected to the secure network. Frequent false positives waste the administrative time spent chasing them. The possibility of false positives also hinders the enabling of automated blocking of wired rogues, for fear of blocking a friendly neighbourhood access point.

A false negative occurs when the wireless intrusion prevention system fails to detect an access point that is actually connected to the secure network as a wired rogue. False negatives result in security holes.

If an unauthorized access point is found connected to the secure network, it is a rogue access point of the first kind (also called a "wired rogue"). On the other hand, if the unauthorized access point is found not to be connected to the secure network, it is an external access point. Among the external access points, any that is found to be mischievous or a potential risk (e.g., one whose settings can attract, or have already attracted, wireless clients of the secure network) is tagged as a rogue access point of the second kind (also called a "honeypot").

http://ezinearticles.com/?How-to-Detect-a-Rogue-Access-Point-on-Your-WIFI-Network&id=4253671

A rogue access point (AP) is any Wi-Fi access point connected to a network without authorization. Since a rogue AP is not under the management of network administrators, and does not necessarily conform to network security policies, it can allow attackers to bypass network security and attack the network or capture sensitive data.

An inexpensive but effective method for finding potential rogues is to use a freely available Transmission Control Protocol (TCP) port scanner that identifies enabled TCP ports from various devices connected to the network.

The steps to discover a rogue AP begin with running the port scanner software from a computer connected to the network. The utility uncovers all Port 80 (HTTP) interfaces on the network, which include all Web servers, some printers, and nearly all access points. The AP will generally respond to the port scanner's ping with the vendor name and its corresponding Internet Protocol (IP) address.

Once an AP is discovered, the network administrator must determine whether or not the AP is a rogue. Ideally, the administrator would use software that allows a pre-configured list of authorized APs. If the scanning for rogue APs is manual, a list of authorized APs is still necessary. The authorized list can be populated using the following attributes:

MAC Address

SSID

Vendor

Radio Media Type

Channel

Whether these attributes are determined automatically or recorded manually when no software is used, they allow the detection tool to alert when access points whose attributes differ from the authorized list are present.
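As an added example (not code from the essay or from any product it cites), the following Python script applies both tests from the earlier section, the managed-BSSID lookup and a wired-connectivity check, and then compares the remaining attributes listed above (SSID, vendor, radio media type, channel) for access points that are on the managed list. The authorized list, the switch MAC table, the SSIDs, and the rule that a wired MAC with the same OUI and an address adjacent to the BSSID counts as evidence of a wired connection are all constructed assumptions for illustration, not rules stated on the page.

```python
"""Classify access points from a site survey against a managed-AP list.

Added example; not code from the essay or any vendor product it cites.
Every BSSID, SSID, switch-port record and the wired-correlation heuristic
below is a constructed assumption for illustration.
"""
from dataclasses import dataclass

SECURE_SSIDS = {"corp-secure"}  # SSIDs advertised by our managed WLAN (constructed)

# Authorized AP list keyed by BSSID, holding the attributes the essay lists
# (MAC, SSID, vendor, radio media type, channel). Constructed values.
AUTHORIZED = {
    "02:0a:aa:10:01": {"ssid": "corp-secure", "vendor": "AcmeNet", "media": "802.11g", "channel": 6},
    "02:0a:aa:10:02": {"ssid": "corp-secure", "vendor": "AcmeNet", "media": "802.11a", "channel": 36},
}


@dataclass
class ScanRecord:
    """One access point as seen by a wireless scanner."""
    bssid: str
    ssid: str
    vendor: str
    media: str
    channel: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def wired_evidence(bssid: str, switch_macs: set, span: int = 8) -> bool:
    """Condition ii) of the essay: is this AP plugged into the secure network?

    Heuristic (an assumption, not a rule from the page): many consumer APs
    derive the wireless BSSID from their wired MAC, so a MAC learned on one of
    our switch ports with the same OUI and an address within +/- span of the
    BSSID is treated as the AP's own uplink. A neighbour's AP never appears
    in our switch tables, which keeps false positives low; a bridged or NAT
    AP whose BSSID is unrelated to its wired MAC is the false-negative case
    the essay calls challenging.
    """
    b = mac_to_int(bssid)
    oui = b >> 24
    for mac in switch_macs:
        m = mac_to_int(mac)
        if (m >> 24) == oui and abs(m - b) <= span:
            return True
    return False


def classify(rec: ScanRecord, switch_macs: set) -> str:
    """Return managed / managed-attribute-mismatch / wired-rogue / honeypot / external."""
    auth = AUTHORIZED.get(rec.bssid.lower())
    if auth is not None:
        # Condition i) passed; still compare the other attributes so a cloned
        # BSSID or a misconfigured managed AP is reported, as the list intends.
        drift = [k for k in ("ssid", "vendor", "media", "channel") if getattr(rec, k) != auth[k]]
        return "managed" if not drift else "managed-attribute-mismatch:" + ",".join(drift)
    if wired_evidence(rec.bssid, switch_macs):
        return "wired-rogue"  # rogue of the first kind
    if rec.ssid in SECURE_SSIDS:
        return "honeypot"  # external AP whose settings can attract our clients
    return "external"


if __name__ == "__main__":
    switch_macs = {"02:0a:aa:10:01", "02:0b:bb:20:04", "02:0c:cc:30:1f"}  # constructed switch MAC table
    survey = [
        ScanRecord("02:0a:aa:10:01", "corp-secure", "AcmeNet", "802.11g", 6),
        ScanRecord("02:0a:aa:10:02", "corp-secure", "AcmeNet", "802.11g", 11),
        ScanRecord("02:0b:bb:20:05", "Brians-wifi", "WiFiBox", "802.11g", 1),
        ScanRecord("02:0c:cc:30:10", "corp-secure", "WiFiBox", "802.11g", 6),
        ScanRecord("02:0d:dd:40:01", "CoffeeShop", "WiFiBox", "802.11g", 6),
    ]
    for rec in survey:
        print(f"{rec.bssid} {rec.ssid!r:16} -> {classify(rec, switch_macs)}")
```

The `span` window is the tunable that trades false positives against false negatives: widening it catches more APs whose wired MAC is offset from the BSSID, at the cost of occasionally matching an unrelated device from the same vendor.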


When rogue access points are determined, the administrator must have procedures in place to identify their locations.

Perhaps the most difficult step in this discovery process is determining the physical location of the rogue access point. Routing table entries may help. A routing table is present on every IP node.

The routing table stores information about IP networks and how they can be reached. Because all nodes perform some form of IP routing, any node running the TCP/IP protocol stack has a routing table. When an IP packet is to be forwarded, the routing table is used to determine the physical or logical interface through which the packet is forwarded, either to its destination or to the next router.

With the information derived from the routing table, a rogue IP address may be located by determining which node, and therefore which network segment, the address belongs to. Keep in mind that the locations of nodes must be correlated with the addresses in the routing table. The limited range of the RF signal can also be useful in narrowing down the physical location of the rogue access point.
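To make the routing-table step concrete, here is an added Python example (not code from the essay) that performs the longest-prefix match a node does when it forwards a packet, and reports which interface and network segment a suspected rogue IP address falls into. The routing table entries and the comment tying one VLAN to a wing are constructed; on a real host the same information comes from `ip route`, `netstat -rn` or `route print`.

```python
"""Map a suspected rogue IP address to the route, interface and segment it uses.

Added example, not from the essay. The routing table below is constructed;
only the longest-prefix-match rule itself is standard IP forwarding behaviour.
"""
import ipaddress

# Constructed routing table: (destination network, next hop or None if directly
# connected, outgoing interface). The most specific matching entry wins.
ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", "eth0"),        # default route
    ("10.0.0.0/8", None, "eth0"),             # campus backbone
    ("10.20.0.0/16", "10.0.0.254", "eth0"),   # building B via its router
    ("10.20.30.0/24", None, "eth1"),          # building B, 3rd floor east wing (constructed)
]


def lookup(ip: str, routes=ROUTES):
    """Longest-prefix match: return the route entry that would forward to ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, next_hop, ifc in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, ifc)
    if best is None:
        return None
    network, next_hop, ifc = best
    return {
        "network": str(network),
        "next_hop": next_hop,
        "interface": ifc,
        "directly_connected": next_hop is None,
    }


def where_to_look(ip: str, routes=ROUTES) -> str:
    """Turn the route into a hint for the physical hunt: a directly connected
    segment means the rogue is on that interface's own wiring; a next hop
    means the search moves to the router that owns that segment."""
    r = lookup(ip, routes)
    if r is None:
        return f"{ip}: no route, address is unreachable from here"
    if r["directly_connected"]:
        return f"{ip}: on segment {r['network']} behind {r['interface']}; check those switch ports"
    return f"{ip}: in {r['network']}, reached via {r['next_hop']}; repeat the lookup on that router"


if __name__ == "__main__":
    for ip in ("10.20.30.77", "10.20.99.5", "192.0.2.9"):
        print(where_to_look(ip))
```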

http://www.smallbusinesscomputing.com/webmaster/article.php/3590656/How-to-Track-Down-Rogue-Wireless-Access-Points.htm

A rogue AP is a Wi-Fi Access Point that is set up by an attacker for the purpose of sniffing wireless network traffic in an effort to gain unauthorized access to your network. Ironically, though, a malicious hacker or other malcontent typically doesn't implement this breach in security. Instead, it's usually installed by an employee looking for the same convenience and flexibility at work that he's grown accustomed to using on his own home wireless

Detecting the Device

One of the more popular and cost-effective techniques is to have a technician perform manual checks with a laptop or PDA running NetStumbler. NetStumbler is a tool for detecting all wireless networks within a broadcast area. There are actually two different versions of NetStumbler, and both are downloadable for free at the company's Web site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions also support GPS cards. This lets NetStumbler create a map showing the locations of all the wireless APs within a specified area.

The simplest way to hunt down a rogue AP is to take a laptop that's running NetStumbler and walk in the direction that produces the greatest signal strength from the questionable access point. You'll soon know if the signal is coming from within your building or from somewhere else. If the signal is coming from your building, you can use the signal strength to narrow down your search to a single room. After that, you'll just have to hunt around the room until you find the access point.

One thing to keep in mind when using NetStumbler: if you are using an 802.11b Wi-Fi card in your laptop, you can expect to find 802.11b and 802.11g access points. However, if you are running an 802.11a network, then an 802.11b card will not detect it. That's because 802.11b uses a 2.4 GHz signal, while 802.11a operates in the 5 GHz range.
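The walk-toward-the-strongest-signal method above, together with the band caveat, can be turned into a small survey helper. This is an added Python example, not code from the article or from NetStumbler: the survey readings are constructed, and the RSSI-weighted centroid is a common coarse indoor localization heuristic that goes slightly beyond the article's "walk toward the strongest signal" rule by combining all readings from the walk instead of only the strongest one.

```python
"""Survey helper: check which bands a card can see and estimate an AP's position.

Added example, not from the article. The readings below are constructed
(x, y in metres across a floor plan, RSSI in dBm as a scanner reports it).
"""


def channel_band(channel: int) -> str:
    """802.11a/b/g channel numbering: 1-14 are 2.4 GHz, 36 and up are 5 GHz."""
    if 1 <= channel <= 14:
        return "2.4GHz"
    if channel >= 36:
        return "5GHz"
    raise ValueError(f"unknown channel {channel}")


def card_can_see(card_bands: set, channel: int) -> bool:
    """An 802.11b-only card ({'2.4GHz'}) never hears an 802.11a AP on channel 36."""
    return channel_band(channel) in card_bands


def strongest_sample(samples):
    """The article's method: the survey point with the highest RSSI."""
    return max(samples, key=lambda s: s[2])


def estimate_position(samples):
    """RSSI-weighted centroid. Each point is weighted by its linear received
    power (10**(rssi/10)), so a reading 10 dB stronger counts ten times as
    much and the estimate is pulled toward the hottest part of the walk.
    Indoor reflections make this coarse; treat it as 'which room', not 'which desk'."""
    if not samples:
        raise ValueError("no samples")
    total = sx = sy = 0.0
    for x, y, rssi in samples:
        w = 10 ** (rssi / 10)
        total += w
        sx += w * x
        sy += w * y
    return (sx / total, sy / total)


# Constructed walk across a 10 m x 10 m area: the signal gets hotter toward (10, 10).
SURVEY = [
    (0, 0, -80),
    (10, 0, -60),
    (10, 10, -50),
    (0, 10, -70),
]

if __name__ == "__main__":
    print("802.11b card sees channel 36?", card_can_see({"2.4GHz"}, 36))
    print("hottest reading at", strongest_sample(SURVEY)[:2])
    x, y = estimate_position(SURVEY)
    print(f"weighted estimate ({x:.1f}, {y:.1f})")
```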

Figuring out which access points are, in fact, rogue may sometimes be difficult. To avoid confusion, it's best that you judiciously document all of the access points in use in your business. If not, you might think you have a rogue AP on your network when one doesn't exist.

These techniques should work well enough in a small office, but for larger environments, you should really consider investing in something a bit more specialized. There are a number of proprietary solutions available from a variety of credible vendors. These vendors will deploy an advanced RF monitoring system into your network that can monitor the air and detect access points. Some have even gone as far as being able to classify whether an unauthorized AP is actually plugged into the network and causing an immediate threat or if it's just the local Starbucks across the street. Many of these systems can be deployed for pennies per square foot.

If you have such an environment, we recommend visiting the Aruba Networks Web site. Though not as economical as NetStumbler (the cost varies according to the size of your network), wireless products from Aruba can help you gain far greater control over your wireless network environment. Products from AirMagnet and AirDefense are also popular choices for wireless network security. These products let you track down the rogues based on channel, MAC address, radio band, SSID or vendor. On top of that they can monitor the air 24/7 and send alerts if a rogue is detected. They can also alert you to repeated authentication failures that might signal the presence of a hacker.


Every enterprise-class wireless network should have a wireless IDS/IPS system in place. A wireless IDS/IPS is an Intrusion Detection/Intrusion Prevention System. A full featured IDS/IPS will detect and "kill" rogue APs, detect and stop denial-of-service attacks, man in the middle attacks and report on suspicious activity.

While some of these solutions can get a bit expensive, it is only through the use of these techniques, and the proprietary hardware solutions available from dedicated wireless vendors like those mentioned, that you can shield your network from a potentially costly threat that anyone can buy for $50 at the local computer store.

http://barnson.org/node/611

How to detect rogue wireless access points

This is a basic, rough outline of how to detect rogue wireless access points on your network. It's how I've done it before. If you're not technical enough to understand what switches, routers, and APs do, you may not get it. But, like many of my other articles, I'm posting this one as a reminder on how network security professionals do rogue AP hunts.

And heck, maybe it will be useful to you if you want to run a rogue access point...

On a mailing list I subscribe to, one subscriber suggested that you simply turn off SSID broadcasting to hide your rogue access point. I disabused him of the notion that merely hiding your SSID would protect you from rogue AP hunters...

I'm a UNIX and network admin for a living. SSID scanning is only the first thing you do in finding rogue access points.

With the right software (well, the right network adapter in your laptop), you will see the wireless networks that are not advertising their SSID, too. Then you do some basic triangulation, or as I liked to call it, "hot/cold" checks. Buildings frequently reflect signals weirdly, but you can normally figure out what floor a rogue AP is on, which wing of that floor, and the location within 10-30 meters or so.

The next step for checking for a rogue access point is to do some log analysis at your switch(es) for that wing. Look at the MAC addresses connecting. Most access points have well-publicized MAC ranges they use. You can also do this at your DHCP server, if you have access to it. Just grep through the MAC log and look for the octets which likely indicate an access point. They are very easily recognizable, and since most people just plug their rogue AP into a wall jack, they're about as obvious in the logs as an elephant in your living room.

OK, so you know the wing. You know the floor. You know which switch they are connected to (maybe). Hit your port wiring diagrams, and you'll find the cube (or room) they're coming from. Walk over and have a quiet chat with them, if possible. Discuss it with their manager (if corporate; I'd guess their RA if it's a college) if that is what your security policies require. Go on with life, and keep a close eye on that infringer for a few months.

People can be sneaky, though. For instance, they can hide their access point behind a legitimate computer acting as a proxy gateway for their wireless network (usually, Windows connection sharing). Well, at that point, WEP-cracking becomes kind of important. Crack their WEP key.

I'm not entirely sure how to crack a WEP key and sniff traffic when I lack the SSID for the network. However, I'm pretty certain I could Google up an answer in short order.

See if you can sniff the traffic. Hop onto your firewall or intrusion-detection system, and grep through the log for some keywords from the traffic log you got from cracking the WEP key and sniffing the traffic. Normally, this will net you some positives; you can see the IP, run an "nmblookup -A" (if using SAMBA) to see the hostname and currently logged-in user of the Windows box, and then track down via DHCP logs or the username (if recognizable) where the machine lives.

Of course, you can also just block that IP from going through the firewall, and wait for the support call, too...

If they're really savvy, it will be a Linux or BSD box. That could be more interesting :)

Now, the really sneaky people would use WPA behind a proxy legitimate box. Can't crack WPA yet, and you can't tell by the MAC that there's an access point there since it's either being proxied or NAT'd. So you're stuck with only being able to roughly triangulate the location of the rogue access point to within about 100 square meters or so. At that point, it comes down to hunting and figuring out whether it's worth your time. You might be able to find it, or you might not. Signal strengths indoors are not a reliable triangulation method, because strength drops off irregularly due to structural blocks. But you can sometimes find it.

It's even more frustrating when they're a person who only turns on their access point when they're using it, and they turn it off when they're done. You can't hunt late at night, and you don't have unlimited time to figure out where the rogue AP is. However, if a user is using WPA, proxies behind a legit box, and shuts it off when they're not using it, then I just chalk up a victory for the security-mindedness of the individual who set up the AP. Because that's the same way I'd use it if I wanted to run an AP on a network that didn't allow it, and it's an exercise in frustration trying to track it down.

It's basically professional courtesy at that point. I tip my hat, think "good jeaorb Homer", and move on to the next project. Unless they get lazy and leave it running for a few days...

As far as locking down my personal access point in my home in suburbia? I just did 40-bit WEP and a MAC address filter. I monitor everything that happens on my network, so I'd know if someone happens to connect and push some data through. Most folks aren't tech-savvy enough to try to crack a WEP key. If they are, well, I know all my neighbors and know who the one guy is that would be savvy enough to try it. Yeah, I know that some potential malicious person could sniff my traffic. Fact is, we run anything important that could be sniffed through SSL. My family doesn't use file-sharing and any copying I need to do is done through SSH.

Of course, my printer is kind of hanging out there. That's sometimes a worry, that someone would connect and send a few thousand pages to my printer. With its high-capacity bins, that could cost me some money :)

Or maybe they'd sniff my traffic to my printer, which frequently includes receipts. Really, people digging through my garbage bins for destroyed credit card applications is a bigger worry.

In this kind of low-security-environment, though, I think it's all that's needed. People respect WEP like they respect windows and door locks. Sure, they can get in if they want to by breaking a window or knocking down a door, but that's not neighborly.

At work, it's another story. WPA, dynamic key assignment, registered computers only, set up behind a firewall from the rest of the network, fascist logging, you name it. And you can also detect NAT being used on your network if you analyze packets closely enough. But who has that kind of time for a casual or school campus LAN?
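The log-analysis step the post describes (grepping switch or DHCP logs for MAC prefixes that belong to access point vendors) and the closing remark about spotting NAT from packet analysis can both be automated. The following Python is an added example, not the post author's code: the OUI-to-vendor table uses placeholder prefixes rather than real IEEE assignments, the DHCP log lines and packet records are constructed, and the TTL rule is one common NAT-detection heuristic that the post does not itself spell out.

```python
"""Find access-point hardware in DHCP logs by OUI and flag NAT by TTL decrement.

Added example, not the blog author's code. The OUI table holds placeholder
prefixes (look real ones up in the IEEE OUI registry); the log lines and the
packet summaries are constructed for illustration.
"""
import re

# Constructed OUI -> vendor table. These are placeholders, NOT real assignments.
AP_VENDOR_OUIS = {
    "00:11:22": "ExampleAP Corp",
    "00:33:44": "WiFiBox Inc",
}

# Constructed ISC-dhcpd-style log excerpt.
DHCP_LOG = """\
Mar  3 09:12:01 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:9a:bc:de (guest-ap) via eth1
Mar  3 09:12:07 dhcpd: DHCPACK on 10.20.30.42 to aa:bb:cc:12:34:56 (jsmith-laptop) via eth1
Mar  3 09:13:15 dhcpd: DHCPACK on 10.20.30.43 to 00:33:44:00:00:01 via eth1
Mar  3 09:14:02 dhcpd: DHCPDISCOVER from 00:33:44:00:00:01 via eth1
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<ifc>\S+)",
    re.IGNORECASE,
)


def oui(mac: str) -> str:
    """First three octets of a MAC address, normalised to lowercase."""
    return mac.lower()[:8]


def find_ap_leases(log_text: str):
    """Return DHCP acknowledgements whose client MAC has an AP-vendor OUI."""
    hits = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        vendor = AP_VENDOR_OUIS.get(oui(m["mac"]))
        if vendor:
            hits.append({"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"],
                         "interface": m["ifc"], "vendor": vendor})
    return hits


# Common initial TTLs: Linux/BSD/macOS 64, Windows 128, some network gear 255.
DEFAULT_TTLS = (64, 128, 255)


def nat_hop_hint(observed_ttl: int) -> int:
    """Every router or NAT box decrements TTL by one. On a directly connected
    segment a host's packets should arrive with a default TTL intact, so a
    value a few below a default suggests a NAT/router in between. Heuristic
    only: an endpoint can set any initial TTL it likes."""
    for default in DEFAULT_TTLS:
        if 0 < default - observed_ttl <= 4:
            return default - observed_ttl
    return 0


def suspected_nat_sources(packets):
    """packets: iterable of (src_ip, ttl) captured on our own segment, with no
    legitimate router between the capture point and the sources.
    Returns {src_ip: inferred hop count} for sources that look NAT'd."""
    out = {}
    for src, ttl in packets:
        hops = nat_hop_hint(ttl)
        if hops:
            out[src] = max(hops, out.get(src, 0))
    return out


if __name__ == "__main__":
    for hit in find_ap_leases(DHCP_LOG):
        print("AP-vendor OUI on", hit["interface"], hit)
    # Constructed capture: .42 is a plain Windows host, .43 sits behind a NAT box.
    capture = [("10.20.30.42", 128), ("10.20.30.43", 63), ("10.20.30.43", 63)]
    print("suspected NAT sources:", suspected_nat_sources(capture))
```

A host that has been NAT'd behind a "legitimate" machine never shows an AP-vendor MAC in the DHCP log, which is exactly why the post moves from MAC matching to packet analysis; the TTL check is the cheapest of those packet-level signals.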

http://www.wi-fiplanet.com/tutorials/article.php/1564431/Identifying-Rogue-Access-Points.htm

Identifying Rogue Access Points

One of the most critical security concerns of IT managers today is the possibility that rogue wireless access points may be present on the corporate network. A rogue access point is one that the company does not authorize for operation. The trouble is that rogue access points often don't conform to wireless LAN (WLAN) security policies, which opens an insecure interface to the corporate network from outside the physically controlled facility.

Major issues arise, however, when an employee or hacker plugs in a rogue access point. The rogue allows just about anyone with an 802.11-equipped device on the corporate network, which puts them very close to mission-critical resources.

Find Rogues

One method of detecting rogues involves the use of wireless sniffing tools (e.g., AirMagnet or NetStumbler) that capture information regarding access points that are within range of where you're using the tool. This requires you to walk through the facilities to capture the data. With this method, you can scan the entire facility, but this can be very time consuming for larger companies with many buildings or that span a large geographical area.

Capturing data in this fashion is only valid at the time of capture. Someone could activate a rogue seconds after you turn off the sniffing device, and you won't have any idea that it's present. Still, it's often the most common and least expensive method of finding rogues. It just takes a lot of time and effort.

When using wireless sniffing tools, compare each access point's Medium Access Control (MAC) address, vendor name and security configuration against what is authorized. Create a list of MAC addresses of the authorized access points on the LAN and check whether or not each one you find is on the list. An access point with a vendor name different from your authorized access points is the first alert to a possible rogue. Improper security settings (e.g., WEP disabled) could indicate a rogue, but the access point may also be authorized but wrongly configured.

If you find an access point that looks suspicious, consider it to be a rogue, and then try locating it through homing techniques. To do this, walk in directions that cause the signal strength of the access point's beacons to increase. Eventually, you'll narrow the location down to a particular room, which often requires you to do some looking. In some cases, the "rogue" will simply be an active access point that is not connected to the corporate network -- this doesn't cause any security harm. When you find one that actually interfaces to the corporate network, immediately shut it off.

Centralized Detection

The ideal method of detecting rogue access points is to use a central console attached to the wired side of the network for monitoring. This eliminates the need to walk through the facilities.

Several vendors offer specialized products that provide centralized monitoring. AirWave, for example, makes use of a company's existing access points installed throughout the facility. These authorized access points listen for rogues and send results to a centralized console that can alert security personnel if a rogue appears.

This is effective at spotting rogues, but those not within range of an installed access point go undetected. Such systems can be relatively expensive, and they don't work unless you either have or plan to install a WLAN. (Yes, rogue access points can be a problem even if the company doesn't have a WLAN.) If funding is limited or you don't have a WLAN, then using a wireless sniffing tool to manually search the facility periodically is likely your best alternative.

Poor Man's Approach

As an alternative, a fairly crude (but effective and inexpensive) method for finding potential rogues from the wired side of the network is to use a free Transmission Control Protocol (TCP) port scanner, such as SuperScan 3.0, that identifies enabled TCP ports from various devices connected to the network. Run the software from a laptop or desktop PC connected to the corporate network, and the tool uncovers all Port 80 (HTTP) interfaces on the network, which includes all Web servers, some printers, and nearly all access points. Even if an access point's Port 80 interface is disabled or protected by a username and password, the access point will generally respond to the port scanner's ping with the vendor name and its corresponding Internet Protocol (IP) address.

You can scroll through the list of found Port 80 interfaces and discover potential rogues if their vendor names are different from those authorized in your WLAN. With the IP address of a suspected access point, attempt to open its administration screen. You'll quickly notice whether an access point is a legitimate one or not. The difficult chore will be to determine the physical location of the rogue; routing table entries may help.
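The "poor man's" wired-side sweep can be scripted in a few lines. The following Python is an added example, not SuperScan or any tool the article names: it connects to port 80 on each host in a range, reads the HTTP `Server:` header (which, as the article notes, is usually returned even when the administration page itself demands a password), and flags any vendor string that is not on the authorized list. The subnet, the authorized vendor keyword and the canned responses used for the offline test are constructed; run the live sweep only against a network you administer.

```python
"""Sweep a subnet for HTTP interfaces and compare Server headers to authorized AP vendors.

Added example, not the article's tool. The authorized-vendor keyword and the
sample subnet are constructed; the live probe needs network access, so the
parsing and classification are kept separate and testable without it.
"""
import ipaddress
import socket
from typing import Optional

AUTHORIZED_VENDORS = {"acmenet"}  # constructed: lowercase keywords of our managed AP vendor(s)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Extract the Server: header value from an HTTP response head (case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def probe_http(ip: str, timeout: float = 1.0) -> Optional[bytes]:
    """Return the first bytes of the HTTP response from ip:80, or None if unreachable."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as s:
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {ip}\r\n\r\n".encode())
            return s.recv(2048)
    except OSError:
        return None


def classify_server(server: Optional[str]) -> str:
    """authorized-vendor if a known keyword appears, unrecognized-vendor otherwise."""
    if server is None:
        return "no-server-header"
    lowered = server.lower()
    if any(v in lowered for v in AUTHORIZED_VENDORS):
        return "authorized-vendor"
    return "unrecognized-vendor"


def sweep(cidr: str, probe=probe_http):
    """Probe every host in cidr; return (ip, server_header, verdict) for responders.
    `probe` is injectable so the logic can be exercised with canned responses."""
    results = []
    for host in ipaddress.ip_network(cidr).hosts():
        raw = probe(str(host))
        if raw is None:
            continue
        server = parse_server_header(raw)
        results.append((str(host), server, classify_server(server)))
    return results


if __name__ == "__main__":
    # Live sweep of a constructed management subnet; replace with your own range.
    for ip, server, verdict in sweep("192.0.2.0/28"):
        print(f"{ip:15} {verdict:20} {server}")
```

Pairing the verdict with the DHCP lease for that IP gives the MAC address as well, so an "unrecognized-vendor" hit can be cross-checked against the authorized list by MAC before anyone walks the floor.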
