Rogue Access Points

One of the major risks faced by network administrators is the unauthorized installation of 802.11 networks by users. So-called "rogue" access points can pose significant threats. The primary threat is that a device installed by users will not have the full security configuration of an authorized deployment; users probably are not sophisticated enough (and may not be willing) to enable high-security features correctly. Even if they are appropriately secured, unauthorized devices may interfere with the operation of the existing network.

Detection

The first step in dealing with rogue devices is to find out that they exist. Some radio device somewhere must note the existence of an unauthorized device. In the initial years of 802.11 equipment, access points were expensive enough that carrying around a laptop-or handheld-based sniffer was an effective detection mechanism. As more people have become familiar with 802.11, detection needed to become a continuous, automated process. For cost and management reasons, detection is now integrated into most mainstream wireless LAN systems. Depending on the vendor's implementation, the detection component may be implemented through the use of a scanning feature that searches periodically for unauthorized devices or dedicated scanning devices. Scans for unauthorized devices may be passive scans that listen for traffic, Beacons, or Probe Responses, or they may be active scans that use 802.11 Probe Request frames to make unathorized networks reveal themselves.

To be effective, detection must cover all the available 802.11 channels. Initial corporate deployments were largely based on 802.11b, and the radio interface chipsets were not capable of operating in the 802.11a frequency range or with 802.11a modulation. Clever deployers of rogue access points have been known to purchase unauthorized 802.11a devices on the theory that the existing network is not capable of detecting them, and any network analysis tools used by network administrators may be 802.11b-only as well.

Detection capabilities may be built into wireless LAN infrastructure, or it may require standalone devices. There is usually a trade-off between the quality of service provided to users, the quality of detection information, and cost. Dedicated sensors provide the best detection, but also cost the most. Using radios that provide service to users to detect unauthorized devices is much cheaper, but may interrupt or diminish service provided to users.

When a radio searches for unauthorized deployment, it will look for indicators of rogue devices. At the minimum, sensors must search for Beacon frames. All access points and ad hoc networks send Beacons. Some complete 802.11 systems may also observe client traffic and compare the list of clients seen in the radio domain with the clients associated to the infrastructure. Any clients that are present in the former list but not the latter are associated with unauthorized deployments.

Physical Location

Once a rogue AP is detected, network administrators usually want to locate it, usually as a prelude to some sort of response. In many cases, it may be appropriate to simply note the existence of a rogue AP so that an administrator can visit the user and deactivate the device. If active countermeasures are required, it is often best to limit them to rogue devices within a specific area. There are several major types of location technologies in use:

1. Closest AP radius calculations
2. Triangulation
3. RF fingerprinting
4. Differential timing

The easiest method of locating a rogue AP is to use the radius to the closest AP, as shown in Figure 22-2 (a). After searching the network for a MAC address, the network system can determine a very rough location based on the location of the AP that detected the device. Radio signal propagation through free space follows a well-known mathematical model. Based on the received signal strength at the detecting AP, the maximum radius can be calculated by finding out how far away a device operating at maximum transmission power would need to be so that the calculated received signal strength would match the measured value. In Figure 22-2 (a), the received signal strength at the AP can be used to detemine the free-space distance to the closest AP, but it does not offer any guidance as to which position on the circle the AP is at.

Figure 22-2. Radius to the closest AP

AP radius calculations suffer from a number of flaws. First of all, the free-space radius of a signal transmitted at maximum power is likely to be much larger than the actual radius. While a free-space propagation model may allow for a 100-foot coverage radius, the resulting 30,000 square foot space is too large to be useful. To pinpoint the offending device better, some location tools will build a mathematical model of the radio environment, and take into account any building features along a particular path. In most office buildings, the effective coverage radius is often half the free-space value or less. By reducing the radius from a theoretical 100 feet in free space to an environment-specific value 50 feet or less, the target is reduced to a much smaller 8,000 square feet. 8,000 square feet, however, is still an area of 70-100 cubicles, depending on their size and the office layout. In Figure 22-2 (b), there is a wall on the right-hand side of the diagram, which has the effect of reducing the coverage radius because the radio signals must penetrate the wall. The thickness of the arrow corresponds to signal strength at a given point. When the radio signal encounters the wall, the signal strength drops, which has the effect of reducing the coverage area. Correction of coverage radius for building features works best when there are a large number of them; it is not much of an improvement in typical cubicle-filled offices where the propagation distance is much farther.

AP radius-based approaches can be further refined by using triangulation, as shown in Figure 22-3. Triangulation, when used with its original definition, measures the distance from three known points to determine a location. Many of the "triangulation" techniques used in wireless LAN systems can work with more than three measurement points.

Overlapping coverage areas, overlapping radii, and in some cases, probabalistic simulations, are used to come up with likely locations for devices. In Figure 22-3 (a), the overlapping coverage areas of three APs are used to derive a guess at the location. As with the AP radius approach, some triangulation algorithms can be used in conjunction with knowledge of the building construction to further refine the location. In Figure 22-3 (b), the signal deadening effects of two walls are taken into account, which results in a much better prediction.

Figure 22-3. Triangulation

Location can be further refined by taking RF fingerprint measurements. After generating a set of predictions about how radio waves will interact with the building, the mathematical model is refined with data about how radio waves actually behave. To build a fingerprint database, devices are placed at known locations and then measured. Data on received signal strength and other signal characteristics is then stored as a "fingerprint" for that location. Fingerprints include all the signal propagation characteristics that are hard to calculate, such as reflection off of walls and multi-path interference. When unknown devices are being located, their signal characteristics can be compared to the fingerprint database to refine the location prediction. Improving the quality of location predictions depends on the number of fingerprint locations collected as part of the extended site survey. Although fingerprinting can improve location information, it may require the collection of a great deal of additional data to build a large enough fingerprint database for the desired accuracy.

A final method of location is based on the relative time of received signals. Signal strength depends on a variety of factors, including building construction. Radio waves, however, always travel at the speed of light. Triangulation can be performed based on the relative arrival time of transmissions at measurement locations. Although this technique has the potential to be quite accurate, radio waves are extremely fast, and incredibly precise timing synchronization is required. In Figure 22-4, two APs are measuring the arrival of a transmission from a source. After some amount of time, the signal reaches the first AP. The location system must measure the difference in time between the arrival of the signal at the first measurement device and the second measurement device with extremely high precision. Radio waves travel at approximately one foot per nanosecond, which requires that the location devices be able to discern very small time differences between distributed devices. Although theoretically feasible, the differential time arrival approach typically requires the use of highly specialized devices with timing equipment that is far more accurate than is found in typical access points.

Figure 22-4. Differential timing analysis

 

Disabling Rogue APs

Many products offer the ability to automatically shut off unauthorized networks, a feature that is often referred to as containment or suppression. The technical details vary, but some combination of protocol tricks is used to prevent or disrupt connections to rogue APs. Generally speaking, the tricks either prevent associations to rogue APs or disrupt established connections. Many of the tricks depend on the lack of authentication on control frames, which allows infrastructure devices to impersonate rogue APs. It remains to be seen how effective countermeasures will be when the 802.11 protocols authenticate important network control information. Figure 22-5 illustrates the two major techniques for launching denial-of-service attacks on rogue networks.

Figure 22-5. Rogue suppression techniques

To disrupt the association process, some devices send spoofed Beacon or Probe Response frames, as shown in Figure 22-5 (a). Without authentication of Beacon or Probe Response frames, an access point can easily impersonate the rogue. The spoofed frames may contain information that contradicts the corresponding frames transmitted by the rogue to confuse client devices. Some clients will be unable to associate to a network that appears to be announcing it is both encrypted (in Beacon frames with the Protected Frame bit set) and not encrypted (with the Protected Frame bit clear). Spoofed Probe Response frames may have the same effect. Some wireless LAN systems may also attempt to capture client association requests by trapping devices associating with rogue clients on to a captive network to prevent damage. To handle stations that are already associated with a rogue AP, Dissasociation and Deauthentication messages can be used, as shown in Figure 22-5 (b). These messages are not signed, which will allow the network infrastructure to kick clients off of rogue networks.

Using messages that are transmitted in response to client communications is not foolproof. Due to multipath coverage, and the placement of infrastructure devices in relation to the clients, it is not always be possible to see all communications initiated on behalf of rogue-attached clients. Some devices will simultaneously send spoofed Deauthentication messages from the client addresses to access points to force access points to drop the connections of rogue associated clients. Some wireless LAN management systems may offer capabilities that can further limit the damage from rogue APs. If clients associated to rogue APs can be identified, a wireless LAN management system could, in theory, take action on the network backbone to lock out the clients from network services on the backbone, as in Figure 22-5 (c).

One of the interesting paradoxes of rogue suppression is that 802.11 networks often spring up in response to the self-determined need of users to have mobile network connectivity. To ensure that supression devices have appropriate coverage scope to disable rogue networks, there must be a fair number of them. In fact, the number of 802.11 access points required for decent rogue suppression is often quite similar, if not identical, to the number of APs required to provide decent coverage. Providing the desired level of supression capabilities often requires deploying enough access points to run a reasonable network for the users.

One of the reasons that some access points are becoming 802.1X supplicants is so that they must authenticate to the network themselves before providing service. Rather than wait for rogue APs to pop up, an 802.1X-enabled wired network simply rejects them before they become a problem.

And now, a word from your lawyers

Interfering with a wireless network through rogue containment may be treated as network tampering or "hacking" under computer crime statutes. (Please consult an attorney who is familiar with all the laws that may apply in your location, especially since I am not a lawyer.) Equipment that is acting to stop rogue devices by spoofing their identity is designed to interfere with the operation of that wireless network. If the network belongs to a neighbor, or coffee shop across the street, your action may be illegal or subject to a civil action.

To avoid creating more work for lawyers, it is an excellent idea to ensure that a rogue AP is in fact connected to the network that you are attempting to protect before launching your counterattack. If the rogue AP is the property of the coffee shop across the street, for example, the owners will almost certainly have a very strong opinion about having their network shut down. A wireless network set up in a large building with many offices may also have several neighboring networks which should be protected from countermeasures. (Enabling unrestricted countermeasures if you rent an office next to a law firm is probably particularly dumb, especially if the law firm is computer savvy.)

Recent FCC regulatory actions prevent property owners from asserting any ownership over the electromagnetic spectrum. Therefore, it is unwise to apply rogue countermeasures to your tenants or neighbors.