Rogue Access Points

Rogue access points are those connected to a network without planning or permission from the network administrator. For example, we know one administrator in Dallas who just did his first wireless security scan (war driving) on his eight-building office campus. To his surprise, he found over thirty access points. Worse, only four of them had authorization to be connected to the network. Needless to say, heads rolled.

Rogue access points are becoming a major headache in the security industry. With the price of low-end access points dropping to just over one hundred dollars, they are becoming ubiquitous. Furthermore, many access points feature settings that make them next to transparent on the actual network, so their presence cannot be easily detected .

Many rogue access points are placed by employees looking for additional freedom to move about at work. The employees simply bring their access points from home and plug them directly into the corporate LAN without authorization from the IT staff. These types of rogue access points can be very dangerous, as most users are not aware of all the security issues with wireless devices, let alone the security issues with the wired network they use each day.

In addition, it is not always well-intentioned employees who deploy rogue access points. Disgruntled employees, or even attackers can deploy an access point on your network in seconds, and they can then connect to it later that night. In addition, if the access point has DHCP enabled, you now have a rogue DHCP server in addition to a wireless hole in your perimeter.

The following are seven key points to successfully placing a rogue access point:

• Determine what benefit can be gained from placing the access point.

• Plan for the future. Pick a location that will allow you the ability to work on a laptop or PDA without looking suspicious.

• Place the access point in a discreet location that allows for maximum coverage from your connection point.

• Disable the SSID Broadcast (silent mode). This will further complicate the process of detecting the access point, as it will now require a wireless sniffer to detect the rogue access point.

• Disable any management features. Many access points have the ability to send out SNMP traps on both the wired and wireless networks.

• Whenever possible, place the access point behind some type of firewall, thus blocking the MAC address from the LAN and the ARP tables of routers. There are several programs on the market that scan wired networks looking for the MAC addresses of access points.

• Do not get greedy! Leave the access point deployed for short periods of time only. The longer it is deployed, the more likely you are to get caught.

If you already have a wireless network deployed, and then someone places a rogue access point on your network using your existing SSID, this can also create additional problems. This type of access point could extend your network well beyond the bounds of your office. In some cases, the rogue access point could be set up as a link broadcasting your network traffic across town. They can even be made to appear as if they are part of your network, thus causing clients on your network to use them for connectivity. When a client connects to the rogue access point and attempts to access a server, the username and password can be captured and used later to launch an attack on the network.