Do we really need rogue AP detection?
It all depends whether your 802.1x and WPA implementation is really, really good...
By Joanie Wexler, Network World | Network World US | Published: 01:00, 16 December 2004
Securing wireless LANs has become big business for specialist vendors (see Managing wireless LANs - small vendors are ahead). But why do we need to bother?
Theoretically, if enterprises properly implement current wireless LAN security standards, rogue (unauthorised) access points shouldn't allow intruders to sneak onto a network. Right?
I mean, by definition, with 802.1x authentication in place, outsiders shouldn't be able to gain network authentication. Thus, they shouldn't be able to access any (or hardly any) network resources, depending on how the enterprise has set up its policies. So do we need to monitor the air for rogue APs?
Some readers of these articles have asserted that, if you've done a good job getting all your other network security ducks in a row, you shouldn't have to chase after rogue access points (APs). I agree. But I also think that's a big "if", at least in these early days of wireless.
Others felt that even when properly implemented, 802.1x authentication wouldn't keep rogues from admitting intruders on to the corporate network. There I tend to disagree. But note how the two arguments feed each other.
Argument No. 1: An otherwise well-secured network shouldn't be susceptible to rogues
True. But how many of you are completely up to speed with 802.11i deployments, wireless best practices and wired-network best practices, all working in harmony? 802.11i (a.k.a. WPA2) product certifications are very new, for example, and so only a few certified products are on the market.
In addition, very few of the enterprises I interview tell me they are using even the older WPA to secure their wireless LANs. Most use dynamic WEP or MAC filtering (usually with SSID suppression) as their primary security method. In many of those cases, an unauthorised AP could plug right into an Ethernet port and unauthorised users attached to that AP could start accessing network resources, if no other credential-checking system has been set up on the wired side.
Until wireless security deployment and practices catch up to the technology, it's not a bad idea to suppress rogues as a backup.
Argument No. 2: 802.1x wouldn't disarm rogues
With no authentication measures implemented in the network, a rogue would allow any client to associate to the WLAN and possibly penetrate the wired corporate network. But with a properly configured 802.1x framework in place, the supplicant (client) needs authentication credentials that can be verified by the back-end authentication server. If the client has no valid credentials, and no network-access permissions to go with them, the user should not be able to tap any resources on the wired network.
That still leaves the intruder able, potentially, to communicate with other wireless devices attached to the rogue.
However, you could choose an EAP method within the 802.1x framework that provides mutual authentication (EAP-TLS, EAP-TTLS or PEAP, for example). Strictly speaking, what the client authenticates is not the AP itself but the back-end authentication server, which must present a certificate the client trusts before the client sends its credentials; an AP that is not wired through to that server, or that sits in front of an impostor server, cannot complete the exchange. This only holds if the supplicant is actually configured to validate the server's certificate and name; a client that accepts any certificate will hand its credentials (or a crackable hash of them) to a rogue that copies your SSID. Cisco LEAP is often listed alongside these methods, but its challenge/response exchange is open to offline dictionary attack, so it should not be relied on for this purpose. With a validating supplicant and a proper mutual EAP method, a rogue gives clients no way to get anywhere, on either the wireless or wired network.
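The practical weak point in the mutual-authentication argument is the client configuration: a tunnelled EAP method only authenticates the server if the supplicant is told which CA and which server name to expect. The following is an added example (not from the article, nor any vendor's product) that audits wpa_supplicant-style network blocks for that mistake. The sample configuration text is constructed for the example; the first block is the weak pattern (PEAP with no ca_cert or server-name match), the second is the corrected form, and the third uses LEAP, which the check flags as weak.

```python
# Constructed wpa_supplicant.conf snippet (example data, not from the article).
SAMPLE_CONF = """
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
}

network={
    ssid="legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="bob"
    password="hunter2"
}
"""

# EAP methods that run over a TLS tunnel and therefore must pin the server end.
TUNNELLED_EAP = {"PEAP", "TTLS", "FAST", "TLS"}
# Any one of these ties the server certificate to an expected server name.
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block (key -> value, quotes stripped)."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split on the first '=' only (phase2="auth=...")
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return a list of findings; an empty list means the block validates the server end."""
    findings = []
    eap = net.get("eap", "").upper()
    if net.get("key_mgmt", "").upper() in ("", "NONE", "WEP"):
        findings.append("no 802.1X/WPA key management")
    if eap == "LEAP":
        findings.append("LEAP: challenge/response is open to offline dictionary attack")
    if eap in TUNNELLED_EAP:
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no ca_cert/ca_path: any RADIUS certificate is accepted")
        if not any(k in net for k in NAME_MATCH_KEYS):
            findings.append("no server-name match: any cert from the trusted CA is accepted")
    return findings


def audit_conf(text):
    """Audit every network block: list of (ssid, eap, findings)."""
    return [(n.get("ssid"), n.get("eap"), audit_network(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, eap, findings in audit_conf(SAMPLE_CONF):
        print(ssid, eap, findings or "OK")
```

The check is deliberately strict about the server-name match: trusting the right CA alone still lets any certificate that CA has issued (a web server's, say) impersonate the RADIUS server.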
The degree to which you need to scan for rogues does depend on the strength of the rest of your security system. Until the latest wireless security products and best practices are installed and humming, though, having an automated system to identify rogues connected to your network and to potentially close them down is probably wise.
This is why specialists are strengthening the degree of automation in their rogue intrusion detection/prevention systems.
Using attack for defence
AirMagnet, for example, recently upgraded the centralised version of its WLAN monitoring system, now called AirMagnet Enterprise. The latest version, 5.0, not only discovers if a wireless rogue device has found its way onto the WLAN; it will instruct the wired Ethernet switch to block the port to which that AP is connected. That way, the system automatically shuts down anyone accessing the wired network through the unauthorised AP (someone in the parking lot, for example).
Likewise, according to the company, the system can now automatically block rogue communications over the airwaves. You can set a policy ahead of time that says, for instance, "In our financial building, if you see a rogue AP, disable it entirely, e-mail me and page me," says vice president of marketing Rich Mironov.
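The two decisions such a system makes, whether an observed BSSID is a rogue and which switch port it hangs off, can be sketched in a few dozen lines. The following is an added example written for this article; it is not AirMagnet's or any other vendor's code. The scan results, AP inventory and switch MAC table are all constructed. The wired-side lookup uses a heuristic that is common in rogue detectors but is an assumption here: a consumer AP typically bridges with an Ethernet MAC address numerically adjacent to its radio BSSID, so a learned MAC within a few addresses of the BSSID on a switch port is treated as that rogue's uplink. It can produce false matches, so a real system would confirm (for instance by tracing a packet through the rogue) before shutting a port.

```python
# Constructed AP inventory: BSSIDs the WLAN team deployed and the SSIDs each may advertise.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:c0": {"ssids": {"corp-wlan"}, "location": "Finance 3F"},
    "00:11:22:aa:bb:d0": {"ssids": {"corp-wlan", "guest"}, "location": "Lobby"},
}

# Constructed air-side scan as a sensor might summarise beacons: (bssid, ssid, channel, dBm).
SCAN = [
    ("00:11:22:aa:bb:c0", "corp-wlan", 6, -41),
    ("00:11:22:aa:bb:d0", "guest", 11, -60),
    ("00:1f:33:44:55:67", "linksys", 1, -52),     # consumer AP someone plugged in
    ("00:1f:33:44:55:99", "corp-wlan", 6, -48),   # unknown BSSID cloning the corporate SSID
]

# Constructed switch MAC address table: (learned mac, vlan, port).
MAC_TABLE = [
    ("00:1f:33:44:55:66", 10, "Gi1/0/7"),    # one address below the linksys BSSID
    ("d4:be:d9:12:34:56", 10, "Gi1/0/8"),
    ("00:11:22:aa:bb:bf", 20, "Gi1/0/24"),   # wired side of an authorised AP
]


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def classify_scan(scan, authorized):
    """Label each observed BSSID: authorized, misconfigured, ssid-spoof or rogue."""
    corp_ssids = set().union(*(a["ssids"] for a in authorized.values()))
    verdicts = {}
    for bssid, ssid, _channel, _rssi in scan:
        if bssid in authorized:
            ok = ssid in authorized[bssid]["ssids"]
            verdicts[bssid] = "authorized" if ok else "misconfigured"
        elif ssid in corp_ssids:
            verdicts[bssid] = "ssid-spoof"   # unknown radio advertising our SSID
        else:
            verdicts[bssid] = "rogue"
    return verdicts


def find_wired_port(bssid, mac_table, tolerance=8):
    """Heuristic (assumption): the rogue's Ethernet MAC shares the BSSID's OUI and is
    within `tolerance` of it. Returns (mac, vlan, port) for the closest match or None."""
    target = mac_to_int(bssid)
    hits = []
    for mac, vlan, port in mac_table:
        m = mac_to_int(mac)
        same_oui = (m >> 24) == (target >> 24)
        if same_oui and abs(m - target) <= tolerance:
            hits.append((abs(m - target), mac, vlan, port))
    return min(hits)[1:] if hits else None


def rogue_on_wire(scan, authorized, mac_table):
    """Rogues and spoofers that appear to be plugged into our switches: bssid -> (mac, vlan, port).
    Anything flagged on the air but absent here is an off-wire rogue (e.g. in the car park)
    and is a candidate for RF containment rather than a port shutdown."""
    on_wire = {}
    for bssid, verdict in classify_scan(scan, authorized).items():
        if verdict in ("rogue", "ssid-spoof"):
            hit = find_wired_port(bssid, mac_table)
            if hit:
                on_wire[bssid] = hit
    return on_wire


if __name__ == "__main__":
    print(classify_scan(SCAN, AUTHORIZED_APS))
    print(rogue_on_wire(SCAN, AUTHORIZED_APS, MAC_TABLE))
```

In the constructed data the "linksys" AP resolves to port Gi1/0/7 and would be a candidate for the switch-port block described above, while the BSSID spoofing corp-wlan has no wired match and can only be dealt with over the air.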
The company has also added triangulation software capabilities so that once that pesky AP has been blocked, you can locate it quickly and take appropriate action. AirMagnet recently announced upgrades to its offering, including a combined AP and probe. We have reviewed the previous version here.
By way of background, the AirMagnet Enterprise architecture uses distributed "smart" sensors that perform all traffic analysis locally and forward only the result to a centralised server appliance. This way, they don't forward all the event data over the WAN and consume multiple megabits of WAN bandwidth. AirMagnet's Mironov claims that the company uses just "two percent of the WAN bandwidth of alternate solutions" - by which he means, primarily, AirMagnet's main competitor, AirDefense.
Speaking of AirDefense, aside from its recently reported integration efforts with Cisco, the company has also upgraded its own software, and some start-ups have also joined the WLAN intrusion-detection crowd.