Find wireless rogues without sensors
Combine wired and wireless scanning...
By Mathias Thurman, Computerworld | Published: 01:00, 03 March 2005
I finally settled on a strategy for wireless security. As wireless access points began appearing on our company's network, we configured them with Cisco's Lightweight Extensible Access Protocol (read my previous article, Migrate WLANs away from Cisco's LEAP). LEAP forces users to authenticate to the access point with their enterprise credentials - the same credentials used for virtual private network access, as well as services such as payroll and Microsoft Exchange e-mail. That's because we use a centralised directory that ties into most of our core applications and lets employees use a single password to sign on.
Although LEAP works well, we didn't want to take the chance that those enterprise credentials would become compromised if someone hacked the wireless infrastructure. So I decided to use Protected Extensible Access Protocol (PEAP) with RSA SecurID token authentication. This combination requires a wireless user to enter his user identity and his SecurID token, which is a personal identification number followed by a dynamic number that changes every 60 seconds. This way, even if PEAP is compromised to the extent that the user ID is obtained, the hacker would still need a SecurID token to gain access.
Testing and capacity
As I noted in November, we had to do extensive testing of this setup. Our current corporate standard is to issue Dell laptops with the TruMobile client installed. Our testing showed that the TruMobile client works well with PEAP, SecurID and the Cisco access points. Our small contingent of Linux users will need a third-party client such as Aegis from Portsmouth, N.H.-based Meetinghouse Data Communications, which supports Linux and PEAP.
Another issue is capacity, since there's a limit to how many clients can associate to a single access point. Until we beef up our infrastructure, the plan is to restrict wireless access to users who demonstrate a business need. Once a user obtains management approval, we'll send him a SecurID token with instructions on how to configure his client.
Now for the rogues!
With the PEAP/SecurID portion of our wireless policy in place, I turned my attention to evaluating and experimenting with various technologies for detecting rogue access points. My decision had to be based on several factors, the first being money. Unfortunately, my company is trying to conserve resources, and there just isn't enough money to outfit every remote office with wireless sensors.
Because the company operates worldwide, I decided to take both wireless and wired approaches to rogue access-point detection.
On the wireless side, we wanted to stick with Cisco. That wasn't because it has best-of-breed wireless sensors, but because we already have a relationship with Cisco and are already managing dozens of Cisco access points. We also believe that Cisco will eventually provide the type of functionality we're really looking for. In addition, if we use Cisco access points for rogue access-point detection, there's always the option of converting those devices back to access points.
But we have remote offices where we can't deploy wireless sensors, and we still want to be able to discover the presence of wireless access points on the wired network. On an enterprise level, this can be accomplished in two ways.
First try: Scan for wireless MACs
The first is to assess every switch port's media access control address in order to find the wireless vendors' IDs (the first three octets of the MAC address). This isn't foolproof, however, since some wireless vendors also make wired equipment.
For example, Cisco makes both network hardware and wireless access points. If we come across a MAC address for what looks like a Cisco device, we could have a false positive for a wireless device.
Another problem with this method is that we might not have access to every switch in our infrastructure. In our company, some of the engineering departments manage their own network gear.
Second try: scan every IP address for wireless fingerprints
The second way to detect wireless access points on the wired enterprise network is to scan every IP address and attempt to identify access points by the responses we get. If you know the signature of an access point, you'll know when your probing has hit on one. The problem is knowing those signatures. It would be fairly simple to write scripts that would allow our Nessus scanning infrastructure to look for wireless signatures, but since each vendor could have its own fingerprint, we'd have to purchase every vendor's access points and run tests to get a proper fingerprint. Unfortunately, we just don't have the resources to tackle that task.
But we do have the resources to turn to AirWave Wireless. Beyond its vendor-independent, centralised wireless management tool, AirWave has done all the legwork and fingerprinted more than 40 wireless access points. It then built a tool, called RAPIDS, that, among other features, scans the network for those fingerprints. By conducting some correlation with the MAC address scanning (which AirWave can also accomplish), we can determine whether a device that's been pinpointed by RAPIDS is rogue and then trace it back to the switch port to which it's attached.
All of this isn't a 100 percent fix for keeping rogue access points in check, but I feel that the combined wired/wireless approach will be about 90 percent effective. Over the course of the next several months, we'll deploy this technology and I'll be able to report back meaningful results.
What do you think?
"Mathias Thurman," is a real security manager, whose name and employer have been disguised for obvious reasons. Read his experiences with
Contact him at firstname.lastname@example.org.