
Find wireless rogues without sensors

Combine wired and wireless scanning...


I finally settled on a strategy for wireless security. As wireless access points began appearing on our company's network, we configured them with Cisco's Lightweight Extensible Access Protocol (read my previous article, Migrate WLANs away from Cisco's LEAP). LEAP forces users to authenticate to the access point with their enterprise credentials - the same credentials used for virtual private network access, as well as services such as payroll and Microsoft Exchange e-mail. That's because we use a centralised directory that ties into most of our core applications and lets employees use a single password to sign on.

Although LEAP works well, we didn't want to take the chance that those enterprise credentials would become compromised if someone hacked the wireless infrastructure. So I decided to use Protected Extensible Access Protocol (PEAP) with RSA SecurID token authentication. This combination requires a wireless user to enter his user identity and his SecurID token, which is a personal identification number followed by a dynamic number that changes every 60 seconds. This way, even if PEAP is compromised to the extent that the user ID is obtained, the hacker would still need a SecurID token to gain access.

Testing and capacity
As I noted in November, we had to do extensive testing of this setup. Our current corporate standard is to issue Dell laptops with the TruMobile client installed. Our testing showed that the TruMobile client works well with PEAP, SecurID and the Cisco access points. Our small contingent of Linux users will need a third-party client such as Aegis from Portsmouth, N.H.-based Meetinghouse Data Communications, which supports Linux and PEAP.

Another issue is capacity, since there's a limit to how many clients can associate to a single access point. Until we beef up our infrastructure, the plan is to restrict wireless access to users who demonstrate a business need. Once a user obtains management approval, we'll send him a SecurID token with instructions on how to configure his client.

Now for the rogues!
With the PEAP/SecurID portion of our wireless policy in place, I turned my attention to evaluating and experimenting with various technologies for detecting rogue access points. My decision had to be based on several factors, the first being money. Unfortunately, my company is trying to conserve resources, and there just isn't enough money to outfit every remote office with wireless sensors.

Because the company operates worldwide, I decided to take both wireless and wired approaches to rogue access-point detection.

On the wireless side, we wanted to stick with Cisco. That wasn't because it has best-of-breed wireless sensors, but because we already have a relationship with Cisco and are already managing dozens of Cisco access points. We also believe that Cisco will eventually provide the type of functionality we're really looking for. In addition, if we use Cisco access points for rogue access-point detection, there's always the option of converting those devices back to access points.

But we have remote offices where we can't deploy wireless sensors, and we still want to be able to discover the presence of wireless access points on the wired network. On an enterprise level, this can be accomplished in two ways.

First try: Scan for wireless MACs
The first is to check the MAC address seen on every switch port against the known wireless vendors' organisationally unique identifiers (the first three octets of the MAC address). This isn't foolproof, however, since some wireless vendors also make wired equipment.

For example, Cisco makes both network hardware and wireless access points. If we come across a MAC address for what looks like a Cisco device, we could have a false positive for a wireless device.

Another problem with this method is that we might not have access to every switch in our infrastructure. In our company, some of the engineering departments manage their own network gear.

Second try: scan every IP address for wireless fingerprints
The second way to detect wireless access points on the wired enterprise network is to scan every IP address and attempt to identify access points by the responses we get. If you know the signature of an access point, you'll know when your probing has hit on one. The problem is knowing those signatures. It would be fairly simple to write scripts that would allow our Nessus scanning infrastructure to look for wireless signatures, but since each vendor could have its own fingerprint, we'd have to purchase every vendor's access points and run tests to get a proper fingerprint. Unfortunately, we just don't have the resources to tackle that task.

But we do have the resources to turn to AirWave Wireless. Beyond its vendor-independent, centralised wireless management tool, AirWave has done all the legwork and fingerprinted more than 40 wireless access points. It then built a tool, called RAPIDS, that, among other features, scans the network for those fingerprints. By conducting some correlation with the MAC address scanning (which AirWave can also accomplish), we can determine whether a device that's been pinpointed by RAPIDS is rogue and then trace it back to the switch port to which it's attached.
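As an added example (not the author's, Cisco's or AirWave's code), here is how the two wired checks described above can be correlated: OUI matching against the switch MAC table, with vendors that also sell wired gear marked ambiguous rather than flagged outright, joined with a list of hosts whose responses matched an access-point fingerprint, to produce a verdict and the switch port to trace. All switch output, ARP entries, OUIs, authorised-AP MACs and fingerprint hits are constructed sample data.

```python
import re

# Everything below is constructed for this example; it is not real switch output or real OUI data.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/8
  20    0055.6677.8899    DYNAMIC     Gi1/0/12
  20    0011.22ab.cdef    DYNAMIC     Gi1/0/15
"""
ARP_TABLE = {"10.1.10.23": "0011.2233.4455", "10.1.10.40": "00aa.bbcc.dd01",
             "10.1.10.41": "00aa.bbcc.dd02", "10.1.20.5": "0055.6677.8899",
             "10.1.20.9": "0011.22ab.cdef"}
FINGERPRINT_HITS = {"10.1.10.40", "10.1.20.5"}   # IPs whose responses matched an AP signature
AUTHORIZED_APS = {"001122abcdef"}                 # MACs of the access points we manage ourselves
OUI_VENDORS = {                                   # oui -> (vendor, also makes wired gear?)
    "001122": ("ExampleWireless", False),
    "00aabb": ("ExampleNet", True),               # ambiguous: sells both switches and APs
}

def normalize(mac):
    """Collapse 0011.2233.4455 / 00:11:22:33:44:55 / 00-11-22-33-44-55 to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_mac_table(text):
    """Return {mac: port} from Cisco-style 'show mac address-table' output (constructed format)."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)", line)
        if m:
            ports[normalize(m.group(1))] = m.group(2)
    return ports

def oui_class(mac):
    """OUI-only evidence: wireless-only vendor, vendor that also makes wired gear, or no match."""
    vendor = OUI_VENDORS.get(mac[:6])
    if vendor is None:
        return "no-oui-match"
    return "ambiguous-oui" if vendor[1] else "wireless-oui"

def correlate():
    """Join port table, ARP table and fingerprint hits into {ip: (verdict, switch port)}."""
    ports = parse_mac_table(MAC_TABLE)
    findings = {}
    for ip, raw in ARP_TABLE.items():
        mac = normalize(raw)
        oui, fingerprinted = oui_class(mac), ip in FINGERPRINT_HITS
        if mac in AUTHORIZED_APS:
            verdict = "authorized-ap"             # one of ours, whatever the OUI says
        elif fingerprinted:                       # fingerprint resolves an ambiguous OUI
            verdict = "rogue-confirmed" if oui != "no-oui-match" else "rogue-likely"
        elif oui == "wireless-oui":
            verdict = "review-oui-only"           # OUI alone: worth a look, not proof
        else:
            verdict = "clear"                     # ambiguous or unknown OUI with no fingerprint
        findings[ip] = (verdict, ports.get(mac, "port-unknown"))
    return findings
```

The port-unknown fallback covers the gap the author notes: engineering-managed switches whose MAC tables we cannot read still yield a verdict, just no port to trace.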

All of this isn't a 100 percent fix for keeping rogue access points in check, but I feel that the combined wired/wireless approach will be about 90 percent effective. Over the course of the next several months, we'll deploy this technology and I'll be able to report back meaningful results.

What do you think?

"Mathias Thurman" is a real security manager, whose name and employer have been disguised for obvious reasons. Read his experiences with

.

Contact him at mathias_thurman@yahoo.com.

