How To Secure Your Wireless Network: Identifying Rouge Wireless Devices

rouge wireless devicesDetecting rouge wireless devices can be a headache if not performed properly. I’ve asked customers “How do you ENFORCE your zero wireless policy?” and received many answers. Example one is “We have random sweeps with wireless detectors” which are only good at the time of the sweep and range of the detector. Example two is “We use network access control (NAC) so plugging in rouge wireless devices will be denied” which can be bypassed by having an approved laptop act as a wireless bridge. Example three is “We have wireless scanners in our building” however are they certified for all frequencies or are you missing devices on other frequencies? Here are some tips for properly detecting rouge wireless devices.

It’s extremely important to automate access control to any part of your network. Regarding the LAN, see my blog on Network Admission Control HERE. For wireless, walking the halls with a scanner such as a Fluke appliance or laptop detection software is not a reliable practice. I’ve heard stories of users powering down devices to avoid detection or rouge wireless devices on the edge of a campus being out of range or hidden behind a wall. Plus manual methods are time consuming and leave vulnerability gaps between scans.

Relying on LAN access control technologies such as port security or Network Admission Control (NAC) may stop rouge wireless devices plugged into the network however will not detect approved devices such as laptops becoming wireless bridges. Some examples could be a nearby Starbucks offering wireless near your campus, which a user could be connected to the cooperate LAN and Starbucks wireless network simultaneously. A common virus known as “Free WIFI” could turn your endpoints into open wireless bridges that permit anybody in range of your campus free WIFI access to your network.

One solution to prevent endpoint wireless bridges is locking down endpoints with software that disables wireless use when physically connected to the LAN. This may work for trusted endpoints however fails if guest or contactors are permitted on the network without security software enforcing the zero wireless policy. A better solution is developing a wireless detection solution using WIDS WIPS (Wireless Intrusion Detection / Prevention) even if you do not plan to provide wireless access. See my blog on defining WIDS WIPS HERE. Using a wireless detection solution with WIDS WIPS can detect all forms of wireless including approved LAN devices exposing rouge wireless access. It’s also wise to include data security using Data Loss Prevention (DLP) and encryption to provide defense in depth in the event your access layer is bypassed.

When developing a rouge wireless detection solution with WIDS WIPS, its best practice to deploy one dedicated WIDS WIPS sensor for every five service providing access points. When enforcing WIPS prevention, your design should be capable of leveraging multiple access points near a identified rouge device to ensure your access points are close enough to drown out the rouge signal. Hardware should be capable of detecting all channels or some rouge devices may be missed.

It’s highly recommended to treat a wireless detection solution with WIDS WIPS to detect rouge wireless devices the same way as designing a solution to provide wireless access. Site surveys are critical to how effective your detection will be. Not planning for obstacles or proper access point placement may leave you with vulnerable areas. The bonus of a rouge wireless detection system delivered properly is the capability to enable wireless using the same hardware if wireless access is desired in the future.

VN:F [1.9.22_1171]
Rating: 3.8/5 (4 votes cast)
How To Secure Your Wireless Network: Identifying Rouge Wireless Devices, 3.8 out of 5 based on 4 ratings

3 thoughts on “How To Secure Your Wireless Network: Identifying Rouge Wireless Devices”

  1. Dear Thesecurityblogger,
    Neat Post, WEP, WPA/WPA2, and the connected authentication procedures are fashioned to preserve invaders out. But nevertheless, it has turned out to be progressively more convenient to crack WEP encrypted networks and cracking WPA/WPA2 networks is really difficult, but possible. These procedures facilitate always keep exterior consumers from remaining equipped to access delicate info, but what about inner, authenticated people?
    Wishes

    VA:F [1.9.22_1171]
    Rating: 2.0/5 (1 vote cast)
    1. Hi Rachel. Agreed that you can’t go with a jellybean design (hard outside shell but soft once inside). The best approach is having a layered defense design that leverages a central reporting engine to help correlate different alerts into events. Regarding authenticated users, there are a few things to consider.

      1) What types of users are authenticated and where do you place them? For example, do guests end up on VLAN X while employees are on VLAN Y?
      2) What policy must be met prior to providing network access? Do you permit employees to use personal devices? Are there policies against certain applications such as Limewire? Do you treat mobile devices differently from PCs?
      3) How do you handle devices that can’t authenticate? Printers? IP Phones?
      4) What data is made available to users? What protects that data from leaking beyond the approved boarders?
      5) Do you monitor what authenticated users do while on the network?

      If a hacker gains access to the network, there should be other means to stop that user from accessing confidential data. For example, if a user leaves their computer unlocked so a hacker can gain access, there could be other means to protect the network (lock the screen after X amount of seconds, use two factor authentication such as CAC card with login, use TACACS/RAIDUS to access other devices once on the network, DLP protect with authentication for critical data, etc.). There are profiling technology that can monitor if a hacker spoofs something else (IE if a printer starts surfing the web for the first time, it may not be a what the MAC address has on file). There are web content filters, IPS/IDS, packet level forensics applications, netflow tools, and other sensors that can monitor what insiders are doing on the network (IE flag if a hacker attempts to open holes to the outside or bot phone home attempts). Timeouts can be placed on certain groups of users requiring re-authentication every 24 hours. Network Admission Control solutions can monitor specific policies for authenticated users such as denying access if the physical machine is not cooperate issued even if the user authenticates properly, kick a user off who violates policy while on the network, etc.

      In summary, its best to focus on all network layers rather then putting all your eggs in an access control solution. Cheers

      VN:F [1.9.22_1171]
      Rating: 3.0/5 (1 vote cast)

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.