Whether your company runs or bans Wi-Fi, your offices have probably been visited by unauthorized "rogue" access points or stations. Most WLAN owners cite rogue elimination as a top priority. Detecting rogues is fairly easy, but eliminating them can be surprisingly tough. This tip describes a methodical rogue hunting process and tools that can help.

Managing rogue risk
The discovery of unauthorized access points (APs) or stations is very common. These so-called rogues may belong to metro-area networks, neighbors, vendors, customers, employees or malicious attackers. Managing rogue risk requires recognizing trusted devices so that you can mitigate threats posed by others. Since wireless attackers can do damage quickly and move on, it is essential to detect and react promptly to all new devices.

However, it's also important to manage rogue risk efficiently in large WLANs. Spot-checking offices with a discovery tool like NetStumbler or Kismet takes far too long and does nothing to evaluate, much less contain, each rogue's potential impact.

Efficient rogue management requires 24x7 radio monitoring with a wireless intrusion prevention system (WIPS). This can be done with a WLAN switch that scans part-time (e.g., Cisco, Aruba) or with a dedicated WIPS that watches the air full-time (e.g., Motorola AirDefense, AirMagnet, AirTight). A good rogue toolkit should do more that generate alerts – it should give you the power to investigate the rogue's actions, isolate the rogue's physical location and (when appropriate) interfere with the rogue's communication.

To assist with on-site rogue elimination, your toolkit should also include a Mobile WLAN analyzer. These analyzers are available from most WIPS vendors, third parties like WildPackets, TamoSoft and BVS, and in open source tools like Kismet and Wireshark. To reduce on-site effort, look for import/export capabilities that let these tools share data with your WIPS.