olly - Fotolia

Manage Learn to apply best practices and optimize your operations.

How can enterprises defend against an evil twin attack?

The threat of an evil twin attack has plagued enterprises for years, and it's still not leaving. Expert Nick Lewis explains how to defend against evil twins.

What are evil twin wireless access points? I heard about a new tool for detecting them, but is it worth considering...

in an enterprise setting? Are there other ways to prevent users from connecting to evil twin wireless access points?

The evil twin access point attack has been around almost as long as wireless networking. It and other attacks -- such as Firesheep -- are why people should be careful when they connect to insecure wireless networks. Insecure wireless networks are the easiest to spoof and the most susceptible to these attacks. An evil twin attack is when a wireless network is set up with the same name as a legitimate wireless network, but operated by an unauthorized party. The twin is almost always configured without security features, so the greatest number of potential victims will connect to it and receive minimal security warnings about certificate mismatches or incorrect WPA2 keys, among others.

A new tool, called EvilAP_Defender, automates the defense against an evil twin attack. One of the most effective defenses against an evil twin access point is monitoring wireless networks for access points that do not match those used by your enterprise. This could be a difference in the manufacturer or model, security settings and so on. Some wireless control systems have similar functionality, but -- like all security tools -- they require someone to be monitoring the tools to determine what to do when an attack is detected. EvilAP_Defender has the option to just monitor or to perform active defense to protect your wireless network. This could mean sending disassociate packets or otherwise disabling the rogue wireless by using the same channel at a higher power. These actions are general tools to manage wireless networks when a misbehaving access point is discovered.

Using a VPN is also a good way to prevent an evil twin attack and protect users, but it will not necessarily stop users from connecting to the rogue access point. You could disable the option to connect to unapproved wireless networks, but this could be a significant limitation for your users. There may be a configuration option for the wireless supplicant that allows users to only connect to a secure wireless network, rather than just a warning that the user is connecting to an insecure network.

Next Steps

Want to monitor your Wi-Fi network for malicious behavior? Learn how to use the open source networking monitoring tool Kismet

Find out how to secure Wi-Fi now for the future

This was last published in December 2015

Dig Deeper on Network device security: Appliances, firewalls and switches