What are evil twin wireless access points? I heard about a new tool for detecting them, but is it worth considering in an enterprise setting? Are there other ways to prevent users from connecting to evil twin wireless access points?
The evil twin access point attack has been around almost as long as wireless networking. It and other attacks -- such as Firesheep -- are why people should be careful when they connect to insecure wireless networks. Insecure wireless networks are the easiest to spoof and the most susceptible to these attacks. An evil twin attack is when a wireless network is set up with the same name (SSID) as a legitimate wireless network, but operated by an unauthorized party. The twin is almost always configured without security features, so the greatest number of potential victims will connect to it and receive few or no security warnings, such as those about certificate mismatches or incorrect WPA2 keys.
A new tool, called EvilAP_Defender, automates the defense against an evil twin attack. One of the most effective defenses against an evil twin access point is monitoring wireless networks for access points that do not match those used by your enterprise. This could be a difference in the manufacturer or model, the security settings and so on. Some wireless control systems have similar functionality, but -- like all security tools -- they require someone to be monitoring the tools to determine what to do when an attack is detected. EvilAP_Defender has the option to just monitor or to perform active defense to protect your wireless network. This could mean sending disassociate packets or otherwise disabling the rogue access point, for example by transmitting on the same channel at higher power. These actions are general tools for managing wireless networks when a misbehaving access point is discovered.
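As an added illustration of the monitoring approach just described (example code, not EvilAP_Defender's own), the following Python compares scan results against an inventory of authorized access points, flagging an SSID that is beaconed from an unknown BSSID, from a different vendor OUI, or with a different security setting than the enterprise uses. The SSID, BSSIDs and scan records are constructed for the example.

```python
from dataclasses import dataclass
# Authorized APs per SSID: permitted BSSIDs and the expected security mode.
# Constructed values for illustration, not a real inventory.
AUTHORIZED = {
    "CorpWiFi": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
                 "security": "WPA2-Enterprise"},
}

@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str      # MAC address of the beaconing radio
    security: str   # "Open", "WPA2-PSK", "WPA2-Enterprise", ...

def classify(result, authorized=AUTHORIZED):
    """Reasons an AP looks like an evil twin; [] for authorized APs and unmanaged SSIDs."""
    policy = authorized.get(result.ssid)
    if policy is None:
        return []                      # someone else's network, not our twin
    reasons = []
    bssid = result.bssid.lower()
    if bssid not in policy["bssids"]:
        reasons.append("unknown BSSID")
        # The OUI (first three octets) identifies the radio vendor; one used by
        # none of the authorized APs is the manufacturer mismatch described above.
        if bssid[:8] not in {b[:8] for b in policy["bssids"]}:
            reasons.append("vendor OUI mismatch")
    if result.security != policy["security"]:
        reasons.append(f"security {result.security}, expected {policy['security']}")
    return reasons

def find_evil_twins(scan, authorized=AUTHORIZED):
    """Map lower-cased BSSID -> reasons for every scanned AP that fails a check."""
    return {r.bssid.lower(): reasons
            for r in scan if (reasons := classify(r, authorized))}

# Constructed scan: two legitimate APs, an open twin on a foreign vendor OUI,
# a same-vendor twin with an unknown BSSID, and an unmanaged neighbour.
SAMPLE_SCAN = [
    ScanResult("CorpWiFi", "00:11:22:AA:BB:01", "WPA2-Enterprise"),
    ScanResult("CorpWiFi", "00:11:22:aa:bb:02", "WPA2-Enterprise"),
    ScanResult("CorpWiFi", "de:ad:be:ef:00:01", "Open"),
    ScanResult("CorpWiFi", "00:11:22:aa:bb:99", "WPA2-Enterprise"),
    ScanResult("CafeGuest", "02:00:00:00:00:01", "Open"),
]

if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SAMPLE_SCAN).items():
        print(f"ALERT {bssid}: {', '.join(reasons)}")
```

In a real deployment the scan list would come from a wireless controller or a sensor such as Kismet, and each alert would be reviewed by a person before any active response is taken.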
Using a VPN is also a good way to limit the damage from an evil twin attack and protect users' traffic, but it will not necessarily stop users from connecting to the rogue access point. You could disable the option to connect to unapproved wireless networks, but this could be a significant limitation for your users. There may also be a configuration option in the wireless supplicant that allows users to connect only to secure wireless networks, rather than merely warning the user that the network they are joining is insecure.
Related Q&A from Nick Lewis