Hunting for rogue wireless devices

Detecting rogues is fairly easy, but eliminating them can be surprisingly tough. This tip describes a methodical rogue hunting process and tools that can help.

Whether your company runs or bans Wi-Fi, your offices have probably been visited by unauthorized "rogue" access points or stations. Most WLAN owners cite rogue elimination as a top priority. Detecting rogues is fairly easy, but eliminating them can be surprisingly tough. This tip describes a methodical rogue hunting process and tools that can help.

Managing rogue risk

The discovery of unauthorized access points (APs) or stations is very common. These so-called rogues may belong to metro-area networks, neighbors, vendors, customers, employees or malicious attackers. Managing rogue risk requires recognizing trusted devices so that you can mitigate threats posed by others. Since wireless attackers can do damage quickly and move on, it is essential to detect and react promptly to all new devices.

However, it's also important to manage rogue risk efficiently in large WLANs. Spot-checking offices with a discovery tool like NetStumbler or Kismet takes far too long and does nothing to evaluate, much less contain, each rogue's potential impact.

Efficient rogue management requires 24x7 radio monitoring with a wireless intrusion prevention system (WIPS). This can be done with a WLAN switch that scans part-time (e.g., Cisco, Aruba) or with a dedicated WIPS that watches the air full-time (e.g., Motorola AirDefense, AirMagnet, AirTight). A good rogue toolkit should do more that generate alerts – it should give you the power to investigate the rogue's actions, isolate the rogue's physical location and (when appropriate) interfere with the rogue's communication.

To assist with on-site rogue elimination, your toolkit should also include a Mobile WLAN analyzer. These analyzers are available from most WIPS vendors, third parties like WildPackets, TamoSoft and BVS, and in open source tools like Kismet and Wireshark. To reduce on-site effort, look for import/export capabilities that let these tools share data with your WIPS.

Game plan for rogue elimination

Once you've gathered the right tools, it's time to develop a methodical plan for dealing with rogues. Here is a list of steps that you might include in your plan:

  1. Create a baseline inventory of wireless devices
    Survey existing 802.11 devices -- APs, stations and ad hoc nodes -- by walking your site with a mobile WLAN analyzer. Record samples at regular intervals (e.g., every 200 feet, at building corners). Merge samples, documenting each device's MAC address, extended service set identifier (ESSID), average/peak signal-to-noise ratio (SNR), channel, security state and IP address. Stations may use many ESSIDs and channels, depending upon associated AP(s). Establish a threshold for distant neighbors, and then use a mobile analyzer to track down devices with a strong enough signal to be inside or very near your office. Try to determine wired network connectivity and probable owner and location with sufficient accuracy to enable classification.
  2. Classify all discovered devices and configure your tools
    Filter your inventory into several categories so that you can focus on real threats by treating some devices differently in access control lists and security alert policies. You may have your WIPS ignore distant neighbors but alert you to associations between your devices and close neighbors. Eliminate unauthorized devices inside your office, either by removing them or making them part of your official WLAN, then create an authorized AP and station list to enforce policies for those devices. For example, watch for AP settings that could indicate accidental reset or MAC spoofing. Accurate classification now will save investigation time down the road.
  3. Monitor your wireless and wired network for new devices
    Install a WIPS positioned to monitor slightly beyond your WLAN's footprint to spot rogues next door or outside. Small or remote offices not monitored by WIPS can be randomly spot-checked with mobile analyzers. If you have a WLAN controller, wired IDS/IPS or network management system, also configure it to spot rogues -- for example, prevent unauthorized MACs from using your Ethernet switches, or spot unexpected broadcasts on your AP VLAN. Finally, configure WIPS and mobile analyzer alerts so that you won't be deluged with false positives. For example, have WIPS automatically trace wired switch connectivity so that you can focus on network-connected rogues.
  4. Stem potential damage during your investigation
    Consider using WIPS "containment" features automatically upon rogue detection or manually after investigation. Although capabilities vary, an AP or station can often be temporarily kicked off your WLAN by aiming a deauthenticate flood at the rogue's MAC address. An AP connected to your network can often be impaired by disabling the nearest Ethernet switch port. Containment can stem damage while you track a rogue down, but it can also be destructive. Be sure that you know what these features do before using them -- especially auto-containment. For example, you may be comfortable blocking your own stations when connected to rogue APs that are attached to your own wired network, but avoid blocking potential rogues with indeterminate wired connectivity that could turn out to belong to a neighbor.
  5. Investigate new devices to determine threat
    Figure out whether that rogue belongs to a neighbor, visitor, employee or attacker by gathering evidence. Even basic properties like SNR and ESSID can be helpful. If that new AP seems to belong to the café next door, give them a call to confirm. In addition to connectivity tracing, capture traffic using sensors or a mobile analyzer to determine which systems and applications the rogue is using. Use location maps to predict the rogue's physical location. Capabilities vary, but many WIPSes can highlight a region on your floorplan, reducing the search area to 20 feet or less.
  6. Decide upon and execute a permanent course of action
    Use the fruits of your investigation to decide how to permanently deal with the rogue. This involves politics, policies and procedures, but it's pointless to get this far and not have a plan for what to do next. For example, how do you eliminate rogues installed without permission by naïve employees? If a malicious rogue has left the building, how do you protect yourself from a repeat performance? If the rogue is an employee-owned PDA, do you have a program for teaching safe wireless use?
  7. Update your device inventory to reflect the outcome
    After you've taken permanent action to mitigate a rogue threat, update inventory and associated policies so the device will be treated correctly in the future. If you contained the rogue during investigation, decide whether to cancel that now. If you were unable to find the rogue, use a "watch list" to speed future response or increase surveillance at that office for awhile.

Resource lists

In this tip, we mentioned several tools that can be helpful for rogue hunting. For additional suggestions and new tools, please visit these resource lists:

Wireless Security Lunchtime Learning

This was last published in June 2009

Dig Deeper on Wireless network security