One of the primary concerns that security professionals express with regard to WLANs is rogue APs. Rogue APs can be APs that are connected to the enterprise wired LAN without authorization, or APs that are not connected to the wired LAN but that accept associations from clients. A rogue AP can even be an ordinary computer with a wireless card and a special software package that makes it act as an AP. Rogue APs that are connected to the wired LAN are a security concern because they might not be secured according to the corporation's security policy, which in turn creates a vulnerability in the enterprise network. Rogue APs that are not connected to the wired LAN might accept association requests from clients, which can hamper or deny enterprise clients' access to the corporate WLAN. Rogue APs can also be classified into two security categories: nonmalicious and malicious.
In the nonmalicious case, which accounts for the majority of rogue APs, someone installs an AP not to bypass the corporation's security policy but to deploy wireless as a convenience or productivity enhancer. The installer does not intentionally try to evade detection and uses the default configuration of the AP. The network administrator can often rely on these defaults to identify the rogue: the Service Set Identifier (SSID) is compared against the enterprise WLAN's SSIDs to find a conflicting or factory-default SSID, and the Media Access Control (MAC) address is matched against the IEEE OUI of a known AP manufacturer.
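The default-configuration checks described above (SSID comparison and MAC OUI matching against an authorized inventory) can be expressed as a small classifier run over scan results. The following is an added example, not code from the book or from any Cisco product; the scan records, the authorized BSSID list, the default-SSID list and the OUI-to-vendor table are constructed sample data (the OUIs are hypothetical, not taken from the IEEE registry).

```python
"""Classify access points seen in a WLAN scan against an authorized inventory.

Added example with constructed sample data. In a real deployment the scan
records would come from the WLAN infrastructure reports or a manual scan,
and the OUI table from the IEEE OUI registry.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, hypothetical OUIs (first three octets) of AP manufacturers.
AP_VENDOR_OUIS = {
    "00:11:22": "ExampleAPVendor",
    "00:33:44": "OtherAPVendor",
}

# Authorized infrastructure: BSSIDs of the enterprise APs and the SSIDs
# they are allowed to advertise (constructed values).
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
CORPORATE_SSIDS = {"corp-wlan"}

# SSIDs commonly left in place by installers who keep the factory defaults
# (constructed list for the example).
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}


@dataclass
class ScanRecord:
    bssid: str    # MAC address of the AP as seen in its beacons
    ssid: str
    channel: int


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) of a MAC address."""
    return mac.lower()[:8]


def classify(rec: ScanRecord) -> Tuple[str, List[str]]:
    """Return (category, reasons) for one scanned AP.

    Categories: 'authorized', 'authorized-unexpected-ssid', 'suspect', 'unknown'.
    'suspect' carries the reasons an administrator would look at first.
    """
    bssid = rec.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        if rec.ssid in CORPORATE_SSIDS:
            return "authorized", []
        # An inventoried AP advertising a foreign SSID is a misconfiguration.
        return "authorized-unexpected-ssid", [f"SSID {rec.ssid!r} not approved"]

    reasons = []
    if rec.ssid in CORPORATE_SSIDS:
        reasons.append("advertises a corporate SSID from a non-inventoried BSSID")
    if rec.ssid.lower() in DEFAULT_SSIDS:
        reasons.append("factory-default SSID")
    vendor = AP_VENDOR_OUIS.get(oui(bssid))
    if vendor:
        reasons.append(f"OUI belongs to AP manufacturer {vendor}")
    if reasons:
        return "suspect", reasons
    # No evidence either way: could be a neighbor's AP outside the building.
    return "unknown", []


def report(records: List[ScanRecord]) -> List[Tuple[str, str]]:
    """Return (bssid, category) for every record that needs follow-up."""
    out = []
    for rec in records:
        category, _ = classify(rec)
        if category != "authorized":
            out.append((rec.bssid.lower(), category))
    return out


if __name__ == "__main__":
    # Constructed scan: one authorized AP, one default-config AP, one neighbor.
    scan = [
        ScanRecord("00:11:22:aa:bb:01", "corp-wlan", 1),
        ScanRecord("00:33:44:01:02:03", "default", 6),
        ScanRecord("00:99:88:77:66:55", "coffee-shop", 11),
    ]
    for rec in scan:
        print(rec.bssid, *classify(rec))
```

Note that a BSSID match alone is not proof of legitimacy: the malicious case discussed next includes an attacker spoofing the MAC address of a legitimate AP, so a record classified "authorized" here should still be reconciled against where the infrastructure itself reports that AP to be.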
In the case of malicious APs, the attacker sets up the AP to gain access to the wired network or to disrupt the performance of the WLAN. The attacker can spoof a MAC address to match a legitimate AP, or the attacker can set power, channel, and SSID on the rogue AP to limit its effective coverage area, which in turn minimizes the likelihood of the rogue AP being detected.
Significant technology and manual effort must be expended to mitigate the threat of rogue APs. The primary methods of rogue AP detection are as follows:
WLAN infrastructure reporting
Manual rogue AP scanning
Wired network auditing
This section focuses on these three approaches and covers the pros and cons of each. In most environments, the use of two or all three methods might be appropriate.
Chapter 9, "SWAN: End-to-End Security Deployment," discusses SWAN rogue AP detection. However, the network administrator needs to address additional considerations when deploying SWAN rogue AP detection.
The first consideration is covering areas that currently do not have approved WLAN coverage. The network administrator must make a decision about how to best scan these areas for rogue APs. There are two primary options. The first is to do manual rogue AP detection, which is covered in the following section. The second option is based on SWAN and utilizes an AP that is deployed in scan-only mode. In this mode, the AP is not configured to accept WLAN client connections but scans only the frequency channels for AP or client activity. It might transmit beacons, but it will not interfere with the client-to-AP communication. In addition, it will not respond to probes. Finally, scan-only APs are capable of detecting unassociated clients. It is important to detect unassociated clients in areas without authorized WLAN infrastructure because you do not want them to potentially associate to an unauthorized AP. For both options, the network administrator should use a high-gain antenna to maximize the range of the radio for rogue AP detection. For instance, with scan-only APs, you might want to deploy with an omnidirectional, high-gain antenna to get maximum coverage.
Note
Bug lighting is a term sometimes used to describe attackers' efforts to get unsuspecting clients to associate to a rogue AP. The analogy is that attackers set up a rogue AP and fire up a valid SSID in an attempt to lure unsuspecting clients to their rogue AP, much like a bug light is set up to lure unsuspecting bugs.
The second consideration is covering both the 2.4-GHz and 5-GHz frequency ranges when the enterprise has approved deployments in only one of them. In these deployments, the network administrator must choose a method by which to scan the other frequency range to make sure rogue APs do not utilize that range for unauthorized access. Again, the network administrator needs to choose whether to use manual rogue AP detection or a scan-only AP to provide this coverage. In many cases, network administrators might choose to deploy dual-mode APs with high-gain antennas just to enable the ability to monitor the secondary frequency for rogue APs.
The third consideration is detecting 802.11 ad-hoc mode WLANs operating within a building. 802.11 ad-hoc WLANs allow clients to set up a local network in which participants communicate directly with each other; this is known as an independent basic service set (IBSS) configuration. A member of the wired or infrastructure WLAN that also participates in an ad-hoc network could unwittingly provide unauthorized access to the enterprise network. For this reason, the network administrator might find it necessary to detect these ad-hoc networks. Ad-hoc network detection leverages the SWAN architecture and its radio management (RM) features.
For an ad-hoc network to be created, the participants must issue beacons that synchronize their communication. APs deployed in an infrastructure WLAN can detect these beacons and report them to the Wireless Domain Services (WDS) in their RM messages. The WDS then puts the relevant information into the RM aggregator messages that it sends to the Wireless LAN Solution Engine (WLSE). Figure 11-1 shows this detection and reporting mechanism.
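The detection step relies on a property of the beacon itself: the capability field of an 802.11 beacon carries an ESS bit (set by infrastructure APs) and an IBSS bit (set by ad-hoc participants), so a monitoring radio can tell the two apart without joining either network. The following is an added example, not code from the book or from the SWAN/WLSE products; it builds minimal beacon frames as constructed test fixtures (no captured traffic), parses the capability field and the SSID and channel information elements, and produces the kind of ad-hoc summary an AP would forward in its RM report. The MAC addresses and SSIDs are made up.

```python
"""Parse 802.11 beacon frames and flag IBSS (ad-hoc) networks.

Added example. Beacon layout used here (IEEE 802.11 management frame):
  24-byte MAC header: frame control(2) duration(2) DA(6) SA(6) BSSID(6) seq(2)
  fixed body: timestamp(8) beacon interval(2) capability(2), little-endian
  then tagged information elements: tag(1) length(1) value(length)
Capability bit 0 = ESS (infrastructure), bit 1 = IBSS (ad-hoc), bit 4 = Privacy.
"""
import struct
from typing import Dict, List, Optional, Tuple

CAP_ESS = 0x0001
CAP_IBSS = 0x0002
CAP_PRIVACY = 0x0010
IE_SSID = 0
IE_DS_PARAM = 3          # DS parameter set: one byte, the channel number


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(sa: str, bssid: str, ssid: str, channel: int,
                 ibss: bool = False, privacy: bool = False) -> bytes:
    """Construct a minimal beacon frame as a test fixture (not captured data)."""
    frame_control = b"\x80\x00"          # type 0 (management), subtype 8 (beacon)
    header = (frame_control + b"\x00\x00" + b"\xff" * 6 +
              mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00")
    cap = CAP_IBSS if ibss else CAP_ESS
    if privacy:
        cap |= CAP_PRIVACY
    fixed = struct.pack("<QHH", 0, 100, cap)   # timestamp, interval (TU), capability
    ssid_raw = ssid.encode()
    ies = bytes([IE_SSID, len(ssid_raw)]) + ssid_raw + bytes([IE_DS_PARAM, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> Dict[str, object]:
    """Return sa, bssid, ssid, channel, privacy and mode for one beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    fc_type = (frame[0] >> 2) & 0x3
    fc_subtype = (frame[0] >> 4) & 0xF
    if fc_type != 0 or fc_subtype != 8:
        raise ValueError("not a beacon frame")
    sa = mac_str(frame[10:16])
    bssid = mac_str(frame[16:22])
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)

    ssid: Optional[str] = None
    channel: Optional[int] = None
    off = 36
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) < length:          # truncated element: stop, keep what we have
            break
        if tag == IE_SSID:
            ssid = value.decode(errors="replace")
        elif tag == IE_DS_PARAM and length == 1:
            channel = value[0]
        off += 2 + length

    ess, ibss = bool(cap & CAP_ESS), bool(cap & CAP_IBSS)
    if ibss and not ess:
        mode = "ibss"
    elif ess and not ibss:
        mode = "infrastructure"
    else:
        mode = "malformed"               # both or neither bit set is not valid
    return {"sa": sa, "bssid": bssid, "ssid": ssid, "channel": channel,
            "interval": interval, "privacy": bool(cap & CAP_PRIVACY), "mode": mode}


def detect_ad_hoc(frames: List[bytes]) -> List[Tuple[str, str, int]]:
    """Summarize the IBSS networks seen: (bssid, ssid, channel), deduplicated.

    This is the information a monitoring AP would hand up in its RM report.
    """
    seen = {}
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:
            continue                     # not a beacon, or too damaged to parse
        if info["mode"] == "ibss":
            seen.setdefault(info["bssid"], (info["bssid"], info["ssid"], info["channel"]))
    return list(seen.values())


if __name__ == "__main__":
    infra = build_beacon("00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "corp-wlan", 6, privacy=True)
    adhoc = build_beacon("02:aa:bb:cc:dd:ee", "02:ab:cd:ef:01:23", "adhoc-net", 11, ibss=True)
    print(detect_ad_hoc([infra, adhoc, adhoc]))
```

In an IBSS the BSSID is a locally administered address chosen by whichever station started the network, so it will not match any AP vendor OUI; the IBSS capability bit, not the address, is the reliable indicator.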