Handling Rogue Access Points
Rogue access points have become a sort of hot-button issue. Rogue access points are any
wireless access points that exist on your network without the consent of the business. Even
"secure" rogue access points that are connected to your network can pose a security risk.
Preventing rogue access points can be a little tricky, although not impossible. Not only
is it critical for us to find and remove rogue access points from your network, but it can
actually be pretty fun!
We discussed in previous chapters the many different types of devices that could be used
to create rogue wireless networks, as well as the potential for these devices to be deliberately
placed on your network. Remember that regardless of the intent, a rogue access point does
pose security risks.
Rogue wireless networks have received so much attention that some compliance
standards require businesses to specifically address them. For example, the
Payment Card Industry (PCI) Data Security Standard, which is the security
standard that companies that process credit card information must comply with,
has the following requirement:
PCI-DSS 2.0: Test for the presence of wireless access points and detect
unauthorized wireless access points on a quarterly basis.
Even if your organization doesn't have to comply with PCI, this is still
a great process to adopt.
Preventing Rogue Wireless Networks
There are actually very reliable ways to prevent rogue wireless networks from working
on your network. You should note that I didn't say "prevent them from being plugged into
your network." There's really no way to truly prevent rogue wireless devices
from being plugged into your network. The best you can do is educate your users on the
dangers of plugging rogue devices into your network and back up the policy with administrative
discipline if users don't comply. As far as preventing outsiders from placing rogue devices
on your network for malicious purposes, you have to rely on your physical security. In
addition, you should educate your users to notify the IT department if they notice
anything plugged into a network jack that doesn't look like it belongs there.
Therefore, if you can't rely on preventing the devices from being plugged into your
network, you should focus on preventing them from functioning properly once they are
plugged in. Here are your best solutions for preventing them from operating:
• 802.1x (Port-Based Access Control)
• Network Access Control
• Port Security
802.1x Port-Based Access Control
Yes, good old 802.1x. You should be very familiar with it at this point. Remember that
802.1x does not allow a device to communicate past the authenticator (in this case, a
network switch) until after the device has authenticated. For a more in-depth refresher
of 802.1x, you should revisit Chapter 9. In this case, the network switch would play a
role similar to that of an access point configured for WPA2-Enterprise, and would be
considered our 802.1x authenticator.
Just as with 802.1x for wireless networks, we have the flexibility to authenticate
against a variety of backend systems. In Figure 11-1, you can see we're authenticating
to a RADIUS server, which authenticates the user against Active Directory. The same
restrictions we covered in previous chapters can be configured here: restrictions based on
user, group, or even time of day to grant or deny access to the network.
If you configure your switches to require 802.1x authentication, how will this prevent
an unauthorized wireless network from operating on your network? The first and most
important point is that an attacker should not have valid credentials for your network. Even
if an attacker plugs a device with an 802.1x supplicant (client software) into your network,
he won't be able to authenticate, and therefore the port will be useless to the attacker.
Most access points today don't have 802.1x supplicant software, so that prevents most
devices from being able to even operate on your network. This would also stop most
regular inside users who try to plug a regular access point into the network, because it
would simply not work.
There is one situation that 802.1x would not help to prevent. If an insider (most likely
with malicious intent) were to use a device such as a laptop to act as an access point, the
user would authenticate to the switch using her credentials and then configure the wireless
card on the laptop to provide wireless services to other users (see Figure 11-2). In this
scenario, 802.1x alone would have no way of preventing this action. You should note,
however, that this is an extreme scenario, and if you have an inside user capable of doing
this, you probably have bigger issues on your hands.
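To make the preceding two discussions concrete, here is an added example (not from the book, and not tied to any specific figure) of what "configure your switches to require 802.1x authentication" looks like on a Cisco IOS access switch that authenticates against a RADIUS server fronting Active Directory. The RADIUS address (10.0.0.10), the shared secret placeholder, the access VLAN (20) and the interface name (GigabitEthernet1/0/5) are all assumptions chosen for illustration; the commands themselves are standard IOS 802.1X syntax.

```text
! Added example (not the book's own configuration). Cisco IOS syntax.
! RADIUS address, shared secret, VLAN and interface name are assumptions.
!
! --- Global: send 802.1X (dot1x) authentication to the RADIUS server ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server RADIUS-AD
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! Enable 802.1X globally; without this line the per-port settings do nothing.
dot1x system-auth-control
!
! --- Per port: the switch is the authenticator, the plugged-in device must be
! --- the supplicant. Until EAP succeeds, only EAPOL frames pass this port.
interface GigabitEthernet1/0/5
 description User-facing jack in the open office
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 dot1x pae authenticator
 ! Exactly one authenticated MAC address is allowed on the port. Frames from a
 ! second MAC (for example, traffic bridged through a laptop's wireless card)
 ! are dropped and a syslog message is generated.
 authentication host-mode single-host
 authentication violation restrict
!
! --- Verification after plugging a device in ---
! show authentication sessions interface GigabitEthernet1/0/5
! show dot1x interface GigabitEthernet1/0/5 details
```

A consumer access point has no 802.1X supplicant, so with this configuration it never gets past the EAP-Request/Identity exchange and the port stays unauthorized. Note that no guest VLAN or auth-fail VLAN is configured here; adding one would hand a failed device some connectivity, which is exactly what you do not want on a rogue-prone jack. The single-host mode helps with the laptop-as-access-point case only when the laptop bridges its wireless clients onto the wire; a laptop that NATs them shows the switch a single MAC address and, as the chapter says, 802.1x alone cannot tell that apart from a normal user. On older IOS releases the per-port command is `dot1x port-control auto` rather than `authentication port-control auto`.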