Slashdot Mirror


Rogue Access Point Detection?

Yossarian2000 asks: "With all the media attention WLANs have been getting lately, more and more businesses seem to be looking to better understand their implications as relates to company intranets. Whether a business is running a WLAN or not, detecting rogue access points is essential to maintaining some degree of security. Currently, it seems there are few options for detecting APs: subnet scans (which add overhead to the network and can still miss some APs), handheld devices (which require regular site surveys), and systems that use existing access points to detect rogues (this assumes you have APs covering your entire site). Has anyone heard of better methods for the detection of rogue APs?"

6 of 53 comments

  1. Re:Tell people not to do it? by eht · · Score: 2, Insightful

    Just like telling people not to run attachments, most employees seem to do what they want to do especially if you tell them bad things will happen.

  2. Re:Welll.... by anthony_dipierro · · Score: 2, Insightful

    Can't most switches be set up to only allow a single MAC address to connect to a port? Why detect when you can prevent? (Well, maybe you want to weed out bad employees or something, sort of a network honeypot).

  3. Re:Tell people not to do it? by oh · · Score: 2, Insightful

    Fine, then you can't trust your employees. So I ask again, why does it matter if non-employees have access?

    Because I trust my fellow employees not to do anything deliberately malicious. Incompetence, complacency, and downright stupidity I expect, (does it sound like I spent too much time on a helpdesk?) but I don't think they will do something to hurt the company, or steal from it. Sure that wireless access point is a nice toy, and means they can move around the office easier. It also allows anyone on the street to connect to the network and attack an internal server. If I allow WAP access ports, I may as well get rid of the firewall.

    --
    Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.

  4. Rules and Trust by fm6 · · Score: 3, Insightful

    I think I agree with the attitude you're expressing. But you're kind of oversimplifying the issue.

    In a really well-run company, the CIO will tell the CEO, "we have a problem with rogue APs". The CEO tells the VPs, who tell the department managers. The managers bring it up in department meetings. Because the managers have good working relationships with all their subordinates, they figure out who has APs and which ones need to be hardened. Problem solved, and no Big Brother nonsense necessary.

    In the real world, no company is that well run. This manager or VP doesn't get along with his or her subordinates. That one is a control freak. This employee doesn't see what the big deal is, and won't let anybody look at his AP. That one never goes to department meetings, doesn't take orders from anybody, and has so much seniority that...

    Oops, the trauma of my last job is showing! Point is, not all problems end up being solved by management/worker trust and collaboration. It's certainly desirable that you solve as many problems that way as you can. But there's always something you end up having to enforce with rules and snooping, and other nasty stuff. When that sort of thing gets out of hand, the company is probably in deep trouble. But you always have to deal with some of it.

  5. Re:Tell people not to do it? by SeanAhern · · Score: 2, Insightful

    I think we're in violent agreement here.

    The only thing I was adding was the fact that it's possible not to trust at one level (rogue attachments) while still trusting them at another (not running rogue APs). Saying that you don't trust your employees at something fairly small doesn't mean that you distrust them completely.

    State in no uncertain terms when someone joins your company that setting up rogue access points will result in immediate termination and referral to the FBI.

    Sounds like a reasonable policy to me!

    I'd go one step further and make it more general, so that providing access to anyone unauthorized will result in immediate termination. That way it covers any new technology down the road.

  6. Possibilities.. by rit · · Score: 2, Insightful

    A few possibilities present themselves to me here:
    1) Move to IP Locking. Only allow 'approved' IPs to pass through your network. This would limit use of the APs, although they could still 'proxy' (some APs have NAT) using the person's assigned IP while they use an internal IP on their laptop, etc. This could be solved by:
    2) MAC locking, either on firewall or DHCP. Even if you simply locked out a 'class of MACs' (IIRC, each manufacturer/product type has a block of MAC that identifies manufacturer + product) it would limit use of APs.

    Just some thoughts... I'm sure I have more.
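
The two switch-side ideas raised in the comments above (one MAC address per port, and watching for a vendor's block of MACs) can also be run as an audit over a switch's MAC address table. The sketch below is an added example, not part of the original thread; the table layout, port names, uplink list and OUI prefixes are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed watch list: OUI prefixes (first three MAC octets) standing in for
# wireless-AP vendors. Placeholders only; load real ones from the IEEE registry.
AP_OUIS = {"02:aa:01": "ExampleAP Vendor A", "02:aa:02": "ExampleAP Vendor B"}

# Constructed sample in a generic "port mac" layout (an assumption, not any
# particular switch's output format).
SAMPLE_TABLE = """\
Gi0/1  02:11:22:00:00:01
Gi0/2  02:11:22:00:00:02
Gi0/3  02:AA:01:10:20:30
Gi0/4  02:11:22:00:00:04
Gi0/4  02:33:44:00:00:0a
Gi0/4  02:33:44:00:00:0b
Gi0/24 02:11:22:00:00:f0
Gi0/24 02:11:22:00:00:f1
"""

LINE = re.compile(r"^(\S+)\s+((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$", re.I)

def parse_table(text):
    """Return {port: set of normalized MACs} from 'port mac' lines."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ports[m.group(1)].add(m.group(2).lower().replace("-", ":"))
    return ports

def find_suspects(text, uplinks=frozenset(), max_macs=1):
    """Flag access ports that carry too many MACs or a watch-listed OUI."""
    findings = []
    for port, macs in sorted(parse_table(text).items()):
        if port in uplinks:          # trunks legitimately carry many MACs
            continue
        if len(macs) > max_macs:     # bridging AP: clients' MACs show up too
            findings.append((port, "multiple-macs", sorted(macs)))
        hits = sorted(m for m in macs if m[:8] in AP_OUIS)
        if hits:                     # NAT AP: one MAC, but vendor gives it away
            findings.append((port, "ap-oui", hits))
    return findings

if __name__ == "__main__":
    for port, reason, macs in find_suspects(SAMPLE_TABLE, uplinks={"Gi0/24"}):
        print(f"{port}: {reason}: {', '.join(macs)}")
```

The two checks complement each other: a bridging AP exposes its clients' MACs on the port, while an AP doing NAT shows a single MAC and is caught only by its vendor prefix.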