Rogue Access Point


MntnMan8000
10-05-2004, 05:49 PM
As a network administrator, how can one prevent rogue access points? How could you stop an employee from bringing in their own wireless router and plugging it into their Ethernet port?

Thank you

golfnut
10-05-2004, 09:21 PM
Short answer - you can't prevent it.

What you can do is create a network security policy that is communicated to all employees. It needs to clearly state the consequence for connecting an AP to the network as well as other security risk items.

Invest in a RF monitoring system and note this in your security policy. You don't have to spend a fortune on the system especially if you don't have WLANs deployed. You want to be alerted the minute someone plugs in an AP and take action per your security policy.

I wish more people knew how much of a security threat this is.

It happened at Lowes hardware, because of an open network...

http://www.securityfocus.com/news/8835

Greg

MntnMan8000
10-06-2004, 10:59 PM
Golfnut,

That is what I had thought.

Thank you.

golfnut
10-07-2004, 12:33 PM
If you're in Western Washington, we're in Bellevue and could show you some precautions to take.

Thanks,

Greg
ACJ Technology Solutions
www.acjts.com

matthyson
10-07-2004, 02:13 PM
There are A LOT of things you can and should do.

A corporate policy is great, and a must, but that's akin to having speed limits without police on the road. How do you expect to ensure the policy is being enforced?

There are a number of solutions that can monitor the air and detect access points. Some have even gone as far as being able to classify if an unauthorized AP is actually plugged into the network and is causing an immediate threat, or if it's just Starbucks across the street. Most of these systems can be deployed for pennies per square foot.

Products from Aruba Networks, AirMagnet, and AirDefense are all popular. In fact it was reported on Unstrung that Microsoft deployed Aruba world wide for this reason. AirDefense were the first on the block with this technology and has many deployments as well.

Using these tools is the only way to prevent that $39.99 threat from CompUSA.

Matthew Hyson
mhyson@wirelessfriendly.com

oshea85
10-28-2004, 07:48 AM
Ah, there's something that you can do for very little money, if you have closet switches with the appropriate features...

Cisco switches allow you to define "port-based security", meaning that you can lock an Ethernet port to a particular MAC address. This allows you to prevent users from connecting their own devices to the network. Also, you should disable unused ports.

This would stop 99.9% of your rogue AP risks.

WFI-Maestro
10-28-2004, 11:56 AM
That's true oshea85, but given that most SOHO class APs have a feature to spoof a MAC address, it would defeat the security provided on the switch. Every enterprise class wireless network should have a wireless IDS/IPS like those described by matthyson.

gallwapa
11-09-2004, 03:42 PM
Our school district is having to deal more and more with the threat of rogue access points. We're currently investigating the best possible solution to allow our ports to be used for various purposes. Port-based security would be a harsh solution, as we're in the process of rolling out 1200 laptops - and of course teachers will want to plug in wherever they go visit. Our ports need to be opened for that reason.

Conversely, similar to what was previously mentioned, a policy without police means nothing - our policy is violated daily, and we're trying to find a way for our group of 7 (only one of which has been tasked with locating all rogue APs) to monitor and track down all rogue equipment that is being deployed by our legions of teachers. That's around 2000 individuals a day - not including students with 'tech savvy'.

oshea85
11-09-2004, 07:50 PM
Our school district is having to deal more and more with the threat of rogue access points. We're currently investigating the best possible solution to allow our ports to be used for various purposes. Port-based security would be a harsh solution, as we're in the process of rolling out 1200 laptops - and of course teachers will want to plug in wherever they go visit. Our ports need to be opened for that reason.

gallwapa, does your school provide wireless access now? If so, why are teachers needing to bring in rogues from home? If not, why not?? You're rolling out 1200 laptops that have to be plugged in everywhere they go? Yikes!

My wife's employer (a county government in NY) terminates employees for improper use of network equipment (i.e. non-business use of Internet, etc). A similar policy would prevent teachers from bringing in APs from home at little to no cost.

Another question I would raise is that if your school district is so relaxed about wired port security, what do you care so much about the wireless for?

That's true oshea85, but given that most SOHO class APs have a feature to spoof a MAC address, it would defeat the security provided on the switch. Every enterprise class wireless network should have a wireless IDS/IPS like those described by matthyson.

WFI-Maestro, in a K-12 school environment, I could do a pretty good job of keeping rogue APs off the network without having to spend the $$$ for very application-specific IDS for wireless.

Port-based security could be one part of a solution.
Another could be to disable unused ports.
Another could be to use static IPs. Another could be implementing 802.1x on wired ports, authenticating against an LDAP directory such as NDS.
Another could be to do manual checks with a laptop or pda running NetStumbler.
Another could be to buy commercial software and do manual scans.
Another could be to install a complete system of wireless sensors dedicated to keeping APs off your network.
Another could be to set up a Linux box running Snort, etc.

What matthyson says is all true, although pennies per square foot adds up pretty quickly, and most good solutions cost a little more than that. AirMagnet, w/ a server, console, and four sensors used to list around $8K.

gallwapa
11-10-2004, 10:12 AM
We have some wireless networks at some of the schools - nothing excessive though. Each school is getting money from our recent bond, some are choosing to invest in new printers, others in wireless access points - at this point, there are very few hotspots in the district.

Yes, most of the laptop users will have to plug in. We have a tech steering committee who is directing bond spending - they made said choices, we're only minions to work for them.

A number of our facilities simply are not equipped for wireless - we've surveyed and done trial runs at numerous buildings and it is too expensive, requiring far too many APs or signal boosters.


The problem we have now is that we have a teacher using an AP as a pass-through to boost his signal - without an IP address, it's been hard to catch.

matthyson
11-10-2004, 09:29 PM
Sure you could do.......

Port-based security (lock ports to MACs)
Another could be to disable unused ports.
Another could be to use static IPs. Another could be implementing 802.1x on wired ports, authenticating against an LDAP directory such as NDS.
Another could be to do manual checks with a laptop or pda running NetStumbler.
Another could be to buy commercial software and do manual scans.

as oshea85 suggests.... but the majority of organizations have to consider the operational cost of such an undertaking. This is far more important than straight capex. When factoring in that, a proactive IDS/IPS becomes a significant cost savings.

Just consider how much your Moves/Adds/Changes go up by introducing such security mechanisms....

And such goes the dichotomy... Mobility vs. Security

Matthew Hyson
mhyson@wirelessfriendly.com

keenanj
11-11-2004, 02:19 PM
The AirMagnet laptop / handheld products have many ways to detect rogue access points. You create a security policy and can track down the rogues based on channel, MAC address, radio band, SSID or vendor.

They can also find the access point after it is detected using a Geiger-counter-like find tool.

On top of that the AirMagnet Enterprise / Distributed product can monitor the air 24/7 and send alerts if a rogue is detected. It can also alert you to repeated authentication failures that might signal a hacker.
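The detection criteria that come up across this thread (an authorized MAC list, SSID, channel and vendor OUI as keenanj describes, plus the "is it actually plugged into our network or just the shop across the street" classification matthyson mentions and the wired-side controls in oshea85's list) can be combined into one triage pass over a wireless scan. The following is an added example, not code from any of the posters or from the products named here. Every BSSID, SSID, switch port and OUI in it is constructed for the example; a real deployment would load the IEEE OUI list and pull the MAC table from the closet switches. The wired correlation relies on the common habit of consumer APs deriving their radio BSSID from their wired MAC by a small offset, which is a strong hint rather than proof, since (as WFI-Maestro notes) MACs can be spoofed.

```python
"""Rogue-AP triage over a constructed wireless scan and switch MAC table.

Verdicts: authorized, rogue-on-wire (highest priority: the radio appears to
be cabled into our LAN), rogue-suspect (unknown radio, strong signal or
impersonating our SSID), neighbor (weak signal, no wired footprint).
"""
from dataclasses import dataclass

# Constructed site policy: what this network considers authorized.
AUTHORIZED_BSSIDS = {"00:0b:86:12:34:50", "00:0b:86:12:34:60"}
AUTHORIZED_SSIDS = {"district-wlan"}
ALLOWED_CHANNELS = {1, 6, 11}
# Hypothetical OUI-to-vendor table (assumed values, not the IEEE registry).
OUI_VENDORS = {
    "00:0b:86": "enterprise AP vendor (assumed)",
    "00:0f:66": "consumer router vendor A (assumed)",
    "00:09:5b": "consumer router vendor B (assumed)",
}
APPROVED_OUIS = {"00:0b:86"}


@dataclass
class ApObservation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac: str) -> str:
    return mac.lower()[:8]


def wired_port_for(bssid: str, wired_table, window: int = 8):
    """Return the switch port whose learned MAC is within `window` of the
    BSSID, or None. Consumer APs usually derive the BSSID from the wired
    MAC by a small offset, so a near miss suggests the AP is on our LAN."""
    target = mac_to_int(bssid)
    for port, mac in wired_table:
        if abs(mac_to_int(mac) - target) <= window:
            return port
    return None


def classify(obs: ApObservation, wired_table):
    """Apply the policy checks in priority order; return (verdict, reasons)."""
    if obs.bssid.lower() in AUTHORIZED_BSSIDS:
        return "authorized", []
    reasons = []
    if obs.ssid in AUTHORIZED_SSIDS:
        reasons.append("advertises our SSID from an unknown radio (possible evil twin)")
    if obs.channel not in ALLOWED_CHANNELS:
        reasons.append(f"channel {obs.channel} is not in the channel plan")
    vendor = OUI_VENDORS.get(oui(obs.bssid), "unknown vendor")
    if oui(obs.bssid) not in APPROVED_OUIS:
        reasons.append(f"OUI {oui(obs.bssid)} is {vendor}, not an approved AP vendor")
    port = wired_port_for(obs.bssid, wired_table)
    if port is not None:
        reasons.append(f"BSSID is adjacent to a MAC learned on switch port {port}")
        return "rogue-on-wire", reasons
    # Weak and not on the wire: most likely a neighbor, unless it copies our SSID.
    if obs.rssi_dbm < -75 and obs.ssid not in AUTHORIZED_SSIDS:
        reasons.append(f"weak signal ({obs.rssi_dbm} dBm) and no wired footprint")
        return "neighbor", reasons
    return "rogue-suspect", reasons


def triage(observations, wired_table):
    return {o.bssid: classify(o, wired_table) for o in observations}


# Constructed scan results and a constructed switch MAC table (port, MAC).
SCAN = [
    ApObservation("00:0b:86:12:34:50", "district-wlan", 6, -45),
    ApObservation("00:0f:66:aa:bb:c1", "linksys", 6, -40),
    ApObservation("00:09:5b:11:22:33", "coffee-free", 11, -82),
    ApObservation("00:09:5b:44:55:66", "district-wlan", 3, -50),
]
WIRED_TABLE = [
    ("Gi1/0/3", "00:0b:86:12:34:4f"),
    ("Gi1/0/7", "00:11:22:33:44:55"),
    ("Gi1/0/12", "00:0f:66:aa:bb:c0"),
]

if __name__ == "__main__":
    for bssid, (verdict, reasons) in triage(SCAN, WIRED_TABLE).items():
        print(f"{bssid}  {verdict}")
        for r in reasons:
            print(f"    - {r}")
```

The "rogue-on-wire" verdict is the one worth paging someone for, because it names the closet switch port to shut; the "rogue-suspect" verdict covers the strong unknown radio that copies the district SSID, which is not on the wire but still needs a walk with a finder tool.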

WFI-Maestro
11-11-2004, 02:44 PM
What you're saying oshea85 is all possible, but you have to look at the time required to implement and maintain that type of infrastructure. If we assume that you go on the cheap and use NetStumbler and do all of the other things you said on the network you would have a couple of problems. First of all, NetStumbler wouldn't detect non-broadcast SSIDs, but that's the least of your worries. To have a person walk around every day and analyze the results, and perform moves, adds and changes as required it would cost, conservatively $50 / day (assume 1 person, 2 hours a day, and they get paid $25/hr). Assume that this is done only on weekdays, so 260 days a year. Your cost is $13,000 a year, every year. Or you could purchase an AirMagnet Enterprise starter kit for $9,000 once. Then you're talking about less than 9 months ROI...pretty darn good. Alternatively you could look at Aruba RF Lock, or AirDefense...I'm partial to Aruba or AirMagnet depending on the requirements. Aruba is actually less expensive for just the RF Lock component (around $6,600 for a starter package comparable to AirMagnet Enterprise).

The point is that if you want to properly secure your wireless environment 24x7, whether you have / want wireless or not, you need a dedicated wireless IDS/IPS. In the end it's a lot less expensive than throwing human resources at the problem.

jawinn
11-12-2004, 10:50 AM
Can someone explain what an IDS/IPS is?

thanks

WFI-Maestro
11-12-2004, 12:12 PM
A wireless IDS/IPS is an intrusion detection / intrusion prevention system. A full featured IDS/IPS will detect and "kill" rogue access points (by doing a deauth flood on the rogue AP), detect and stop denial of service attacks, detect and stop man in the middle attacks, report on suspicious activity, etc. Basically it helps to protect your wireless network from intruders / hackers.

johnp
11-23-2004, 06:39 AM
Check out http://www.airtightnetworks.net.
Their SpectraGuard 2.0 product might be something you are looking for.

It can detect, locate and block a rogue connected to your network.

John Peterson
(Cisco Certified Network Engineer)