
Detect rogue access points: unsecured wireless access points negate any effort you've made to protect your network--even implementing firewalls. Here's how to detect them.

A BEAT UP VAN PULLS UP in front of a dark office building late at night. A bleary-eyed technician furiously taps away at the keyboard. Like a rat drawn to cheese, his pace accelerates as he gathers information about your network. Within half an hour, he takes control of the domain, and begins hunting for valuable information. Working late into the night, he copies databases and private files. Just before sunrise, he pulls the antenna from the top of the van as the vehicle shudders away from another successful attack.

What helped make this attack successful? An employee installed a wireless access point (AP) and left the default security settings, leaving the network wide open. One open AP effectively extends an unprotected wireless connection to the area surrounding your building, compromising any investments you've made to protect the network perimeter. A more sophisticated attacker could use a high-powered antenna to attack from miles away.

This potential breakdown of the perimeter defenses has inspired several technologies and methods designed to find weak spots. Rogue AP discovery techniques vary in format and price. In this article, I break them into three categories: war-walking, wireless intrusion detection systems (IDSs), and network layer authentication.

War-walking
War-walking is the most common approach to detecting rogue APs. It involves walking around the company building(s) with a laptop and wireless network equipment looking for unauthorized connections. This isn't a one-time job; it's best to war-walk regularly.

This technique requires specialized equipment and software. At the least, you need a laptop with a wireless card and antennas. A spare battery, a global positioning system (GPS) device, and an additional wireless card (with an alternate chipset) are helpful extras.

After you assemble the basic equipment, I recommend trying the following software packages: Netstumbler, AiroPeek, Kismet, and BSD-Airtools. See the sidebar on this page for a discussion of wireless tools. Generally, it takes an experienced technician to use this software effectively, so you might have to outsource this task. If you hire a consulting firm to perform the scans, I recommend carefully screening them. Some companies set up a non-networked rogue AP to test the consultants. A good team should easily discover the device using the war-walking approach.

Wireless intrusion detection system

There are two ways to use a wireless intrusion detection system (IDS) to detect rogue access points. The first involves scanners that use a unique identifier called a Media Access Control (MAC) address to locate rogue access points. (MAC addresses are like license plates the manufacturer assigns to each access point.) However, this method comes with a weakness: Many access points let the user easily hide the AP's true MAC address through "MAC spoofing." Spoofing lets the access point change its MAC address to any value the user desires. This eliminates the ability to identify an access point by its unique MAC. A Linksys AP can impersonate a Cisco AP by simply spoofing the Cisco's MAC address. This means you can't rely solely on MAC scanners to locate rogue access points.

In response to MAC spoofing, another method has evolved, providing more reliable results. This method involves establishing a secondary wireless network with the sole purpose of listening for rogue wireless devices. Administrators use a set of sensors to listen for unauthorized traffic. This approach requires a substantial investment to create a physical network of listening devices. For example, with the AirDefense implementation (discussed in the sidebar on wireless tools) you install these listening devices next to existing APs and configure them via a Web interface. Once installed, current-generation wireless IDS tools provide good detection, but they still only detect rogue APs after the rogue has been installed.
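The two detection approaches above, as an added example (not code from the article or from any product it names): a plain MAC-inventory check flags a BSSID that is not on the authorized list, and the extra attribute comparison a sensor network can make (SSID, channel, encryption) flags an AP that reuses an authorized MAC but does not otherwise match it. The inventory, the observations and the MAC addresses are constructed; a real deployment would feed in its own AP inventory and sensor reports.

```python
# Added example: rogue-AP classification from sensor observations.
# Inventory and observations below are constructed sample data.
from collections import namedtuple

Observation = namedtuple("Observation", "bssid ssid channel encrypted seen_by")

# Authorized APs: BSSID -> attributes the AP is expected to show. (constructed)
AUTHORIZED = {
    "02:00:00:00:00:01": {"ssid": "corp", "channel": 1, "encrypted": True},
    "02:00:00:00:00:02": {"ssid": "corp", "channel": 6, "encrypted": True},
}

# What a listening sensor network might report in one sweep. (constructed)
OBSERVED = [
    Observation("02:00:00:00:00:01", "corp", 1, True, "floor1"),      # legitimate
    Observation("02:00:00:00:00:02", "corp", 6, True, "floor2"),      # legitimate
    Observation("02:00:00:00:00:03", "linksys", 6, False, "floor2"),  # unknown MAC, open
    Observation("02:00:00:00:00:01", "corp", 11, False, "floor3"),    # MAC reused, open
]


def classify(obs, authorized=AUTHORIZED):
    """Return 'authorized', 'unknown' or 'spoofed' for one observation."""
    expected = authorized.get(obs.bssid)
    if expected is None:
        # The classic MAC-scanner hit: this BSSID is not in the inventory.
        return "unknown"
    # The MAC matches an authorized AP, so a pure MAC scanner would accept it.
    # A sensor that also sees SSID/channel/encryption can catch a spoofed MAC
    # when those attributes disagree with what the real AP is known to use.
    mismatched = [k for k, v in expected.items() if getattr(obs, k) != v]
    return "spoofed" if mismatched else "authorized"


def find_rogues(observations, authorized=AUTHORIZED):
    """Return (bssid, verdict, sensor) for every observation that is not authorized."""
    rogues = []
    for obs in observations:
        verdict = classify(obs, authorized)
        if verdict != "authorized":
            rogues.append((obs.bssid, verdict, obs.seen_by))
    return rogues


if __name__ == "__main__":
    for bssid, verdict, sensor in find_rogues(OBSERVED):
        print(f"{verdict:10} {bssid}  (reported by {sensor})")
```

The attribute comparison is a heuristic: an attacker who copies every visible attribute of the real AP will still pass it, which is why the article moves on to 802.1X-style prevention rather than relying on detection alone.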

Network layer authentication

The final approach goes a step beyond detection to prevention. It takes advantage of security features in the next generation of network protocols, called 802.1X. This innovative protocol can require encrypted passwords before a device attaches to the network. It requires careful configuration to avoid serious security flaws. However, a proper configuration only lets users with the correct credentials plug a wireless device into the network. A system properly implemented with this final approach prevents rogue devices from joining in the first place, achieving a higher level of security and easier administration.

Getting started

The first step to wireless security is establishing stronger internal security. You're protecting the network from hostile internal users, as well as other breaches in the perimeter. Second, you should develop techniques and implement a schedule for rogue access point discovery. Finally, you must create strong wireless policies and educate your company's business users about the proper use of wireless technology.

The advent of wireless technology makes in-depth security a crucial part of every enterprise. More than ever, companies must carefully protect their networks from the risks, while learning to leverage the benefits.


The beauty of wireless technology is that it's so accessible. You can find access points and wireless network cards in every consumer electronics store, and the equipment itself isn't too difficult to set up. But, with this strength comes a weakness: This ease of use gives users a false sense of security--literally. Many wireless enthusiasts only know just enough to install the access point. By leaving the default settings, they expose the corporate network to new threats. This opens a direct connection to the network that bypasses any firewalls.

RELATED ARTICLE: Strengthening Wi-Fi security.

The Wireless Fidelity Alliance has a plan for improving Wi-Fi security. Long the Achilles' heel of the popular wireless LAN (WLAN) technology, security is one of the biggest obstacles to Wi-Fi adoption in the enterprise. For example, Wired Equivalent Privacy (WEP)--the encryption mechanism used to protect data on 802.11b networks--is known to have serious flaws. These problems have cast doubt on the WLAN industry.

To address this problem, the Wireless Fidelity Alliance is replacing the WEP security standard with an IEEE standard called Wi-Fi Protected Access (WPA). WEP uses fixed keys that are easy to attain via commonly available software such as Netstumbler. In contrast, WPA uses Temporal Key Integrity Protocol (TKIP), generating a new key for every 10KB of data transmitted over the network. WPA will be integrated into 802.11i.

"This approach allows the industry to bring a strong, standards-based security solution to the market today while giving the IEEE 802.11 Task Group I the time to complete and finalize the full 802.11i Robust Security Network amendment to the existing wireless LAN standard. Security is, and will continue to be, the highest priority for the Wi-Fi Alliance and for the industry," says Wi-Fi Alliance Chairman Dennis Eaton.

The WPA standard is backward-compatible with equipment already in use. Most vendors are expected to offer firmware and software updates for Wi-Fi certified products currently in use.

Wi-Fi-certified products using WPA will appear on the market in the first quarter of 2003. 802.11i will offer a new version of the Wired Equivalent Privacy (WEP) security protocol that uses a 128-bit key instead of the 40-bit key currently in use.

The Wi-Fi Alliance is a non-profit organization formed in 1999 to certify interoperability of 802.11 products and to promote them as the global wireless LAN standard. The Wi-Fi Alliance has instituted a test suite to certify that products are interoperable with other Wi-Fi certified products. For more information about the Wi-Fi Alliance, go to

RELATED ARTICLE: Wireless tools.

Netstumbler
Marius Milner


This software package comes with a user-friendly interface for access point discovery. However, Netstumbler doesn't help you detect access points that have beaconing disabled. (Beacons let the access point advertise its existence to the world. Because 802.11b doesn't require beacons to function, you should disable them if possible.) In spite of this shortcoming, this tool helps even novice users discover access points.

AiroPeek NX

WildPackets, Inc.

US$3,495 for a single user license with 12 months of support

AiroPeek is a sniffer that provides a tremendous amount of information about wireless traffic. The designers at WildPackets have done a good job creating an interface and robust filtering system to help users sort through all this data. The latest version detects both 802.11b and 802.11a traffic.

BSD-Airtools
Dachb0den Labs


BSD-Airtools is a sniffer software package for BSD-UNIX systems. This comprehensive set of tools includes a wireless sniffer, a packet capture tool, a Wired Equivalent Privacy (WEP) key generator, and a WEP cracker. I use this tool primarily when testing WEP key strength. This tool is invaluable, but you must know BSD to use it effectively. For more information about WEP and its security implications, see the sidebar on strengthening Wi-Fi security.


Kismet Wireless


This Linux-based tool comes with many of the features of BSD-Airtools, with the exception of the WEP cracking capability. One of Kismet's most useful features is its ability to tie GPS coordinates to maps. I recommend this tool for people comfortable with Linux but still learning BSD systems.

AirDefense
AirDefense, Inc.

Prices range from US$15,000 for a basic system up to US$79,000 for enterprise solutions.

This hardware solution uses a system of access points to act as a listening network designed to detect new, rogue access points on the network. This requires the expense of establishing a second network of listening devices, and a central device for collecting data. However, depending on the size of your company, the price may be reasonable when compared with war-walking your entire campus every few months.

John Eder gained invaluable consulting experience working in the security and technology solutions practice at Ernst & Young, LLP. While with Ernst & Young, he also earned his Cisco Certified Network Administrator (CCNA) and Certified Information System Security Professional (CISSP) certifications. John now works as a system security consultant for Experlan Corporation. He is active in the security community, presenting and writing on wireless and application security. John's latest research focuses on methods for rogue
COPYRIGHT 2003 Advisor Publications, Inc.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Title Annotation:Wireless Security
Author:Eder, John
Publication:Mobile Business Advisor
Geographic Code:1USA
Date:Feb 1, 2003