Introduction
This chapter discusses what may be the single greatest problem of wireless local area networks (WLANs): rogue access points and unauthorized people using otherwise legitimate access points. This chapter covers wireless-aware product features that address both of these problems, as well as how to set up and use them.
This chapter also takes a closer look at rogue access points, which pose significant security threats to businesses and their networks, and discusses how to mitigate that threat.
Employees install wireless devices in their offices and cubicles for their own personal use because they are convenient and inexpensive. Installing access points is as easy as plugging into an Ethernet jack. Unauthorized wireless devices can expose protected corporate networks to attackers, allowing for a security breach. In this chapter, you will learn how personal access points can introduce such threats to your networks and how you can mitigate the threat of rogue access points by using both wireless- and wired-aware devices and their techniques.
You will study traditional techniques such as manual sniffing, physical detection, and wired detection to detect rogue access points, and will also use Cisco’s new centralized solutions for detecting rogue access points. In a Cisco-aware infrastructure network, all wireless devices can work hand-in-hand to detect and report unauthorized access points to the central managing station. (Chapter 12 of this book details how to conduct a complete wireless penetration test using the Auditor Security Collection.)
The Problem with Rogue Access Points
A rogue access point is an unauthorized access point. Unauthorized access points can pose a significant threat by creating a back door into sensitive corporate networks. A back door allows access into a protected network while bypassing all front door security measures. As discussed in previous chapters, wireless signals travel through the air and, in most cases, have no boundaries. They can travel through walls or windows, reaching long distances far outside of a corporate building perimeter. Figure 4.1 shows a wireless signal from access points beaming through the air outside of a corporate building into the parking lot and nearby buildings across the street. These radio signals may come from both rogue and valid access points and may carry sensitive confidential data from inside the corporation or from outside mobile workers. The difference between the two is that the rogue, unauthorized access point was installed by an employee with limited security protection, often left at its default plug-and-play unsecured configuration, while the authorized access point was installed by a skilled engineer with full security support. Further, unlike authorized access points that are configured to protect radio signals confidentially with a robust authentication process, the rogue access point installed by the employee probably does not support such security options, as it cannot interact with the third-party security servers that provide such services.
The bottom line is that rogue access points installed by employees pose a significant threat because they provide poor security measures while extending a corporate network’s reachability to attackers from the outside.
Employees usually install unauthorized access points because of poor performance of the current wireless infrastructure, because they are located in a dead spot, or simply because their company does not provide wireless access. It is important to note that a rogue access point is most likely to be installed in an organization that does not support wireless networks for its employees.
NOTE
Audits to detect rogue wireless access points are required in all corporate network environments, even if they do not provide wireless access.
Access points installed without authorization are unsecured. An average employee is not an expert on wireless security and does not realize the threat they pose with their newly installed rogue access point. Most rogue access points implement a plug-and-play feature that lets the user put them into service with minimal configuration. Security settings are turned off by default, and default passwords are in use that must be changed to keep intruders out.
Figure 4.1 Wireless Reachability
[Figure 4.1: wireless signal from an access point in Building A reaching beyond the building into the parking lot and neighboring Building B, where intruders can receive it.]
As covered in Chapter 2, the best security is implemented using 802.1x protocol features or virtual private networks (VPNs). Both of these security solutions require a third-party device that employees would not have access to; thus, rogue access points are not secure and can be easily attacked to gain access into the connected corporate network.
A Rogue Access Point is Your Weakest Security Link
A network is only as secure as its weakest security link. For example, consider that you have implemented a very stable and secure wireless and wired network. Your secure wireless local area network (LAN) includes per-user authentication using an 802.1x protocol, dynamic Wired Equivalent Privacy (WEP) key assignment with periodic key rotation for confidentiality, and logging for audit purposes.
Now consider that all of the time and money spent providing secure wireless access can be undone by a single rogue access point. Figure 4.2 represents a wireless DMZ in a secure wireless network topology. In order for valid User A to gain access to the protected corporate network, they must go through the proper authentication process, pass the firewall and Intrusion Detection System (IDS), and use encryption. Unlike User A, User B does not need to go through any security measures in order to gain access to the corporate network. User B is simply taking advantage of a rogue access point that was most likely installed with a weak security policy and default settings.
This example represents a back door into a corporation that can be used by the employee who installed the rogue access point and by an intruder that may take advantage of the poorly secured rogue access point.
An Intruder’s Rogue Access Point
An intruder can also install a rogue access point into a corporation. The difference between an intruder’s access point and an employee’s access point is that the intruder’s is not connected to the wired network. How does this make it an unauthorized access point? It is still an unauthorized access point within the corporation’s radio signal area, and it is used as a trap device to catch valid users. When a valid user tries to connect to an intruder’s access point, the intruder’s access point can trick the user into providing useful information such as the authentication type and credentials of the user, which can then be recorded and used later by the attacker to gain access to a valid access point.
One way to mitigate an intruder’s rogue access point is to provide for dual authentication. In dual authentication, the user needs to authenticate the access point and the access point has to authenticate the user. Dual authentication is supported in the 802.1x protocol. Dual authentication allows the user to verify the validity of the access point before its use. The details of the 802.1x protocol are covered in Chapter 2.
Figure 4.2 Bypassing Security with a Rogue Access Point
[Figure 4.2: corporate LAN with a wireless DMZ (AP, firewall, IDS, ACS, management, data bank); User A reaches the LAN through the DMZ security controls, while User B reaches it directly through a rogue AP.]
Preventing and Detecting Rogue Access Points
Many techniques exist to prevent and detect rogue access points. Detecting rogue access points should be performed on every network audit to avoid possible back door exposure. As mentioned earlier, your security is only as strong as your weakest link. Do not let one rogue access point undo your entire carefully secured infrastructure.
Preventing Rogue Access Points with a Security Policy
First and foremost, your security policy must include the use of wireless networks and prohibit the use of personal rogue access points. A security policy does not eliminate the threat of rogue access points, but it does set guidelines for current and future network installations and what steps to take if a rogue access point is detected. A security policy should mandate that all employees follow proper security measures for wireless networks and should also require written approval from the Information Technology (IT) and Security teams approving the installation of a personal access point. It is important that all employees know that freelance access points are prohibited, why they are prohibited, and what will happen if they break the rule. The risks are such that some companies will fire individuals for setting up their own access points.
For a security policy to be successful, it needs to be communicated to the users. If users are not aware of these security rules, they will not follow them. Continuous education and audits of the security policy are a must.
Provide a Secure, Available Wireless Network
Most rogue access points are installed by non-malicious employees who simply want wireless access in their work area. One way to prevent employees from installing such rogue access points is to provide wireless access to them. Installing stable wireless access throughout meeting rooms, the cafeteria, and the outdoor campus allows you to control its access and security implementation. Doing so does not mean you can stop auditing and searching for rogue access points within your network, but it will decrease their detection count and improve overall security.
Sniffing Radio Frequency to Detect and Locate Rogue Access Points
Another technique for detecting rogue access points is to manually use a network sniffer to sniff the radio frequency within your organization’s perimeter. A wireless sniffer allows you to capture all communication traveling through the air, which can then be used for later analysis such as Media Access Control (MAC) address comparison. Every wireless device has its own unique MAC address. If a new, unknown MAC address of an access point is detected in a wireless sniffer trace, it will be red flagged as a rogue access point and investigated further.
Designing & Planning…
Finding MAC Addresses
Every manufacturer programs a unique MAC address into their network card. Every network card has its own MAC address that it uses to communicate with. A MAC address is 48 bits long. The Institute of Electrical and Electronic Engineers (IEEE) controls the first 24 bits (3 octets) of the address. These first 3 octets are called the Organizationally Unique Identifier (OUI). OUIs are given to corporations that produce network devices such as network cards. These corporations must use the unique first 3 octets assigned to them in all of their network devices. The second 24 bits of the 48-bit long MAC address are controlled by the manufacturer. If the manufacturer runs out of unique addresses for the second half of the MAC address, it requests a new 3-octet OUI.
If you detect a MAC address and want to look up its manufacturer, refer to the OUI database Web site at http://standards.ieee.org/regauth/oui/index.shtml
Knowing that every network device has a unique MAC address, you can find out a lot of useful specific information about each device. In Figure 4.3, MAC address 000CCE211918 has been detected. Entering 000CCE (the first half) into the OUI online database reveals that the device detected is a Cisco device.
Tools such as NetStumbler can be used as rogue access point detection sniffers. NetStumbler displays a list of detected access points within signal range that can be compared to a friendly database of access points. NetStumbler can further be used to zero in on a physical rogue access point and its location by measuring the signal strength. Figure 4.3 shows a detected access point with MAC address 000CCE211918. After checking the list of friendly access points, we have determined that this detected MAC address does not match any of the authorized access points and thus is a possible rogue access point. To locate this rogue access point, we begin searching by walking around with a laptop and the NetStumbler utility, following the signal strength. Notice that the signal strength increases as we close in on the physical location of the detected access point.
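The manual procedure described above (capture a trace, normalize the MAC, look up the OUI, compare against the friendly list, and rank by signal strength) is easy to automate for a single sweep. The following is an added example, not code from the book or from NetStumbler: the trace lines, the small OUI table, and the friendly-AP list are all constructed for illustration, and a real lookup would consult the IEEE OUI registry linked in the text.

```python
"""Rogue AP triage from a sniffer trace: OUI lookup plus friendly-list comparison.

Added example, not code from the book. The trace, OUI table and friendly list
below are constructed; the IEEE OUI registry is the authoritative vendor source.
"""
import re

# Constructed subset of an OUI table (first 3 octets -> vendor).
OUI_TABLE = {
    "000CCE": "Cisco Systems",
    "00095B": "Netgear",
    "000D88": "D-Link",
}

# Authorized (friendly) access points, keyed by normalized MAC. Constructed.
FRIENDLY_APS = {
    "000CCE4A10F2": "corp-ap-floor2-east",
    "000CCE4A10F3": "corp-ap-floor2-west",
}

# Constructed sniffer output in a NetStumbler-like text form: MAC, SSID, signal (dBm).
SAMPLE_TRACE = """\
00:0C:CE:4A:10:F2  CorpWLAN     -48
00:0C:CE:21:19:18  linksys      -71
00:09:5B:77:01:AA  default      -83
00:0C:CE:4A:10:F3  CorpWLAN     -55
"""

# Six hex octets with optional ':' or '-' separators, then SSID, then signed integer.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(-?\d+)$")


def normalize_mac(mac: str) -> str:
    """Strip separators and uppercase so '00:0c:ce:..' and '000CCE..' compare equal."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(cleaned) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return cleaned


def oui_of(mac: str) -> str:
    """The first 24 bits (3 octets) are the IEEE-assigned OUI."""
    return normalize_mac(mac)[:6]


def lookup_vendor(mac: str) -> str:
    return OUI_TABLE.get(oui_of(mac), "unknown vendor")


def parse_trace(text: str):
    """Yield (mac, ssid, signal_dbm) tuples; silently skip lines that do not parse."""
    for line in text.splitlines():
        m = MAC_RE.match(line.strip())
        if m:
            yield normalize_mac(m.group(1)), m.group(2), int(m.group(3))


def triage(trace: str, friendly=FRIENDLY_APS):
    """Return one finding per detected AP; anything not on the friendly list is flagged."""
    findings = []
    for mac, ssid, signal in parse_trace(trace):
        findings.append({
            "mac": mac,
            "ssid": ssid,
            "signal_dbm": signal,
            "vendor": lookup_vendor(mac),
            "status": "authorized" if mac in friendly else "POSSIBLE ROGUE",
        })
    return findings


def rogues(trace: str, friendly=FRIENDLY_APS):
    """MACs flagged as possible rogues, strongest signal first (closest to the sniffer)."""
    flagged = [f for f in triage(trace, friendly) if f["status"] != "authorized"]
    return [f["mac"] for f in sorted(flagged, key=lambda f: f["signal_dbm"], reverse=True)]


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"{f['mac']}  {f['ssid']:<10} {f['signal_dbm']:>5} dBm  "
              f"{f['vendor']:<15} {f['status']}")
```

The friendly list is keyed by the normalized 12-hex-digit form so that a trace written with colons, dashes, or lower case still matches; forgetting that normalization is a common reason a known AP gets flagged. Sorting flagged entries by signal strength gives the order in which to walk toward them.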
Tools such as Cisco’s Aironet Client Utility (ACU) can also be used to follow the strength of a radio signal in order to find a detected rogue access point’s physical location. The ACU is installed with Cisco’s Aironet wireless adapter. Figure 4.4 shows the Link Status Meter tool in the ACU that displays the signal strength for MAC address 000CCE211918, which was determined to be a rogue access point in the previous example. Another useful tracking tool within Cisco’s ACU application is the Site Survey tool, as shown in Figure 4.5. Again, using the Site Survey tool, the closer you move to the physical location of a detected access point, the higher the signal strength will be.
Cisco’s Rogue Access Point Detection
Detecting rogue access points with a sniffer device can be a time-consuming and almost impossible task in large-scale wireless and wired environments. The administrator must walk throughout the entire area and manually compare friendly detected access points with possible rogue access points. This task must be repeated almost daily to assure security against rogue access points.
Figure 4.4 ACU: Link Status Meter
Cisco has developed a more robust solution to overcoming the manual work effort of sniffing for rogue access points. Instead of walking around with a laptop and antenna to detect possible rogue access points, Cisco’s solution allows you to turn all of the wireless clients and access points into an army of sniffers that continually analyze and monitor the radio frequencies around them (see Figure 4.6). This allows you to perform 24 hours a day/7 days per week automatic detection of rogue access points throughout all locations where authorized wireless clients and access points are located. Rogue access points detected by wireless clients and access points are then sent to the central management station where the network administrator is alerted.
Central Management with WLSE to Detect Rogue Access Points
The Wireless LAN Solution Engine (WLSE) is a CiscoWorks application that provides central management for all Cisco-aware wireless devices. WLSE can be used to receive rogue access point detection information from wireless clients and access points through Simple Network Management Protocol (SNMP). When a wireless client detects a possible rogue access point, it sends the information to a friendly access point, which then sends it to the WLSE engine via an SNMP trap to inform the management server of its findings (see Figure 4.7). WLSE receives this information and compares it against a database of friendly access points. If the WLSE cannot find the reported access point on its friendly list of valid access points, it red flags it and alerts management that a possible rogue access point has been detected.
Figure 4.6 All Cisco-aware Devices Become Sniffers
[Figure 4.6: friendly wireless clients and friendly access points all listening for, and reporting, nearby rogue APs.]
A WLSE centralized solution is welcomed by administrators in large- and mid-sized Cisco wireless-aware environments, as it provides scalability and central management and, with its automated process, greatly improves the overall security against rogue access points.
The WLSE can also use triangulation to calculate the physical location of rogue access points, by using the signal strength reported by multiple wireless clients and access points at the time of detection. This allows you not only to detect rogue access points, but also to know their approximate physical location. WLSE is also capable of providing the IP address and port of the switch into which the rogue access point is physically connected, allowing you to quickly locate and disable the rogue access point to eliminate its security threat.
Figure 4.7 Rogue Access Point Detection by Client
[Figure 4.7: WLSE server on the management LAN, friendly APs and wireless users on the user LAN, and a rogue AP. Steps: 1. Rogue AP detected; 2. Notify friendly AP; 3. Notify WLSE server; 4. Log detection.]
Figure 4.8 shows a rogue access point detection alert from the WLSE that reports that an unauthorized access point has been detected by four friendly access points. Further information shows that the detected rogue access point is broadcasting the “ROGUE” SSID in its beacons. The Received Signal Strength Indicator (RSSI) next to each reporting access point represents the signal strength relationship between the rogue and that friendly access point, and is used to estimate the approximate physical location of the detected rogue access point.
One WLSE feature allows you to import and configure your floor blueprints, which can be used to provide a visual of the wireless clients and access points within the network wireless area. In Figure 4.9, a floor map is used along with RSSI information from friendly access points to visualize the location of a detected rogue access point. As you can see, the visual map shows four friendly access points reporting the detected rogue access point and its estimated physical location. Such automatic and detailed support from WLSE allows you to quickly find and terminate rogue access points.
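The centralized workflow just described (several friendly APs each report the same beacon with an RSSI, the management station drops anything on the friendly list, counts the reporters, and places the rogue on the floor map) can be sketched in a few dozen lines. This is an added example and is not WLSE’s own code or algorithm: the report records stand in for SNMP traps, the AP floor coordinates are constructed, and the RSSI-to-distance model and its parameters (a simple log-distance path-loss formula with an assumed reference power and exponent) are assumptions chosen for the demonstration, not values taken from the book.

```python
"""Central rogue-report correlation with a rough RSSI-based location estimate.

Added example, not WLSE code. Reports, AP coordinates and the distance model
are constructed/assumed for illustration; WLSE receives the real reports as SNMP traps.
"""
from collections import defaultdict
from dataclasses import dataclass

# Friendly (authorized) AP BSSIDs. Constructed.
FRIENDLY_BSSIDS = {"000CCE4A10F2", "000CCE4A10F3", "000CCE4A10F4", "000CCE4A10F5"}

# Constructed floor-map coordinates (metres) of the four friendly APs.
AP_POSITIONS = {
    "000CCE4A10F2": (0.0, 0.0),
    "000CCE4A10F3": (30.0, 0.0),
    "000CCE4A10F4": (0.0, 20.0),
    "000CCE4A10F5": (30.0, 20.0),
}


@dataclass(frozen=True)
class RogueReport:
    reporter: str    # friendly AP that heard the beacon
    bssid: str       # MAC of the suspected rogue
    ssid: str
    rssi_dbm: int    # signal strength as seen by the reporter


# Constructed reports, as if four friendly APs each trapped the same beacon.
SAMPLE_REPORTS = [
    RogueReport("000CCE4A10F2", "000CCE211918", "ROGUE", -45),
    RogueReport("000CCE4A10F3", "000CCE211918", "ROGUE", -70),
    RogueReport("000CCE4A10F4", "000CCE211918", "ROGUE", -62),
    RogueReport("000CCE4A10F5", "000CCE211918", "ROGUE", -78),
    # A friendly AP heard by its neighbour must not be flagged.
    RogueReport("000CCE4A10F2", "000CCE4A10F3", "CorpWLAN", -60),
]


def rssi_to_distance(rssi_dbm: int, ref_power_dbm: int = -40, path_loss_n: float = 3.0) -> float:
    """Assumed log-distance path-loss model: d = 10 ** ((P_ref - RSSI) / (10 * n)).

    P_ref is the RSSI expected at 1 m and n the indoor path-loss exponent; both are
    assumptions for the demo and would be calibrated per site in practice.
    """
    return 10 ** ((ref_power_dbm - rssi_dbm) / (10 * path_loss_n))


def correlate(reports, friendly=FRIENDLY_BSSIDS):
    """Group reports by reported BSSID, discarding anything on the friendly list."""
    by_bssid = defaultdict(list)
    for r in reports:
        if r.bssid not in friendly:
            by_bssid[r.bssid].append(r)
    return dict(by_bssid)


def estimate_position(reports, positions=AP_POSITIONS):
    """Inverse-distance-weighted centroid of the reporting APs' coordinates.

    Stronger RSSI -> shorter estimated distance -> larger weight. Needs at least
    three reporters to be meaningful; returns (x, y) rounded to 0.1 m, else None.
    """
    if len(reports) < 3:
        return None
    total_w = x = y = 0.0
    for r in reports:
        w = 1.0 / rssi_to_distance(r.rssi_dbm)
        px, py = positions[r.reporter]
        x += w * px
        y += w * py
        total_w += w
    return (round(x / total_w, 1), round(y / total_w, 1))


def alerts(reports):
    """One alert per suspected rogue: SSID, number of reporters, estimated position."""
    return [
        {
            "bssid": bssid,
            "ssid": rs[0].ssid,
            "reporters": len(rs),
            "position": estimate_position(rs),
        }
        for bssid, rs in correlate(reports).items()
    ]


if __name__ == "__main__":
    for a in alerts(SAMPLE_REPORTS):
        print(a)
```

With the constructed reports, the rogue is heard loudest by the AP at the origin and weakest by the one diagonally opposite, so the estimate lands close to the origin corner. The weighted-centroid approach can only place a rogue inside the hull of the reporting APs, which is why the function refuses to estimate with fewer than three reporters; a real system would also want the switch-port information the text mentions to pin down the wired side.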
IEEE 802.1x Port-based Security to Prevent Rogue Access Points
This section reviews IEEE 802.1x protocol, its use in wireless and wired LANs, and how it can aid in mitigating the threat of rogue access points. For further details on the 802.1x protocol and its implementation in a wireless environment, refer to Chapter 2.
As discussed earlier, there are two different types of rogue access points: one that is installed by an employee with a physical connection to the corporate LAN, and one that is installed by an intruder without any physical connection to the wired LAN. An intruder’s rogue access point is used to trick valid users into establishing a connection in order to obtain confidential information. To prevent connection to a rogue access point, a valid user needs a method of validating the access point, just as the access point needs a method of validating the user.
Prevent Users from Using Rogue Access Points with 802.1x
In a wireless environment, the 802.1x protocol provides mutual authentication that