The term Rogue Access Point often refers to unauthorized access
points deployed with malicious intent, but in general it covers
any unauthorized wireless device regardless of its real intent.
The different types of rogue wireless devices are shown in the
figure below. Rogue access points can be any of the following
types:
Employee installed rogue access points
Mis-configured rogue access points
Rogue access points from neighboring WLANs
Rogue access points that don't adhere to corporate policies
Malicious rogue access points operated by attackers
Figure: Different Types Of Rogue Devices
Employee Installed Rogue Access Points:
Driven by the convenience of wireless home networking, some
employees plug cheap Small Office Home Office (SOHO) grade
access points into the corporate LAN. This unintentional act by
novice users punches a big hole in enterprise security,
exposing critical data to outsiders. The cheap AP is unlikely to
follow the enterprise's standard deployment procedures (it may run
with open authentication, weak or no encryption, and default
credentials), compromising security on both the wireless and the
wired network. Visitors inside your building and attackers outside
it can connect to such unauthorized APs to steal bandwidth, send
objectionable content to others, retrieve confidential data, attack
company assets, or use your network to attack others.
Mis-Configured Rogue Access Points:
Sometimes an authorized access point can suddenly turn into a
rogue device because of a minor configuration flaw. Changes to
the Service Set Identifier (SSID), authentication settings,
encryption settings and so on should be taken seriously, as they
can enable unauthorized associations if not configured properly.
For example, with Open System authentication any wireless client
in state 1 (unauthenticated and unassociated) can send an
Authentication Request to the AP, and on success it moves to
state 2 (authenticated but unassociated); only from state 2 can
it associate and reach state 3. If the AP does not validate
clients properly because of such a flaw, an attacker can send a
flood of Authentication Requests from spoofed source addresses,
fill the AP's client-association table, and cause it to reject
other clients, including legitimate ones.
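The authentication-flood failure mode described above, as an added example that is not code from the original page or from WiFi Manager: a toy model of an Open System AP whose client table is exhausted by Authentication Requests from spoofed MAC addresses, plus a simple rate-based detector run over constructed frame records. The table size, BSSID, MAC addresses, thresholds and frames are all constructed for the example.

```python
"""Toy 802.11 authentication state machine at an open-mode AP, plus a
rate-based Authentication Request flood detector. Everything below
(table size, BSSID, MACs, frame records) is constructed for this example."""
from collections import deque
from dataclasses import dataclass, field

# 802.11 station states as tracked by the AP
STATE1 = "unauthenticated, unassociated"
STATE2 = "authenticated, unassociated"
STATE3 = "authenticated, associated"


@dataclass
class OpenSystemAP:
    """AP using Open System authentication with a bounded client table.

    Every accepted Authentication Request moves the sender to STATE2 and
    consumes a table entry even if the sender never associates. The
    table_size is hypothetical; real APs hold far more entries.
    """
    table_size: int
    clients: dict = field(default_factory=dict)

    def state_of(self, mac):
        return self.clients.get(mac, STATE1)

    def authenticate(self, mac):
        """Handle an Authentication Request. Returns True on success."""
        if mac in self.clients:
            return True                   # already in STATE2 or STATE3
        if len(self.clients) >= self.table_size:
            return False                  # table exhausted: request rejected
        self.clients[mac] = STATE2
        return True

    def associate(self, mac):
        """Handle an Association Request; only STATE2 stations may associate."""
        if self.clients.get(mac) != STATE2:
            return False
        self.clients[mac] = STATE3
        return True


def auth_flood(ap, count):
    """Send `count` Authentication Requests, each from a distinct spoofed MAC."""
    for i in range(count):
        ap.authenticate(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")


def detect_auth_flood(frames, window=1.0, threshold=20):
    """Rate-based detector over (timestamp, src, bssid, subtype) records.

    Counts Authentication frames per BSSID inside a sliding time window
    and returns {bssid: peak_count} for BSSIDs that exceeded `threshold`.
    """
    recent = {}      # bssid -> deque of timestamps still inside the window
    peaks = {}
    for ts, _src, bssid, subtype in sorted(frames):
        if subtype != "auth":
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


AP_BSSID = "00:11:22:33:44:55"   # constructed BSSID of the targeted AP
# Constructed capture: 60 Authentication frames in 0.6 s from 60 spoofed
# sources, followed much later by one ordinary client joining.
FRAMES = [(0.1 + i * 0.01, f"02:00:00:00:00:{i:02x}", AP_BSSID, "auth")
          for i in range(60)]
FRAMES += [(5.0, "00:aa:bb:cc:dd:01", AP_BSSID, "auth"),
           (5.1, "00:aa:bb:cc:dd:01", AP_BSSID, "assoc")]

if __name__ == "__main__":
    ap = OpenSystemAP(table_size=32)
    auth_flood(ap, 50)
    print("legitimate client authenticated:",
          ap.authenticate("00:aa:bb:cc:dd:01"))       # False: table is full
    print("flagged BSSIDs:", detect_auth_flood(FRAMES))
```

The detector keys on the destination BSSID rather than the source address because a flood uses a fresh source MAC per frame; per-source counting would never trip. Tune `window` and `threshold` to the normal join rate of the site (a shift change or a lecture hall filling up produces a legitimate burst).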
Rogue Access Points From Neighbor WLANs:
802.11 clients automatically choose the best available AP
nearby and connect to it. For example, Windows XP connects
automatically to the best connection available in the vicinity.
Because of this behavior, authorized clients of one organization
can connect to access points of a neighboring organization.
Though the neighbor's APs have not intentionally lured the
client, these associations can expose sensitive data.
Ad-Hoc Devices:
Wireless clients can communicate among themselves without
requiring a LAN bridging device such as an access point.
Though such devices can share data among themselves, they pose
a significant threat to the enterprise because they lack the
necessary security measures such as 802.1X user authentication
and dynamic key encryption. As a result, ad-hoc networks risk
exposing data in the air (as the data is not encrypted). In
addition, weak authentication may allow unauthorized devices to
join. If the ad-hoc mode clients are also connected to the
wired network, the entire enterprise wired network is at risk.
Rogue Access Points That Don't Adhere To Corporate
Policies:
Enterprises can set policies on what constitutes an authorized
AP. The most basic one is MAC address based filtering: the
enterprise pre-configures the list of MAC addresses (BSSIDs) of
its authorized devices, and any device detected outside that list
signifies the presence of a rogue. Note that an attacker can clone
an authorized MAC address, so a match on the list alone is not
proof of legitimacy. Also, if an organization standardizes on
Cisco access points, then an AP from any other vendor (identified
by the OUI prefix of its MAC address) that is plugged into the
corporate LAN can be deemed rogue. Similarly, enterprises can set
policies on SSID, radio media type, and channel. Whenever a new
access point discovered in the network falls outside the
pre-configured authorized list, it can be assumed to be a rogue AP.
Rogue Access Points Operated By Attackers:
Wireless LANs are prone to numerous attacks, and freely available
open-source attack tools ease the attacker's job. An attacker can
install an access point with the same ESSID as the authorized AP;
legitimate clients that receive a stronger signal from the
attacker-operated AP will associate with it, and the attacker can
then launch a man-in-the-middle attack.
Attacker Operated Clients:
Using a wireless-enabled laptop and a couple of tools, an
attacker can disrupt wireless service in nearby networks. Most
such denial-of-service attacks aim at exhausting AP resources
such as the client-association table.
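The policy-based classification described under "Rogue Access Points That Don't Adhere To Corporate Policies", extended to also flag the evil-twin case from the attacker section, as an added example that is not code from the original page or from WiFi Manager. The policy (authorized BSSIDs, vendor, SSID, media, channel, encryption), the OUI-to-vendor table, the scan records and the `on_wired_lan` flag (assumed to come from a wired-side scan that saw the AP's MAC on a corporate switch port) are all constructed for the example.

```python
"""Policy-based classification of discovered access points.

Added example, not WiFi Manager's code. The policy, OUI table and scan
records are constructed; `on_wired_lan` is assumed to be supplied by a
wired-side scan that saw the AP's MAC on a corporate switch port."""
from dataclasses import dataclass

# Constructed OUI (first three octets) -> vendor map. A real deployment
# would load the IEEE OUI registry; these two prefixes are placeholders.
OUI_VENDOR = {
    "00:11:22": "Cisco",         # assumed corporate standard vendor
    "00:aa:bb": "SOHOVendor",    # assumed consumer-grade vendor
}

# Hypothetical corporate policy: anything outside these sets is a violation.
POLICY = {
    "authorized_bssids": {"00:11:22:00:00:01", "00:11:22:00:00:02"},
    "vendors": {"Cisco"},
    "ssids": {"CorpNet"},
    "media": {"802.11a", "802.11g"},
    "channels": {1, 6, 11},
    "encryption": {"WPA2"},
}


@dataclass(frozen=True)
class DiscoveredAP:
    bssid: str
    ssid: str
    channel: int
    media: str          # radio media type, e.g. "802.11g"
    encryption: str     # "WPA2", "WEP" or "OPEN"
    on_wired_lan: bool  # AP's MAC was also seen on the corporate wired LAN


def vendor_of(bssid):
    """Map a BSSID to its vendor via the OUI prefix ("unknown" if absent)."""
    return OUI_VENDOR.get(bssid.lower()[:8], "unknown")


def classify(ap, policy):
    """Return the list of policy violations; an empty list means compliant."""
    v = []
    vendor = vendor_of(ap.bssid)
    if ap.bssid.lower() not in policy["authorized_bssids"]:
        v.append("bssid not in authorized list")
    if vendor not in policy["vendors"]:
        v.append(f"vendor {vendor} not permitted")
    if ap.ssid not in policy["ssids"]:
        v.append(f"ssid {ap.ssid!r} not permitted")
    if ap.media not in policy["media"]:
        v.append(f"media {ap.media} not permitted")
    if ap.channel not in policy["channels"]:
        v.append(f"channel {ap.channel} not permitted")
    if ap.encryption not in policy["encryption"]:
        v.append(f"encryption {ap.encryption} not permitted")
    return v


def label(ap, policy):
    """Turn violations into one of the rogue categories used on this page."""
    violations = classify(ap, policy)
    known = ap.bssid.lower() in policy["authorized_bssids"]
    if not violations:
        return "authorized"
    if known:
        return "misconfigured"            # our AP, but drifted from policy
    if ap.ssid in policy["ssids"]:
        return "evil-twin-candidate"      # corporate SSID on an unknown BSSID
    if ap.on_wired_lan:
        return "rogue-on-lan"             # e.g. employee-installed SOHO AP
    return "neighbor"                     # unknown AP not bridged to our LAN


def triage(aps, policy):
    """Group scan results by label: {label: [bssid, ...]}."""
    buckets = {}
    for ap in aps:
        buckets.setdefault(label(ap, policy), []).append(ap.bssid)
    return buckets


# Constructed scan results, one per category described on this page.
SCAN = [
    DiscoveredAP("00:11:22:00:00:01", "CorpNet", 6, "802.11g", "WPA2", True),
    DiscoveredAP("00:11:22:00:00:02", "CorpNet", 6, "802.11g", "OPEN", True),
    DiscoveredAP("00:aa:bb:00:00:09", "linksys", 11, "802.11g", "WEP", True),
    DiscoveredAP("00:cc:dd:00:00:05", "NeighborCorp", 1, "802.11a", "WPA2", False),
    DiscoveredAP("00:aa:bb:00:00:10", "CorpNet", 6, "802.11g", "OPEN", False),
]

if __name__ == "__main__":
    for ap in SCAN:
        print(f"{ap.bssid}  {label(ap, POLICY):<20} {classify(ap, POLICY)}")
```

Because an attacker can clone an authorized BSSID, an AP labelled "authorized" should still be cross-checked against the channel and sensor location at which that BSSID is normally heard; a known BSSID appearing on a new channel or from a new sensor deserves the same attention as an unknown one.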
In short, a rogue access point is any untrusted or unknown access
point running in your WLAN. Detecting these rogue access points
is the first step in efficiently defending your WLAN against them.