Sweep Time for Rogue Access Points
- 21 October, 2004 12:51
By now, practically every CSO and IT manager on the planet is familiar with both the benefits and the risks of 802.11 or Wi-Fi wireless networking. I wrote about them here back in January 2003 (see "On the Same Wavelength"). But the wireless world has changed a lot during the past two years, and it's time for an update.
Dropping a wireless access point on your office LAN is an easy way to provide mobile Internet access to people using laptops and handheld computers - many of which now come with built-in Wi-Fi support. What's more, a new generation of Wi-Fi telephones is about to hit the market. Some of these will be cellular phones that automatically switch to lower-cost voice over Internet protocol (VoIP) whenever they can pick up a Wi-Fi signal; others will be Wi-Fi only phones that work like standard cordless phones, except that they will work anywhere on your organization's wireless LAN.
Unfortunately, an unguarded access point can open up your network to people outside your company's four walls. These access points can be dangerous because they are invariably placed behind the corporate firewall. And most organizations are pretty lax when it comes to matters of internal security.
Organizations have struggled to deal with this double-edged wireless sword. Some require that the media access control (MAC) address of every wireless card and device be registered; access points are then configured so that only the registered machines can have network access. (Recall that both wireless and wired Ethernet systems use a 48-bit MAC address to identify the manufacturer and serial number of every network card. These addresses are typically written as 12 hexadecimal digits, grouped into six pairs separated by five colons, such as 00:03:6d:14:f1:c7.)
An alternative strategy is to divert all wireless users to a "captive portal" - that is, a Web registration form that forces users to provide a user name and password. Some of these systems will then go further and make users consent to a "terms of service" agreement that promises, among other things, that they won't use their newfound wireless access to hack the network. Unfortunately, captive portals don't work too well with those wireless phones and other Wi-Fi devices that don't have Web browsers. This is something to keep in mind if you are considering installing a "portal" system within the next year: Make sure that what you get today can grow with tomorrow's unanticipated network needs.
Open Channels
Because they rely on radio waves, and because radio waves travel in all directions, wireless networks are inherently open channels: Anybody in the vicinity can eavesdrop on your signals without your knowledge. Unless you take measures to protect the privacy of your communications, transmitting something over a wireless network is a lot like putting a file on your website.
The standard way to secure wireless networks is the Wired Equivalent Privacy (WEP) standard. Alas, the vulnerabilities in the WEP protocol are well known and fairly easy to exploit with the proper tools. As a result, today WEP provides security against casual but not determined attackers.
Replacing WEP is a growing number of new technologies that add encryption to a wireless network - including Wi-Fi Protected Access (WPA), the Extensible Authentication Protocol (EAP), and 802.11i, among others. This is a fast-evolving area; you'll find an excellent, highly technical summary of these standards at www.drizzle.com/~aboba/IEEE.
Indeed, wireless security standards are evolving so fast that most security-conscious administrators I know have decided not to trust them. Instead, they plan to use their traditional Virtual Private Network (VPN) software to secure their wireless networks. Essentially, these administrators assume that the wireless network is just another hostile network out there on the Internet. They put the wireless access points outside their firewalls and make their users tunnel in.
The beauty of the VPN approach is that once those access points are safely off the organization's internal LAN, they can be opened up to business partners, travelling salesmen, spouses and just about anybody else who wanders into your building with a wireless-equipped device. Visiting executives get a lot less testy when their meeting is running 25 minutes late if they can spend that time checking e-mail or reading CNN.
A few organizations have gone the other direction and banned wireless devices entirely - or, at least, they've tried to. But banning wireless is hard because the technology has gotten so dirt cheap. Forbid your employees from using wireless and you might discover rogue access points showing up in the ceilings or hidden underneath people's desks.
I had the great pleasure of using one such rogue access point when I spoke at an Ivy League university earlier this year. The school's network group had a policy of "no unauthenticated devices" on the WLAN, so one of the professors just set up a little access point and hid it behind a few books in the office. The signal was weak but it covered a few couches, a meeting area, and, of course, all of the professors' offices. The antiwireless policy didn't keep visitors from having wireless access; it just kept them from having exceptionally good wireless access.
Rogue access points are certainly more of a concern in the business world than in academia. But discovering a $29 access point underneath Jenny's desk doesn't mean that Jenny put it there - perhaps it was Mike over in accounting, whose desk is only 20 feet away from Jenny's. Jenny may not notice any difference in that tangle of wires underneath her desk, and even though he's 20 feet away, Mike still gets the access point benefits because the 2.4 GHz signal used by Wi-Fi easily penetrates walls. So consider talking to everybody in wireless range when you find these rogue access points to increase your chances of nailing the right person.
One way you can try to protect against rogue access points is to lock down your switches so that only authorized MAC addresses can be used on your wired network. Each wireless access point actually has two MAC addresses - one for the wireless interface and a second for the wired. If you register the MAC address for every desktop, print server and laptop, you can lock out all of the devices that are not registered, or so the theory goes. You can get almost the same level of security by programming your Ethernet switch to memorize the MAC address of every device connected to every port, and then automatically shut down that port if a new MAC address appears, which would presumably have happened when Mike unplugged Jenny's computer and plugged in his access point.
Of course, the clever companies that manufacture this wireless gear have already thought about this problem and have come up with a solution: MAC address cloning. Because many cable modem companies already do authentication based on the MAC address, most wireless access points allow you to set the MAC address of their wired Ethernet ports to any address of your choosing. After all, there's nothing wrong with using the same address as somebody else, just as long as both machines aren't on the same physical Ethernet at the same time.
Naturally, the Ethernet address that Mike wants to use is the address for Jenny's computer. He'll just unplug Jenny's computer, plug it into the wireless access point, tell the device to "clone" Jenny's MAC address, and then plug the access point into the wall. This "cloning" feature comes in handy when you are setting up a home wireless network on a cable modem, but it's also great for setting up rogue access points in the business environment.
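The sticky-MAC port security described above, and the cloning trick that slips past it, as an added example that is not from the article: a small Python model of a switch that memorizes the first source MAC seen on each port and shuts the port when a different one appears, run over constructed frames. The port name, the rogue access point's wired MAC and all function names are assumptions; the only address taken from the article is Jenny's.

```python
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form of a 48-bit MAC address."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

@dataclass
class PortSecurity:
    learned: dict = field(default_factory=dict)     # port -> first MAC seen there
    shutdown: set = field(default_factory=set)      # ports shut after a violation
    violations: list = field(default_factory=list)  # (port, expected, seen)

    def frame(self, port: str, src_mac: str) -> str:
        """Process one ingress frame; returns 'ok', 'violation' or 'dropped'."""
        src_mac = normalize_mac(src_mac)
        if port in self.shutdown:
            return "dropped"           # stays down until an admin clears it
        bound = self.learned.setdefault(port, src_mac)
        if bound != src_mac:
            self.shutdown.add(port)
            self.violations.append((port, bound, src_mac))
            return "violation"
        return "ok"

def simulate(events):
    """Run (port, src_mac) frames through a fresh switch; return outcomes and state."""
    ps = PortSecurity()
    return [ps.frame(port, mac) for port, mac in events], ps

JENNY_PC = "00:03:6d:14:f1:c7"   # the address quoted in the article
ROGUE_AP = "00:11:22:33:44:55"   # constructed placeholder for the AP's wired port
PORT = "Gi1/0/7"                 # constructed switch port name

def unplug_and_swap():
    """Mike's AP keeps its own wired MAC: the second address trips the port."""
    return simulate([(PORT, JENNY_PC), (PORT, ROGUE_AP), (PORT, ROGUE_AP)])

def unplug_and_clone():
    """Same swap, but the AP has cloned Jenny's MAC: port security sees nothing."""
    return simulate([(PORT, JENNY_PC), (PORT, JENNY_PC.upper())])
```

The cloned case is the article's point: a port bound to a MAC address only proves that some device is presenting that address, which is why the next paragraph turns to 802.1x.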
One way to defeat cloning is to use 802.1x port-based network authentication. Support for 802.1x is built into Windows XP, but not into many older operating systems or most print servers. So perhaps Mike will have to leave Jenny's computer alone and instead unplug her networked workgroup laser printer.
The more common way to fight rogue access points is to scan for them. You can do a pretty good job just walking around the office with a copy of NetStumbler, a free wireless auditing tool available from the wireless networking and security portal NetStumbler.com. Uber-hip network managers run MiniStumbler on handhelds running the Pocket PC operating system with a plug-in CompactFlash (CF) wireless card. For more serious monitoring, though, some organizations are using commercial tools like Aruba Wireless Network's RF Director. Meanwhile, a growing number of wireless infrastructure providers are adding the ability to monitor for rogue access points directly to their offerings.
Once you've found that access point, you might identify the perpetrator by unplugging the device and seeing who comes around to fix it. Be aware, though, that the perp might not actually be inside your organization - wireless LANs are an ideal tool for economic espionage. Or perhaps he simply set it up a year ago, and has since moved on to another job.
Remember, if you don't provide wireless access to your employees, these days it's all too easy for them to provide service for themselves. Danger.
Simson Garfinkel, CISSP, is a technology writer based in Boston.