1 All You Wanted to Know About WiFi Rogue Access Points A quick reference to Rogue AP security threat, Rogue AP detection and mitigation Gopinath K. N. Hemant Chaskar AirTight Networks
2 What is Rogue AP Unmanaged (unauthorized) AP attached to enterprise wired network
3 How does Rogue AP pop up on enterprise network Malicious intent or simply unwitting, impatient employee Commoditization of WiFi APs raises the risk of someone putting up personal AP on the enterprise network Wall Jack AP Pocket AP Wireless Router PCMCIA and USB APs It has been estimated that almost 20% of corporations have Rogue APs in their networks at some time
4 Why is Rogue AP such a bad thing Rogue AP on network = (logically) LAN jack of your network hanging out of the premises RF signal spillage of Rogue AP provides access to wired enterprise network from outside of the premises
5 What are some specific attacks which can be launched through Rogue AP Attacks on wired network infrastructure ARP poisoning, DHCP attacks, STP attacks, DoS attacks etc. Mapping the network for targeted attacks Scanning hosts on network for targeted attacks MIM (Man-In-Middle) and data sniffing on wired network See this blog article for details on attacks through Rogue AP So, how can you protect enterprise network from Rogue APs?
6 Can the firewall protect from Rogue AP No! Firewall works at traffic transfer point between LAN & Internet Firewall does not detect Rogue AP Firewall does not see traffic through Rogue AP Rogue AP Internet Firewall Office Premises and LAN Attacker
7 Can WPA2 protect from Rogue APs No! You can enforce security controls such as WPA2 only on APs which you manage, i.e., your Authorized APs Rogue AP is not your managed AP In fact, most Rogue APs found in the field installed by naïve users either have OPEN wireless link (out of box default) or WEP wireless link (deterministically crackable)
8 Is 802.1X port control sufficient to protect from Rogue AP As a matter of fact, most networks do not have 802.1x port control today If even if 802.1x is deployed, it cannot protect from all Rogue AP configurations, some examples below: 802.1X Rogue AP Legitimate user Rogue APs over bridging laptops MAC spoofer
9 Can antivirus, wired IDS protect from Rogue AP No! Rogue AP threats operates at a layer below antivirus and wired IDS protection
10 Is NAC sufficient to protect from Rogue AP As a matter of fact, most networks do not have NAC deployed today If even if NAC is deployed, it cannot protect from all Rogue AP configurations, some examples below: NAC Rogue AP Rogue APs over bridging laptops MAC spoofer Legitimate user
11 So what protects network from Rogue APs Sensor based wireless intrusion prevention system (WIPS) which Watches for Rogue APs 24x7 Performs wired/wireless correlation for AP network connectivity testing to detect Rogue AP Provides for automatic blocking of Rogue AP Locates Rogue AP for easy searching and removal from the network
12 WIPS in action - Rogue AP protection See demonstration video at demos/rogueap-demo/rogueap-demo.html
13 What are different types of Rogue APs Various permutations and combinations of Bridging APs (on subnets coinciding with or different from wired interface address) Router (NAT) APs (with and without MAC cloning) APs with encrypted wireless links APs with open wireless links Soft APs (natively configured on wireless client or which use external devices such as USB sticks) APs on different VLANs in the LAN including no-wifi subnets
14 Can wire side only scanning protect from all Rogue AP No! Several Rogue AP types are undetectable by wire side only scanning, examples: Bridging APs on a subnet inconsistent with their wired IP address (default configuration) Soft APs Router (NAT) APs with cloned wire side MAC address See for more details
15 What does AP auto-classification mean in the context of Rogue AP Automatically classifying APs visible in airspace into three categories: Authorized, External and Rogue Authorized AP External AP Managed APs (Static Part) All APs visible in air Unmanaged APs (Dynamic Part) Not connected to my network Rogue AP Connected to my network
16 What is key technology enabler for accurate autoclassification Robust testing of AP s connectivity to monitored enterprise network is the key technology enabler If AP is not detected as connected, when it is indeed connected to the monitored enterprise network, it results in security hole (false negative) If AP is detected as connected, when it is indeed not connected to the monitored enterprise network, it results in false alarm (false positive)
17 What are prevalent AP connectivity testing methods MAC Correlation (CAM table lookup) Collect all MAC addresses seen on wired network (CAM table lookup) Detect all MAC addresses seen on wireless network Presume network connectivity of APs based on match between wired and wireless MAC addresses Signature Packet Injection Inject signatures packets in the wired and wireless network Detect which APs forward signature packets between wired and wireless interfaces Confirm network connectivity of APs based on signature packet forwarding
18 How do these connectivity testing methods compare Packet injection method is superior to CAM table lookup as it is fast, accurate, gracefully scalable to large networks and capable of detecting all types of Rogue APs For more details on this comparison and auto-classification methods used in various WIPS in the market, see
19 How does WIPS block Rogue AP Over the air quarantine WIPS sensor blocks client s connection to Rogue AP by transmitting spoofed disconnection frames Deauthentication is popularly used disconnection frame Switch port disable WIPS attempts to locate switch port into which Rogue AP is connected If found, disables the switch port using SNMP WIPS Sensor Rogue AP
20 How do the two Rogue AP blocking methods compare Over the air quarantine Works independent of correlation between wired and wireless addresses of Rogue AP Non-intrusive with network infrastructure No interoperability problems with different switch vendors Deauthentication based over the air quarantine will not work with.11w Rogue APs Switch port disable Only works for those Rogue APs which have correlation between wired and wireless addresses Highly intrusive. WIPS needs need to know set password on switches. Error in tracing leaf switch may turn off entire switch branch Suffers from switch vendor interoperability problems
21 Conclusion Rogue AP is unmanaged AP plugged into wired enterprise network by unwilling or malicious employees or visitors Rogue AP can expose wired enterprise network to outsiders over its RF signal spillage Rogue AP threat is not mitigated by firewalls, WPA2, 802.1x, NAC, anti-virus or wire side scanners Sensor based wireless intrusion prevention system (WIPS) detects, blocks and locates Rogue APs Testing of AP s connectivity to monitored enterprise network is key technology enabler for reliable protection from Rogue APs
339 N. Bernardo Avenue Mountain View, CA 94043 www.airtightnetworks.net Overview With the rapid adoption of Wi-Fi networks by enterprise IT departments everywhere, network security now involves an entirely
A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2012 AirTight Networks, Inc. All rights reserved. WiFi is proliferating fast.
WIRELESS NETWORKING SECURITY Dec 2010 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
VMG1312-B Series Wireless N VDSL2 4-port Gateway with USB Default Login Details LAN IP http://192.168.1.1 Address User Name admin Password 1234 Version 1.00 Edition 1, 7/2012 www.zyxel.com IMPORTANT! IMPORTANT!
WL-5460AP 54Mbps Multi-Function Wireless AP User s Manual 1 Regulatory Information Federal Communication Commission Interference Statement This equipment has been tested and found to comply with the limits
Wireless Networking for Small Businesses 1 Running Head: WIRELESS NETWORKING FOR SMALL BUSINESSES Wireless Networking for Small Businesses Russell Morgan East Carolina University Wireless Networking for
Conceptronic 300N Wireless LAN Broadband Router User s Manual Version: 1.0 Contents Chapter I: Introduction 1-1. Product Features 1-2. Safety information 1-3. Package contents 1-4. Familiar with your new
Copyright Statement is the registered trademark of Shenzhen Tenda Technology Co., Ltd. All the products and product names mentioned herein are the trademarks or registered trademarks of their respective
Dolphin 70e Black powered by Android Network and Security Guide Disclaimer Honeywell International Inc. ( HII ) reserves the right to make changes in specifications and other information contained in this
WHITE PAPER SAFE: A Security Blueprint for Enterprise Networks Authors Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this White Paper. Sean is the lead architect for the reference
BiPAC 7401VGP R3 VoIP/ 802.11g ADSL2+ Firewall Router User Manual Version released: 6.24b.dm2 Last Revised Date: July 04, 2012 Table of Contents Chapter 1: Introduction...1 Introduction to your Router...1
Emerson Wireless Security WirelessHART and Wi-Fi TM Security Wireless security is critical to the successful deployment of both field instrument networks and plant application solutions. This paper demonstrates
Vodafone R101 Table of Contents Welcome...3 1. Getting Started Initial Connection and Security Settings... 4 1.1 Overview... 5 System Requirements... 5 Device overview... 5 Sharing Dock and USB Stick LEDs...
BT Business Total Broadband User Guide Contents To install your BT Business Hub, follow your handy Quick Start guide. This User Guide contains more detailed set-up and service information, including troubleshooting.
An ISS Technical White Paper Wireless LAN Security 802.11b and Corporate Networks 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Introduction Although a variety of wireless network
VoIP Security Best Practice (Version: 1.2) NEC Corporation Liability Disclaimer NEC Corporation reserves the right to change the specifications, functions, or features, at any time, without notice. NEC
How can I protect a system from cyber attacks? System Technical Note Cyber security recommendations Design your architecture 2 Disclaimer This document is not comprehensive for any systems using the given
- 1 - Wireless Modem Router User Guide Copyright Statement is the registered trademark of Shenzhen Tenda Technology Co., Ltd. All the products and product names mentioned herein are the trademarks or registered
Prestige 660HW Series ADSL 2+ 4-Port Gateway with 802.11g Wireless Prestige 660H Series ADSL 2+ 4-Port Gateway Compact Guide Version 3.40 September 2004 Table of Contents 1 Introducing the Prestige...4
Unified Security Monitoring Best Practices June 8, 2011 (Revision 1) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
Cox Business Internet Gateway and Guest WiFi Administrator Guide April, 2014 Introduction This guide provides instructions for configuring your Wireless Gateway. The software s Graphical User Interface
NETGEAR VoIP Avaya QE 20 Avaya Quick Edition and NETGEAR Design Guide Table of Contents 1.0 Introduction................................................ 2 2.0 Scope....................................................
1 VoIP Reliability in Managed Service Deployments Technical White Paper Introduction This White Paper introduces the Aspen 365 family of network appliances and explains how service providers offering a
OPEN824RL / RLW VoIP/(802.11g) ADSL2+ Router Technical Reference Copyright Copyright 2006 OPEN Networks Pty Ltd. All rights reserved. The content of this manual is subject to change without notice. The
Promiscuous Monitoring in Ethernet and Wi-Fi Networks Executive Summary This white paper examines the problems related to the deployment and usage of software-based network monitoring solutions in wired