Rogue access points (AP) can show up on a network for any number of reasons. A user may set up an AP so he or she can bring a laptop to the break room and still have an Internet connection. A contractor or an internal engineer may set up a wireless router to create a test network and then forget to disable it at the end of the test. People who set up unauthorized APs usually don't mean any harm, but that doesn't make it harmless. If you think attackers aren't looking for wireless connections or can't exploit them, Google the TJX breach. Then start checking your own network. Here are a few suggestions for doing that.
NetStumbler, Kismet and other software tools are great for identifying access points in the area, but they don't provide a lot of information. Are the APs you've discovered on your network, or that of the company or house next door? Unless you're in an isolated area with few businesses, these tools won't tell you everything you need to know.
Another option is to scan your network for unusual MAC addresses, though this can be time consuming and error prone. It used to be easy to scan for MAC addresses registered to D-Link, Netgear, and other SMB device makers, but as major players buy up smaller vendors, it's not as effective. For instance, since Cisco bought Linksys, the MAC addresses show as being Cisco. If you have a known list of good MAC addresses, you can scan for anything that is not approved. However, if you don't have a good inventory of your gear to start with, this method may not be very effective. And even if your network inventory is up to snuff, MAC scanning isn't 100 percent effective. That's because devices can move around the network, or they might not respond to a ping, or they might be powered off at the time of the scan.
Several wireless access point vendors build rogue detection capabilities into their products. They identify the access point from the air and track it via the network. They identify the network port and let you take it from there. On the downside, these products don't come cheap.
Whatever technique or techniques you employ to hunt rouge APs, the key is to search regularly. The PCI security standard requires a quarterly scan, but we recommend more frequent patrols. You should also prepare your response for when you find unauthorized APs.
Be fair and measured. If the user needed to build a test network and IT was taking too long to provision a switch, don't cut her head off. Find a switch and move the connection. If the user just wanted wireless, disconnect the device and explain to him about the risk he exposes the company to with the device. Even better, see if you can set up authorized wireless access in that area; it's a safe bet other users like having it, too. It should go without saying that if you don't have a written policy regarding rogue APs, write one and share it with the organization.Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ... View Full Bio