Rogue Access Points


A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially give unauthorized parties access to a secure network. Rogue access points of the second kind target networks that do not employ mutual authentication (client-to-server and server-to-client) and may be used in conjunction with a rogue RADIUS server, depending on the security configuration of the target network.

To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

A large number of wireless access points can typically be sensed in the airspace of an enterprise facility. These include managed access points in the secure network plus access points in the neighborhood. A wireless intrusion prevention system facilitates the job of auditing these access points on a continuous basis to learn whether there are any rogue access points among them.

In order to detect rogue access points, two conditions need to be tested:

  • whether or not the access point is in the managed access point list;
  • whether or not it is connected to the secure network.

The first of the above two conditions is easy to test: compare the wireless MAC address (also called the BSSID) of the access point against the managed access point BSSID list. However, automated testing of the second condition can become challenging in light of the following factors:

  • the need to cover different types of access point devices, such as bridging, NAT (router), unencrypted wireless links, encrypted wireless links, different types of relations between the wired and wireless MAC addresses of access points, and soft access points;
  • the need to determine access point connectivity with acceptable response time in large networks;
  • the requirement to avoid both false positives and false negatives, which are described below.

A false positive (crying wolf) occurs when the wireless intrusion prevention system flags an access point that is not actually connected to the secure network as a wired rogue. Frequent false positives waste administrative time spent chasing them. The possibility of false positives also hinders enabling automated blocking of wired rogues, for fear of blocking a friendly neighborhood access point.

A false negative occurs when the wireless intrusion prevention system fails to detect an access point that is actually connected to the secure network as a wired rogue. False negatives leave security holes.

If an unauthorized access point is found connected to the secure network, it is a rogue access point of the first kind (also called a “wired rogue”). On the other hand, if the unauthorized access point is found not to be connected to the secure network, it is an external access point. Among the external access points, any that is found to be mischievous or a potential risk (e.g., one whose settings can attract or have already attracted secure network wireless clients) is tagged as a rogue access point of the second kind, which is often called an “evil twin”.
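The two-condition test above, worked as an added example (not code from the original page): the BSSID is first checked against the managed list, then the wired condition is tested by looking for the AP's likely Ethernet MAC in constructed switch MAC tables (the BSSID-to-wired-MAC offset window, the corporate SSID list and the authorized station list are all assumptions), and unconnected APs are split into external and evil twin.

```python
# Constructed sample inventory (all values made up for this example).
MANAGED_BSSIDS = {"00:11:22:33:44:50", "00:11:22:33:44:60"}  # managed AP list
CORPORATE_SSIDS = {"corp-secure"}
AUTHORIZED_STATIONS = {"08:00:27:10:00:01", "08:00:27:10:00:02"}
# MAC address tables as a WIPS would pull them from LAN switches (e.g. via SNMP).
SWITCH_MAC_TABLES = {
    "sw-floor1": {"00:11:22:33:44:4f", "a4:5e:60:aa:bb:01", "d8:3a:dd:10:20:30"},
    "sw-floor2": {"00:11:22:33:44:5f", "f0:9f:c2:00:00:02"},
}

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def int_to_mac(n):
    h = "{:012x}".format(n)
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def wired_mac_candidates(bssid, window=4):
    """Wired-side MACs an AP with this BSSID might use. Many APs derive the
    BSSID from the Ethernet MAC by a small offset, so the wired check is made
    against a +/- window rather than the BSSID alone (heuristic; models that
    use unrelated addresses would be a false negative here)."""
    base = mac_to_int(bssid)
    return {int_to_mac(base + d) for d in range(-window, window + 1)}

def find_wired_attachment(bssid):
    """Name of the switch whose MAC table holds a candidate wired MAC, else None."""
    candidates = wired_mac_candidates(bssid)
    for switch, table in SWITCH_MAC_TABLES.items():
        if candidates & table:
            return switch
    return None

def classify(bssid, ssid, clients=frozenset()):
    """Return (verdict, switch) for one observed AP."""
    # Condition 1: is the BSSID in the managed access point list?
    if bssid in MANAGED_BSSIDS:
        return "authorized", None
    # Condition 2: is it attached to the secure (wired) network?
    switch = find_wired_attachment(bssid)
    if switch:
        return "wired rogue", switch
    # External AP: tag as evil twin if it advertises a corporate SSID or has
    # already attracted one of our authorized stations.
    if ssid in CORPORATE_SSIDS or set(clients) & AUTHORIZED_STATIONS:
        return "evil twin", None
    return "external", None

if __name__ == "__main__":
    for ap in [("00:11:22:33:44:50", "corp-secure", {"08:00:27:10:00:01"}),
               ("a4:5e:60:aa:bb:03", "linksys", set()),
               ("f0:9f:c2:00:00:09", "corp-secure", set()),
               ("3c:22:fb:12:34:56", "cafe-guest", set())]:
        print(ap[0], ap[1], classify(*ap))
```

Widening the window reduces false negatives for APs whose wired MAC is further from the BSSID, at the cost of more false positives against unrelated wired hosts.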

Soft Rogue Access Point

A soft access point (soft AP) is set up on a Wi-Fi adapter without the need for a physical Wi-Fi router. With Windows 7 virtual Wi-Fi capabilities and Intel My WiFi technology, one can easily set up a soft AP on a Windows 7/Windows Vista machine. Once up and running, one can share the network access available on that machine with other Wi-Fi users who connect to the soft AP. If an employee sets up a soft AP on their machine inside the corporate premises and shares the corporate network through it, then this soft AP behaves as a rogue AP.

Rogue Access Point detection/mitigation

To safely tap the full potential of WLANs, companies must take steps to find and annihilate these so-called rogues. This paper explains what rogue access points and stations are, why they present a business risk, and how to apply industry best practices to effectively:

  • detect;
  • block;
  • locate;
  • eliminate rogues.

A robust plan for managing rogue threats must address all four steps in this critical process, including automated blocking to immediately stop the damage that could occur while your investigation is underway.

New WLAN deployments typically begin with a site survey. WLAN planning tools are used to create a floor plan, specify desired coverage areas, and position APs to deliver service with required capacity and throughput. Portable site survey tools are used to sample received signal strength and noise at defined intervals throughout the coverage area and beyond. Samples are fed back into planning tools, creating actual coverage maps for each AP, ESSID, and channel. Power outputs are then fine-tuned to avoid gaps or excessive overlap between APs, and channels are assigned to minimize interference.

Rogue discovery plays an important role throughout this process. Before AP installation, potential sources of radio interference must be identified, including walls, doors, microwave ovens, and any existing 802.11 networks. At this stage, you must create a baseline list of untrusted APs and their characteristics, including MAC address, ESSID, channel, signal-to-noise ratio (SNR), and approximate location.


Figure 1

It’s possible to create this initial rogue list with adapter client utilities or shareware stumblers. But creating a rigorous baseline now will save you time and money later. For efficiency and accuracy, gather data using a professional site survey application, plus a GPS receiver for outdoor surveys. Scan all channels in both 802.11 bands, since rogues may operate any available frequency. Tools that overlay floor maps with AP locations and signal information (see Figure 1) are particularly useful to visualize and understand survey results.

Site surveys are an iterative process of design, simulation, observation, and adjustment. Once your survey has been completed and your APs have been staged, your baseline list serves as the foundation for on-going rogue surveillance.

As shown in Figure 3, WLANs can be monitored by several complementary systems, including Wireless Intrusion Detection or Prevention Systems (WIDS/WIPS) that offer 24/7 surveillance using distributed sensors to relay observations to a central server, portable WLAN analyzers used for spot-checking and drill-down investigation, and Network Management Systems (NMS) that control AP software, configuration, and operational status.


Figure 2

Each of these systems supports a different set of WLAN management tasks, but all can help you detect suspicious activities that warrant investigation, including rogue devices. To generate Rogue Alerts, these systems rely on Access Control Lists (ACLs) that identify APs and stations by MAC address, a configurable name, and a recently-used IP address. In addition, ACL entries must be configured to differentiate between:

  • Known/Authorized Devices: APs in your WLAN and stations permitted to use them,
  • Known/Unauthorized Devices: APs and stations operating in or near your facility that are not part of your WLAN, or
  • Unknown/Unauthorized Devices: Newly-discovered APs and stations that require investigation and remedial action.

It is safest to assume that each newly-discovered unknown/unauthorized device could be a Malicious AP or Station. For this reason, wireless analyzers and intrusion detection systems typically generate Rogue Alerts upon spotting transmissions from any device not found in the ACL, calling immediate attention to the potential threat.

You don’t want to be continuously alerted to the presence of Neighbor APs and Stations, but you do want to know if your devices accidentally associate with them. By treating Neighbors as known but unauthorized, Rogue Alerts can focus attention on unknown devices that pose genuine concern, while other alerts can warn of unauthorized activity. For example, you should still be alerted when your authorized stations are communicating with an unauthorized AP, even if it is a known neighbor AP.

In fact, ACLs are just one component of policy: the set of relationships and rules that define secure, robust, correct operation for your WLAN. Depending upon the capabilities of your Wireless Intrusion Detection System, policies can:

  • Dictate alert severity, letting you defer action for less important incidents, while calling for rapid response to events with more serious consequences.
  • Establish different rules for different devices based on business risk — for example, ignoring unknown devices using guest SSIDs, but not private SSIDs.
  • Escalate alerts based on event frequency — for example, progressing from alert logging to pager notification to automated blocking as an attack intensifies.
  • Forward high-priority alerts to upstream management systems responsible for monitoring the security and health of your entire network.
  • Automatically invoke defined actions to disable rogue devices and stop ongoing attacks from causing (further) damage.
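The ACL classification (known/authorized, known/unauthorized, unknown/unauthorized) and the policy rules above, worked as an added example that is not part of the original paper: the ACL entries, guest SSID name and escalation thresholds are constructed assumptions; the alert on an authorized station associated with a known neighbor AP, the guest-SSID exemption, and the log/page/block escalation by event frequency follow the text.

```python
from collections import Counter

# Constructed ACL: MAC -> (name, status). All values made up for this example.
ACL = {
    "00:11:22:33:44:50": ("ap-floor1", "known/authorized"),
    "3c:22:fb:12:34:56": ("cafe-ap", "known/unauthorized"),   # known neighbor
    "08:00:27:10:00:01": ("laptop-alice", "known/authorized"),
}
GUEST_SSIDS = {"corp-guest"}
# Escalation by event frequency: (alert count reached, action to invoke).
ESCALATION = [(1, "log"), (3, "page"), (5, "block")]


class RoguePolicy:
    def __init__(self, acl=ACL, escalation=ESCALATION):
        self.acl = acl
        self.escalation = escalation
        self.counts = Counter()   # alerts seen per device MAC

    def status(self, mac):
        # Any device missing from the ACL is unknown/unauthorized by default.
        return self.acl.get(mac, ("?", "unknown/unauthorized"))[1]

    def action_for(self, mac):
        """Escalate repeated alerts from the same device: log -> page -> block."""
        self.counts[mac] += 1
        action = self.escalation[0][1]
        for threshold, act in self.escalation:
            if self.counts[mac] >= threshold:
                action = act
        return action

    def evaluate(self, bssid, ssid, station=None):
        """Return an alert dict for one observed (AP, station) pair, or None."""
        ap_status = self.status(bssid)
        sta_status = self.status(station) if station else None
        # Our station on any AP we do not own, even a known neighbor: high severity.
        if sta_status == "known/authorized" and ap_status != "known/authorized":
            return {"type": "authorized station on unauthorized AP",
                    "severity": "high", "action": self.action_for(bssid)}
        # Any device not in the ACL raises a Rogue Alert, unless policy says to
        # ignore unknown devices that only use the guest SSID.
        for mac, st in ((bssid, ap_status), (station, sta_status)):
            if st == "unknown/unauthorized":
                if ssid in GUEST_SSIDS:
                    return None
                return {"type": "rogue alert", "severity": "medium",
                        "action": self.action_for(mac)}
        return None   # authorized pair, or a quiet neighbor: no alert


if __name__ == "__main__":
    policy = RoguePolicy()
    print(policy.evaluate("3c:22:fb:12:34:56", "cafe"))                       # neighbor, quiet
    print(policy.evaluate("3c:22:fb:12:34:56", "cafe", "08:00:27:10:00:01"))  # our laptop on it
    for _ in range(5):
        print(policy.evaluate("f0:9f:c2:00:00:09", "corp-secure"))            # unknown AP, escalates
```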

Automated policy-based surveillance systems can provide an efficient, effective foundation for rogue management. For ease-of-use and consistency, use integrated systems that can share ACLs and alerts when performing complementary tasks. For example, ACLs created by portable analyzers during site surveys should be exportable to your WIDS and NMS. Alerts generated by your WIDS server should provide easy navigation to remote sensors for incident investigation. WIDS-generated actions that reconfigure devices should be executed through your NMS, letting these supervisory systems do their jobs in tandem.

To ensure that these systems can interact as needed, select survey tools, analyzers, WIDS, and NMS products that are interoperable. You should also beware of rogue detection systems that work with just one brand of AP. Seek solutions that enable effective rogue defense without constraining your network design or equipment purchases.

Neutralizing Rogue Devices

Unauthorized and malicious rogue devices present a real threat, so must be dealt with swiftly to prevent confidential data disclosure, network compromise, damage to vulnerable systems, and other consequences of WLAN misuse or attack.

For example, rogue APs can provide immediate intruder access to valuable corporate resources. An unsecured AP plugged into an open Ethernet jack can let an outsider reach databases and file servers on the corporate network – bypassing all wireless security that might be provided by properly protected APs. Therefore, network owners must be able to block unauthorized network access immediately, instead of waiting hours or days to physically locate and remove the rogue.

As shown in Figure 3, rogue blocking methods fall into two categories: wired and wireless.


Figure 3

Wired methods prevent a rogue AP (or a rogue station connected to an authorized AP) from penetrating the adjacent network. This can often be accomplished by disabling the LAN switch port closest to the AP’s Ethernet point of attachment. Wired-side remedies can also be implemented with firewall or router filters, but blocking LAN access as close to the rogue as possible is most effective.

There are many ways to determine whether a rogue device is on the wired network, and where it is connected. For example, a WIDS can send periodic SNMP or CDP requests to LAN switches to retrieve lists of connected devices, matching those addresses to detected rogues. A WIDS can use traceroute to send wireless traffic to rogues, traversing the wired network to determine a rogue’s local subnet and nearest router. Another method is periodic ping-scanning for unknown devices, although this can be inefficient and resource-intensive. In any case, it is essential that you be able to quickly and accurately determine whether a rogue is attached to your wired network.

Once a rogue is located on the wired network, access can be blocked by disabling the LAN switch port closest to the rogue, isolating it from all other wired resources. An immediate automated blocking action is the best way to protect the wired network from damage, during both short- and long-term intrusions.

Wireless methods prevent a rogue AP (or a rogue station connected to an authorized AP) from productively using the WLAN. This can be accomplished by repeatedly sending the device(s) 802.11 Disassociate or Deauthenticate control frames. These frames can be targeted at a single station or broadcast to all stations using a given AP, effectively preventing new associations or data transmission until the flood ends. Again, the ability to start wireless blocking automatically, at the first sign of intrusion, can be critical to prevent damage while further responses are considered.

Another wireless blocking method is to jam the channel used by a rogue AP or station by generating RF noise at that frequency. This method is far less selective, impacting not just the rogue but any nearby WLAN using that channel. With either method, blocking is usually invoked by a WIDS and carried out by a sensor located near the rogue device.

Wireless rogue blocking methods should be used with great care, and invoked automatically only after extensive experience with manual blocking and risk/benefit analysis. Jamming (and to a lesser extent, flooding) can take down other nearby WLANs, including those owned by neighbors. Clearly, these power tools should be used by trained administrators with authority to take a portion of your network offline. Disabling switch ports may be less disruptive, but can’t stop ad hoc associations, rogue APs connected to someone else’s network, or rogue stations attacking other wireless devices. Ideally, your toolbox should include both wireless and wired blocking methods so that you can apply the technique(s) best suited to each situation.

During a malicious attack, delayed response could let a rogue penetrate further, gather more data, and do more damage. Blocking side effects incurred during incident investigation may be acceptable and justified for short periods, and temporary action may be enough to discourage some war drivers. Surveillance systems that can automate immediate blocking based on very granular policies provide the best foundation for protecting high-value assets.

Locating and Eradicating Rogue Devices

Once a rogue has been detected and (optionally) disabled, you should physically locate the device and decide on a course of action to permanently mitigate on-going risk.

Hunting down a rogue can be time-consuming without proper tools. Wireless devices are often mobile, and wireless associations are by definition transient. If you don’t find the rogue quickly, the attacker may move on and you’ll never really know what hit you. To narrow your search, start by leveraging location services provided by your WIDS.

A simple but coarse method to predict rogue location uses signal strength to identify the nearest sensor (or, in the absence of sensors, the nearest AP or station). The sensor reporting the strongest signal from a rogue is probably within one hundred feet of that device, perhaps less. The rogue may be upstairs, downstairs, or on the same floor as the sensor. In fact, since signal is affected by RF obstructions, attenuation, and reflection, the rogue may actually end up closer to another sensor. Identifying the nearest sensor can provide a starting point, but is usually not accurate enough to conduct a fast, efficient manual search or confidently predict whether the rogue lies inside your facility.

A more complex and more accurate location method involves measuring the rogue’s signal strength from three or more points to triangulate its probable location. A rogue detected by one sensor can be predicted to lie a certain distance from that sensor, in any direction. A rogue detected by two sensors may be located anywhere those individual predictions intersect. Combining predictions from three sensors can narrow possibilities down to a single location, as shown in Figure 5. Here again, variations in RF behavior affect accuracy, but triangulation with three or more measurements can pinpoint a rogue’s location to within 20 feet. This yields a search area that’s small enough to readily determine the affected room(s) and conduct a quick manual search.


Figure 4
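The nearest-sensor method and the three-or-more-sensor triangulation described above, worked as an added example (not code from the original paper): each RSSI reading is converted to a range with a log-distance path-loss model (the reference level P0, reference distance D0 and exponent N_EXP are assumed, site-specific values), and the ranges are combined by a least-squares intersection of the sensors' circles. Sensor coordinates and readings are constructed.

```python
import math

# Log-distance path-loss model (assumed parameters, calibrate per site):
#   RSSI(d) = P0 - 10 * N_EXP * log10(d / D0)
P0 = -40.0   # dBm observed at the reference distance
D0 = 3.0     # reference distance in feet (about 1 m)
N_EXP = 3.0  # path-loss exponent: ~2 in free space, 3-4 indoors

def rssi_from_distance(d):
    """Inverse model; used here only to construct sample readings."""
    return P0 - 10 * N_EXP * math.log10(d / D0)

def distance_from_rssi(rssi):
    """Convert a sensor's RSSI reading into an estimated range in feet."""
    return D0 * 10 ** ((P0 - rssi) / (10 * N_EXP))

def nearest_sensor(readings):
    """Coarse method: index of the sensor reporting the strongest signal."""
    return max(range(len(readings)), key=lambda i: readings[i][1])

def trilaterate(readings):
    """readings: list of ((x, y), rssi) for three or more sensors.
    Each reading places the rogue on a circle of radius d_i around sensor i.
    Subtracting the first circle's equation from the others linearizes the
    problem; with more than three sensors the 2x2 normal equations give the
    least-squares fit. Returns (x, y) in the sensors' coordinate units."""
    if len(readings) < 3:
        raise ValueError("need at least three sensors")
    (x0, y0), r0 = readings[0]
    d0 = distance_from_rssi(r0)
    s_aa = s_ab = s_bb = s_ac = s_bc = 0.0
    for (xi, yi), ri in readings[1:]:
        di = distance_from_rssi(ri)
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        s_aa += a * a; s_ab += a * b; s_bb += b * b
        s_ac += a * c; s_bc += b * c
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y

if __name__ == "__main__":
    # Constructed example: three sensors on a floor plan (feet). A rogue at
    # (40, 30) would produce these readings under the model, plus some noise.
    sensors = [(0.0, 0.0), (100.0, 0.0), (0.0, 80.0)]
    truth = (40.0, 30.0)
    readings = [(s, rssi_from_distance(math.dist(s, truth)) + noise)
                for s, noise in zip(sensors, (0.8, -1.1, 0.5))]
    print("nearest sensor:", sensors[nearest_sensor(readings)])
    print("estimate: (%.1f, %.1f) ft" % trilaterate(readings))
```

Adding noise of a few dB to the constructed readings shows how quickly the estimate drifts, which is why the text recommends repeating the sampling and plotting for intermittent or moving devices.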

Your WLAN planning and site survey tools already know the physical layout of your facility and the actual location of sensors, APs, and stations. Your rogue detection solution should leverage that floor plan to plot the rogue’s probable location, creating a search map.

Ultimately, hunting the rogue down will require on-site staff, armed with a search map. If the rogue is not in plain view (e.g. hidden in a ceiling or cabinet), on-site staff will also need a portable analyzer to listen for rogue transmissions, moving towards the signal source (i.e., in the direction of increasing RSSI). Neighbor and Unauthorized APs may be discovered quickly when using good tools and predictions. Devices that transmit intermittently or move can require a combination of rapid response and patience. For example, triangulation may need to be repeated several times, so look for tools that make this easy by automating both the sampling and plotting process.

In addition, traffic analysis can help you prioritize search efforts by focusing on rogues that present the most immediate danger. Factors to be considered include:

Is the rogue penetrating your wired network? Watch for TCP sessions to inside servers, and use ping or trace to verify wired-side connectivity. For example, use a remote sensor to associate with a rogue AP and aim a traceroute at a server inside your network to identify the wired-side IP address used by the rogue AP. Look for distributed tools that let you easily trace from both sides of the rogue.

How many authorized stations are associated with a rogue AP? An AP that associates only with un-trusted stations probably belongs to a neighbor. An AP actively associated with your stations poses a clear privacy risk and could be performing a man-in-the-middle attack. Use monitoring tools that make this kind of ACL-based association information readily available.

What kind of traffic is being generated by a rogue station? A station browsing the Internet may consume bandwidth, but a station generating a DoS flood or port scan is far more likely to be well on its way to doing serious harm. Look for tools that can summarize a rogue’s history and present a real-time view of rogue traffic.

The more you know about a rogue’s network connectivity and traffic, the better equipped you’ll be to take corrective action. Once a rogue has been located, traffic has been analyzed, and threats have been assessed, further action is required to permanently resolve the incident:

If the rogue is determined to be a Neighbor AP or Station, ACL(s) should be updated to avoid triggering future Rogue Alerts. Neighbor APs should be added to your floor plan, including location and ownership details, and channel assignments should be adjusted if needed to avoid interference. Keep an eye on future alerts related to this Neighbor to determine whether additional policy or device adjustments are needed for optimal cohabitation.

If the rogue is found to be an Unauthorized AP or Station, steps must be taken to eliminate the device or (better yet) safeguard and bring it into the fold. For example, Unauthorized APs can be moved outside the firewall, configured with security policies, added to known/authorized AP ACLs, and managed by your NMS. Unauthorized stations can be outfitted with desktop security measures for safer wireless use outside the office, and their wireless adapters disabled in profiles used at the office.

If a rogue appears to be malicious, carefully review its traffic history to identify all system(s) and data that may have been compromised. To facilitate this, put any suspicious device on a “watch list” to record traffic in greater detail during investigation. To learn an attacker’s identity, some organizations even create “honeypots” — an AP and isolated LAN segment designed to lure rogue stations. If you intend to pursue criminal or civil legal action against a rogue, engage a network forensics expert to guide you through formal evidence gathering procedures. Finally, identify and eliminate vulnerabilities the attacker may have exploited, like compromised logins and passwords used to gain access.

When clearing a Rogue Alert from your surveillance system, create an audit trail of what was done to find, contain, and neutralize the rogue. If you’re unable to locate the device on its first visit, history may help nail the rogue on its next visit. Use history reports to spot patterns, identifying holes that should be closed and assessing the speed and effectiveness of your rogue management practices.