Thursday, September 22, 2011

Rogue access points wired into your LAN - how afraid should you be?

I've been thinking about the fear that some enterprises have about the possibility of someone bringing an access point from home and connecting it into the LAN at work with no security enabled.

Most wireless vendors have a way to determine whether rogue access points are actually connected to the wired LAN. Cisco's WCS can track a rogue access point on the LAN via RLDP, but it has been problematic for quite some time. Kicking off the RLDP search is a manual task for every rogue SSID that WCS detects; there simply isn't a way for WCS to scan rogue SSIDs automatically to ensure they aren't cabled into the LAN. This makes it hard to determine whether rogue access points are wired into the LAN or not. Unfortunately, in enterprises where PCI compliance is mandated, the manual scan will have to be run on every rogue SSID.
PCI DSS version 1.2 places special emphasis on WLAN security. It requires Cardholder Data Environments (CDE) to change wireless defaults (passwords, SSIDs, keys, etc.), use strong encryption, eliminate rogue/unauthorized wireless devices, restrict physical access to wireless devices, log wireless activity, define wireless usage policies, etc.
For all other enterprise deployments not requiring PCI compliance, the fear of rogue access points being connected to your LAN may be overblown. Today there is a multitude of choices for personal hot-spot devices. Most Wi-Fi power users have their own MiFi, Clear, Cradlepoint or hot-spot functionality enabled on their smart phone (or all four!). I think it would be very unlikely for an employee wanting unsecured/unfiltered Wi-Fi to bring or buy a Linksys/D-Link AP and plug it in at work. It is more likely that they would just use the web browser on their smart phone, or use a personal hot-spot Wi-Fi device to connect laptops to their personal, unfiltered Wi-Fi network. I think that the days of people bringing an access point from home and plugging it in at work are over.

I've seen many an end user in their cubicle using the unfiltered internet connection on their smart phone to surf Facebook or Twitter, while their work PC is connected to the locked down LAN or WLAN network connection. The idea that the regular end user would bring an access point from home is increasingly unlikely. Physical security to your LAN is always the first step towards securing your network, but the average enterprise wireless user will just use their smart phone to surf the web.

6 comments:

  1. Interesting post.

    How about using good 'ol port security with the "sticky" feature turned on, to prevent users from plugging in anything other than their company assigned laptops?

  2. I think port security would be a much better way to ensure that a rogue AP wasn't connected to a switch port. Securing the port closest to the end user is definitely the best way to go!

  3. Jennifer,
    Although I agree that the "average" wireless user is likely to use a cellular connection, the real threat of rogue APs is from targeted malicious attacks. For organizations that have sensitive data (financial, health, banking, etc.) this is a real threat.

    The best way to prevent rogues is through adequate switch port security, as discussed in your last comment. However, port security is not sufficient. Many of the most vulnerable ports are in conference rooms and public spaces for printers and shared equipment. Sticky MAC address learning cannot account for conference room ports, and MAC address spoofing can be easily accomplished by most consumer grade APs (often called MAC address cloning). The best way to go is full-blown 802.1X or NAC (or both) to secure the wired network.

    Unfortunately, 802.1X auth is not as easy to accomplish on wired networks as it is on wireless networks. Legacy devices are everywhere, and even devices that do support authentication often have very poor implementations and lack scalable deployment, management, or support. That leaves ugly workarounds to account for those devices, like MAC address databases.

    This leaves many organizations in a tough spot, and they rely on the wireless infrastructure to "do its best" to figure out if rogues are on the wired network. Cisco offers a few options, but none are automated, which is a shame! These include:
    - RLDP (connect to an open Wi-Fi network and send a packet back to the controller to see if it gets through)
    - Rogue Detector AP (dedicated AP mode to watch wired network MAC addresses and report them back to the controller for correlation to rogue BSSIDs)
    - WCS Switch Port Tracing (import and monitor wired switches, and use CDP neighbor relationships to search for MAC addresses of rogues up to 3 hops from the AP back into the network)

    I have asked Cisco WNBU many times to automate the process, because manual switch port tracing is not scalable in any medium to large environment. Additionally, rogue detectors are a hardware solution and drive up expense very quickly in distributed branch office environments.

    Wow. This turned out to be a long comment. Sorry :)

    Thanks,
    Andrew vonNagy

  4. Andrew,

    You can use this MAC traceroute from the core switch to the host (AP) (Cisco only, CDP must be running):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/l2trace.html

    But you can't copy/paste the MAC from the WLC to the switch because of the difference in MAC format between AirOS and IOS. I hate this.

    Duro

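The wired-MAC-to-rogue-BSSID correlation that comment 3 describes for the Rogue Detector AP and switch port tracing, together with the AirOS/IOS address-format mismatch comment 4 complains about, can be scripted on the defender's side. The following Python is an added example, not code from the post or from Cisco; the rogue list and the "show mac address-table" snippet are constructed, and the "within 16 of a wired MAC" heuristic is an assumption about how consumer APs derive their BSSID from the wired MAC, not a documented Cisco behaviour.

```python
import re

# Constructed sample input (not from the post): rogue BSSIDs as a Cisco WLC
# lists them (AirOS colon format) and a snippet of IOS "show mac address-table".
ROGUE_BSSIDS = ["00:1A:2B:3C:4D:5E", "F0:9F:C2:10:20:31", "DC:A6:32:AA:BB:CC"]
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    001a.2b3c.4d5d    DYNAMIC     Gi1/0/7
  20    f09f.c210.2040    DYNAMIC     Gi1/0/12
"""

def normalize_mac(mac):
    """Return the 48-bit value of a MAC written in AirOS (aa:bb:cc:dd:ee:ff),
    IOS (aabb.ccdd.eeff) or dashed form, so the formats compare directly."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return int(digits, 16)

def to_ios(mac):
    """Render a MAC the way the IOS CLI expects it ('traceroute mac',
    'show mac address-table address'), whatever format it was copied in."""
    h = "%012x" % normalize_mac(mac)
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def parse_mac_table(text):
    """Map MAC value -> (vlan, port) from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return table

def correlate(bssids, mac_table, window=16):
    """Return (bssid, vlan, port) for each rogue BSSID within `window` of a MAC
    learned on a switch port.  Assumption: consumer APs derive the BSSID from the
    wired MAC by a small offset; a hit is a lead to check on that port, not proof."""
    hits = []
    for bssid in bssids:
        value = normalize_mac(bssid)
        for wired, (vlan, port) in mac_table.items():
            if abs(value - wired) <= window:
                hits.append((bssid, vlan, port))
    return hits
```

Feed it the WLC rogue list and the MAC tables pulled from the access switches; each hit names the VLAN and port to inspect, and `to_ios()` gives the string to paste into the switch CLI.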
  5. Locking your switch closets, along with adequate physical and information security policies, is your best bet in controlling rogue access points. Many folks and many customers always look to a technical solution before covering those important areas.

    I would make sure all the above are implemented prior to looking at a technical solution. Assuming all these are in place, the threat of a rogue AP is overblown.

    Using wired 802.1X, as mentioned above, is a great and possibly the best way to protect your wired networks. It would be great if everyone were using it, but unfortunately I find this is not the case. As Andrew mentioned, legacy devices abound that do not support 802.1X, and in addition, some customers simply don't want the administrative overhead of it.

    Security has always been a balancing act between convenience and protection, and it always will be.

    Fantastic blog and post.

    Josh

  6. Thanks for sharing with us

    Access point, Industrial switch, Wireless serial server, Embedded serial module.
