Wireless Security Testing / Rogue Access Points & Illegal Clients
Subtitles of the Movie
The last thing we'll talk about when we're talking about security testing is actually detecting rogue access points and illegal clients. Now, the reasons that people connect to networks illegally is, is wide and varied reasons. Some people just want to get, uh, free Internet access. But some people have more nefarious, uh, uh, reasons. They may want to steal your data. They may want to prevent your legitimate users from connecting, uh, to your networks. They want, they may want to do denial of service. Things like that. What you want to do is prevent users from connecting unauthorized hardware to your networks but you also want to secure your wireless networks from outside threats as well.

Now, why do people, uh, uh, attack wireless networks? Well, there's a couple of reasons. Some insiders, uh, set up rogue systems because of convenience. A lot of people want to use their own laptop from home or their own PDA and just kind of use your network as, uh, as the network to surf with. They just want their applications and stuff, maybe listen to their MP3s or, or things like that. So they may just set up their laptops and things on your network for convenience. Now other folks who may have more sinister desires may set up fake access points to get your wireless clients to talk to them so they can, uh, fake being on your network and steal data. You know, steal, steal sensitive messages, passwords that are sent back and forth.

Now, how might you detect these unauthorized clients and access points? Well, there's a few things you can do, uh, things you can look for as well. First of all, use your wireless security testing tools to look for unusual SSIDs. You see SSIDs out there that, uh, don't match your naming scheme. And, and I hope you have a naming scheme on your wireless network so that you know and you can identify which access point is where. Look for unusual SSIDs. They, SSIDs that don't belong. Look for ad hoc mode clients.
Clients that are just talking to another computer. In some cases these will be, uh, laptops that people bring in that have a wireless card that's just simply turned on and it's, uh, automatically trying to talk to the networks, so it may be something as harmless as that. But it also may be a, uh, a network sniffer that someone's put out there, a wireless sniffer that they're trying to find, uh, information about your wireless network.

But look for access points in your network that simply don't belong there. Look for access points that are a different brand than you use. Look for access points that have different MAC addresses than what you normally see. You can compare your list of authorized MAC addresses, uh, MAC addresses that are authorized to connect to your wireless network to a list of your currently connected clients. I'm sure, as a wireless network security administrator, you should probably go to your wireless access points from time to time and log, uh, collect the logs and see who's been connecting to your wireless networks and then compare that to the list that you already have somewhere of authorized MAC addresses.

You know, look for excessive traffic from a particular client or an access point that may indicate an attempt to get a DHCP address or attempt to spoof, for example, or in some cases, a rogue access point or a rogue client will send a burst of traffic back and forth to try and get a wireless access point to, uh, repeat its initialization vector or to give out a SSID or just to generate traffic so it can see what MAC addresses are out there so that it can later spoof those addresses. Again, look for different hardware types than what you normally use. If your baseline standard is, say, you use Cisco cards, for example, in all the PCs, if you see a, another brand of card out there, that may indicate that, uh, you have some rogue access points or rogue clients connecting to your network.
The other thing you could do is use automated wireless intrusion detection devices, or WIDS devices to detect unauthorized clients and access points. There are devices out there that you can put on your wireless network that will continuously monitor and log and send the results of those logs to you or archive them to a, uh, to a server that can be looked at.

The big thing you need to do to prevent rogue access points and illegal clients is actually have and enforce strict policies on connecting to the wireless network. Enforce the use of heavy encryption. Enforce the use of MAC address filtering. Enforce the use of SSID hiding. Even though a couple of these may sound like they're very weak measures, it all adds up. It's called defense in depth. But have policies regarding that. Let your users know that they can't bring in personally-owned PDAs and laptops to connect to the wireless network because that can interfere with and reduce the security of your overall network.
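The manual checks described in the transcript (SSID naming scheme, authorized MAC lists, hardware brand, ad hoc mode, excessive traffic) can be combined into one audit pass over a survey export. The following is an added example, not part of the tutorial; the naming scheme, MAC lists, OUI prefix, CSV layout and sample rows are all constructed assumptions.

```python
import re

# Assumed site policy (hypothetical values): SSID naming scheme, AP inventory,
# authorized client MACs, and the OUI prefix of the hardware the site buys.
SSID_SCHEME = re.compile(r"^CORP-(HQ|WH)-\d{2}$")
AUTHORIZED_APS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
AUTHORIZED_CLIENTS = {"00:11:22:bb:10:01", "00:11:22:bb:10:02"}
APPROVED_OUIS = {"00:11:22"}

# Constructed survey export, one device per line: kind,mac,ssid,mode,frames
SAMPLE_SURVEY = """\
ap,00:11:22:aa:00:01,CORP-HQ-01,infrastructure,1200
ap,00:11:22:aa:00:02,CORP-WH-03,infrastructure,900
ap,66:77:88:cc:00:09,CORP-HQ-01,infrastructure,400
ap,00:11:22:aa:00:07,linksys,infrastructure,150
client,00:11:22:bb:10:01,CORP-HQ-01,infrastructure,800
client,00:11:22:bb:10:02,CORP-WH-03,infrastructure,95000
client,aa:bb:cc:dd:20:05,CORP-HQ-01,infrastructure,700
client,00:11:22:bb:10:09,FreeWifi,adhoc,30
"""

def audit(survey_text, traffic_factor=10):
    """Return (kind, mac, reasons) for every device that breaks site policy."""
    rows = [line.split(",") for line in survey_text.strip().splitlines()]
    rows = [(k, m.lower(), s, mode, int(f)) for k, m, s, mode, f in rows]
    counts = sorted(f for *_, f in rows)
    median = counts[len(counts) // 2]  # baseline for "excessive" traffic
    findings = []
    for kind, mac, ssid, mode, frames in rows:
        known = AUTHORIZED_APS if kind == "ap" else AUTHORIZED_CLIENTS
        reasons = []
        if mac not in known:
            reasons.append("mac-not-authorized")
        if mac[:8] not in APPROVED_OUIS:  # first three octets identify the vendor
            reasons.append("unexpected-hardware-vendor")
        if not SSID_SCHEME.match(ssid):
            reasons.append("ssid-outside-naming-scheme")
        if mode == "adhoc":
            reasons.append("ad-hoc-mode")
        if frames > traffic_factor * median:
            reasons.append("excessive-traffic")
        if reasons:
            findings.append((kind, mac, reasons))
    return findings

if __name__ == "__main__":
    for kind, mac, reasons in audit(SAMPLE_SURVEY):
        print(f"{kind:6} {mac}  {', '.join(reasons)}")
```

The third sample row is the fake access point case: its SSID fits the naming scheme, so only the inventory and vendor checks catch it. Since MAC addresses can be spoofed, as the transcript notes, a device that passes these checks is not thereby proven legitimate.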
Tutorial Information
| Course: | Introduction To Wireless Administration |
| Author: | Bobby Rogers |
| SKU: | 33800 |
| ISBN: | 1-934743-11-9 |
| Release Date: | 2007-09-26 |
| Duration: | 4.5 hrs / 77 lessons |
| Captions: | For Online University members only |
| Compatibility: | Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |