Q: How can I protect my network from rogue access points? – Kent, N.J.

A: Historically, the only way to detect rogue access points was through manual scans. By this we mean having your IT staff manually walk through your premises using a software stack, or specialized device, to detect these security threats. Naturally, this is a costly and time-consuming process. In addition, it is not always effective – employees often find out when scans are taking place and unplug their devices to avoid detection.

Some vendors have introduced specialized products to address the problem of rogue access points, particularly in traditional peer-to-peer wireless LAN (WLAN) implementations where no such security exists. These work by creating an overlay network of “rogue sniffers” that are responsible for monitoring a WLAN infrastructure to detect unauthorized activity. This provides a good fix for rogue detection, but can be costly to implement and not always tied in with the WLAN itself.

Other WLAN systems have addressed this problem by building rogue detection capabilities into the access points themselves, combining traffic delivery and intrusion detection in a single infrastructure. With minimal impact on performance, this method provides the best rogue detection visibility into the network with the lowest impact on capital expenditures.

Note, however, that merely seeing the presence of an unauthorized access point does not necessarily mean it is a security threat. For instance, there is a difference between an unauthorized access point connected by an employee and an access point in a neighboring building, or a coffee shop across the street. A WLAN system should provide tools to make accurate decisions as to what a “rogue” really is, with special attention paid to minimizing “false positives.” For example, it should identify whether the rogue device is physically connected to your wired network or if it is outside your domain.
In addition, it should provide trending information to help paint a complete picture of rogue activity over time. As always, information is key to accurate analysis.

But you asked about rogue protection, not just rogue detection. Once a rogue device is identified, how do you prevent it from doing harm? It is time-consuming to mobilize the troops in order to track down and unplug a rogue device. Furthermore, by the time the rogue device is finally found and unplugged, the damage could already have been done. As a result, some wireless LAN systems offer what is commonly called “rogue containment,” whereby clients can be prevented from effectively using any device identified as a rogue access point. This makes rogue protection immediate and effective, giving IT staff the time to take physical action.
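One way to make the distinction the answer draws between a rogue attached to your wired network and an access point that is merely within radio range, with per-day trending, shown as an added example that is not part of the original column. The MAC addresses, SSIDs, dates, function names and the adjacent-MAC heuristic (an AP's radio MAC often sits within one of its wired MAC) are assumptions constructed for illustration.

```python
# Constructed sample data: every MAC, SSID and date below is made up.
AUTHORIZED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
# MAC addresses learned on wired switch ports (e.g. exported MAC tables).
WIRED_MACS = {"02:00:00:bb:10:0f", "02:00:00:cc:33:21"}
# (day, bssid, ssid) tuples as reported by AP-integrated or overlay sensors.
OBSERVATIONS = [
    ("2024-01-08", "02:00:00:aa:00:01", "corp"),
    ("2024-01-08", "02:00:00:bb:10:10", "linksys"),      # wired MAC + 1
    ("2024-01-08", "02:00:00:dd:77:05", "CoffeeShop"),
    ("2024-01-09", "02:00:00:bb:10:10", "linksys"),
    ("2024-01-09", "02:00:00:dd:77:05", "CoffeeShop"),
    ("2024-01-10", "02:00:00:bb:10:10", "linksys"),
]

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to an integer so MACs can be compared."""
    return int(mac.replace(":", ""), 16)

def on_wire(bssid, wired_macs, window=1):
    """Assumed heuristic: radio MAC within +/-window of a MAC seen on the wire."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= window for m in wired_macs)

def classify(bssid, authorized=AUTHORIZED_BSSIDS, wired_macs=WIRED_MACS):
    bssid = bssid.lower()
    if bssid in authorized:
        return "authorized"
    if on_wire(bssid, wired_macs):
        return "rogue-on-wire"   # attached to our wired network: act on it
    return "external"            # heard over the air only, e.g. a neighbour

def report(observations):
    """Return {bssid: (classification, days_seen)} for trending over time."""
    days = {}
    for day, bssid, _ssid in observations:
        days.setdefault(bssid.lower(), set()).add(day)
    return {b: (classify(b), len(d)) for b, d in days.items()}

if __name__ == "__main__":
    for bssid, (verdict, n) in sorted(report(OBSERVATIONS).items()):
        print(f"{bssid}  {verdict:14} seen on {n} day(s)")
```

An "external" verdict only means no wired-side correlation was found; a device bridged behind NAT would need a different check.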