WLAN Wars III: Attack of the rogues

This is the third time I’ve addressed wireless LAN (WLAN) security issues in this column, but the problem is only getting worse. I thought a companywide e-mail spelling out a prohibition of the use of wireless access point (AP) hubs would be enough to persuade employees to remove unauthorized APs from the network. It wasn’t.

Last week, I conducted another survey at our corporate headquarters and discovered six new APs in addition to the units I had previously detected. Not surprisingly, all of them were improperly configured. They had no encryption and were set to broadcast the Service Set Identifier (SSID). Since it’s easy to discover the SSID and there’s no encryption enabled, it’s not difficult for a hacker to gain access to our LAN through these rogue APs.

Tracking down the APs has been difficult. The signal strength for all but one was high enough to reach the street in front of our headquarters. I’ve been using the AirMagnet Handheld PC card and detection software from Mountain View, Calif.-based AirMagnet Inc. on my Pocket PC to detect the rogues, but I don’t have a directional antenna that would let me zero in on the exact location of these hidden, illegal devices.

My alternative course of action was more time-consuming, but only somewhat effective. All the APs I discovered had an associated, unique media access control (MAC) address on our LAN. Our company uses Catalyst Ethernet switches from Cisco Systems Inc., and by querying these, it’s possible to determine the switch port each access point is connected to. In theory, once I discovered the switch port, the Ethernet cable connected to that port could be traced back through a series of patch panels to the office or cubicle where the AP resides.

As a practical matter, this didn’t work too well. First, the process was time-consuming. There are four switches per floor, and each of our six buildings has four floors. Because we don’t have a monitoring tool like CiscoWorks, we had to log into each switch and conduct a search for each MAC address.

After some work, we were able to trace all but a few MAC addresses into the wiring closet on a specific building and floor. But once we traced a cable into a wiring closet, we had to rely on floor maps to determine which offices connected to which ports on the patch panel. It’s virtually impossible to trace a cable from a wiring closet to an office, since the cables run inside the walls and floors. To do this successfully, we’d need accurate, up-to-date wiring maps. They weren’t accurate, of course, and we were unable to trace any of the wires from the patch panel to the specific offices where the unwanted APs resided.

A Legal Matter

Still, we were closing in. The maps did give us a general idea of the section of a given floor where the APs might be found. Now it’s a legal matter. Do we have the authority to do an office-by-office search, entering each employee’s workspace in our search for unauthorized access points? The labor and privacy laws for the state I work in tend to favor the employee. Therefore, before I start down the path of conducting searches, I must be sure I don’t violate any privacy laws. I’m not a lawyer and I sure don’t want to be the cause of any legal problems, so I’ve placed a call to our general counsel’s office.

In the meantime, all we can do is disable the switch ports to which the rogue APs are attached. A smart user might just plug the AP into another office jack and be up and running again. But there are only two active ports in most offices, so sooner or later both ports will be disabled and the employees will have to identify themselves to get back on the network.

It’s clear that we can’t trust users to police themselves, and we don’t want to go through that laborious trace process every time. Therefore, we will either have to purchase a software tool such as CiscoWorks or come up with a more efficient method for automatically detecting these unauthorized APs as users attach them to the network.

There are only two ways to do this. The first is the wired method I’ve described, in which you monitor network traffic. If you know what to look for, you can detect the 802.11b WLAN traffic packets or identify the MAC address of a wireless access point. The other method is to use our existing APs as sniffers in conjunction with software that detects the radio frequencies of illegally attached devices.
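The wired method boils down to the switch query I described above: take the MAC addresses the handheld survey reported and find which switch port learned each one. As an added example (not part of this column or any tool it names), here is a Python script that does that step for a whole list of MACs; it assumes Cisco IOS-style `show mac address-table` output, and every switch name, port and MAC in it is a constructed placeholder.

```python
import re
# Constructed sample in the style of IOS "show mac address-table" output from two
# Catalyst switches; switch names, VLANs, ports and MACs are made-up placeholders.
SWITCH_TABLES = {
    "bldg2-fl3-sw1": """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Fa0/12
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/12
  10    0022.3344.5566    DYNAMIC     Fa0/7
""",
    "bldg2-fl3-sw2": """\
  10    0033.4455.6677    DYNAMIC     Fa0/3
  20    0044.5566.7788    DYNAMIC     Gi0/1
""",
}
# Constructed rogue-AP MACs as the handheld survey tool reports them (colon notation).
ROGUE_APS = ["00:11:22:33:44:55", "00:33:44:55:66:77", "00:99:88:77:66:55"]
# One table row: VLAN, dotted-hex MAC, learn type, port; header lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    # aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff and aa-bb-cc-dd-ee-ff all become 12 lowercase
    # hex digits, so the scanner's notation and the switch's notation compare equal.
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def parse_mac_table(text):
    # Return {normalized_mac: (vlan, port)} for one switch's table output.
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return entries

def locate_rogues(rogue_macs, switch_tables):
    # Map each rogue MAC to (switch, port, vlan); None means no polled switch has
    # learned it (AP powered off, or plugged into a switch not queried yet).
    located = {normalize_mac(m): None for m in rogue_macs}
    for switch, text in switch_tables.items():
        for mac, (vlan, port) in parse_mac_table(text).items():
            if mac in located:
                located[mac] = (switch, port, vlan)
    return located

def ports_to_disable(located):
    # Unique (switch, port) pairs hosting a rogue, sorted for the wiring-closet work order.
    return sorted({(hit[0], hit[1]) for hit in located.values() if hit})
```

A MAC that comes back as None is worth a second survey: the AP may simply have been unplugged, or it may sit behind a switch you have not yet polled.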

I think the latter method is the better approach. Finding rogue APs by detecting wireless signals is more efficient simply because there’s less traffic to monitor on the wireless segment than there is on the wired LAN. On the wired LAN, the entire volume of traffic must be monitored and filtered in order to sift out wireless traffic for further analysis.

To use the wireless method, however, we will need to make a significant investment in hardware and software. Our AP layout covers only a limited area; to provide security, we need enough devices to cover the entire campus. If we can get them, we can buy software such as the AirWave Management Platform from San Mateo, Calif.-based AirWave Wireless Inc. that will let us use our WLAN infrastructure both to support legitimate wireless LAN traffic and sniff out unauthorized APs.

Despite the continuing problems I’ve had controlling rogue APs, I do think there’s a light at the end of the tunnel. But I can’t believe that I’m the only one experiencing these frustrations. If you’ve had similar experiences, drop me a line or share your recommendations in the Security Manager’s Journal Forum.

What Do You Think?

This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussion in our forum:


Security Log

Security Bookshelf

– Anti-Hacker Tool Kit, by Mike Shema, Bradley C. Johnson and Keith J. Jones; Osborne McGraw-Hill, 2002.

Think of this as a cookbook of recipes for specific situations, with examples and step-by-step instructions on how to use some of the most popular security tools available on the Internet. The included CD-ROM contains almost all the tools referenced. The chapters explaining forensics are particularly strong — the authors offer up useful tips for analyzing both Windows NT and Unix systems.

Anti-Hacker Tool Kit is an awesome complement to any security professional’s reference set. Recommended.