For the past month or so, I’ve been struggling to find a way to locate and eliminate rogue wireless LAN access points (AP). This week, I believe I finally found an answer.
I was thinking that APs, which typically function as a bridge between wireless and wired LANs, should act like a traditional Ethernet hub. That means attached devices should broadcast their media access control (MAC) addresses to the AP, which should pass that information to the LAN switch. The switch then keeps a list of MAC addresses and the associated LAN ports in memory.
With that in mind, I conducted a test. I used my AirMagnet handheld scanner to detect an improperly configured AP. Mountain View, Calif.-based AirMagnet Inc. includes a cool utility with its scanner that lets you communicate with a detected AP.
Associating to the AP was simple, since — like most consumer-grade APs that show up in the enterprise — the test AP broadcast its Service Set Identifier (SSID) access code by default and had no encryption or other authentication mechanisms enabled.
Not only was I able to communicate with the AP, but my company’s Dynamic Host Configuration Protocol server immediately assigned my laptop an IP address. Since this address was internal to our network, I knew I could open a browser and reach our corporate intranet.
So I went to work. I went to an area where I had detected a rogue AP before, booted up my laptop, connected to the rogue AP and used a browser to connect to our corporate intranet. Then I logged into one of our Cisco Catalyst LAN switches to search for my laptop’s MAC address in the switch’s content-addressable memory table.
By issuing the command “show cam dynamic,” I should have been able to view a list of addresses and associated switch ports. The problem was, I wasn’t sure which building the rogue AP was in. I had to log into three different switches before I finally found my laptop’s MAC address. From there, finding the illicit device was just a matter of going into the wiring closet, tracing the cable from the switch port to the patch panel and cross-referencing that with the associated wiring maps to determine the exact jack location.
I found this one in a conference room — hidden above one of the ceiling tiles. The only indication of its existence was the telltale Ethernet and power cables stretching down one wall. I had been in this very conference room a few weeks before. How did I miss that? I suppose I went in expecting to find an AP on the counter or under the conference table. I didn’t expect people to hide them in the ceiling. I removed the clandestine device and began cleaning out the rest of the rogue APs, which I found carefully hidden away in test labs and employees’ offices.
I should add that I was lucky; this method won’t help if the AP has been set to not reveal the SSID, or in the event that encryption or authentication mechanisms are active.
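The wired-side half of the hunt described above (associate to the rogue AP, then search each switch's CAM table for your own laptop's MAC and read off the port) is tedious when you do not know which switch the AP hangs off and have to check several by hand. The script below is an added example, not part of the original column or any vendor tool: it takes captured "show cam dynamic" output from several switches, normalizes the MAC address whatever notation you typed it in, and reports the edge port where the address was learned. The switch names, the CAM text and the uplink port lists are all constructed for the example, and the line layout is an assumption modelled on CatOS output; adjust the regular expression if your switches print the table differently. Ignoring hits on known uplink or trunk ports is what keeps a core switch from reporting the MAC on the port that merely leads toward the real closet.

```python
import re

# Constructed sample: captured "show cam dynamic" text from two switches.
# Layout is an assumption modelled on CatOS; real output may differ by version.
SWITCH_OUTPUTS = {
    "bldg1-core": """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
10    00-0c-29-5a-1b-77            1/1 [ALL]
20    00-0a-95-9d-68-16            1/1 [ALL]
""",
    "bldg2-idf3": """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
10    00-0c-29-5a-1b-77            3/14 [ALL]
10    00-50-56-c0-00-08            3/2 [ALL]
""",
}

# Constructed: uplink/trunk ports per switch. A MAC learned only on an uplink
# was forwarded from another switch, so that hit does not locate the device.
UPLINK_PORTS = {"bldg1-core": {"1/1"}, "bldg2-idf3": {"1/1"}}

# One CAM entry: VLAN, dash-separated MAC, then the destination port.
CAM_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\S+)")


def normalize_mac(mac):
    """Accept 00:0c:29:5a:1b:77, 00-0c-29-5a-1b-77 or 000c.295a.1b77;
    return the 12 hex digits in lowercase so formats compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def parse_cam(text):
    """Yield (vlan, mac, port) for each dynamic entry in a CAM table dump;
    legend, header and separator lines do not match and are skipped."""
    for line in text.splitlines():
        m = CAM_LINE.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)


def locate_mac(target, outputs, uplinks=None):
    """Return [(switch, vlan, port)] for every non-uplink port on which the
    target MAC was learned. Normally one hit: the closet port to trace."""
    target = normalize_mac(target)
    uplinks = uplinks or {}
    hits = []
    for switch, text in outputs.items():
        for vlan, mac, port in parse_cam(text):
            if mac == target and port not in uplinks.get(switch, set()):
                hits.append((switch, vlan, port))
    return hits


if __name__ == "__main__":
    # The laptop MAC you associated to the rogue AP with (constructed value).
    for switch, vlan, port in locate_mac("00:0c:29:5a:1b:77", SWITCH_OUTPUTS, UPLINK_PORTS):
        print(f"{switch}: VLAN {vlan}, port {port} -> trace this to the patch panel")
```

Run it with the CAM dumps pasted in from each switch you logged into; the one hit left after uplinks are filtered is the port to trace to the patch panel and jack. Without the uplink filter the same MAC would also be reported on the core switch's 1/1, which is exactly the misleading hit that sends you to the wrong wiring closet.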
That problem solved, I turned to our official WLAN deployment. We decided to go with Aironet 1200 APs and wireless PC cards from Cisco Systems Inc. But we’ll manage and monitor the APs using AirWave Management Platform (AMP) from San Mateo, Calif.-based AirWave Wireless Inc., not Cisco’s Wireless LAN Solutions Engine (WLSE). Cisco’s APs are fine products, but the WLSE software wasn’t intuitive to use and could manage only Cisco devices. AMP can manage multiple vendors’ APs, should we need to do so.
Initially, we were reluctant to deploy AMP because we have had bad experiences with start-up companies. But my network engineer and I spent a considerable amount of time in the lab with AirWave, and we like the product. I feel confident that the company will succeed, and I was able to convince management to approve the purchase.
Now it’s just a matter of conducting a site survey to determine how many APs we’ll need to provide full coverage, and initiating a deployment plan that includes training, help desk support, management, monitoring, policies and standards.
Now that the wireless project is mostly behind me, I’ve been asked to put together a project initiation request for a deployment of a public-key infrastructure (PKI). My experience with PKI is limited. I’ve tried to roll it out at other companies in the past, but those projects quickly died once management realized the time, cost and resources required. I suspect that companies often implement PKI because it’s a cool buzzword or because it’s viewed as a point solution to a specific problem. In my experience, if it’s not executed with proper planning and resources, PKI ends up forever in prototype stage.
At a previous employer a few years ago, I attempted to implement PKI for e-mail and disk encryption. When we received the cost estimate of more than US$400,000, management decided that the risk to the information it wanted to protect wasn’t worth the cost. Instead, the company took its chances with my recommendation: Pretty Good Privacy (PGP) from Palo Alto, Calif.-based PGP Corp. The product, which PGP acquired from Network Associates Inc. in August, offers the same basic features as PKI. And with a new version and a new vendor backing it, PGP deserves consideration.
It’s been some time since I’ve been exposed to PKI, so this is the perfect opportunity to evaluate the current state of PKI technology and products. I hope that there have been some major technology and cost improvements that will make investing in PKI worthwhile this time around.
Version 8 of PGP Corp.’s popular encryption software includes updates to PGP Mail and PGP Disk for Windows and Macintosh clients, and it supports the Advanced Encryption Standard. PGP offers a freeware version, but the enterprise version, which starts at $260 per seat, includes an administration program for setting security policies and configuring and managing keys.
PGP 8 works the same way previous versions do but has an improved look and feel. I like its ability to create self-decrypting archives. Recipients don’t need PGP to read them, although they do need to know the pass phrase. I recommend PGP as a quick, inexpensive way to provide data integrity, confidentiality and nonrepudiation for basic office functions such as e-mail and file encryption.
— Mathias Thurman
Security Incidents Surge
[Chart: security incidents reported in 2002 through Q3, compared with total incidents reported in the previous five years combined. Figures not reproduced here.]
Source: CERT Coordination Center, Carnegie Mellon University, Pittsburgh
Pay by the Scan
Qualys Inc. in Redwood Shores, Calif., has introduced pay-per-scan pricing for its vulnerability assessment services. The company is offering the pricing as an alternative to its traditional billing model, which includes unlimited network scanning for an annual fee. Qualys charges for each scan request and each specified IP address. Pricing starts at $4,995 for 250 network scans and is based on a prepaid annual license.