Detecting rouge wireless devices can be a headache if not performed properly. I’ve asked customers “How do you ENFORCE your zero wireless policy?” and received many answers. Example one is “We have random sweeps with wireless detectors” which are only good at the time of the sweep and range of the detector. Example two is “We use network access control (NAC) so plugging in rouge wireless devices will be denied” which can be bypassed by having an approved laptop act as a wireless bridge. Example three is “We have wireless scanners in our building” however are they certified for all frequencies or are you missing devices on other frequencies? Here are some tips for properly detecting rouge wireless devices.
It’s extremely important to automate access control to any part of your network. Regarding the LAN, see my blog on Network Admission Control HERE. For wireless, walking the halls with a scanner such as a Fluke appliance or laptop detection software is not a reliable practice. I’ve heard stories of users powering down devices to avoid detection or rouge wireless devices on the edge of a campus being out of range or hidden behind a wall. Plus manual methods are time consuming and leave vulnerability gaps between scans.
Relying on LAN access control technologies such as port security or Network Admission Control (NAC) may stop rouge wireless devices plugged into the network however will not detect approved devices such as laptops becoming wireless bridges. Some examples could be a nearby Starbucks offering wireless near your campus, which a user could be connected to the cooperate LAN and Starbucks wireless network simultaneously. A common virus known as “Free WIFI” could turn your endpoints into open wireless bridges that permit anybody in range of your campus free WIFI access to your network.
One solution to prevent endpoint wireless bridges is locking down endpoints with software that disables wireless use when physically connected to the LAN. This may work for trusted endpoints however fails if guest or contactors are permitted on the network without security software enforcing the zero wireless policy. A better solution is developing a wireless detection solution using WIDS WIPS (Wireless Intrusion Detection / Prevention) even if you do not plan to provide wireless access. See my blog on defining WIDS WIPS HERE. Using a wireless detection solution with WIDS WIPS can detect all forms of wireless including approved LAN devices exposing rouge wireless access. It’s also wise to include data security using Data Loss Prevention (DLP) and encryption to provide defense in depth in the event your access layer is bypassed.
When developing a rouge wireless detection solution with WIDS WIPS, its best practice to deploy one dedicated WIDS WIPS sensor for every five service providing access points. When enforcing WIPS prevention, your design should be capable of leveraging multiple access points near a identified rouge device to ensure your access points are close enough to drown out the rouge signal. Hardware should be capable of detecting all channels or some rouge devices may be missed.
It’s highly recommended to treat a wireless detection solution with WIDS WIPS to detect rouge wireless devices the same way as designing a solution to provide wireless access. Site surveys are critical to how effective your detection will be. Not planning for obstacles or proper access point placement may leave you with vulnerable areas. The bonus of a rouge wireless detection system delivered properly is the capability to enable wireless using the same hardware if wireless access is desired in the future.