LOCATE ROGUE WIRELESS ACCESS POINTS

The explosion of wireless technology into the hands of end users is one of the biggest challenges facing IT security officers and network administrators. With their transparent bridging, today's wireless access points are easy to set up and even easier to misconfigure, which leaves your network vulnerable to hackers.

There are two basic approaches for locating rogue access points: beaconing (requesting a beacon) and network sniffing (looking for packets in the air). Each method relies on a different feature of the IEEE 802.11b wireless standard to discover the access points, and the weaknesses they introduce, on your network.

REQUESTING A BEACON

The IEEE 802.11b standard is designed to let a wireless device see the SSIDs (Service Set Identifiers) used by nearby wireless access points. When the wireless device sees an SSID, it can configure itself to connect to that wireless network. To make this work, an 802.11b-compliant network card transmits a packet (a beacon) that causes all of the access points in the vicinity to announce their availability.

This is an effective method because it doesn't require any current traffic. The problem with this mechanism is that the access point must be configured to respond to these beacon requests. Most enterprise-class access points let you turn this setting off. Because of this, the beaconing mechanism isn't completely effective at finding all wireless access points.

However, some users may not be aware that they should disable this feature when they deploy their wireless access points. In addition, inexpensive wireless access points intended for home use don't normally allow you to disable the beaconing mechanism at all. Because they're inexpensive, they are the type of device most likely to be smuggled in and connected to your network without your knowledge.

SNIFFING FOR PACKETS

"Sniffing" is another mechanism for detecting a wireless network's presence. It involves turning on the receiver on the wireless card and allowing the receiver to passively capture packets out of the air. When the receiver finds information that looks like a packet, it can record the information, allowing the hacker to deconstruct the packets. Using the deconstructed information, the hacker can find a way to access your network.

The problem with the sniffing mechanism is that currently you must select a specific channel to monitor. Given that 802.11b can operate on 12 channels, it's difficult to constantly switch between channels to monitor packets. So it's technically feasible to detect an access point by sniffing traffic, but it's impractical at present.

Another problem with sniffing is that there must be traffic on the network for this method to work. If no one is using the rogue access point, there's no traffic to monitor. The access point could be right next to you, but if it's not in use, your monitor will never find it.

Beyond these limitations, sniffing wireless packets is a useful way to determine who's using the wireless access point after it's been identified.
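Whichever approach collects the frames, the result is the same kind of data: beacons an access point transmits on its own and the responses it sends to a beacon request are both 802.11 management frames that carry the SSID and the channel the access point is using. The script below is an added example, not from the article, showing how a defender can parse such frames and check them against an inventory of authorized BSSIDs; the inventory, the MAC addresses and the captured frames are all constructed, and a real capture from a card in monitor mode would also have its driver header stripped first.

```python
import struct

# Constructed inventory of authorized access points (BSSID -> expected SSID); assumed for this example.
AUTHORIZED = {"00:11:22:33:44:55": "corp-wlan"}

def make_mgmt_frame(bssid: str, ssid: str, channel: int, subtype: int = 8) -> bytes:
    """Build a minimal 802.11 beacon (subtype 8) or probe response (subtype 5) carrying an SSID and a channel tag."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, beacon interval, capability info
    tags = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])  # SSID tag, DS Parameter Set tag
    return header + fixed + tags

def parse_mgmt_frame(frame: bytes):
    """Return BSSID, SSID, channel and frame kind for a beacon or probe response; None for anything else."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (5, 8) or len(frame) < 36:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # addr3 carries the BSSID in management frames
    body = frame[36:]  # past the 24-byte MAC header and 12 bytes of fixed parameters
    ssid, channel, i = None, None, 0
    while i + 2 <= len(body):  # walk the tagged parameters: tag, length, value
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated capture: stop rather than misread the remainder
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            channel = value[0]
        i += 2 + length
    return {"bssid": bssid, "ssid": ssid, "channel": channel, "kind": "beacon" if subtype == 8 else "probe-response"}

def find_rogues(frames, authorized=AUTHORIZED):
    """Flag access points absent from the inventory, or inventoried BSSIDs advertising an unexpected SSID."""
    findings = {}
    for ap in filter(None, map(parse_mgmt_frame, frames)):
        expected = authorized.get(ap["bssid"])
        if expected is None:
            findings[ap["bssid"]] = ("not in inventory", ap)
        elif expected != ap["ssid"]:
            findings[ap["bssid"]] = ("inventoried BSSID with unexpected SSID", ap)
    return findings

# Constructed capture: the authorized AP, a consumer AP that also answers beacon requests, and a data frame to ignore.
SAMPLE_FRAMES = [
    make_mgmt_frame("00:11:22:33:44:55", "corp-wlan", 1),
    make_mgmt_frame("aa:bb:cc:dd:ee:ff", "linksys", 6),
    make_mgmt_frame("aa:bb:cc:dd:ee:ff", "linksys", 6, subtype=5),
    bytes([0x08, 0x00]) + b"\x00" * 22 + b"not a management frame",
]
```

The channel reported for each finding tells you where to tune the card next, which matters because, as noted above, a card can only monitor one channel at a time.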

Once you find the rogue access points on your network, you need to determine a course of action. You can confront the user who has deployed the access point and then either secure it or remove it. You can also use a wireless sniffer to determine the type of traffic passing through the access point to see if a spy or hacker is trying to access your network.

Now, you'll have the information you need to help law enforcement apprehend the culprit.