Oct 31 2006

Rogue Access Points Pose Major Threat to IT Security on Campus

Intrusion detection systems can pinpoint wireless security holes and protect campus networks from becoming havens for hackers and bandwidth poachers.

Network security has become one of the most important focal areas throughout university IT departments as ubiquitous wireless access has gained prominence. Although encryption and authentication will protect data transmitted wirelessly, intrusion detection systems (IDSs) offer another important means to pinpoint the origin of attacks and also aid IT decision-makers in managing college wireless networks.

Imagine the following scenario: Your network team sets up a wireless network with authentication and encryption key settings within common areas in campus buildings. Is that enough? Not really. A rogue agent could enter the network through an unsecured access point (AP).

Unsecured or rogue APs present one of the biggest challenges to securing a wireless network. Some of the ways hackers can break into an institution's network include man-in-the-middle attacks (using fake APs to intercept security credentials), encryption key monitoring (passively capturing traffic, then computing the Wired Equivalent Privacy (WEP) keys) and dictionary attacks (a brute-force attack that uses common words as possible passwords).

Perhaps the most deadly threat on campus is the rogue AP. In this method, an end user or faculty member purchases a wireless card and access point, then accesses your network. All the viruses and spyware on that unauthorized computer can sap your bandwidth.

IDS Solutions

Several products on the market address intrusion detection. Three best-in-class products that offer an extra measure of safety are CiscoWorks Wireless LAN (local area network) Solution Engine, WildPackets AiroPeek NX and AirMagnet Enterprise.

CiscoWorks Wireless LAN Solution Engine

If a college is deploying a homogeneous Cisco infrastructure for its wireless network, CiscoWorks Wireless LAN Solution Engine (WLSE) may meet its needs. This server-based IDS application centrally manages all Cisco wireless APs. It can be set up to view AP performance and will send alerts about any potential problems.

WLSE provides eight security and performance alerts. It has built-in rogue access point detection, which uses active Cisco APs on the network to find and triangulate rogue APs. CiscoWorks WLSE also allows the network manager to set up and assign profiles to various APs, which will send alerts when WLSE senses an attack. CiscoWorks WLSE only works with Cisco's Structured Wireless-Aware Network.
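As an added illustration, not part of the article and not any of these products' code, here is the core of that kind of rogue-AP check in Python: sightings reported by monitoring sensors are compared with an inventory of authorized BSSIDs, a campus SSID broadcast from unknown hardware is flagged as the fake-AP case described earlier, weak or absent encryption is noted, and the sensor that heard the strongest signal gives a first-pass location (a full system refines that by triangulating across several sensors). The inventory, sensor names and sightings are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed inventory of the campus's own APs: BSSID -> (SSID, location).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("CampusNet", "Library 1F"),
    "00:1a:2b:3c:4d:02": ("CampusNet", "Student Union"),
}
CAMPUS_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
WEAK = {"WEP", "OPEN"}  # WEP keys can be recovered passively; open APs need no key


@dataclass
class Beacon:
    bssid: str
    ssid: str
    security: str  # "WPA2", "WEP" or "OPEN"
    rssi: int      # signal strength in dBm as seen by the sensor
    sensor: str    # constructed name of the sensor that heard the beacon


def classify(b: Beacon) -> str:
    """Authorized, evil twin (campus SSID from unknown hardware), or plain rogue."""
    if b.bssid.lower() in AUTHORIZED:
        return "authorized"
    if b.ssid in CAMPUS_SSIDS:
        return "evil-twin"
    return "rogue"


def rogue_report(beacons):
    """One finding per BSSID worth attention; strongest RSSI picks the nearest sensor."""
    best = {}
    for b in beacons:
        verdict, weak = classify(b), b.security in WEAK
        if verdict == "authorized" and not weak:
            continue  # our own AP, correctly configured
        cur = best.get(b.bssid)
        if cur is None or b.rssi > cur["rssi"]:
            best[b.bssid] = {"verdict": verdict, "ssid": b.ssid, "weak_crypto": weak,
                             "rssi": b.rssi, "nearest_sensor": b.sensor}
    return best


# Constructed sightings from two sensors (same rogue heard at different strengths).
SAMPLE = [
    Beacon("00:1a:2b:3c:4d:01", "CampusNet", "WPA2", -45, "sensor-lib"),
    Beacon("00:1a:2b:3c:4d:02", "CampusNet", "WPA2", -60, "sensor-union"),
    Beacon("d8:5d:4c:aa:bb:cc", "linksys", "WEP", -70, "sensor-lib"),     # privately bought AP
    Beacon("d8:5d:4c:aa:bb:cc", "linksys", "WEP", -52, "sensor-union"),
    Beacon("02:00:00:00:00:99", "CampusNet", "OPEN", -40, "sensor-lib"),  # fake AP spoofing the campus SSID
]

if __name__ == "__main__":
    for bssid, f in rogue_report(SAMPLE).items():
        print(bssid, f["verdict"], "weak-crypto" if f["weak_crypto"] else "", "near", f["nearest_sensor"])
```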

WildPackets AiroPeek NX

WildPackets offers a line of wired network security products and also provides security for wireless networks. AiroPeek NX provides constantly updated security and performance alerts. The NX version detects attacks and offers packet decoding features based on wireless data packet type.

AiroPeek NX uses a distributed system of dedicated hardware sensors, which the network manager must place within range of the wireless network; the sensors constantly collect data and send it to a central server. Unlike CiscoWorks WLSE, AiroPeek NX is a dedicated IDS for monitoring and troubleshooting your entire wireless infrastructure.

AirMagnet Enterprise

AirMagnet provides software that turns a notebook PC's wireless card into an IDS sensor; its audible alert gets louder as the notebook approaches a rogue AP's signal. The product provides more than 135 security and performance alerts across all channels on the wireless network.

AirMagnet Enterprise is a distributed system, which uses hardware sensors to collect data and send it to a central server. The server can also be linked to a Structured Query Language database to generate reports and monitor trends. AirMagnet Enterprise supports Active Directory and Lightweight Directory Access Protocol.

A Strong Defense

Security for wireless networks is not just tightly locking down and finding intruders. It's also about fending off bandwidth poachers, quarantining infected systems, and getting students and faculty on board with your wireless access policy. The following approaches should help protect the network.

1. QUARANTINE: “Over the summer, the students' computers are all getting infected through their ISPs [Internet service providers],” says Michael Dickson, a network analyst at the University of Massachusetts (UM) Amherst. “The university is their first experience of being monitored. The ISPs don't care about viruses and will just throw more bandwidth at the problem. Bandwidth for us is an expensive commodity that costs us money, so we have to protect it.”

When an infected computer attempts to log on to the UM Amherst network, the system immediately scans the computer and sends infected machines to a quarantine area, Dickson says. That keeps viruses from infecting the network and makes fixing the problem the responsibility of the computer's owner.

UM Amherst used to shut off access, but then it couldn't send e-mails to the user. Leaving a voice message on the student's campus phone didn't work either, since most students now use only cell phones.

Says Dickson, “Now we put infected machines into a walled garden with a redirect page, and we tell them, ‘Everything is fine. Here's why you are here and how you can get back on quickly.’”

2. HOMEMADE HONEYPOTS: The homemade honeypot is an effective means to get poachers and hackers out of the shadows and into a place where you can address the problem. By setting up a honeypot (a seemingly open AP or port), the network administrator can capture the address of the computer doing the scanning, says Alexander Bordetsky, associate professor of information sciences at the Naval Postgraduate School in Monterey, Calif.

If it's a student's or faculty member's machine, you can send these poachers to a walled garden. Most IDS products will provide the option of redirecting or taking action.

3. FLEXIBILITY: Not every rogue AP warrants shutting down. Sometimes faculty need immediate access and just can't or won't wait to get wireless installed by the IT staff. If an IDS system detects rogue APs in a building with wireless only in common areas, it might not be possible to shut them down, particularly if the network port that has the rogue AP cannot be located.

A wireless airspace policy approved by faculty may offer some leverage, but if the department offers a good academic reason or business case for immediately needing wireless capability, flexibility may be the best option. In these instances, get permission to configure the APs to system settings and track them for replacement when wireless support extends to that building or department.

Yuan Wang is a freelance writer and network engineer based in Irvine, Calif. Additional reporting by Lee Copeland.