Rogue access point: Difference between revisions

From Wikipedia, the free encyclopedia
Latest edit by PrimeBOT (minor): Task 24: elink template removal following a TFD
 

Latest revision as of 04:44, 19 October 2024

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator,[1] whether added by a well-meaning employee or by a malicious attacker.

Dangers

Although it is technically easy for a well-meaning employee to install a "soft access point" or an inexpensive wireless router—perhaps to make access from mobile devices easier—it is likely that they will configure this as "open", or with poor security, and potentially allow access to unauthorized parties.

If an attacker installs an access point, they are able to run various types of vulnerability scanners and, rather than having to be physically inside the organization, can attack remotely, perhaps from a reception area, an adjacent building, a car park, or, with a high-gain antenna, even from several miles away. When a victim connects, the attacker can use network sniffing tools to capture and monitor data packets and possibly recover credentials from the malicious connection.

Prevention and detection

To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

A large number of wireless access points can be sensed in the airspace of a typical enterprise facility. These include the managed access points of the secure network plus access points in the neighborhood. A wireless intrusion prevention system facilitates the job of auditing these access points on a continuous basis to learn whether there are any rogue access points among them.

In order to detect rogue access points, two conditions need to be tested:

  1. whether or not the access point is in the managed access point list
  2. whether or not it is connected to the secure network

The first of the above two conditions is easy to test: compare the wireless MAC address of the access point (also called its BSSID) against the list of managed access point BSSIDs. However, automated testing of the second condition can become challenging because of the following factors: a) the need to cover different types of access point devices, such as bridging, NAT (router), unencrypted wireless links, encrypted wireless links, different kinds of relations between the wired and wireless MAC addresses of access points, and soft access points; b) the need to determine access point connectivity with acceptable response time in large networks; and c) the need to avoid both false positives and false negatives, which are described below.

False positives occur when the wireless intrusion prevention system detects an access point that is not actually connected to the secure network as a wired rogue. Frequent false positives waste administrative bandwidth spent chasing them. The possibility of false positives also hinders the enabling of automated blocking of wired rogues, because of the fear of blocking a friendly neighborhood access point.

False negatives occur when the wireless intrusion prevention system fails to detect an access point that actually is connected to the secure network as a wired rogue. False negatives result in security holes.

If an unauthorized access point is found connected to the secure network, it is a rogue access point of the first kind (also called a "wired rogue"). On the other hand, if the unauthorized access point is found not to be connected to the secure network, it is an external access point. Among the external access points, if any is found to be mischievous or a potential risk (e.g., one whose settings can attract, or have already attracted, wireless clients of the secure network), it is tagged as a rogue access point of the second kind, which is often called an "evil twin".
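The two-condition test and the categories it yields (managed, wired rogue, external, evil twin) can be written out directly. The following Python is an example added to this page; it is not code from Wikipedia or from any wireless intrusion prevention product. The managed-AP inventory, the switch forwarding table and the list of observed access points are constructed sample data, and the MAC-adjacency rule used for the wired-connectivity test (a radio BSSID usually lies within a few addresses of the same device's wired MAC) is one common heuristic chosen for illustration, not a rule the article states.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (not from the article or any real network).
MANAGED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:11"}   # authorised AP inventory
CORPORATE_SSIDS = {"CorpNet"}                                  # SSIDs we legitimately broadcast
WIRED_MACS = {                                                 # entries from a switch forwarding table
    "00:11:22:aa:bb:00",   # wired interface of managed AP ...:01
    "00:11:22:aa:bb:10",   # wired interface of managed AP ...:11
    "f4:5c:89:12:34:50",   # wired interface of a consumer router plugged into a desk port
    "3c:22:fb:00:00:99",   # an ordinary laptop
}
OBSERVED_APS: List[Tuple[str, str]] = [   # (BSSID, SSID) heard by a wireless sensor
    ("00:11:22:AA:BB:01", "CorpNet"),
    ("f4-5c-89-12-34-52", "HomeWifi"),
    ("d8:0d:17:77:77:77", "CorpNet"),
    ("d8:0d:17:55:55:55", "CoffeeShop"),
]
# Assumption of this example: an AP's radio BSSID usually lies within a few
# addresses of its wired MAC (same OUI). This is one heuristic for condition (2);
# a real WIPS combines several tests to handle NAT routers and soft APs too.
MAC_WINDOW = 8


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def _split(mac: str) -> Tuple[str, int]:
    """Return (OUI prefix, NIC-specific 24 bits as an int) for a normalized MAC."""
    return mac[:8], int(mac[9:].replace(":", ""), 16)


def is_managed(bssid: str, managed: Iterable[str] = MANAGED_BSSIDS) -> bool:
    """Condition (1): is the BSSID on the managed access point list?"""
    return normalize_mac(bssid) in {normalize_mac(m) for m in managed}


def is_wired_connected(bssid: str, wired_macs: Iterable[str] = WIRED_MACS,
                       window: int = MAC_WINDOW) -> bool:
    """Condition (2), heuristically: same OUI as a wired MAC and NIC part within `window`."""
    oui, nic = _split(normalize_mac(bssid))
    for wired in wired_macs:
        w_oui, w_nic = _split(normalize_mac(wired))
        if w_oui == oui and abs(w_nic - nic) <= window:
            return True
    return False


def classify(bssid: str, ssid: str) -> str:
    """Map one observed AP to the article's categories."""
    if is_managed(bssid):
        return "managed"
    if is_wired_connected(bssid):
        return "wired rogue"          # unauthorised AND on the secure network
    if ssid in CORPORATE_SSIDS:
        return "evil twin"            # external, but luring our clients with our SSID
    return "external"                 # unauthorised, not on our network, not impersonating


def classify_all(observed: Iterable[Tuple[str, str]] = OBSERVED_APS) -> Dict[str, str]:
    """Classify every observed AP, keyed by normalized BSSID."""
    return {normalize_mac(b): classify(b, s) for b, s in observed}


if __name__ == "__main__":
    for bssid, verdict in classify_all().items():
        print(f"{bssid}  {verdict}")
```

The sample run labels the consumer router as a wired rogue because its radio address sits two below a MAC seen on the switch, and labels the unknown AP broadcasting "CorpNet" as an evil twin. The same data illustrates the article's caveats: a neighbouring AP from the same vendor whose addresses happen to fall inside the window would be flagged as a false positive, and a NAT router or soft AP whose wired and wireless MACs are unrelated would be missed as a false negative, which is why condition (2) is the hard one and why automated blocking on a single signal is risky.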

Soft access point

A "soft access point" (soft AP) can be set up on a Wi-Fi adapter using, for example, Windows' virtual Wi-Fi or Intel's My WiFi. This makes it possible, without the need for a physical Wi-Fi router, to share the wired network access of one computer with wireless clients connected to that soft AP. If an employee sets up such a soft AP on their machine without coordinating with the IT department and shares the corporate network through it, then this soft AP becomes a rogue AP.[2]

References

1. "Identifying Rogue Access Points". wi-fiplanet.com. http://www.wi-fiplanet.com/tutorials/article.php/1564431. Archived from the original on 2017-10-05 (https://web.archive.org/web/20171005152418/http://www.wi-fiplanet.com/tutorials/article.php/1564431). Retrieved 2020-02-18.
2. "Security risk exposure increases due to windows 7 virtual WiFi capability". April 2010. http://www.infosecurity-us.com/view/8500/comment-security-risk-exposure-increases-due-to-windows-7-virtual-wifi-capability/. Retrieved 2010-04-01.

External links

* Roguescanner - Open source network based rogue access point detection: http://sourceforge.net/projects/roguescanner/