Detection of Rogue Access Points

Sean Harlow sean at seanharlow.info
Mon Oct 15 23:06:23 UTC 2012


On Mon, Oct 15, 2012 at 12:00 PM, Joe Hamelin <joe at nethead.com> wrote:

> Maybe because he has 130 sites and 130 truck rolls is not cheap.  Also
> company policy says no.

You are correct that deploying to a number of sites isn't cheap, but the
actual relevant question is how does this cost compare to the cost of the
original request to detect these things.  In this case almost all forms of
detection/prevention except possibly looking at TTL will require new
equipment to be deployed at the site(s) anyways based on the information we
have, negating much of the extra cost.  Any active detection on the RF side
of things is generally done using WAPs in a managed network or standalone
devices that are pretty much repurposed WAP hardware anyways, but cost a
lot more.

Both of those costs must then be compared to the cost of doing nothing.
What happens if a user takes things into their own hands and either leaves
the AP open or uses some useless form of security (MAC filtering, WEP, WPA2
w/ WDS, WPA2 w/ weak password and a common SSID, etc.) allowing an attacker
into the network?

If company policy says no, maybe company policy should be re-evaluated if
enforcing said policy would cost more than the other options.  Policy isn't
supposed to be written in stone; it should adapt to the realities of the
world as they change.

Obviously this depends on the situation.  Small business that uses mostly
"cloud" services and doesn't have much if any local content to secure?
Probably not worth doing anything.  Three-letter agency?  Worth every
penny to detect and lock out unauthorized devices.  Most will be somewhere
in between; you have to evaluate the actual choices and decide the best
path.
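The TTL check the message mentions, worked through as an added example that is not part of the thread: a rogue consumer router doing NAT decrements the TTL of every packet it forwards, so a host that is supposed to sit directly on the LAN but shows up one hop away (or with several different initial-TTL signatures behind one address) is a candidate for a closer look. The flow records, the assumption that the observation point is on the same segment as the hosts, and the 64/128/255 default TTL table are all assumptions of this example.

```python
from collections import defaultdict

# Constructed sample records (src_ip, observed_ttl), as a passive tap or
# firewall log on the office LAN might record them. Assumption: the
# observation point is on the same L2 segment, so a directly attached host
# should arrive with an unmodified default TTL (commonly 64, 128 or 255).
SAMPLE_FLOWS = [
    ("10.1.1.20", 128), ("10.1.1.20", 128),
    ("10.1.1.31", 64),
    ("10.1.1.77", 127), ("10.1.1.77", 63), ("10.1.1.77", 127),
    ("10.1.1.90", 255),
]

DEFAULT_TTLS = (64, 128, 255)  # assumed common OS initial TTLs

def infer_hops(ttl):
    """Return (assumed initial TTL, hops traversed) for an observed TTL,
    using the smallest common default TTL that is >= the observed value."""
    for base in DEFAULT_TTLS:
        if ttl <= base:
            return base, base - ttl
    return None, None

def find_ttl_anomalies(flows, expected_hops=0):
    """Group flows by source address and flag sources whose packets arrive
    with more hops than expected, or with a mix of initial-TTL signatures.
    Either pattern is consistent with a NAT device forwarding for several
    clients rather than a single directly attached host."""
    by_src = defaultdict(set)
    for src, ttl in flows:
        by_src[src].add(infer_hops(ttl))
    findings = {}
    for src, sigs in by_src.items():
        reasons = []
        if any(hops > expected_hops for _, hops in sigs):
            reasons.append("extra hop")
        if len({base for base, _ in sigs}) > 1:
            reasons.append("mixed initial TTLs")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, why in find_ttl_anomalies(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(why)}")
```

Hosts with a deliberately tuned TTL or a legitimate router in the path will also trip this check, so it is a triage signal to confirm against the switch's MAC table, not a verdict on its own.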


