Detection of Rogue Access Points

George Herbert george.herbert at gmail.com
Tue Oct 16 00:44:16 UTC 2012


On Mon, Oct 15, 2012 at 4:06 PM, Sean Harlow <sean at seanharlow.info> wrote:
> On Mon, Oct 15, 2012 at 12:00 PM, Joe Hamelin <joe at nethead.com> wrote:
>
>>
>> Maybe because he has 130 sites and 130 truck rolls is not cheap.  Also
>> company policy says no.
>>
>>
> You are correct that deploying to a number of sites isn't cheap, but the
> actual relevant question is how does this cost compare to the cost of the
> original request to detect these things.  In this case almost all forms of
> detection/prevention except possibly looking at TTL will require new
> equipment to be deployed at the site(s) anyways based on the information we
> have, negating much of the extra cost.  Any active detection on the RF side
> of things is generally done using WAPs in a managed network or standalone
> devices that are pretty much repurposed WAP hardware anyways, but cost a
> lot more.
>
> Both of those costs must then be compared to the cost of doing nothing.
> What happens if a user takes things in to their own hands and either leaves
> the AP open or uses some useless form of security (MAC filtering, WEP, WPA2
> w/ WDS, WPA2 w/ weak password and a common SSID, etc.) allowing an attacker
> in to the network?
>
> If company policy says no, maybe company policy should be re-evaluated if
> enforcing said policy would cost more than the other options.  Policy isn't
> supposed to be written in stone, it should adapt to the realities of the
> world as they change.
>
> Obviously this depends on the situation.  Small business that uses mostly
> "cloud" services and doesn't have much if any local content to secure?
>  Probably not worth doing anything.  Three-letter agency?  Worth every
> penny to detect and lock out unauthorized devices.  Most will be somewhere
> in between, you have to evaluate the actual choices and decide the best
> path.

This solution - the "don't care" solution - almost fails the
negligence test for certain security regimes including PCI (credit
cards) and possibly SOX for retail data locations (and HIPAA for
hospitals / medical locations, etc).

That is not to say that there aren't still large numbers of poorly
configured branch offices or retail locations out there at any number
of retailers that fail those tests.  Reality is painful.  But if
someone sticks in a WAP, starts sniffing credit card #s floating by,
and your business finds itself on the arse end of a large painful data
breach, you will regret not paying more attention beforehand.

Not all networks are public networks.

That said, adding another DSL line and router and public WAP just so
that the store employees and the public's smartphones are happy is a
perfectly reasonable service to offer.  Separate from the
security-critical data, or with really good firewalling / tunneling /
whatever.


-- 
-george william herbert
george.herbert at gmail.com
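Sean's quoted message singles out "looking at TTL" as the one detection method that needs no new hardware at the site. The script below is an added example, not code from anyone in this thread, showing what that passive check looks like in practice. It assumes flow or packet records (source IP, observed IP TTL) are taken at the site's first-hop switch or router, so a legitimately attached host arrives with its OS default TTL intact; the `expected_hops` parameter, the sample records and the address space are all constructed for illustration. Two signals are checked: a TTL one or more below a common OS default (traffic has crossed an extra router, i.e. a NAT'ing rogue AP), and two different OS default TTLs behind a single address (several devices sharing one NAT'd IP). A rogue AP running in pure bridge mode does not decrement TTL, so this catches only the NAT'd case, and any legitimate router between the hosts and the capture point must be reflected in `expected_hops` or it will trip the check.

```python
"""Passive TTL check for NAT'd rogue access points.

Added example (not from the NANOG thread). Assumes records are captured at the
site's first-hop device, so a directly attached host shows its initial TTL.
"""
from collections import Counter, defaultdict

# Common initial TTLs: 64 (Linux, macOS, most phones), 128 (Windows),
# 255 (routers, some embedded gear). Anything observed below one of these
# has been decremented by an intermediate router.
INITIAL_TTLS = (64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed_initial_ttl, hop_count) for an observed TTL.

    Picks the smallest common initial TTL that is >= the observed value; the
    difference is the number of routers the packet has crossed.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} is not a valid IPv4/IPv6 TTL")


def analyze(records, expected_hops=0, min_samples=3):
    """Flag source addresses whose TTL pattern suggests a NAT'd rogue router.

    records: iterable of (src_ip, observed_ttl) tuples.
    expected_hops: routers legitimately between the hosts and the capture
                   point (0 when capturing on the hosts' own segment).
    min_samples: ignore addresses seen fewer times than this to avoid
                 flagging on a single odd packet.
    Returns {src_ip: [reason, ...]} for suspect addresses.
    """
    per_host = defaultdict(Counter)  # ip -> Counter of (initial, hops)
    for ip, ttl in records:
        per_host[ip][infer_hops(ttl)] += 1

    suspects = {}
    for ip, seen in per_host.items():
        if sum(seen.values()) < min_samples:
            continue
        reasons = []
        if any(hops > expected_hops for _, hops in seen):
            reasons.append("TTL decremented: traffic crossed an unexpected router hop")
        if len({initial for initial, _ in seen}) > 1:
            reasons.append("multiple OS default TTLs behind one address")
        if reasons:
            suspects[ip] = reasons
    return suspects


# Constructed sample: three normal hosts and one address (10.20.1.40) that is
# really a consumer router with a Windows laptop and a phone behind it.
SAMPLE_RECORDS = [
    ("10.20.1.15", 128), ("10.20.1.15", 128), ("10.20.1.15", 128),  # Windows PC
    ("10.20.1.22", 64), ("10.20.1.22", 64), ("10.20.1.22", 64),     # printer
    ("10.20.1.40", 63), ("10.20.1.40", 63),                         # phone via NAT
    ("10.20.1.40", 127), ("10.20.1.40", 127),                       # laptop via NAT
    ("10.20.1.50", 63),                                             # one packet only
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_RECORDS).items()):
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Running it on the constructed records reports only 10.20.1.40 with both reasons; 10.20.1.50 is seen once and stays below `min_samples`, which is the kind of threshold you want before anyone drives to a branch office on the strength of a single packet.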


