Detection of Rogue Access Points

Jimmy Hess mysidia at gmail.com
Wed Oct 17 04:33:16 UTC 2012


On 10/14/12, Karl Auer <kauer at biplane.com.au> wrote:
> No-one has said this yet, so I will - why are people working around your
> normal network policies? This is often a sign of something lacking that
> people need in their daily work. You can often reduce this sort of
While that's no reason to stop looking for rogues...
It's a good point that policy and planning there are a crucial element;
more important than managing all network devices, or even having
antivirus or firewalls.

Because humans are a weak point -- every enterprise has them: there
are ways the humans can be exploited unwittingly, humans might
sometimes follow an improper procedure, and the eventual occurrence of
an incident related to human weakness may be inevitable.

"Lacking something they need" is not likely. If it's really true that a
forbidden thing is needed for their work -- they should be able
to persuade their org's leadership to create a variance from the policy,
or implement a solution.

It's more likely the network user introduces rogue devices because

(1) The rule wasn't written down. E.g. it was actually an
unwritten policy, never carefully formulated into writing, that nobody
may just plug in whatever network device (wireless AP, 5 port switch,
or Linksys router), even with a "good reason" to; the network users
had no document to follow explaining the mandatory steps required to
introduce a new device.

(2) The people don't know what the policy, standard, or directive
actually is: They haven't been administered adequate training and been
quizzed appropriately on the relevant policies, standards, and
guidelines; their role with regard to the policy is not understood
properly.

(3) The organization hadn't made its commitment to the pertinent IT policy clear.

For example: The network users do not have high certainty that audit
controls and procedures will be in place that will detect their infraction
and remove unauthorized equipment. If they are made certain that a
violation will be detected and will receive investigation, the rate of
non-compliance could be expected to decrease.


> Sometimes it's cheaper to give people what they want than to prevent
> them taking it. Maybe at least consider that as an option.

That depends on what 'they want', and what regulations apply to the
organization.
The feds may force various organizations into saying no, even if
network users want it, and the org. would prefer to allow it.


If what the network users want is an unmanaged personal device on a
corporate intranet, there are security considerations, which have a
non-zero level of risk, that might be judged too high.

Bandwidth and potentially firewall user licenses for i-devices to
have continuous Facebook and Youtube access are not free.

The possibility of required incident management for potential abuse cases.
Possible SOX requirements to archive Twitter/Facebook "status
update" message traffic....

etc. etc.



> Regards, K.
> Karl Auer (kauer at biplane.com.au)
--
-JH