How do you prevent rogue wireless access points on a network?

  • Depending on what type of traffic is going over the network, it's often not feasible for an employee to bring in a wireless router and set it up on your network. This is because such devices are often not secured, or are poorly secured, and present a backdoor into the network. What can you do to prevent rogue wireless access points from being introduced into your network?

  • Lucas's answer above is a bit of a starting point. There are, however, two or three other things that must be considered. These end up being somewhat outside the scope of network engineering, but they certainly have impacts for network engineering and security, so here they go.

    1. You probably want some way of preventing wireless cards in company laptops from being switched into ad hoc mode. Assuming the laptops are running Windows, you probably want to use a GPO to set them to infrastructure mode only. For Linux, it is harder to fully restrict, but there are ways to do this too.

    2. Enforcing IPSec is also a good idea, particularly with good key management and trusted enforcement. For example, if you can go to X.509 certs for key management, this can keep unauthorized devices from communicating with the rest of your network directly. Consider key management a core part of the infrastructure here. If you use a proxy server, you may even be able to block unauthorized devices from accessing the internet.

    3. Note the limitations of your efforts. None of these prevents a person from setting up an unsecured wireless access point connected to a USB NIC for the sole purpose of communicating with their own computer, especially if the SSID is hidden (i.e. not broadcast).

    Not sure how to further contain problems, or whether further paranoia is well past the point of insufficient returns...

    +1 for disabling ad hoc mode; it's easy to miss that your own managed devices can be turned into rogue APs.

    @MDMoore313: An Ad-Hoc STA is not an AP.

    @BatchyX that's true, my mistake.

    I don't think one can run an AP on Windows either. One can on Linux if the wireless card and driver support it, though. So that's one more thing on the Linux checklist...

    @ChrisTravers: Yes you can, works well too. See, among others
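    The "infrastructure mode only" control from item 1 of the answer above, as an added example (not code from the answer or its comments): a PowerShell script that applies the local equivalent of the GPO setting on one laptop and then audits that both controls are actually in place. It assumes an English-language Windows client with the WLAN AutoConfig service, run from an elevated prompt; the `netsh wlan` filter and hosted-network commands are the built-in ones, while the two function names are mine.

    ```powershell
    # Added example: local equivalent of the "Prevent connections to ad hoc networks" GPO
    # (Wireless Network (IEEE 802.11) Policies > Network Permissions), plus a check that the
    # laptop itself cannot be turned into a software AP. Assumes an elevated prompt and an
    # English-language Windows, because the audit parses netsh's localized text output.

    function Set-InfrastructureOnlyWlan {
        # Block association with any ad hoc (IBSS) network, whatever its SSID.
        netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
        # Disallow the Windows "hosted network" (soft AP), so a managed laptop cannot
        # become the rogue access point that the comments above warn about.
        netsh wlan set hostednetwork mode=disallow | Out-Null
    }

    function Test-InfrastructureOnlyWlan {
        # Returns a summary object; Compliant is $true only when every check passes.
        $filters    = (netsh wlan show filters)       | Out-String
        $hosted     = (netsh wlan show hostednetwork) | Out-String
        $interfaces = (netsh wlan show interfaces)    | Out-String

        # A "deny all ... adhoc" entry appears in the block list once the filter is set.
        $adhocDenied   = $filters -match 'deny\s+all.*ad\s*-?\s*hoc'
        # Hosted network reports "Mode : Not allowed" after the disallow command.
        $hostedBlocked = $hosted  -match 'Mode\s*:\s*Not allowed'
        # Defence in depth: flag any adapter that is currently in an ad hoc network
        # (a pre-existing association that the new filter does not tear down by itself).
        $adhocActive   = $interfaces -match 'Network type\s*:\s*Ad\s*-?\s*hoc'

        [pscustomobject]@{
            AdhocDenied   = [bool]$adhocDenied
            HostedBlocked = [bool]$hostedBlocked
            AdhocActive   = [bool]$adhocActive
            Compliant     = [bool]($adhocDenied -and $hostedBlocked -and -not $adhocActive)
        }
    }

    Set-InfrastructureOnlyWlan
    Test-InfrastructureOnlyWlan | Format-List
    ```

    In a managed fleet the `Test-` function is the useful half: deploy the setting through the GPO and run the audit from your configuration-management or endpoint tooling so that drift (or a hosted network someone re-enabled) shows up as `Compliant : False`.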

