Cease and desist

A rogue, according to the Oxford dictionary, is a person who is dishonest and unprincipled.

In the wireless industry Rogue Access Points (APs) are unauthorised wireless devices that are either connected to your internal network infrastructure (this is the part where you turn white) or are performing some malicious activity against your network.

Since a rogue is a security threat to the business, how do we find them?  And if we find them, how do we stop them?

Enter the Wireless Intrusion Detection System (WIDS) or Intrusion Prevention System (WIPS).  A WIDS/WIPS takes time to setup and burn in but done right it can be a valuable asset to minimise the threat of Rogue APs.

WIDS and WIPS are easy to explain.  WIDS is a monitor, detect-only system; basically it will discover a problem and alert you to it.  WIPS will go a step further and depending on how it is configured, either begin an automated or a manual action to contain the threat.

Most enterprise wireless security offerings these days provide a combined WIDS/WIPS solution.  These commercial solutions provide reporting and an audit trail than can be useful for management and if required, legal purposes.

It is worth considering installing dedicated sensors in your network. Sensor Access Points are normal APs, but configured as ‘listen-only’ or ‘monitor-mode’.  This way they can spend 100% of their time scanning for threats (or mitigating them) and they do not interfere with the production wireless network.

Sensor APs provide a great service to the production WiFi system in two areas: they offload the task of scanning and they offload the task of containment/mitigation.  Relieving your primary, production wireless system of these tasks means it can be left alone to fulfil its primary purpose in life: service the user community.

One other useful advantage to sensor APs is that if they are of the same model as the production APs; they can be rapidly converted to production use should a production Access Point fail.

To finish up, which would you believe to be the most common Rogue AP threat to businesses out of:
a) Hackers
b) Internal staff
c) Contractors

The answer is, overwhelmingly, internal staff.  Who have no malicious intent and are probably trying to be more productive when they connect a personal AP to the internal network.

But when this happens, out the window goes the company security policies and you are left with another entry/exit point to your internal network. One that for potentially months at a time, no-one will be any the wiser.