|
Enterprises that delay in deploying 802.11 wireless LANs are facing increasing risks of employees installing their own rogue wireless LANs to the enterprise network. Driven by the desire for mobility and fueled by the decreasing prices of wireless LAN hardware, these employees circumvent an enterprise's investment in IT security by plugging a $60 wireless LAN access point into an Ethernet jack and connecting a $50 wireless access card to a station.
These rogue wireless LANs are easy to install and provide the mobility that employees seek. However, the end result is a wide-open entry point to the greater enterprise network. A rogue wireless LAN effectively extends an Ethernet connection to anyone inside and outside the building. Enterprises that have decided not to deploy wireless LANs must first set a policy banning employees from installing their own networks and then determine how to enforce that policy.
This paper provides an overview of risks organizations are facing due to proliferation of rogue wireless LANs and describes multiple approaches to detecting and terminating rogue networks.
To understand the risks of rogue wireless LANs, one must first understand the security vulnerabilities of all wireless LANs. Wireless LANs face all of the security challenges of any wired networks in addition to the new risks introduced by the wireless medium that connects stations and access points.
First the medium in which a wireless LAN operates is the air. Additionally, wireless devices self deploy and have the capability to connect to strangers. Due to the growth of wireless LAN-enabled laptops and the increasingly wireless-friendly Windows XP Operating System, laptops in the default setting automatically search for an access point in which to connect. Lastly, wireless devices are transient in the way they connect. If a wireless device picks up a strong signal, it may connect with the new access point even if the AP is the laptop of an intruder in the parking lot.
Any wireless access point attached to a wired network essentially broadcasts an Ethernet connection and is a ramp to the entire enterprise network. Layer 1 and Layer 2 of a network is typically protected by the CAT5 wire within a building in a traditional wired network but is exposed in a wireless LAN.
Without proper security measures for authentication and encryption, any laptop with a wireless card can connect with the network or stealthily eavesdrop on all network traffic across that access point from any area within the colored areas on the map.
Most rogue wireless LANs are deployed with consumer-grade hardware in defaults settings that lack basic security measures of encryption, personalized Service Set Identifiers (SSIDs), and Media Access Control (MAC) address filtering. However, even these basic steps of wireless LAN security provided by consumer-grade vendors are not sufficient to secure enterprise wireless LANs, which require encryption beyond WEP, additional access control filtering, intrusion detection, and 24x7 monitoring.
Just as employees first brought personal computers to the office in the 1980s for their many benefits, employees are installing their own wireless LANs to corporate networks when IT departments are slow to adopt the new technology.
Even enterprises that are deploying wireless LANs must tackle the problem of rogue wireless LANs from employees who do not have wireless access, vendors operating within the office, or potential espionage.
Wireless LANs are comprised of access points that are attached to the enterprise network and wireless LAN access cards for laptops, hand-held devices, and desktop computers. Both unauthorized access points and unauthorized activity from wireless LAN access cards can pose significant security risks.
Rogue Access Points
Rogue wireless LANs most commonly refer to rogue access points that when attached to the corporate network broadcast a network connection. A rogue access point is any access point unsanctioned by network administrators. Most rogue access points are improperly secured with default configurations that are designed to function right out of the box with no security features turned on. Employees or even business units seeking to enhance their productivity deploy rogue access points innocently without comprehending overall security risks.
Laptops with Built-in Wireless LAN Access Cards Major computer vendors are selling increasing number of laptops with built-in wireless LAN access cards.
|
