Controlling which mobile devices can connect to your network is crucial to ensuring the privacy and integrity of
corporate assets and data. Despite this, virtually every network audit uncovers at least a few surprise nodes, ranging from printers and wireless APs to mobile devices carried by visitors, suppliers and employees.
To avoid the resulting embarrassment or penalty, institute a routine process for discovering all new devices that connect to your network without your knowledge. In this three-part series, we explore several readily available methods for mobile device discovery, starting with wireless transmission monitoring.
Something in the air
Many companies control on-site mobile access to the network in one of two places -- at the access point (AP) where wireless traffic is switched onto the LAN or at the captive portal or firewall where users are authenticated. These measures do a fine job of guarding the "front door" to your network -- the entrance through which everyone is expected to enter. But they ignore unguarded back doors where most security breaches tend to occur.
Specifically, many surprise devices are connected inside the wired network. From conference room APs installed by employees for convenience to laptops that bridge between a neighbor's WLAN and your Ethernet, poorly placed wireless devices can provide invisible-but-unfiltered outsider access to business systems. Even a short-range technology like Bluetooth can unwittingly expose sensitive data and permit unauthorized use of network connectivity services.
The first step toward closing any wireless back door is to find it. Clearly, you want to discover all previously unknown wireless devices that appear to be connected to your wired network. You also want to identify known devices that form unapproved wireless connections to external devices such as visitor handhelds or metro-area APs. In short, your goal is not simply to discover unknown wireless devices but to spot (and then stop) unauthorized and potentially risky wireless connections.
One popular method is to scan your office for wireless devices on a daily, weekly or monthly basis. In a small business or branch office, this can be accomplished by touring the facility with a portable wireless scanner -- often called a "stumbler" in honor of Marius Milner's original Wi-Fi NetStumbler (Figure 1).
Figure 1. Scanning for Wi-Fi APs and Ad Hocs
Scanners like NetStumbler use 802.11 probes to find Access Points and Ad Hoc (peer-to-peer) nodes. Other scanners, such as Wellenreiter, listen passively for beacons. All you need is a laptop or PDA with scanner software and a compatible Wi-Fi card. Depending on card sensitivity, antenna, and RF obstacles, a Wi-Fi scanner can usually find active APs and Ad Hocs up to 300 feet away.
Most Wi-Fi scanners don't identify client devices that connect to APs, however. For that, you need a Wi-Fi protocol analyzer that captures and decodes everything it hears. For example, Wireshark is a popular open source protocol analyzer that can use a Wi-Fi card in monitor mode to capture 802.11 packets and then list all source and destination devices (i.e., Wi-Fi APs and their clients).
Wireless scanning is not limited to Wi-Fi. For example, Bluetooth scanners like the one illustrated in Figure 2 use 802.15.1 Peer and Service Discovery protocols to detect other devices and their supported services.
Figure 2. Scanning for nearby Bluetooth devices
A Bluetooth scanner can usually find any type of Bluetooth device -- from mobile phones and headsets to printers and APs. But you need to get much closer to each device, since the most common class of Bluetooth device reaches just 30 feet. Furthermore, you will only find Bluetooth devices that are configured to participate in discovery.
If you periodically scan your office, you will probably find many wireless devices that belong to your company, your neighbors and your guests. You must maintain a list of known devices so that you can tell when a new one shows up. However, a "rogue" AP could be installed for weeks before you notice it. You will also miss the vast majority of transient mobile devices and risky connections that your own clients establish with unknown APs or Ad Hocs.
Alternatively, a Wireless Intrusion Prevention System (WIPS) provides continuous monitoring for known and unknown wireless devices. Not only is full-time monitoring less likely to miss devices, but it can alert you to potential threats within minutes.
A WIPS can usually compare each discovered device's address to a list of known/trusted devices. It may trace wired connectivity to determine whether a potential rogue AP is actually plugged into your network. A WIPS might even decide whether observed connections conform to your configured policies. This automated analysis can draw your attention to high-risk devices so that you can more efficiently ignore neighboring APs and visiting clients that never even try to connect to your network.
There are two approaches to continuous wireless monitoring: embedded WIPS and overlay WIPS. In the embedded approach (Figure 3), your APs monitor the air around them. Some just spend their spare time listening for unknown APs. Others can be configured to use one radio to handle traffic and a second radio to listen for APs. Some switches can even convert an ordinary AP into a full-time monitor, as needed.
Figure 3. Embedded rogue detection
In this case, rogue AP discovery is just one of many things that your WLAN does for you. An embedded WIPS will spot more devices, faster, than you could ever hope to spot with periodic scans. If you have a large distributed network, this approach will also be far less labor intensive than scans, but an embedded WIPS usually stops with discovery – it's up to you to investigate and remediate each new device.
Or you could deploy an overlay WIPS that uses dedicated sensors instead of APs to monitor the airwaves. Those sensors, installed throughout your offices, report back to a dedicated WIPS server that automatically investigates and responds to detected threats. For example, most overlay WIPS can use a sensor near a rogue AP to break any connections that it might form with your own clients (Figure 4). A WIPS can also combine multiple sensor observations to approximate an AP or client's location so that unauthorized devices can be removed without extensive searching.
Figure 4. Overlay WIPS prevention
All of these discovery methods monitor wireless traffic to spot new unknown devices, but they vary greatly in terms of cost, simplicity, efficiency and effectiveness. Many small businesses rely exclusively on periodic scanning, while most large enterprises invest in embedded or overlay WIPS for more comprehensive, efficient discovery. In fact, the line between embedded and overlay WIPS has become blurred by OEM partnerships between WLAN infrastructure and security vendors. Ultimately, the best approach for your business will depend on the size of the area to be monitored, the security policy you need to enforce, and your level of risk tolerance.
Of course, watching the airwaves is only one way to discover unknown devices. In my next tip, I will explore other methods that use your wired network to detect off-site and non-wireless devices that just might be connecting without your permission.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.