Problem solve Get help with specific problems with your technologies, process and projects.

Guilt by 'accidental association': The distinctions between rogue and unapproved access points

Companies want their laptops to associate only with approved and secure wireless access points, but making sure that happens is a lot trickier than you might think.

One of the more interesting and unusual aspects of being a mobile and wireless consultant is that people think nothing of asking you for a quick bit of advice or guidance.

It's unusual because these same people probably would not ask a surgeon they bumped into on the street to perform a quick operation, or a barber in a hotel elevator to take a little of the top, or a car mechanic at a party to provide a quick fix for that annoying rattle under the hood of their late-model automobile. It's interesting, however, because we learn a lot when an end user (or even a vendor) tells us about their problems.

Recently, at a wireless security seminar, we were approached by an IT executive in charge of IT and wireless networking for a rather large insurance company, who wanted to know if there was any way they could beef up their current security measures. The company's mobile workforce frequently made use of 802.11 Wi-Fi hot spots to transmit data and update central information resources. Specifically, she wanted to know if there were any technology tricks, beyond the standard virtual VPNs and secure tunneling techniques, that would allow her company to actually apply some control and management functions to remote and independent wireless access points (APs).

The truth is that nothing can be done to control outside wireless access points like those installed in your local Starbucks, nearby hotel lobby or local library. This is a problem for many companies since mobile workers rely on these Wi-Fi hotpots to connect to the Internet and send e-mail or access corporate files. Obviously, the hosts of these systems have no compelling reason to track users and ensure security beyond your basic passwords and IDs.

The IT executive then asked if management and control systems could be implemented if they installed and serviced the wireless system, perhaps within the drive-through damage appraisal bay of a garage or service station. In this case, additional security measures could be added and user access monitored, although it might wind up being more trouble than it's worth. Also, since the operational area of the wireless network is a shared space, you could run into some legal issues over the misuse of the Wi-Fi airways should there be some kind of unauthorized access.

The problem of managing remote wireless airways becomes even more complicated as the number of these wireless systems increases. As if internal wireless security were not enough of a concern for IT and network managers, now they must also worry about such things as "accidental associations" and foreign yet friendly wireless networks. Operating systems such as Windows XP, for example, are designed to sniff out and lock onto the strongest wireless signal when trying to establish a wireless connection. Most wireless systems require some kind of SSID code in order to let you in the front door, although there are those that will allow general access without such formalities. This is when problems might arise, since users may assume they are logged onto a trusted company wireless network, when in fact they are accidentally exchanging potentially sensitive e-mail and access data over an unknown (but not necessarily "rogue" wireless access point).

Accidental associations happen more often than most companies are willing to admit, and will be an increasing problem as more and more wireless systems light up the business landscape. If you want a dramatic demonstration of just how many wireless networks are broadcasting in and around your business check out, a Web site that collects information on wireless access points and constantly maps out their location. The site not only offers a graphical representation of active wireless APs, but also details the MAC address and broadcast channel of these sites -- often more information than most people can easily get from their own network administrator!

Fortunately, you can do something about preventing employees within your building from accidentally associating with the wireless AP at the Starbucks down the street or the financial institution next door. There are technologies available that can instantly notify a network administrator if a user is internally accessing a 'non-approved' AP. Once alerted, that user can be identified and told to take measures to avoid automatically connecting to that outside AP.

It does get a little tricky, though, when it comes down to preventing the broadcast signal of that outside AP from creating a wireless target for the automatic sniffing capabilities of Windows XP. If the AP resided within your corporate walls, you could essentially lock it out and even shut it down until it is recognized or approved. But, if you do that -- either accidentally or purposely -- to a 'friendly' but non-approved AP that sits in the financial institution next door, you could be liable for damages or guilty of obstructing their business operations.

Later this year, at least one wireless security company plans to unveil a technology aimed at limiting or to some extent controlling "accidental associations" with outside wireless access points. But, as the executives of this company point out, doing so is tricky at best.

Tim Scannell is the president and chief analyst with Shoreline Research, a Quincy, Mass.-based consulting company specializing in mobile and wireless technology and initiatives. Shoreline works with end users, looking to implement mobile solutions, and vendors, developing new products and seeking business and customer opportunities. The company also specializes in training and strategic planning projects. For more information on Shoreline Research and the company's strategic services please go to

Dig Deeper on Enterprise mobility strategy and policy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.