Handling Rogue Access Points

Rogue Access Point

Handling Rogue Access Points – Rogue access points have become a sort of hot-button issue. Rogue access points are any wireless access points that exist on your network without the consent of the business. Even “secure” rogue access points that are connected to your network can pose a security risk. Preventing rogue access points can be a little tricky, although not impossible. Not only is it critical for you to find and remove rogue access points from your network, but it can actually be pretty fun!

Rogue wireless networks have received so much attention that some compliance standards require businesses to specifically address them. For example, the Payment Card Industry (PCI) Data Security Standard, which is the security standard that companies that process credit card information must comply with, has the following requirement:

Even though your organization might not have to comply with PCI, this is still a great process to adopt.

Preventing Rogue Wireless Networks

There are actually very reliable ways to prevent rogue wireless networks from working on your network. You should note that I didn’t say “prevent them from being plugged into your network.” There’s really no way to truly prevent rogue wireless devices from being plugged into your network. The best you can do is educate your users on the dangers of plugging rogue devices into your network and back up the policy with administrative discipline if users don’t comply. As far as preventing outsiders from placing rogue devices on your network for malicious purposes, you have to rely on your physical security. In addition, you should educate your users to notify the IT department if they notice anything plugged into a network jack that doesn’t look like it belongs there.

Therefore, if you can’t rely on preventing the devices from being plugged into your network, you should focus on preventing them from functioning properly once they are plugged in. Here are your best solutions for preventing them from operating:

● 802.1x (Port-Based Access Control)
● Network Access Control
● Port Security

802.1x Port-Based Access Control

Yes, good old 802.1x. You should be very familiar with it at this point. Remember that 802.1x does not allow a device to communicate past the authenticator (in this case, a network switch) until after the device has authenticated.

Just as with 802.1x for wireless networks, we have the flexibility to authenticate against a variety of backend systems. In this scenario, we’re authenticating to a RADIUS server, which authenticates the user against Active Directory. The same restrictions we covered in previous chapters can be configured here—restrictions based on user, group, or even time of day to grant or deny access to the network.

If you configure your switches to require 802.1x authentication, how will this prevent an unauthorized wireless network from operating on your network? The first and most important point is that an attacker should not have valid credentials for your network. Even if an attacker plugs a device with an 802.1x supplicant (client software) into your network, he won’t be able to authenticate, and therefore the port will be useless to the attacker.
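As an added example (not from the original post), here is the switch side of the 802.1x setup just described on a Cisco IOS switch: the RADIUS server address, shared secret, and interface are assumed values.

```cisco
! Added example: require 802.1x on an edge port. The RADIUS address,
! shared secret and interface are assumed values, not from the post.
Sw1# configure terminal
Sw1(config)# aaa new-model
! Point 802.1x authentication at the RADIUS server, which in turn
! checks the user or machine account against Active Directory
Sw1(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SharedSecretPlaceholder
Sw1(config)# aaa authentication dot1x default group radius
! Enable 802.1x globally; without this the per-port settings do nothing
Sw1(config)# dot1x system-auth-control
Sw1(config)# interface fastethernet0/10
Sw1(config-if)# switchport mode access
! auto: the port passes only EAPOL frames until the supplicant
! authenticates, so an unauthenticated rogue AP gets nothing
Sw1(config-if)# authentication port-control auto
Sw1(config-if)# dot1x pae authenticator
Sw1(config-if)# end
! Verify: the port stays UNAUTHORIZED until a valid supplicant appears
Sw1# show dot1x interface fastethernet0/10 details
Sw1# show authentication sessions interface fastethernet0/10
```

On older IOS releases the per-port command is `dot1x port-control auto` rather than `authentication port-control auto`; the behavior is the same.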

Network Access Control

Network Access Control is a terrific technology that operates similarly to 802.1x and really expands on the idea of authenticating endpoints before they’re allowed to use your network. NAC builds on 802.1x by allowing you to examine endpoints and make sure they are compliant with certain technical policies you have configured. These technical policies can include verifying that the endpoint has up-to-date antivirus software installed, up-to-date operating system patches or service packs, and even specific registry settings and configuration options, among many other checks.

In the event a user plugs an unauthorized access point into your network that is restricted by NAC, you would have a similar situation to the one previously described with 802.1x. A lot of this ultimately depends on exactly how you’ve configured your NAC policies. For example, some NAC solutions allow you to quarantine unauthenticated devices into a restricted VLAN. This restricted VLAN could give these devices access to only specific resources, such as the Internet, or nothing at all.

Now, this isn’t to say that you should go out and deploy NAC to combat the risk of rogue wireless networks. However, if you already have NAC or are considering deploying NAC, it’s good to know that it can also mitigate the risk from rogue access points. There are many choices for NAC solutions and an insane number of ways to configure them.

Port Security

Port security allows you to configure MAC address restrictions on physical switch ports. The restrictions can limit the total number of MAC addresses allowed to come into a particular port, or the port can be restricted to allow only specific MAC addresses. You can also configure the action taken if either of these restrictions is violated. The action can be to disable the port and/or alert an administrator. Alternatively, you can drop any packets that are not from an allowed source MAC address. If you configure port security to disable the port, an administrator would have to manually enable the port to return it to a functional state.

You need to understand the operation and limitations of port security if you’re going to use it. Typically, you won’t want to enable port security on uplinks between switches. To support our goal of preventing rogue wireless access points, we’ll want to configure port security only on “edge” ports, or ports that connect to end devices. Let’s look at a few simple scenarios. First, we’ll configure our switch to only allow one MAC address on the port:

Sw1# configure terminal
Sw1(config)# interface fastethernet0/10
Sw1(config-if)# switchport mode access
Sw1(config-if)# switchport port-security
Sw1(config-if)# end

In the preceding example, you can see that the only command we need to enable port security on interface FastEthernet0/10 is the switchport port-security command. This uses the default configuration of only allowing one dynamically learned MAC address on the port. If more than one MAC address is learned on the port, the interface will be disabled.

We could also choose to only allow specific MAC addresses to enter the switch through the configured ports. The MAC addresses that are allowed on a specific port are referred to as secure MAC addresses. You can either manually define the MAC addresses allowed on a port, learn them dynamically, or a combination of the two.
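As an added example (not from the original post), here is the secure-MAC scenario on a Cisco IOS switch: one statically defined address plus one sticky-learned address, a violation mode that drops and logs instead of disabling the port, SNMP traps for violations, and automatic recovery for ports that do get err-disabled. The interface, MAC address, SNMP host, and community string are assumed values.

```cisco
! Added example: secure MAC addresses on an edge port. The interface,
! MAC address, SNMP host and community are assumed values, not from the post.
Sw1# configure terminal
! Notify the management station when a port-security violation occurs
Sw1(config)# snmp-server enable traps port-security
Sw1(config)# snmp-server host 192.0.2.50 version 2c ROGUE-TRAPS
! Let ports shut down by a violation recover after 5 minutes instead of
! waiting for an administrator to issue "no shutdown"
Sw1(config)# errdisable recovery cause psecure-violation
Sw1(config)# errdisable recovery interval 300
Sw1(config)# interface fastethernet0/11
Sw1(config-if)# switchport mode access
Sw1(config-if)# switchport port-security
! Allow two secure addresses: the known desktop plus one learned address
Sw1(config-if)# switchport port-security maximum 2
Sw1(config-if)# switchport port-security mac-address 0011.2233.4455
! Learn the remaining address once and keep it in the running config
Sw1(config-if)# switchport port-security mac-address sticky
! restrict: drop frames from any other source MAC, increment the
! violation counter and send a trap/syslog, but keep the port up
Sw1(config-if)# switchport port-security violation restrict
Sw1(config-if)# end
! Verify the secure addresses and watch the violation counter
Sw1# show port-security interface fastethernet0/11
Sw1# show port-security address
! Save so the sticky address survives a reload
Sw1# copy running-config startup-config
```

Note that a rogue device that NATs its wireless clients presents only its own MAC on the wire, so the maximum-count limit alone will not catch it; the static and sticky address list is what makes the port refuse an unknown device.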

Port security actually has many more configuration options. We’ve covered a few of the most common scenarios for configuring port security. For a more in-depth look at the configuration options available, check out the Cisco website.
