Mobile & Wireless UPDATE reader Jimmy Tharel recently inquired whether automatically detecting rogue Access Points (APs) in an enterprise wireless LAN (WLAN) environment is possible. In past columns, I've written about using scanning solutions such as NetStumbler to detect rogue APs. Such software is fine for a small office/home office (SOHO) user like me, or even for a small branch office, but not for an enterprise administrator who might be dealing with multiple locations.
In such a scenario, the ideal solution would be software that inspects the data that your APs and routers (and possibly the wireless devices themselves) provide, then issues an automatic alert should an unauthorized AP turn up. Several software vendors have already addressed this need.
AirDefense offers a product called RogueWatch, the specific purpose of which is to detect wireless APs. The product performs its job completely automatically, in conjunction with AirDefense's proprietary wireless Intrusion Detection System (IDS). For more information about RogueWatch, go to http://www.airdefense.net/products/roguewatch.shtm .
AirWave offers optional wireless rogue AP detection modules as part of its AirWave Management Platform. The wireless modules work only with certain APs. For more information about these modules, go to http://www.airwave.com/marketing_docs/airwave_rogue_detection.pdf .
Wavelink provides rogue AP detection as part of its Wavelink Mobile Manager product. Wavelink's approach generates a report of all APs within each mobile device's range, then compares this report against a list of known APs. For more information about this functionality, go to http://www.wavelink.com/downloads/pdf/wlmobilemanager_hiw_1002.pdf .
Probably the most interesting development in this area--and the reason I decided to devote this commentary to the subject--involves Cisco Systems. As we go to press, the 800-pound gorilla of the networking arena has announced that it will offer rogue AP detection in fourth quarter 2003 as part of its Structured Wireless-Aware Network initiative. According to a Cisco press release, features will include "active detection, blocking, and graphical depiction of the location of rogue APs \[and\] alerts on security policy deviations." These features will be available in a firmware upgrade for Cisco Aironet 1100 and Cisco Aironet 1200 series routers. To read the press release, go to http://newsroom.cisco.com/dlls/prod_060203.html .
The fact that Cisco is taking the rogue AP problem seriously is a reflection of the explosive rise of wireless products in the enterprise space. And you can see the value of enterprise administrators using 24 x 7 monitoring software rather than wandering through their campus with a scanner. (However, I'd still recommend a periodic check to make sure the monitoring software isn't missing anything.)
I'm extremely interested in hearing from any readers who are using these (or other) automated solutions for rogue AP detection. I doubt Tharel is the only enterprise IT manager looking for a solution to this problem. As always, you can write to me at [email protected].
