One of the most common wireless security threats is the rogue access point—it is used in many attacks, both DoS and data theft. Many other rogue access points, however, are deployed by employees wanting unfettered wireless access—these access points are called soft access points. Other rogues belong to neighboring companies and are used to get free access to your network. Typically low-cost and consumer-grade, these access points often do not broadcast their presence over the wire and can only be detected over the air. Because they are typically installed in their default mode, authentication and encryption are not enabled, creating a security hazard. Because wireless LAN signals can traverse building walls, an open access point connected to the corporate network is the perfect target for war driving. Any client that connects to a rogue access point must be considered a rogue client, because it is bypassing the authorized security procedures put in place by the IT department.
What Is a Rogue Access Point?
A rogue access point is a device not sanctioned by an administrator but operating on the network anyway. It could be an access point set up by an employee or by an intruder, or it could belong to a nearby company. These are some reasons to suspect that an access point is a rogue:
How Are Rogue Access Points and Rogue Clients Identified by Controllers?
Wireless radios automatically scan the RF spectrum for other access points transmitting in the same spectrum. The RF scans discover third-party transmitters in addition to other Juniper radios. Controllers consider all non-Juniper transmitters to be suspects (potential rogues) by default. If the device is a Juniper device but its MAC address is not in the appropriate database, a series of rules determines whether that device is a rogue. Once an access point is declared a rogue, it is reported by MSS:
How Are Rogue Access Points and Rogue Clients Classified as Rogue?
Controllers use a set of rules, illustrated in Figure 1, to classify unknown access points as members, neighbors, suspects, or rogues.
Figure 1: How Scanned Information Is Used to Classify Access Points
The definition of each classification (member, neighbor, suspect, or rogue) is listed in Table 1.
Table 1: Classifications Define a Rogue
You Can Change Some Rogue Classification Rules
Classification rules are either built in or selected by you from a set of predefined rules. Built-in rules are constant and cannot be changed. User rules let you configure certain classification behaviors. Notice that the first classification rule eliminates access points from the rogue list and cannot be altered. Two configurable rules default to rogue classification, and you can set a third to classify the default condition as rogue.
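The ordering that the two sections above describe (members first, then the neighbor list, then the configurable rules, then the default condition) can be expressed as a small classifier. The following is an added example written for this page, not Juniper MSS code and not the rule set from the missing Figure 1 and Table 1: the two "default to rogue" rules it uses (an unknown BSSID advertising an enterprise SSID, which is also the evil-twin and soft-AP case, and an unknown AP whose MAC is seen on the wired network) are assumptions chosen for illustration, and the scan data is constructed. It does reflect the page's statement that a permitted SSID or OUI only keeps a device out of the rogue class for that reason, while only the neighbor list makes it a neighbor.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ScannedAP:
    """One transmitter picked up by an over-the-air RF scan (constructed data)."""
    bssid: str
    ssid: str
    seen_on_wire: bool = False  # the AP's MAC was also observed on the wired side


@dataclass
class ClassifierConfig:
    """Lists an administrator maintains; names are this example's, not MSS's."""
    member_macs: Set[str] = field(default_factory=set)    # APs in the mobility domain database
    neighbor_macs: Set[str] = field(default_factory=set)  # explicitly trusted foreign APs
    neighbor_ouis: Set[str] = field(default_factory=set)  # trusted foreign vendors
    our_ssids: Set[str] = field(default_factory=set)      # SSIDs the enterprise itself serves
    permitted_ssids: Set[str] = field(default_factory=set)
    permitted_ouis: Set[str] = field(default_factory=set)
    default_is_rogue: bool = False                        # the configurable "default condition"


def oui(mac: str) -> str:
    """First three octets of a MAC address, i.e. the vendor OUI ("AA:BB:CC")."""
    return mac.upper()[:8]


def classify(ap: ScannedAP, cfg: ClassifierConfig) -> Tuple[str, str]:
    """Return (classification, reason). Rule order matters: earlier rules win."""
    mac = ap.bssid.upper()
    # Built-in rule: mobility-domain members are never rogues.
    if mac in cfg.member_macs:
        return "member", "MAC is in the mobility domain database"
    # Built-in rule: a device or vendor on the neighbor list is a neighbor, full stop.
    if mac in cfg.neighbor_macs or oui(mac) in cfg.neighbor_ouis:
        return "neighbor", "device or vendor is on the neighbor list"
    # Assumed configurable rule 1 (defaults to rogue): impersonating our SSID.
    if ap.ssid in cfg.our_ssids:
        return "rogue", "advertises an enterprise SSID without being a member"
    # Assumed configurable rule 2 (defaults to rogue): unknown AP on our wired network.
    if ap.seen_on_wire:
        return "rogue", "unknown AP is attached to the wired network"
    # Permitted SSID/OUI avoids the rogue class only for this reason; it is still a suspect.
    if ap.ssid in cfg.permitted_ssids or oui(mac) in cfg.permitted_ouis:
        return "suspect", "permitted SSID/OUI, but not on the neighbor list"
    # The default condition, which the administrator may flip to rogue.
    if cfg.default_is_rogue:
        return "rogue", "default classification is configured as rogue"
    return "suspect", "unknown transmitter; default classification is suspect"


def classify_scan(aps: List[ScannedAP], cfg: ClassifierConfig) -> Dict[str, Tuple[str, str]]:
    return {ap.bssid: classify(ap, cfg) for ap in aps}


# Constructed configuration and scan results for demonstration.
SAMPLE_CONFIG = ClassifierConfig(
    member_macs={"00:0B:0E:10:00:01"},
    neighbor_macs={"00:1A:2B:3C:4D:5E"},
    neighbor_ouis={"00:50:56"},
    our_ssids={"corp-wlan"},
    permitted_ssids={"cafe-guest"},
)

SAMPLE_SCAN = [
    ScannedAP("00:0b:0e:10:00:01", "corp-wlan"),                   # our own AP
    ScannedAP("00:1a:2b:3c:4d:5e", "nextdoor-inc"),                # listed neighbor device
    ScannedAP("00:50:56:aa:bb:cc", "nextdoor-lab"),                # neighbor by vendor OUI
    ScannedAP("aa:bb:cc:dd:ee:01", "corp-wlan"),                   # evil twin / soft AP
    ScannedAP("aa:bb:cc:dd:ee:02", "linksys", seen_on_wire=True),  # consumer AP plugged into our LAN
    ScannedAP("aa:bb:cc:dd:ee:03", "cafe-guest"),                  # permitted SSID, still a suspect
    ScannedAP("aa:bb:cc:dd:ee:04", "random-net"),                  # falls through to the default
]

if __name__ == "__main__":
    for bssid, (cls, why) in classify_scan(SAMPLE_SCAN, SAMPLE_CONFIG).items():
        print(f"{bssid}  {cls:8s} {why}")
```

Flipping `default_is_rogue` to `True` changes only the last entry; the permitted-SSID entry stays a suspect either way, which is the distinction the page draws between the permitted lists and the neighbor list.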
What Harm Can a Rogue Access Point Do?
Rogue access points and their clients undermine the security of an enterprise network by potentially allowing unchallenged access to the network by any wireless user or client in the physical vicinity. Rogue access points can also interfere with the operation of your enterprise network. Rogue access points can do the following damage:
What Can I Do to Prevent Rogue Access Points?
There are a number of actions you can take that make it more difficult for a rogue to penetrate your network. See Table 2 for details.
Table 2: Preventing Rogue Access Points
How Do I Prevent a Benign Access Point From Being Classified as a Rogue?
Access points belonging to your mobility domain are never classified as rogues. The presence of a third-party access point on a permitted SSID list or OUI list does not guarantee that the device will not be classified as a rogue for other reasons. The only way to be sure a non-mobility-domain device is not classified as a rogue is to add the device or its vendor to the neighbor list. Neighbors are devices known to be part of a neighboring network and non-threatening. Vendors can also be added to the neighbor list, so that all of the devices from that vendor become neighbors.
Which term refers to a type of attack where an attacker spoofs addresses and inserts their packets in the middle of an existing connection?
A session hijacking attack involves an attacker intercepting packets between two components on a SAN and taking control of the session between them by inserting their own packets onto the SAN.
Which of the following attacks involves impersonation of an access point?
An evil twin attack is a rogue Wi-Fi access point (AP) that masquerades as a legitimate one, enabling an attacker to gain access to sensitive information without the end user's knowledge.
How does the KRACK attack work?
KRACK is a severe replay attack on Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to exploit a vulnerability in WPA2. When in close range of a potential victim, attackers can access and read encrypted data using KRACK.
Does the KRACK attack still work?
Fortunately, security experts discovered the KRACK vulnerability before attackers started using it, so there aren't currently any reports of KRACK attacks in the wild. Even so, operating systems have been patching the vulnerability to ensure it isn't used against their devices.
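The two answers above say that KRACK is a replay of the WPA2 handshake and that the fix is a client-side patch, without saying what the patch changes. The following added example, written for this page and not taken from any Wi-Fi stack, models that in a few lines: a supplicant that reinstalls the pairwise key whenever message 3 of the 4-way handshake arrives again resets its packet-number counter, so the same (key, nonce) pair protects more than one frame; the patched behaviour acknowledges the retransmission but refuses to reinstall a key that is already in use. The message format, the key string and the frame counts are constructed, and the `duplicate_nonces` check stands in for the kind of nonce-reuse monitoring a wireless IDS can perform on captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Msg3:
    """EAPOL-Key message 3 of the 4-way handshake (constructed; only the field we need)."""
    replay_counter: int


@dataclass
class Supplicant:
    """Minimal client-side model of key installation after message 3.

    refuse_reinstall=True models the post-KRACK behaviour: a retransmitted
    message 3 is still acknowledged, but a key that is already installed is
    not installed again, so the packet-number (nonce) counter keeps counting.
    """
    refuse_reinstall: bool
    ptk: str = "PTK-constructed-example"    # stands in for the derived pairwise key
    installed_key: Optional[str] = None
    tx_pn: int = 0                           # CCMP packet number, used as the nonce
    last_replay_counter: int = -1

    def handle_msg3(self, msg: Msg3) -> Optional[str]:
        # Replay counters must strictly increase; a stale counter is dropped outright.
        if msg.replay_counter <= self.last_replay_counter:
            return None
        self.last_replay_counter = msg.replay_counter
        if self.refuse_reinstall and self.installed_key == self.ptk:
            return "msg4"      # acknowledge, but keep the key and its nonce state
        self.installed_key = self.ptk
        self.tx_pn = 0         # installing a key resets the nonce counter
        return "msg4"

    def send_frame(self) -> Tuple[Optional[str], int]:
        """Return the (key, nonce) pair that would protect the next data frame."""
        self.tx_pn += 1
        return (self.installed_key, self.tx_pn)


def duplicate_nonces(frames: List[Tuple[Optional[str], int]]) -> List[Tuple[Optional[str], int]]:
    """Detection side: every (key, nonce) pair that appears more than once."""
    seen, dups = set(), []
    for pair in frames:
        if pair in seen:
            dups.append(pair)
        seen.add(pair)
    return dups


def run_scenario(refuse_reinstall: bool):
    """Handshake, three data frames, message 3 arrives again, three more frames."""
    sta = Supplicant(refuse_reinstall=refuse_reinstall)
    frames = []
    sta.handle_msg3(Msg3(replay_counter=1))
    frames += [sta.send_frame() for _ in range(3)]
    # Message 3 arrives a second time with a fresh counter, whether as a genuine
    # retransmission (message 4 was lost) or as a replay; the client cannot tell.
    sta.handle_msg3(Msg3(replay_counter=2))
    frames += [sta.send_frame() for _ in range(3)]
    return frames, duplicate_nonces(frames)


if __name__ == "__main__":
    for fixed in (False, True):
        frames, dups = run_scenario(refuse_reinstall=fixed)
        print("patched" if fixed else "unpatched", [pn for _, pn in frames], "reused nonces:", len(dups))
```

The unpatched run reuses three nonces after the second message 3; the patched run keeps counting. Real stacks also have to keep the retransmission path working, which is why the fixed branch still returns message 4 rather than silently dropping the frame.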