Investigating rogue WLANs
What can you do with this stumbler output? If you have no authorized WLAN of your own, stumbler results alone may be enough to decide which nearby APs to eliminate and which to ignore. For example:
APs with very weak signal and no apparent traffic may belong to neighbors that are distant enough to be discounted as a significant risk.

APs with strong signal and no 802.11 security create a risk of accidental associations by Wi-Fi capable stations within your facility. You may want to warn employees about these SSIDs and teach them how to configure their stations to use only known APs when working at home or at a public hotspot.

APs with strong signal and active traffic may be unauthorized APs installed by neighbors, naïve employees, or malicious attackers. You'll need to track down the physical location of each AP to determine whether it belongs to friend or foe.
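The three heuristics above can be applied mechanically to a stumbler export. The following Python is an added example, not code from the original article or from any stumbler product; the CSV columns, the sample rows and the RSSI thresholds are all assumptions, and real stumbler exports use their own layouts, so the parser would need adapting to the tool in use.

```python
"""Triage of stumbler output by signal strength, security and observed traffic.

Added example (not from the original article). The CSV layout below is
constructed for illustration; real stumbler exports differ.
"""
import csv
import io

# Constructed sample export: one row per AP seen by the stumbler.
SAMPLE = """bssid,ssid,channel,rssi,security,data_frames
00:11:22:33:44:01,HomeNet,6,-88,WPA2,0
00:11:22:33:44:02,Free-WiFi,1,-52,OPEN,0
00:11:22:33:44:03,linksys,11,-47,OPEN,312
00:11:22:33:44:04,CorpGuest,36,-75,WPA2,75
"""

# Assumed thresholds in dBm; calibrate against APs at known locations on site.
STRONG_RSSI = -70   # at least this strong: probably inside or next to your facility
WEAK_RSSI = -80     # this weak or weaker: probably a distant neighbour


def triage(rows, strong=STRONG_RSSI, weak=WEAK_RSSI):
    """Map each AP's BSSID to a verdict using the article's three heuristics.

    Strong-and-active is checked first because it always warrants a physical
    search, whether or not the AP is also open.
    """
    results = {}
    for r in rows:
        rssi = int(r["rssi"])
        active = int(r["data_frames"]) > 0
        open_ap = r["security"].strip().upper() in ("OPEN", "NONE", "")
        if rssi >= strong and active:
            verdict = "locate: strong signal with active traffic, find the device"
        elif rssi >= strong and open_ap:
            verdict = "warn users: strong open AP, accidental-association risk"
        elif rssi <= weak and not active:
            verdict = "discount: distant and idle, probably a neighbour"
        else:
            verdict = "watch: inconclusive, rescan and compare later"
        results[r["bssid"]] = verdict
    return results


def triage_csv(text):
    """Convenience wrapper: parse CSV text and triage it."""
    return triage(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for bssid, verdict in triage_csv(SAMPLE).items():
        print(bssid, verdict)
```

Every verdict other than "discount" is a lead, not a conclusion: signal strength from a single walk-through says little about where an AP actually sits, which is why the investigation steps later in this section follow with capture and location-finding.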
Conducting an exhaustive search, and determining whether these unknown APs are in fact connecting to your users and/or your network, requires more advanced tools. Capabilities vary, but many stumblers scan only a fixed set of channels and listen only for AP beacons. Full-featured WLAN analyzers can hear every kind of 802.11 frame (management, control and data), transmitted by APs and stations alike, and can be told which channels, SSIDs and senders/receivers to listen for.
If you have a WLAN analyzer at your disposal, use the analyzer's wireless
site survey and network monitoring tools to assist with rogue detection and
investigation:
Start by passively scanning all channels in both the 2.4 and 5 GHz bands, including those not defined for use in your country and any proprietary modes. (For example, see the TamoSoft CommView options panel at right.) Keep in mind that scanning only samples traffic: while the analyzer is tuned briefly to each channel, it misses everything sent on every other channel, so a short scan can miss a quiet rogue entirely.
To investigate a suspicious device discovered while scanning, configure your analyzer to monitor or capture traffic on individual channels or SSIDs. In monitor mode, analyzers process and discard received packets for real-time display. In capture mode, analyzers record packets for offline analysis (see the sample screen shot at right). Monitor for a while to decide where to focus your capture(s).
Narrow your investigation by defining filters to capture traffic from/to the suspicious device's MAC address(es). Style and complexity vary quite a bit, but all WLAN analyzers have capture and/or display filters. For example, this Network Instruments Observer filter screen shot shows how the software selects only packets exchanged between a single AP and any station. Built-in filters may be included to detect known problems or attacks; we'll revisit filters in Part 4 of this series.
Examine captured traffic to determine whether stations are connecting to suspicious APs, and whether traffic is being sent to or through IP addresses that belong to your network. Network maps or peer graphs help you visualize whether this is happening. For example, this pair of WildPackets AiroPeekNX peer maps shows not only APs, but stations, adjacent devices, observed IP addresses, and even the protocols in use.
Finally, use GPS-reported latitude/longitude, relative signal strength, and location-finding tools to physically track down suspicious devices that warrant action. For example, the AirMagnet Find tool can be used to walk in the direction of increasing signal strength for any detected AP or station. The Geiger Counter panel in BVS Yellowjacket can also help you find a signal source.
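The filtering and peer-map steps above come down to reading the 802.11 address fields correctly: which of the first three addresses holds the BSSID depends on the To-DS and From-DS bits in Frame Control, and the station is whichever address is not the AP. The Python below is an added example, not code from the original article or from any of the analyzer vendors named; the frames are constructed records standing in for a real capture (a practitioner would populate them from a pcap instead), and the MAC addresses, BSSIDs and the 10.0.0.0/8 "internal" range are assumptions. It reproduces a "one AP, any station" filter, builds a BSSID-to-stations peer map, and lists which station/AP pairs carried traffic to or from your own IP ranges.

```python
"""Association and IP-exposure analysis over captured 802.11 frames.

Added example, not from the original article or any analyzer product.
FRAMES is a constructed sample, not a real capture.
"""
import ipaddress
from collections import defaultdict

ROGUE = "aa:bb:cc:00:00:01"      # assumed BSSID of the suspicious AP
NEIGHBOR = "aa:bb:cc:00:00:02"   # assumed BSSID of a neighbouring AP
STA1, STA2, STA3 = "00:1a:00:00:00:11", "00:1a:00:00:00:22", "00:1a:00:00:00:33"
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames: type/subtype, the two DS bits from Frame Control, the
# first three address fields, and the IP header if the payload carried one.
FRAMES = [
    dict(type="mgmt", subtype="beacon",     to_ds=0, from_ds=0, a1=BCAST, a2=ROGUE, a3=ROGUE),
    dict(type="mgmt", subtype="assoc_req",  to_ds=0, from_ds=0, a1=ROGUE, a2=STA1,  a3=ROGUE),
    dict(type="mgmt", subtype="assoc_resp", to_ds=0, from_ds=0, a1=STA1,  a2=ROGUE, a3=ROGUE),
    dict(type="data", subtype="data", to_ds=1, from_ds=0, a1=ROGUE, a2=STA1, a3="00:50:56:00:00:01",
         ip_src="10.1.20.55", ip_dst="10.1.0.5"),        # station -> rogue -> internal host
    dict(type="data", subtype="data", to_ds=0, from_ds=1, a1=STA1, a2=ROGUE, a3="00:50:56:00:00:01",
         ip_src="10.1.0.5", ip_dst="10.1.20.55"),        # reply back through the rogue
    dict(type="data", subtype="data", to_ds=0, from_ds=1, a1=STA2, a2=NEIGHBOR, a3="00:50:56:00:00:02",
         ip_src="93.184.216.34", ip_dst="192.168.1.20"),  # neighbour's traffic, not ours
    dict(type="data", subtype="data", to_ds=1, from_ds=0, a1=NEIGHBOR, a2=STA3, a3="00:50:56:00:00:02",
         ip_src="192.168.1.21", ip_dst="93.184.216.34"),
]


def bssid_of(f):
    """Locate the BSSID using the 802.11 To-DS/From-DS address table."""
    if f["to_ds"] and f["from_ds"]:
        return None            # 4-address (WDS) frame: no BSSID field
    if f["to_ds"]:
        return f["a1"]         # station -> AP: Address 1 is the BSSID
    if f["from_ds"]:
        return f["a2"]         # AP -> station: Address 2 is the BSSID
    return f["a3"]             # management / IBSS: Address 3 is the BSSID


def station_of(f):
    """The non-AP MAC in the frame, or None when the addresses do not tell us."""
    if f["type"] == "mgmt":
        if f["subtype"] == "assoc_req":
            return f["a2"]     # station asks to join
        if f["subtype"] == "assoc_resp":
            return f["a1"]     # AP answers the station
        return None            # beacons, probes etc. name no particular station
    if f["type"] == "data":
        if f["to_ds"] and not f["from_ds"]:
            return f["a2"]     # transmitter is the station
        if f["from_ds"] and not f["to_ds"]:
            return f["a1"]     # receiver is the station
    return None


def bss_filter(frames, bssid):
    """Equivalent of a 'one AP, any station' capture filter."""
    return [f for f in frames if bssid_of(f) == bssid]


def peer_map(frames):
    """BSSID -> set of stations seen associating with, or exchanging data through, that AP."""
    peers = defaultdict(set)
    for f in frames:
        b, s = bssid_of(f), station_of(f)
        if b and s:
            peers[b].add(s)
    return dict(peers)


def internal_exposure(frames, internal_nets):
    """(station, bssid) pairs whose data frames carried addresses from your own IP ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = set()
    for f in frames:
        if f["type"] != "data" or "ip_src" not in f:
            continue
        if any(ipaddress.ip_address(ip) in n for ip in (f["ip_src"], f["ip_dst"]) for n in nets):
            hits.add((station_of(f), bssid_of(f)))
    return hits


if __name__ == "__main__":
    print(len(bss_filter(FRAMES, ROGUE)), "frames in the suspicious BSS")
    for ap, stas in peer_map(FRAMES).items():
        print(ap, "->", sorted(stas))
    print("station/AP pairs touching internal addresses:", internal_exposure(FRAMES, ["10.0.0.0/8"]))
```

A station that appears in the peer map of a BSSID you do not own, and in the internal-exposure set, is the case the section is after: a device of yours reaching your network through someone else's AP. The WDS case returns no BSSID deliberately; bridged 4-address frames need a different check and are worth noticing on their own when you do not run WDS links.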