IBM has developed a rogue wireless LAN access-point (AP) detection
tool that can automatically detect the presence of unauthorised APs
on large-scale, enterprise networks.
Rogue wireless LAN APs are often installed without the knowledge of
enterprise information systems departments by employees seeking
inexpensive mobility (costing less than $200) within an office.
Analysts estimate that thousands of such devices are installed each
month. But detecting them has been difficult because, until
recently, network managers had to install wireless LAN sniffer
software on a laptop or handheld computer and then walk or drive
around the building.
IBM's Distributed Wireless Security Auditor uses authorised
wireless clients as sensors to detect rogue or unauthorised APs,
according to Dave Safford, manager of global security analysis labs
at IBM Research. Each client runs a small Linux program that sniffs
and detects all access points, reporting their Internet Protocol
and Media Access Control (MAC) addresses to a central database.
That database contains the MAC and IP addresses of all authorised
APs, making it easy to determine whether a device is a rogue. The
auditor package also includes triangulation software, allowing
network managers to pinpoint the physical location of unauthorised
APs.
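The comparison against the central database described above, sketched as an added example that is not IBM's code. The report format, the status labels `unknown-mac` and `ip-mismatch`, and all sample addresses are assumptions constructed for illustration; triangulation is not covered.

```python
from collections import defaultdict

# Constructed sample data: the authorised-AP table held in the central
# database (MAC -> IP). Addresses are illustrative, not from the article.
AUTHORISED_APS = {
    "00:11:22:33:44:55": "10.0.1.10",
    "00:11:22:33:44:66": "10.0.2.10",
}

# Constructed sample reports as sensor clients might submit them:
# (client id, AP MAC as seen on air, AP IP)
REPORTS = [
    ("laptop-17", "00-11-22-33-44-55", "10.0.1.10"),
    ("laptop-17", "DE:AD:BE:EF:00:01", "192.168.0.1"),
    ("laptop-42", "dead.beef.0001", "192.168.0.1"),
    ("laptop-42", "00:11:22:33:44:66", "10.0.9.99"),
    ("laptop-08", "not-a-mac", "10.0.3.3"),
]


def normalise_mac(raw):
    """Return the MAC as lower-case colon-separated hex, or None if malformed."""
    digits = "".join(c for c in raw.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(reports, authorised):
    """Classify reported APs against the authorised table.

    Returns {mac: {"status", "ips", "seen_by"}} for every AP that is not a
    clean match, plus the list of rejected (malformed) reports.
    """
    findings = defaultdict(lambda: {"status": None, "ips": set(), "seen_by": set()})
    rejected = []
    for client, raw_mac, ip in reports:
        mac = normalise_mac(raw_mac)
        if mac is None:
            rejected.append((client, raw_mac, ip))
            continue
        expected_ip = authorised.get(mac)
        if expected_ip == ip:
            continue  # authorised AP at its registered address
        entry = findings[mac]
        entry["status"] = "unknown-mac" if expected_ip is None else "ip-mismatch"
        entry["ips"].add(ip)
        entry["seen_by"].add(client)  # several reporters corroborate a finding
    return dict(findings), rejected
```

Normalising the MAC before lookup matters because different client drivers print the same address in different notations; without it, one device would be counted as several.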
Safford said the tool could be scaled to monitor large networks
from a central point, such as the wireless LANs used in hundreds of
facilities operated by a multinational corporation.
The distributed auditor is still undergoing evaluation at IBM's
research organisation, but a commercial product is expected to be
offered within a matter of months. Last year, IBM Research
developed a wireless LAN sniffer and fielded it in months, Safford
said.
Earlier this month, AirDefense introduced a similar rogue AP
detection tool coupled with an intrusion-detection system that
requires installation of extra APs to act as sensors. Safford said
the IBM approach could save companies hardware costs by using
wireless clients as the sensors.
Scott Hrastar, chief technology officer of AirDefense, viewed that
as a non-issue, saying his company sold an enterprise security
system that offers users a "multidimensional intrusion-detection
system" that also detects rogue APs. According to Safford, the IBM
auditor could also be used as an intrusion detection tool, but its
primary focus was on detecting rogue APs.
Craig Mathias, an analyst at Farpoint Group, said that wireless LAN
security, especially the ability to detect rogue APs, has
"become a hot area" and called IBM's approach "interesting".
"But in security, nothing is perfect," he said. "Companies need a
comprehensive security framework."