IBM tool to detect rogue wireless LAN access points

IBM has developed a rogue wireless LAN access-point (AP) detection tool that can automatically detect the presence of...

IBM has developed a rogue wireless LAN access-point (AP) detection tool that can automatically detect the presence of unauthorised APs on large-scale, enterprise networks.

Rogue wireless LAN APs are often installed without the knowledge of enterprise information systems departments by employees seeking inexpensive mobility (costing less than $200) within an office.

Analysts estimate that thousands of such devices are installed each month. But detecting them has been difficult because, until recently, network managers had to install wireless LAN sniffer software on a laptop or handheld computer and then walk or drive around the building.

IBM's Distributed Wireless Security Auditor uses authorised wireless clients as sensors to detect rogue or unauthorised APs, according to Dave Safford, manager of global security analysis labs at IBM Research. Each client runs a small Linux program that sniffs and detects all access points, reporting their Internet Protocol and Media Access Control (MAC) addresses to a central database.

That database contains the MAC and IP addresses of all authorised APs, making it easy to determine whether a device is a rogue. The auditor package also includes triangulation software, allowing network managers to pinpoint the physical location of unauthorised APs.

Safford said the tool could be scaled to monitor large networks from a central point, such as the wireless LANs used in hundreds of facilities operated by a multinational corporation.

The distributed auditor is still undergoing evaluation at IBM's research organisation, but a commercial product is expected to be offered within a matter of months. Last year, IBM Research developed a wireless LAN sniffer and fielded it in months, Safford said.

Earlier this month, AirDefense introduced a similar rogue AP detection tool coupled with an intrusion-detection system that requires installation of extra APs to act as sensors. Safford said the IBM approach could save companies hardware costs by using wireless clients as the sensors.

Scott Hrastar, chief technology officer of AirDefense, viewed that as a non-issue, saying his company sold an enterprise security system that offers users a "multidimensional intrusion-detection system" that also detects rogue APs. According to Safford, the IBM auditor could also be used as an intrusion detection tool, but its primary focus was on detecting rogue APs.

Craig Mathias, an analyst at Farpoint Group said that wireless LAN security - especially the ability to detect rogue APs -- has "become a hot area" and called IBM's approach "interesting".

"But in security, nothing is perfect," he said. "Companies need a comprehensive security framework."

Read more on Wireless networking