Ask any kind of IT professional what their greatest challenge is and they will probably answer with “uncertainty.” Uncertainty can be caused by many things. Predicting employee behavior is nearly impossible. Oftentimes, the biggest security vulnerabilities are caused by someone inside the firm who meant well but implemented a solution without understanding the risks involved. Uncertainty is closely tied to visibility. Not being able to see a problem until it reveals itself can lead to major organizational security vulnerabilities.
Rogue APs are a serious problem
A common example of employee mistakes leading to uncertainty is the damage caused by a rogue access point. Rogue APs often go undetected until a security breach occurs via that device. Typically, this device is a simple, cheap router that was improperly installed into a network without alerting anyone in management about it. Positive intent says an employee put it there to extend a wireless signal or to help other employees in the area connect their personal devices to the network wirelessly. However, a rogue AP isn’t always the product of a well-meaning employee. It can also be installed by a malicious actor with the knowledge that this router could be an access point at a later date. Here’s how a typical scenario plays out.
An employee brings in their own router and connects an Ethernet cable so that it can access the network. The router is not actually configured in any meaningful way. Access to the router, and therefore the larger network, is completely open, with none of the security protocols that the IT team would have put in place. Because the employee doesn’t see why IT would have to be alerted to the router as long as it works, this glaring security vulnerability goes undetected until someone with the knowledge of how to exploit it comes along and does so. Now you have an attack on your hands of seemingly unknown origin. All of this has happened because the rogue AP wasn’t detected in time.
Detection is key
In the typical office setting, there are dozens of devices connected to a network. Everything from employee laptops to smartphones is looking for access, including small routers that probably wouldn’t be noticed by anyone who wasn’t specifically looking for them. Unless you’ve installed every piece of WiFi equipment yourself and constantly walk around to physically take inventory of it, it’s nearly impossible to tell if a router is actually a rogue access point. Rogue APs must be discovered through a detection workflow. Software will need to be leveraged to find this unauthorized router.
Establishing the right kinds of protocols to properly identify rogue APs, and saving time doing so, can be difficult. Additionally, IT managers have to decide just how much software they are willing to invest in to meet their security needs. All of these challenges can be solved nicely through Genian NAC.
Smart visibility to control rogue APs
Basically, Genian NAC can map wireless connectivity information to wired connectivity information by extending wireless visibility. You can also create groups using various conditions to detect the security status of APs and identify who is connecting through external, rogue, misconfigured, and no-security-enabled APs. Additionally, you can detect internal APs offering multiple SSIDs.
Once these devices are detected, you can control access to unauthorized APs and manage WiFi-enabled devices accessing multiple SSIDs. You can also block unauthorized APs connected to the wired network and block endpoint devices trying to access unauthorized APs.
Genian NAC can also integrate with your existing wireless network infrastructure without bogging down your system.
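One generic way to map wireless observations to wired switch data and sort APs into the categories named above, shown as an added example (it is not Genian NAC's implementation and not code from this article). The inventory, MAC addresses, category rules and the ±2 MAC-adjacency window are all assumptions constructed for illustration.

```python
# Constructed inventory and observations; every value here is sample data.
AUTHORIZED = {"00:00:5e:00:53:10", "00:00:5e:00:53:20", "00:00:5e:00:53:30"}
CORP_SSIDS = {"corp-wifi"}
MAC_WINDOW = 2  # assumption: an AP's BSSID sits within +/-2 of its wired MAC

# Wired side: MAC address -> switch port, as learned from switch MAC tables.
WIRED = {"00:00:5e:00:53:50": "sw1/12",   # employee laptop
         "00:00:5e:00:53:a0": "sw2/14"}   # unknown device
# Wireless side: what sensors heard over the air.
SCAN = [
    {"bssid": "00:00:5E:00:53:10", "ssid": "corp-wifi", "security": "wpa2-enterprise"},
    {"bssid": "00:00:5e:00:53:20", "ssid": "corp-wifi", "security": "open"},
    {"bssid": "00:00:5e:00:53:30", "ssid": "lab-test", "security": "wpa2-psk"},
    {"bssid": "00:00:5e:00:53:a1", "ssid": "FreeWifi", "security": "open"},
    {"bssid": "00:00:5e:00:53:f0", "ssid": "CoffeeShop", "security": "wpa2-psk"},
]

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def wired_port(bssid, wired, window=MAC_WINDOW):
    """Return the switch port whose learned MAC is adjacent to this BSSID, else None."""
    target = mac_to_int(bssid)
    for mac, port in wired.items():
        if abs(mac_to_int(mac) - target) <= window:
            return port
    return None

def classify(ap, wired):
    """Return (category, switch_port) for one observed AP."""
    bssid = ap["bssid"].lower()
    if bssid in AUTHORIZED:
        if ap["security"] == "open":
            return "no-security", None
        if ap["ssid"] not in CORP_SSIDS:
            return "misconfigured", None
        return "authorized", None
    port = wired_port(bssid, wired)
    if port:
        return "rogue", port      # unknown AP bridged onto the wired network
    return "external", None       # neighbouring AP, heard only over the air

def report(scan=SCAN, wired=WIRED):
    return {ap["bssid"].lower(): classify(ap, wired) for ap in scan}

if __name__ == "__main__":
    for bssid, (category, port) in report().items():
        print(f"{bssid}  {category:13}  {port or '-'}")
```

The switch port returned for a rogue AP is what makes the correlation actionable: it tells the operator where the unauthorized device is plugged in.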
Brett is a Cisco CCNP and has over 25 years of experience in networking. During the last 15 years he has specialized as an SME in Designing and Deploying Network Access Control solutions. Prior to focusing on NAC, Brett served as a Cryptologic Technician in the U.S. Navy as well as providing network consulting services such as Enterprise-scale WAN projects for financial institutions and data center BGP connectivity to Service Providers.