Mar 29 2007

Rounding Up Rogue Devices

Learn how Michigan detects and brings unmanaged systems in line before hackers or viruses can find and exploit them.


Rogue APs provide anyone within range easy access to network resources even when users set them up for legitimate reasons, Michigan Director of Infrastructure Services Patrick Hale says.

Every good network administrator knows exactly what devices are connected to the network. But what if your network has 20,000 nodes and is spread over a large county or state? As networks grow, they become more complex and potentially harder to secure. State and local governments tend to have some of the largest networks in the country.

In that environment, rogue servers — unauthorized devices attached to the network that offer services to network clients — are inevitable. One facet of the problem that increases complexity and muddles solutions is that almost any desktop operating system makes it easy to open shares and install software that can then provide network services such as File Transfer Protocol or Web server.

Often, users set up rogue servers to meet specific job needs without malicious intent. Even so, “a rogue server poses a very real threat,” says Andre Muscat, director of network security products for GFI, manufacturer of the LANguard network vulnerability assessment tool.

A rogue access point is an unauthorized wireless AP attached to the wired network. An employee trying to increase productivity or an attacker looking to weasel into the wired network typically will set up these blind APs.

The rise of the $50 AP has made it easy for the typical employee to buy one on his own and connect it to the office network. “They’re a concern for us because they pop up every once in a while,” says Patrick Hale, director of infrastructure services for the state of Michigan. “Usually nothing malicious has been done,” but the fact remains that rogue APs provide anyone within range easy access to network resources, Hale says.

It’s difficult to determine how frequently these vulnerabilities occur. Most of the time, network administrators discover and shut them down without attracting attention. But if not detected, they may pose serious threats to sensitive government information.

What Is a Man-in-the-Middle Attack?

Often accomplished via a rogue server, these attacks let a perpetrator read, insert and modify, at will, messages between two parties without either party knowing the link between them is compromised.

Serving Up Trouble

Although the term server conjures images of rack-mounted big iron sitting in a climate-controlled room, operating systems can host many network services.

Almost any device, from a personal digital assistant to desktop computer, can host some kind of server software and potentially provide unauthorized services. Typically, employees adding unauthorized services don’t realize the hazard they pose.

“Anything that is rogue and uncontrolled is potentially dangerous for a network,” Muscat says. Additionally, rogue servers and applications are like open wounds because they generally don’t receive software patches and updates according to network rules and policy.

For example, a rogue Dynamic Host Configuration Protocol server can host a man-in-the-middle attack by providing false information — Internet Protocol address, default gateway, Domain Name System servers and the like — that pushes a user to a proxy server, usually without his or her knowledge. The proxy captures all traffic that flows through it and can provide an attacker with user names, passwords and more.
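One way to spot the rogue DHCP server described above is to inspect DHCP replies seen on a monitored segment and compare the answering server, gateway and DNS settings against what the network is supposed to hand out. The following is an added example, not part of the original article; the authorized server, expected gateway and DNS addresses, and the sample packets are all constructed assumptions.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
AUTHORIZED_SERVERS = {"10.0.0.2"}      # assumption: the sanctioned DHCP server
EXPECTED = {3: ("gateway", {"10.0.0.1"}),   # option 3: router (assumed value)
            6: ("DNS", {"10.0.0.53"})}      # option 6: DNS servers (assumed value)

def parse_options(payload: bytes) -> dict:
    """Return {option code: value} from a DHCP message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240                  # options follow the 236-byte BOOTP header
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:            # 0 = pad, a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value    # repeated options concatenate
        i += 2 + length
    return opts

def addrs(raw: bytes) -> set:
    """Decode a packed list of IPv4 addresses."""
    return {str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)}

def check_reply(payload: bytes) -> list:
    """Flag OFFER/ACK replies from unknown servers or with unexpected settings."""
    opts = parse_options(payload)
    if opts.get(53) not in (b"\x02", b"\x05"):     # option 53: 2 = OFFER, 5 = ACK
        return []
    findings = []
    servers = addrs(opts.get(54, b""))             # option 54: server identifier
    if not servers or servers - AUTHORIZED_SERVERS:
        findings.append(f"unauthorized DHCP server: {sorted(servers)}")
    for code, (label, allowed) in EXPECTED.items():
        extra = addrs(opts.get(code, b"")) - allowed
        if extra:
            findings.append(f"unexpected {label}: {sorted(extra)}")
    return findings

def build_reply(server: str, router: str, dns: str) -> bytes:
    """Constructed sample: minimal DHCPOFFER with a zeroed BOOTP header."""
    opt = lambda code, ip: bytes([code, 4]) + ipaddress.IPv4Address(ip).packed
    return bytes(236) + MAGIC + b"\x35\x01\x02" + opt(54, server) + opt(3, router) + opt(6, dns) + b"\xff"
```

Feeding `check_reply` the UDP payloads captured on ports 67 and 68 of a mirrored switch port gives one list of findings per reply; an empty list means the reply matches the expected configuration.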

It’s important to know what’s on the network and how it’s configured and to track network activity. Vulnerability assessment tools, or network scanners, can perform network security audits on a scheduled basis.

These tools easily detect whether an extra IP address is in use or whether an extra Media Access Control address has been added to the network. Scanners can also discover rogue services running on end-user systems. Each rogue device or service has its own set of vulnerabilities, so it’s essential to discover these services, block them, find their origin and shut them down.

1,700 IT employees all report through a central statewide IT Department in Michigan, including a staff of 900 for infrastructure services and 30 dedicated to security.

Michigan’s Department of IT combats rogue servers and services on many fronts. Its first line of defense is a centralized department with more than 1,700 employees, including 900 in infrastructure services and 30 in security.

The department approves all IT purchases, so employees can’t use government funds to buy and install unauthorized systems. Because all technical employees take their cues from a central authority, it’s easier to create and enforce security policy uniformly, Hale says.

“Every day we benefit from the fact that we control the purchasing, the installation of servers, the patching and the network,” he says. End-point security applications running on desktop, notebook and handheld systems prevent users from opening shares and installing unauthorized software.

The department also uses intrusion detection systems to monitor all networks and, in particular, the Internet connection. The system detects and reports anomalous behavior immediately, which means Hale’s team usually can terminate a problem service or device swiftly. “We monitor our Internet link constantly, and if we see a botnet or a connection to China, we know it and begin shutting down IP addresses within minutes.”

Elusive Entrances

For many years, the only way to network was with wires. Most government agencies designed their networks using that mindset and the concept of securing the perimeter. In that scenario, IT organizations implement most security practices, such as firewalls and content filters, to protect the edge.

But in a wireless world, the perimeter is amorphous. With access points, and in particular rogue access points, the perimeter melts away; the Internet connection is no longer the only point of egress.

A rogue access point allows backdoor access to an intranet, bypassing any edge protection installed on the Internet server. A hacker could be in the parking lot, connect to a rogue AP and act as if plugged into the network.

The hacker can then launch a denial-of-service attack using a tool such as Yersinia. An attacker can run their own vulnerability assessment tool, often the Nmap free security scanner, to discover open services, exploit them and gain access to sensitive data. In addition, anyone the hacker attacks through the network will only be able to trace it back to the authorized user.

The first step in eliminating rogue access points is to discover them. To do this, scan radio frequencies looking for wireless local area networks. Free tools are available for this, such as NetStumbler and Kismet.

Security personnel in Michigan use AirMagnet and Fluke Networks monitoring tools to discover and hunt down rogue APs. Detecting them is the easy part, but locating them based on signal strength and removing them takes time.

“Any time you have to physically deploy a person to find an AP, spend time figuring out what’s happening, shut it down and offer a new solution, that’s a real opportunity cost. All those hours spent on such work tell us that secure wireless is a function that the state should pay for,” Hale says.

For this reason, Michigan is pilot-testing a packaged wireless network security tool that automatically detects and shuts down rogue APs. Cisco Systems, Fluke Networks, Juniper Networks and WatchGuard all provide these types of packaged applications.

User Smarts

Policy and training also can go a long way in preventing users — both government employees and contractors — from installing rogue servers and especially APs. “Wireless is a productivity tool that isn’t going away,” says Patrick Hale, director of infrastructure services for the state of Michigan. “We’ve really only encountered people installing rogue APs to help them do their work.”

One essential component to Michigan’s program is that when the IT Department shutters a rogue device, it offers a secure alternative. Knowing that they can have wireless as long as it is installed, configured and managed by a central authority prevents many employees from installing their own APs, Michigan CISO Dan Lohrmann says.

“You can’t just find a rogue AP and shut it off,” he says. “You have to figure out what the user was trying to do and help him accomplish that securely.”

Combating rogue servers and access points depends on understanding the devices and traffic that are on the network (and that use the airspace). By establishing a baseline of legitimate services and devices, an administrator can quickly determine what belongs and what doesn’t — and then remediate as needed.
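The baseline comparison described above, and the scheduled scans mentioned earlier that catch an extra IP or MAC address or a rogue service, can be sketched as a diff between a scan export and an approved inventory. This is an added example, not from the original article; the CSV layout, the baseline entries and every address in it are constructed for illustration.

```python
import csv
import io

# Constructed baseline of sanctioned devices: MAC -> (IP, allowed TCP ports).
BASELINE = {
    "00:11:22:33:44:01": ("10.1.0.10", {80, 443}),   # intranet web server
    "00:11:22:33:44:02": ("10.1.0.21", set()),       # desktop, no services allowed
    "00:11:22:33:44:03": ("10.1.0.22", set()),       # desktop, no services allowed
}

# Constructed scan export (hypothetical CSV layout: ip, mac, open TCP ports).
SCAN_CSV = """ip,mac,open_ports
10.1.0.10,00-11-22-33-44-01,80;443
10.1.0.21,0011.2233.4402,21;80
10.1.0.99,00:11:22:33:44:03,
10.1.0.50,AA:BB:CC:DD:EE:FF,
"""

def norm_mac(mac: str) -> str:
    """Normalize dash, dot and colon MAC notations to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(scan_csv: str, baseline: dict) -> list:
    """Return (finding, ip, detail) tuples for everything that departs from baseline."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(scan_csv)):
        mac = norm_mac(row["mac"])
        ports = {int(p) for p in row["open_ports"].split(";") if p}
        seen.add(mac)
        if mac not in baseline:                      # extra MAC on the network
            findings.append(("unknown-device", row["ip"], mac))
            continue
        ip, allowed = baseline[mac]
        if row["ip"] != ip:                          # known device, unexpected IP
            findings.append(("ip-changed", row["ip"], mac))
        for port in sorted(ports - allowed):         # e.g. FTP or Web on a desktop
            findings.append(("rogue-service", row["ip"], f"{mac} tcp/{port}"))
    for mac in sorted(set(baseline) - seen):         # baseline device not observed
        findings.append(("missing-device", baseline[mac][0], mac))
    return findings
```

Running `audit(SCAN_CSV, BASELINE)` on the constructed data flags the desktop offering FTP and Web services, the desktop that moved to an unassigned IP, and the device whose MAC is not in the inventory.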

Centralizing IT, and in particular IT security, helps provide services that employees can count on, Hale and Lohrmann say. It also prevents users from doing things on their own.