IBM tool to detect rogue wireless LAN access points

IBM Corp. has developed a rogue wireless LAN access-point (AP) detection tool that can automatically detect the presence of unauthorized APs on large-scale enterprise networks, the company announced.

Rogue wireless LAN APs are often installed without the knowledge of enterprise information systems departments by employees seeking inexpensive mobility (costing less than US$200) within an office. Analysts estimate that thousands of such devices are installed each month. But detecting them has been difficult because, until recently, network managers had to install wireless LAN sniffer software on a laptop or handheld computer and then physically walk or drive around the building.

IBM's Distributed Wireless Security Auditor uses authorized wireless clients as sensors to detect rogue or unauthorized APs, according to Dave Safford, manager of global security analysis labs at IBM Research. Each client runs a small Linux program that sniffs and detects all access points, reporting their Internet Protocol and Media Access Control (MAC) addresses to a central database.

That database contains the MAC and IP addresses of all authorized APs, making it easy to automatically determine whether a device is a rogue. The auditor package also includes triangulation software, allowing network managers to pinpoint the physical location of unauthorized APs. Safford said the tool could be scaled to monitor large networks from a central point, such as the wireless LANs used in hundreds of facilities operated by a multinational corporation.
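The comparison described above, reduced to a sketch: this is an added example, not IBM's code, and the report format, function names, sample addresses and the "ip-mismatch" category are all assumptions made for illustration. It merges reports from several client sensors, normalizes MAC notation, and checks each AP against the authorized inventory.

```python
import re
from collections import defaultdict

# Constructed inventory of authorized APs: normalized MAC -> expected IP.
AUTHORIZED_APS = {
    "02:00:00:aa:10:01": "10.1.0.11",
    "02:00:00:aa:10:02": "10.1.0.12",
}

# Constructed client reports: (sensor id, AP MAC as reported, AP IP as reported).
SAMPLE_REPORTS = [
    ("laptop-17", "02:00:00:AA:10:01", "10.1.0.11"),
    ("laptop-22", "02-00-00-aa-10-01", "10.1.0.11"),
    ("laptop-22", "02:00:00:aa:10:02", "192.168.1.1"),
    ("laptop-31", "02:1A:2B:3C:4D:5E", "192.168.0.1"),
    ("laptop-17", "021a.2b3c.4d5e", "192.168.0.1"),
    ("laptop-31", "not-a-mac", "10.1.0.99"),
]

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reports, authorized):
    """Merge sensor reports per AP and classify each AP against the inventory."""
    seen = defaultdict(lambda: {"sensors": set(), "ips": set()})
    malformed = []
    for sensor, raw_mac, ip in reports:
        mac = normalize_mac(raw_mac)
        if mac is None:
            malformed.append((sensor, raw_mac))  # keep for review, never drop silently
            continue
        seen[mac]["sensors"].add(sensor)
        seen[mac]["ips"].add(ip)
    findings = {}
    for mac, obs in seen.items():
        if mac not in authorized:
            status = "rogue"
        elif obs["ips"] != {authorized[mac]}:
            status = "ip-mismatch"  # assumption: known MAC at an unexpected IP is flagged
        else:
            status = "authorized"
        findings[mac] = (status, sorted(obs["sensors"]))
    return findings, malformed

if __name__ == "__main__":
    for mac, (status, sensors) in sorted(audit(SAMPLE_REPORTS, AUTHORIZED_APS)[0].items()):
        print(f"{mac}  {status:<12} seen by {', '.join(sensors)}")
```

The list of sensors that saw each rogue AP is the input a location step would start from; the triangulation itself is not sketched here.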

The distributed auditor is still undergoing evaluation at IBM's research organization, but a commercial product is expected to be offered within a matter of months. Last year, IBM Research developed a wireless LAN sniffer and fielded it in months, Safford said.

Earlier this month, Alpharetta, Ga.-based AirDefense Inc. introduced a similar rogue AP detection tool coupled with an intrusion-detection system that requires installation of extra APs to act as sensors. Safford said the IBM approach could save companies hardware costs by using wireless clients as the sensors.

Scott Hrastar, chief technology officer of AirDefense, viewed that as a non-issue, saying his company sold an enterprise security system that offers users a "multidimensional intrusion-detection system" that also detects rogue APs. According to Safford, the IBM auditor could also be used as an intrusion detection tool, but its primary focus was on detecting rogue APs.

Craig Mathias, an analyst at Farpoint Group in Ashland, Mass., said that wireless LAN security -- especially the ability to detect rogue APs -- has "become a hot area" and called IBM's approach "interesting."

"But in security, nothing is perfect," he said. "Companies need a comprehensive security framework."
