decrypting myths
impossible to keep an eye on everyone there. It's feasible for someone to slip into the wiring closet and plug in the cheapest AP they could get. Now they can gain access to the company's private secure network and hijack POS systems to reveal credit card numbers, or access building controls like door locks, alarms and cameras.
Wi-Fi systems need to detect if a signal in the air is being broadcast from an AP physically connected to the authorised network. If so, the system needs to be able to prevent the rogue AP from gaining access to the LAN, which is typically done via ARP poisoning. It should also be able to prevent Wi-Fi clients from associating to it, usually via a surgical flood of de-authentication frames.
2. Evil twin APs
Evil twin APs will mimic legitimate APs, spoofing SSIDs and usually MAC addresses as well. Attackers can then intercept traffic as the man-in-the-middle (MitM). How exactly does this work? Once a victim is connected, the attacker can steal credentials, inject malicious code into the victim's browser, redirect the victim to a malware site and so much more.
A Wi-Fi security system must not interfere with clients not administered by the authorised network, but at the same time must detect when evil twin APs are attempting to get authorised clients connected to them and prevent this association with de-authentication floods and other techniques.
3. Neighbour APs
This threat occurs when an authorised, company-managed client connects to a guest or external access point, bypassing the company's perimeter security and getting around security restrictions set by the firewall. There's actually no super-secret hacker trick to this one. Any employee could be (and probably is) doing this right now.
Wi-Fi solutions must be able to automatically classify client devices managed by the company as authorised clients and prevent them from connecting to any other SSID than the ones IT administrators have defined. Prevention techniques for this threat again include surgical de-authentication floods.
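The classification logic that sections 1 to 3 ask of a Wi-Fi security system, together with the rogue-client rule that section 4 defines, can be shown in a small piece of code. The following is an added example, not code from the article or from any vendor's product: it takes constructed scan records (a beacon observation per AP, an association per client) and decides which APs are authorised, evil twins, wired rogues or harmless neighbours, which managed clients are attached to the wrong network, and which clients have a history with a malicious AP. The policy data (authorised BSSIDs, SSIDs, channels, managed client MACs) and the `on_wire` flag, standing in for a sensor that has seen the AP's MAC behind a port of the private LAN, are all assumptions. The response side (ARP poisoning, de-authentication) is deliberately left out; the example stops at the verdict a containment policy would act on.

```python
"""WIPS-style classification of observed APs and client associations.

Added example, not from the article or any vendor product. All policy
data and scan records below are constructed sample values."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# ---- Constructed policy (assumed to come from IT's AP inventory / MDM) ----
# bssid -> (ssid, channel) for the APs that IT administrators have defined.
AUTHORISED_APS: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:01": ("CorpNet", 36),
    "00:11:22:33:44:02": ("CorpNet", 44),
}
AUTHORISED_SSIDS: Set[str] = {ssid for ssid, _ in AUTHORISED_APS.values()}
# Company-managed client devices (e.g. from the MDM inventory).
MANAGED_CLIENTS: Set[str] = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


@dataclass(frozen=True)
class ApObservation:
    bssid: str
    ssid: str
    channel: int
    on_wire: bool   # sensor saw this BSSID's MAC behind a port of the private LAN


@dataclass(frozen=True)
class Association:
    client: str     # client MAC
    bssid: str      # AP it is (or was) associated to


def classify_ap(obs: ApObservation) -> str:
    """Return one of: authorised, evil_twin, rogue, neighbour."""
    if obs.bssid in AUTHORISED_APS:
        ssid, channel = AUTHORISED_APS[obs.bssid]
        # A spoofed BSSID rarely matches every radio attribute of the real AP;
        # the channel is the simplest fingerprint to cross-check.
        if obs.ssid == ssid and obs.channel == channel:
            return "authorised"
        return "evil_twin"        # our MAC, wrong SSID/channel: spoofed or misconfigured
    if obs.ssid in AUTHORISED_SSIDS:
        return "evil_twin"        # our SSID on hardware we do not own
    if obs.on_wire:
        return "rogue"            # unknown AP plugged into the private LAN
    return "neighbour"            # external AP: must never be interfered with


def classify_association(assoc: Association, ap_verdicts: Dict[str, str]) -> str:
    """Decide whether a client/AP link needs intervention.

    Unmanaged clients are always 'ignore' (the system must not interfere
    with devices it does not administer). Managed clients are 'ok' on an
    authorised AP and otherwise tagged with the class of AP they are on."""
    if assoc.client not in MANAGED_CLIENTS:
        return "ignore"
    verdict = ap_verdicts.get(assoc.bssid, "neighbour")  # unseen AP: treat as external
    return "ok" if verdict == "authorised" else f"managed_client_on_{verdict}"


def rogue_clients(history: List[Association], ap_verdicts: Dict[str, str]) -> Set[str]:
    """Any client ever seen associated to a rogue or evil-twin AP, managed or not."""
    return {a.client for a in history
            if ap_verdicts.get(a.bssid) in {"rogue", "evil_twin"}}


def run_demo() -> dict:
    """Classify a constructed scan and return the verdicts for inspection."""
    observations = [
        ApObservation("00:11:22:33:44:01", "CorpNet", 36, True),     # genuine corporate AP
        ApObservation("de:ad:be:ef:00:01", "CorpNet", 1, False),     # evil twin: copied SSID
        ApObservation("00:11:22:33:44:02", "CorpNet", 6, False),     # evil twin: copied BSSID too
        ApObservation("66:77:88:99:aa:bb", "setup-ap", 11, True),    # cheap AP in the wiring closet
        ApObservation("12:34:56:78:9a:bc", "CoffeeShop", 1, False),  # neighbour across the street
    ]
    ap_verdicts = {o.bssid: classify_ap(o) for o in observations}

    history = [                                                      # oldest first
        Association("aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),       # managed laptop on evil twin
        Association("aa:bb:cc:00:00:01", "00:11:22:33:44:01"),       # ...later back on CorpNet
        Association("aa:bb:cc:00:00:02", "12:34:56:78:9a:bc"),       # managed laptop on neighbour
        Association("ff:ff:00:00:00:09", "de:ad:be:ef:00:01"),       # visitor's phone on evil twin
    ]
    return {
        "ap_verdicts": ap_verdicts,
        "association_verdicts": [(a.client, classify_association(a, ap_verdicts))
                                 for a in history],
        "rogue_clients": rogue_clients(history, ap_verdicts),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry the article's requirements: `classify_association` returns `ignore` for any client outside `MANAGED_CLIENTS` before it looks at the AP, so a neighbour's devices never trigger containment, and `rogue_clients` ignores the client's current association and looks at its whole history, since a device that was on a malicious AP earlier stays a rogue client after it returns to the corporate SSID.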
4. Rogue clients
Any client previously connected to a rogue AP or other malicious AP within the range of a private network is considered a rogue client. A client that connected to a rogue AP could have
Issue 14 | www.intelligentciso.com