IBM develops tool to detect rogue wireless LAN access points
Computerworld -
IBM has developed a rogue wireless LAN access-point detection tool that can automatically detect the presence of unauthorized access points on large-scale, enterprise networks, the company announced.
Rogue wireless LAN access points are often installed without the knowledge of enterprise information systems departments by employees seeking inexpensive mobility (costing less than $200) within an office. Analysts estimate that thousands of such devices are installed each month. But detecting them has been difficult because, until recently, network managers had to install wireless LAN sniffer software on a laptop or handheld computer and then walk or drive around the building.
IBM's Distributed Wireless Security Auditor uses authorized wireless clients as sensors to detect rogue or unauthorized access points, according to Dave Safford, manager of global security analysis labs at IBM Research. Each client runs a small Linux program that sniffs and detects all access points, reporting their Internet Protocol and Media Access Control (MAC) addresses to a central database.
That database contains the MAC and IP addresses of all authorized access points, making it easy to automatically determine whether a device is a rogue. The auditor package also includes triangulation software, allowing network managers to pinpoint the physical location of unauthorized access points. Safford said the tool could be scaled to monitor large networks from a central point, such as the wireless LANs used in hundreds of facilities operated by a multinational corporation.
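The comparison described above, sketched as an added example (this is not IBM's code): client sensors report the access points they see, and a central service checks each report against the authorized list. The report format, the function names and every address in the sample data are constructed assumptions, and the check for an authorized MAC seen at an unregistered IP goes one step beyond what the article states.

```python
# Added illustration, not IBM's code; report format and addresses are constructed.
import re
from collections import defaultdict

def norm_mac(mac):
    """Normalize MAC notation (colons, dashes, dots, case) to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Central database of authorized access points: MAC -> IP (constructed values).
AUTHORIZED = {norm_mac(m): ip for m, ip in [
    ("02:00:00:00:01:01", "10.0.1.10"), ("02-00-00-00-01-02", "10.0.2.10")]}

# Reports from client sensors: (sensor id, AP MAC, AP IP) (constructed values).
REPORTS = [
    ("laptop-17", "02:00:00:00:01:01", "10.0.1.10"),   # authorized, as registered
    ("laptop-17", "02:AA:BB:CC:DD:EE", "192.168.0.1"), # not in the database
    ("laptop-42", "02aa.bbcc.ddee", "192.168.0.1"),    # same AP, other notation
    ("laptop-42", "0200.0000.0102", "10.0.9.99"),      # known MAC, unregistered IP
    ("laptop-08", "not-a-mac", "10.0.3.3"),            # malformed report
]

def audit(reports, authorized):
    """Return ({mac: {"reason", "ips", "sensors"}}, rejected_reports)."""
    findings = defaultdict(lambda: {"reason": None, "ips": set(), "sensors": set()})
    rejected = []
    for sensor, mac, ip in reports:
        try:
            mac = norm_mac(mac)
        except ValueError:
            rejected.append((sensor, mac))  # keep malformed reports for review
            continue
        expected_ip = authorized.get(mac)
        if expected_ip == ip:
            continue  # authorized AP at its registered address
        entry = findings[mac]
        entry["reason"] = "unknown-mac" if expected_ip is None else "ip-mismatch"
        entry["ips"].add(ip)
        entry["sensors"].add(sensor)  # which clients saw this AP
    return dict(findings), rejected

if __name__ == "__main__":
    findings, rejected = audit(REPORTS, AUTHORIZED)
    for mac, f in sorted(findings.items()):
        print(mac, f["reason"], sorted(f["ips"]), sorted(f["sensors"]))
    print("rejected:", rejected)
```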
The distributed auditor is still undergoing evaluation at IBM's research organization, but a commercial product is expected to be offered within a matter of months. Last year, IBM Research developed a wireless LAN sniffer and fielded it in months, Safford said.
Earlier this month, Alpharetta, Ga.-based AirDefense Inc. introduced a similar rogue access-point detection tool coupled with an intrusion-detection system that requires installation of extra APs to act as sensors. Safford said the IBM approach could save companies hardware costs by using wireless clients as the sensors.
Scott Hrastar, chief technology officer of AirDefense, viewed that as a non-issue, saying his company sold an enterprise security system that offers users a "multidimensional intrusion-detection system" that also detects rogue access points. According to Safford, the IBM auditor could also be used as an intrusion-detection tool, but its primary focus was on detecting rogue access points.
Craig Mathias, an analyst at Farpoint Group in Ashland, Mass., said that wireless LAN security -- especially the ability to detect rogue access points -- has "become a hot area" and called IBM's approach "interesting."
"But in security, nothing is perfect," he said. "Companies need a comprehensive security framework."