At Last, the Cavalry! (Oops, Maybe Not.)
After a couple of hours of constant scanning by Fred and Joan, a Diversified Financials Intrusion Detection System (IDS) discovered the attack. Based on signature-matching of traffic created by the Nessus scanner, the IDS sent email to the Diversified Financials Incident Response Team. Bart Smith, the head of the team, was very alarmed at such a boisterous attack being launched from within his own network. Bart worked quickly with his network and system administration team to pinpoint the source of the attack: one of those darned wireless access points! Bart knew that they were trouble, but hadn't been able to convince management to deal proactively with wireless LAN security. Well, with this active attack underway, Bart conferred with management and was able to give the order to shut off all twelve "official" DF access points immediately.
Joan and Fred noticed that their wireless access suddenly went dead. Undeterred, they turned their attention to one of the other access points they had discovered, the WEP-less one, with the default SSID of "tsunami." Sure enough, this access point gave them complete access into the Diversified Financials network as well! Even though the "official" wireless LAN infrastructure was disabled, Joan and Fred were able to get in again through a renegade access point set up by a careless employee. They resumed their scanning.
Diversified Financials didn't have a program for periodically searching for renegade wireless access points. Organizations should conduct periodic wireless LAN assessments of their own networks, using wireless LAN discovery tools such as the freeware NetStumbler or a commercial offering such as the ISS Wireless Scanner.
After shutting down the official DF access points, Bart breathed a sigh of relief. He had just begun to write a paper describing the incident for management when he got another page from the IDS. "They're back!" he grumbled. Again, he worked with his team to trace the scans through the network to the renegade access point. After searching through several offices, they managed to locate the renegade access point, set up by someone in research. They quickly pulled the plug on that access point.
As he was yelling at the researcher who implemented the renegade access point, Bart's pager went off yet again. Frustrated, Bart realized he was in a cat-and-mouse game. Bart yelled, "I shut the door, and they come in through a window. I shut the window, and they come in through another window. I'll shut that one, and they'll come down the chimney!" After another frantic search, Bart found yet another renegade access point, which he smashed against the floor in disgust.
Unfortunately, Diversified Financials didn't control renegade access points connected to their network. Due to falling prices and ease of use, many companies are finding that their employees have built their own patchwork wireless infrastructure. Every organization should have a clearly identified policy that forbids all wireless access points except those that are explicitly approved by the security organization, using corporate-approved vendor technology, configured according to corporate security standards, and subject to periodic testing by the corporate security team and auditors.
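The periodic wireless assessment recommended above and the policy of allowing only explicitly approved access points come down to one defensive check: reconcile what a survey tool saw against the inventory the security team approved. The following is an added example, not code from the book or from any of the tools it names; the survey rows, the inventory, the field names and the vendor OUI prefix are all constructed for illustration (a real survey would come from a tool such as NetStumbler, and a real inventory would carry all twelve official access points). The only value taken from the story is the default SSID "tsunami"; the set of default SSIDs is a hypothetical starting point.

```python
"""Reconcile a wireless LAN survey against an approved access-point inventory.

Added example (not from the original text). Every access point seen in the
survey is sorted into one of three bins: approved (in inventory and configured
as expected), misconfigured (in inventory but drifted, e.g. WEP switched off),
or rogue (not in inventory at all). Approved points that were not seen are
reported separately so a missing radio is noticed too.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str          # radio MAC address as reported by the survey tool
    encryption: str     # "none", "WEP", "WPA2", ... as the tool labels it
    signal_dbm: int     # not used for the decision, kept for the report


@dataclass(frozen=True)
class ApprovedAP:
    bssid: str
    ssid: str
    encryption: str
    location: str


# Default SSIDs worth flagging; "tsunami" is the one from the story.
# Hypothetical starting set: a real list would be longer.
DEFAULT_SSIDS = {"tsunami"}

# OUI prefixes of the corporate-approved vendor (constructed value).
APPROVED_OUIS = {"00:11:22"}

# Constructed inventory: three of the "official" access points.
INVENTORY = [
    ApprovedAP("00:11:22:aa:00:01", "DF-Corp", "WEP", "Floor 2 east"),
    ApprovedAP("00:11:22:aa:00:02", "DF-Corp", "WEP", "Floor 2 west"),
    ApprovedAP("00:11:22:aa:00:03", "DF-Corp", "WEP", "Floor 3"),
]

# Constructed survey: one healthy AP, one that has drifted to open, one rogue.
SURVEY = [
    ObservedAP("DF-Corp", "00:11:22:AA:00:01", "WEP", -48),
    ObservedAP("DF-Corp", "00:11:22:aa:00:02", "none", -60),
    ObservedAP("tsunami", "00:a0:f8:55:12:34", "none", -71),
]


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so survey and inventory compare equal."""
    return mac.strip().lower().replace("-", ":")


def oui(bssid: str) -> str:
    """First three octets of a MAC address identify the hardware vendor."""
    return ":".join(normalize_mac(bssid).split(":")[:3])


def reconcile(observed, inventory, approved_ouis=APPROVED_OUIS,
              default_ssids=DEFAULT_SSIDS):
    """Return a dict with keys approved, misconfigured, rogue and not_seen."""
    by_bssid = {normalize_mac(a.bssid): a for a in inventory}
    report = {"approved": [], "misconfigured": [], "rogue": [], "not_seen": []}
    seen = set()
    for ap in observed:
        key = normalize_mac(ap.bssid)
        seen.add(key)
        reasons = []
        if ap.encryption.lower() == "none":
            reasons.append("open (no encryption)")
        if ap.ssid.lower() in default_ssids:
            reasons.append(f"default SSID {ap.ssid!r}")
        expected = by_bssid.get(key)
        if expected is None:
            if oui(key) not in approved_ouis:
                reasons.append("unapproved vendor OUI")
            reasons.append("BSSID not in inventory")
            report["rogue"].append((ap, reasons))
            continue
        if ap.ssid != expected.ssid:
            reasons.append(f"SSID {ap.ssid!r} != inventory {expected.ssid!r}")
        if ap.encryption.lower() != expected.encryption.lower():
            reasons.append(f"encryption {ap.encryption!r} != inventory "
                           f"{expected.encryption!r}")
        if reasons:
            report["misconfigured"].append((ap, reasons))
        else:
            report["approved"].append(ap)
    report["not_seen"] = [a for k, a in by_bssid.items() if k not in seen]
    return report


def format_report(report) -> list:
    """Human-readable lines, one per access point, for the assessment write-up."""
    lines = [f"APPROVED     {ap.bssid} {ap.ssid}" for ap in report["approved"]]
    for ap, why in report["misconfigured"]:
        lines.append(f"MISCONFIGURED {ap.bssid} {ap.ssid}: {'; '.join(why)}")
    for ap, why in report["rogue"]:
        lines.append(f"ROGUE        {ap.bssid} {ap.ssid}: {'; '.join(why)}")
    for ap in report["not_seen"]:
        lines.append(f"NOT SEEN     {ap.bssid} {ap.ssid} ({ap.location})")
    return lines


if __name__ == "__main__":
    for line in format_report(reconcile(SURVEY, INVENTORY)):
        print(line)
```

Run as a scheduled job against each fresh survey, the "ROGUE" and "MISCONFIGURED" lines are exactly the findings the story's incident response team lacked: the renegade access point shows up as a BSSID outside the inventory, and an official one whose WEP has been switched off shows up as drift rather than hiding behind its familiar SSID. Matching on BSSID rather than SSID is deliberate, since a rogue can copy the corporate SSID but not the inventory entry.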