Locating Rogue 802.11n and Legacy Wireless Access Points

“An unauthorized, rogue access point can compromise the security of a wireless network by exposing the company’s network to the outside world. A draft 802.11n home wireless router is an example of a rogue device that a network manager encounters. To remove this security vulnerability, the network manager must first detect the presence of a rogue AP on his network and then locate it.

The two most common search methods to find the physical location of a rogue AP are the omnidirectional method and the unidirectional method. Each method has its advantages and each requires different tools. An understanding of these methods will assist the network manager in his task of keeping his wireless network secure.”

Omnidirectional/Convergence Method

The omnidirectional/convergence method of locating rogue access points makes use of an omnidirectional antenna and a WiFi signal meter. The user starts in one corner and moves to the 3 other corners, noting the RSSI at each location. The process is then repeated over a smaller area until the device is located.

“The omnidirectional method is most appropriate when your search tool consists of a radio card with an omnidirectional antenna. An omnidirectional antenna radiates or receives equally well in all directions. It is also called a “non-directional” antenna because it does not favor any particular direction. Figure 1 shows the pattern for an omnidirectional antenna.
A standard wireless LAN radio card for a notebook PC uses an omnidirectional antenna. In this application, an omnidirectional antenna is convenient since the signal strength will remain the same regardless of the direction you point your PC.”
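The convergence procedure described above can be sketched as a small simulation. This is an added example, not code from the Fluke Networks paper or from this post; the log-distance path-loss model, its reference values, the floor dimensions, the AP position and all function names are assumptions made for illustration.

```python
import math

def rssi_dbm(pos, ap, ref_dbm=-40.0, exponent=3.0):
    """Simulated meter reading at pos for a transmitter at ap.

    Assumed model: log-distance path loss with a constructed -40 dBm
    reference at 1 m and an indoor exponent of 3.0 (not from the paper).
    """
    d = max(math.dist(pos, ap), 0.1)  # clamp so log10 never sees 0
    return ref_dbm - 10.0 * exponent * math.log10(d)

def convergence_search(measure, area, stop_size_m=2.0):
    """Shrink area = (x0, y0, x1, y1) toward the strongest corner reading.

    measure(pos) returns RSSI in dBm. Returns (final_area, steps) where
    each step is (strongest_corner, rssi_dbm).
    """
    x0, y0, x1, y1 = area
    steps = []
    while max(x1 - x0, y1 - y0) > stop_size_m:
        corners = [(x0, y0), (x1, y0), (x0, y1), (x1, y1)]
        readings = {c: measure(c) for c in corners}
        best = max(readings, key=readings.get)
        steps.append((best, readings[best]))
        # Keep only the quadrant that touches the strongest corner.
        xm, ym = (x0 + x1) / 2, (y0 + y1) / 2
        x0, x1 = (x0, xm) if best[0] == x0 else (xm, x1)
        y0, y1 = (y0, ym) if best[1] == y0 else (ym, y1)
    return (x0, y0, x1, y1), steps

# Constructed scenario: 40 m x 30 m floor, rogue AP at (31, 6).
FLOOR = (0.0, 0.0, 40.0, 30.0)
ROGUE_AP = (31.0, 6.0)

def locate_demo():
    return convergence_search(lambda p: rssi_dbm(p, ROGUE_AP), FLOOR)

if __name__ == "__main__":
    final, steps = locate_demo()
    for n, (corner, rssi) in enumerate(steps, 1):
        print(f"pass {n}: strongest corner {corner} at {rssi:.1f} dBm")
    print("search area narrowed to", final)
```

In this idealized model the nearest corner always gives the strongest reading, so the kept quadrant always contains the AP. Real readings fluctuate with multipath and obstructions, so averaging several samples per corner before comparing them is advisable.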

Unidirectional Antenna/Vector Method

The other method for locating rogue access points uses a directional antenna. The number of measurements is the same as with the omnidirectional method, but less walking is required, and the directional antenna can be used to determine whether the device is on a floor above or below.

“The number of segmentations and measurements were the same for both omnidirectional and unidirectional searches. What should be obvious is that the omnidirectional method requires much more walking about from corner, to corner, to corner making measurements. Such walking slows the rogue hunting process. A more subtle difference between methods is searching for an access point in a multi-floor environment. For example, you suspect there is a rogue AP on the second floor of your four-story office building. Using the omnidirectional method, you identify the location with the strongest signal strength, but you cannot find the AP. Do not blame the measurements – the access point may be on another floor. On the other hand, using the unidirectional method, you can rotate the antenna ± 180° in the vertical axis to gain additional insight into which floor the rogue AP resides.”

The above excerpts are from a great white paper by Fluke Networks detailing the two methods for locating rogue 802.11n or legacy access points.