Keeping rogue devices off the network is an important security policy. In this video, you’ll learn about rogue DHCP servers, rogue access points, and evil twins.
When most people connect to a network, their device is assigned an IP address from an existing DHCP (Dynamic Host Configuration Protocol) server. This DHCP process happens every time someone connects to the network, and it allows the network administrator to assign these IP addresses automatically instead of visiting every single device and configuring its IP address statically. However, there's no security built into DHCP. That means an attacker could create their own DHCP server and start handing out IP addresses of their choosing, and the client has no way to tell the attacker's offers from those of the legitimate network administrator.
If the attacker is using IP addresses that overlap with the existing DHCP server, invalid or duplicate addresses could be handed out to other people's workstations, and those users would have either intermittent connectivity or no connectivity at all. The way to avoid a rogue DHCP server is to constantly monitor for unauthorized DHCP communication and block that traffic at the switch. Most switches call this DHCP snooping; it automatically finds these rogue servers and prevents them from communicating.
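As an added example (not code from the video), the monitoring idea described above in Python: parse a DHCPOFFER from the raw UDP payload, read the server identifier option (54), and flag any offer whose server is not on an allowlist. The allowlist address and the sample packets are constructed here, not taken from a real network.

```python
from ipaddress import IPv4Address

# Assumed allowlist of legitimate DHCP servers (constructed example value).
AUTHORIZED_SERVERS = {"192.0.2.10"}
DHCP_OFFER = 2          # DHCP message type value (option 53)
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp_message(payload: bytes) -> dict:
    """Parse the BOOTP header and the DHCP options from a raw UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end of options
            break
        if code == 0:            # pad byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return {
        "op": payload[0],
        "yiaddr": str(IPv4Address(payload[16:20])),  # address being offered
        "type": options.get(53, b"\x00")[0],
        "server_id": str(IPv4Address(options[54])) if 54 in options else None,
    }

def is_rogue_offer(payload: bytes, authorized=AUTHORIZED_SERVERS) -> bool:
    """True when a DHCPOFFER carries a server identifier that is not authorized."""
    msg = parse_dhcp_message(payload)
    if msg["type"] != DHCP_OFFER:
        return False                # only offers are judged here
    return msg["server_id"] not in authorized   # a missing option 54 is also flagged

def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Build a minimal DHCPOFFER; a constructed sample, not captured traffic."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6   # BOOTREPLY, Ethernet, hlen 6
    hdr[16:20] = IPv4Address(offered_ip).packed   # yiaddr
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, DHCP_OFFER])
    opts += bytes([54, 4]) + IPv4Address(server_ip).packed
    return bytes(hdr) + opts + b"\xff"
```

In practice the payloads would come from a capture on UDP port 68, which is the same passive monitoring a switch performs when DHCP snooping is enabled.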
If you're on a Microsoft network, you can also authorize DHCP servers in Active Directory so that your AD configuration knows exactly which DHCP servers are legitimate. If you do find a rogue DHCP server that's been handing out IP addresses, you'll need to disable the interface that DHCP server is on and have all of your devices release and renew their IP leases. Another type of rogue device is a rogue access point.
This is when someone wants to gain wireless access onto your network. This could be an employee within your organization or it may be an attacker. This means that someone could be installing this rogue access point for their own personal reasons and not as something that might be malicious, but either way, it is a significant potential security issue and could allow unauthorized access onto your network.
One of the challenges for the security professional is that it's very easy to install or create a rogue access point. You can purchase access points relatively inexpensively and simply plug them into an existing network connection, or just turn on wireless sharing inside an operating system, and now your Windows computer becomes its own access point. In many organizations, the security team performs periodic surveys that examine the wireless communication in the area and check whether anyone is communicating with an access point the team was not previously aware of.
One way to prevent any type of rogue access point is to enable 802.1X, or network access control on your network. 802.1X requires that anyone connecting to the network authenticate properly before they are allowed access onto the rest of the network. A wireless evil twin has a similar function to a rogue access point, but a wireless evil twin is intentionally malicious.
The attacker is trying to get you to connect to this wireless network in an effort to either gather details from your computer or phish you for information. This is commonly accomplished by creating a new access point and configuring it to look very similar to the existing access points on that network. So it might have the same or a similar SSID, and the security settings may look very similar to what already exists on your network. If this wireless evil twin has a very strong radio signal, it could even overpower the existing access points, effectively becoming the primary access point for wireless connectivity.
Wireless evil twins can be very easy to implement on open networks, especially open Wi-Fi hotspots or other public areas. If you do make the mistake of connecting to a wireless evil twin, you could still prevent it from gathering any information from your system by encrypting all of the communication. This means that you should always be connected on a wireless network through a virtual private network, or at the very minimum, make sure that you’re always using HTTPS.