The Danger of Rogue Access Points and BYON

When the CIO of the Department of Transportation (DOT) launched a project to implement Microsoft Office 365, he quickly discovered a big problem. No one had ever really designed the department’s network — end-users simply installed networking equipment as needed. Most of these devices were consumer-grade, purchased at electronics stores without the approval of IT. Hundreds of them were in use across the department, creating an unmanageable patchwork system and enormous security risk.

The “consumerization of IT” has led end-users in many organizations to install their own equipment and software. Cloud-based applications are an obvious manifestation of this “shadow IT” environment, but the Bring Your Own Network (BYON) phenomenon is more common than you might think.

BYON refers to a situation in which employees bring their own access points (APs) to the workplace to create their own wireless networks. Employees will typically tether their cellphone to a laptop or other device or bring a small wireless router to the office, creating a separate, unmanaged network.

Many employees who set up these personal wireless hotspots are simply trying to access applications such as Facebook, Twitter or YouTube that may be blocked by the corporate network. But they can also run corporate applications and access sensitive information undetected through these rogue APs, inadvertently or not.

BYON allows sensitive corporate data to potentially escape through an insecure public network, and opens a virtual door for targeted attacks from hackers. Corporate firewalls, antivirus software and other security mechanisms are powerless to protect the BYON environment.

Rogue APs can also lead to regulatory compliance issues. In order to maintain Payment Card Industry (PCI) compliance, for example, organizations are required to perform regular scans to detect and identify unauthorized APs. Various operational procedures and methods for conducting these tests are suggested, including wireless network scans, physical inspections of IT infrastructure, and wired-side port scanning.

However, these methods only provide a snapshot of a particular point in time. Security threats are constant and require constant monitoring.
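As an added illustration (not from the article and not any vendor's product), the Python below combines two of the methods named above, a wireless scan and wired-side data, to sort observed APs into authorized, unauthorized and external, and compares successive surveys so that a newly attached device stands out. The inventory, MAC addresses, SSIDs and the MAC-adjacency heuristic are constructed assumptions.

```python
# Constructed sample data (not from the article): sanctioned BSSIDs, MACs
# learned on corporate switch ports, and two wireless surveys a day apart.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:10", "00:11:22:33:44:20"}
WIRED_MACS = {"00:11:22:33:44:0f", "a0:b1:c2:d3:e4:f0", "3c:52:82:10:20:30"}
SCAN_MONDAY = [
    {"bssid": "00:11:22:33:44:10", "ssid": "CorpNet"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CoffeeShop"},
]
SCAN_TUESDAY = SCAN_MONDAY + [
    {"bssid": "A0-B1-C2-D3-E4-F1", "ssid": "linksys"},    # router on a wall jack
    {"bssid": "02:1a:11:f0:0d:42", "ssid": "AndroidAP"},  # tethered phone
]


def norm(mac):
    """Canonical form: 12 lowercase hex digits, separators removed."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def on_wire(bssid, wired_macs, window=2):
    """Assumed heuristic: an AP's Ethernet MAC usually lies within a few
    addresses of its radio BSSID, so adjacency suggests it is on our LAN."""
    b = int(norm(bssid), 16)
    return any(abs(b - int(norm(m), 16)) <= window for m in wired_macs)


def classify(scan, authorized, wired_macs):
    """Map each observed BSSID to authorized / unauthorized / external."""
    allowed = {norm(a) for a in authorized}
    result = {}
    for ap in scan:
        key = norm(ap["bssid"])
        if key in allowed:
            result[key] = "authorized"
        elif on_wire(key, wired_macs):
            result[key] = "unauthorized"  # unknown AP attached to the corporate LAN
        else:
            result[key] = "external"      # not on our wire, e.g. a neighbor
    return result


def new_unauthorized(previous, current):
    """BSSIDs that are unauthorized now but were not in the previous survey."""
    return sorted(k for k, v in current.items()
                  if v == "unauthorized" and previous.get(k) != "unauthorized")
```

A tethered phone never touches a switch port, so this check reports it as external; telling it apart from a neighbor's network requires knowing which corporate clients associate with it.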

Stopping rogue APs requires a multipronged approach. As a first step, organizations should establish policies prohibiting users from installing network equipment, and implement procedures and security tools for enforcing policies and controlling access to data. The DOT had such policies in place but users were ignoring them, so ongoing enforcement is critical.

Next, organizations should ensure that the network infrastructure is well designed and capable of supporting user needs and business initiatives. In particular, organizations need a wireless network that provides adequate coverage, capacity and security. Some organizations have created multiple secure wireless networks to limit access to corporate data while allowing employees to use social media platforms and other nonessential apps.

Finally, organizations should conduct ongoing monitoring to detect and shut down rogue APs and other unauthorized network equipment. The WatchGuard Wireless Intrusion Prevention System (WIPS) provides 24x7 protection with almost no false positives. WatchGuard’s patented Marker Packet technology can detect whether a device is authorized, unauthorized or external, automatically blocking unauthorized equipment without disrupting the network of the business across the hall.

The DOT found out what happens when a poorly designed network isn’t monitored, managed and secured. Let Verteks help you develop and implement a network and security strategy that reduces the risk of BYON without compromising performance.

