Just because we can’t really prevent unauthorized WAPs from being implemented on the network doesn’t mean we can’t detect and remove them. It just means that we need to get a little creative in how we approach the problem.
You have two primary methods of detecting unauthorized WAPs on your network. The first method attempts to detect them wirelessly. The second method attempts to detect them from the wired network.
Detecting Unauthorized WAPs Wirelessly
The most effective method of detecting unauthorized WAPs is by simply using a wireless client and locating the WAPs broadcasting in your environment. A few caveats must be considered when employing this method, however:
- You have to be within range of the WAP in order to detect it.
- It is very difficult to detect a WAP that does not broadcast its SSID.
- It can be difficult to survey remote sites.
The good news is that because most unauthorized WAPs are not implemented by malicious users (and oftentimes are implemented by nontechnical users), the odds are high that the SSID broadcast has not been disabled. This leaves us with the problems of needing to be within range of the WAP to detect it and trying to survey remote sites. It is often impractical for someone in IT to spend the day walking around trying to determine if they can detect access points. One of the best solutions I have seen for this is to take advantage of someone who on a daily basis must walk around the environment—the mail delivery person. You can outfit this person with a laptop or handheld carrying extra batteries and while they make their normal rounds delivering the mail, the laptop can sit in the bottom of the mail cart quietly detecting any WAPs. A number of wireless analyzers can be used to detect the presence of unauthorized WAPs, including the following:
Netstumbler provides one of the easiest methods for detecting a rogue AP over the wireless network. Once you install Netstumbler, the program automatically begins scanning for WAPs with no configuration required on your part (other than providing the wireless NIC, of course). For example, the screen shown next depicts what I was able to capture while driving down a major freeway in the Houston area. I captured 175 WAPs, of which 113 were running no encryption whatsoever, and none of which were running WiFi Protected Access (WPA). Instead, they were all using WEP.
/ 8 
