Understanding Ad-Hoc Networks
"Ad hoc" is Latin for "for this purpose." An ad-hoc network is one formed directly between two client devices for a specific reason, without an access point. An ad-hoc network is not necessarily an intentional attack on your network, but it poses a threat to the enterprise because the security checks imposed by the infrastructure are bypassed, and it consumes bandwidth that your infrastructure users would otherwise have.
Why Are Ad-Hoc Networks a Security Risk?
There are two common attacks that can be launched from ad-hoc clients on your network. First, fake SSIDs can be sent from ad-hoc networks advertising attractive names such as free Internet connectivity. Once a user connects, the fake SSID is added to the client's wireless configuration and the client itself begins to broadcast that SSID, thereby spreading it to other clients. Second, ad-hoc clients are capable of forwarding data by flooding in addition to the classic routing technique, and this forwarding can be used for flood attacks.
How Do I Detect an Ad-Hoc Network?
MSS detects and reports ad-hoc networks. In Network Director, the fault Adhoc User Detected appears in the RF Detect category of faults (see Alarms by Category Monitor, Alarm Detail Monitor, Understanding the Fault Mode Tasks Pane, and Alarm Summary Report).
In Network Director, configure an ad-hoc network policy as described in Creating and Managing RF Detection Profiles.
Are All Ad-Hoc Networks Malicious?
Most ad-hoc networks are not created with malicious intentions. Laptops, PDAs, and printers with wireless enabled are simply attempting to connect to each other without using an access point, which is also called peer-to-peer networking. The security hole created by ad-hoc networking is not the ad-hoc network itself, but the bridge it provides into other networks. One common scenario is an employee who brings in a wireless-enabled laptop, plugs it into a wired port at work, and leaves the wireless interface enabled. In this scenario, a hacker in a neighboring area could connect directly to the client, creating a security threat. The hacker could then look for information on the employee's client device and potentially gain access to the corporate network through the simultaneously active wireless and wired interfaces. This situation might place the enterprise in violation of the regulatory policies for its industry.
How Do I Know Whether an Ad-Hoc Network Is Malicious?
Ask whether the detected device has the characteristics of a benign device or those of a threatening device. Table 1 lists the characteristics to check.
Table 1: Characteristics of Benign Rogues and Threatening Rogues

| Benign rogues tend to be: | Threatening rogues tend to be: |
| --- | --- |
| off of the network | on the network |
| using a foreign SSID | using your SSID. Access points masquerading as your SSID are treated as rogue by default, but this is configurable; see Creating and Managing RF Detection Profiles. |
| using weak RSSI | using strong RSSI |
| associating only with untrusted stations | actively associated with your stations, which indicates a man-in-the-middle attack |
| consuming some bandwidth | consuming a lot of bandwidth, which indicates a DoS flood or port scan |
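The following is an added example of how the Table 1 heuristics can be turned into a repeatable triage step; it is not Network Director or MSS code, and it does not read detections from either product. The observation record layout, the SSID list, the RSSI and bandwidth thresholds, the point weights, and the sample detections are all constructed assumptions that a site would replace with its own values and with data exported from its own detection system.

```python
"""Triage rogue/ad-hoc detections with the Table 1 heuristics.

Added example, not Network Director or MSS code. The record schema, SSID list,
thresholds, weights and sample detections below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RogueObservation:
    """One detected rogue/ad-hoc device as a detector might report it (constructed schema)."""
    bssid: str
    ssid: str
    on_network: bool                   # True if the device is seen bridged onto the wired network
    rssi_dbm: int                      # signal strength as seen by the detecting radio
    trusted_stations_associated: int   # how many of our own stations are associated with it
    throughput_kbps: int               # traffic it is moving over the air


# Assumed site-specific values; replace with your own SSIDs and measured baselines.
OUR_SSIDS = frozenset({"corp-wlan", "corp-guest"})
STRONG_RSSI_DBM = -60        # at or above this, the rogue is close by or transmitting at high power
HIGH_BANDWIDTH_KBPS = 5000   # far above what a printer or a peer-to-peer laptop normally needs


def score(obs: RogueObservation, our_ssids: frozenset[str] = OUR_SSIDS) -> tuple[int, list[str]]:
    """Return (points, reasons). Weights are assumptions: any one of the three strong
    indicators from Table 1's right-hand column is enough to call the device threatening."""
    points = 0
    reasons: list[str] = []
    if obs.on_network:
        points += 3
        reasons.append("on the network")
    if obs.ssid in our_ssids:
        points += 3
        reasons.append("using our SSID (masquerading)")
    if obs.trusted_stations_associated > 0:
        points += 3
        reasons.append("actively associated with our stations (possible man-in-the-middle)")
    if obs.rssi_dbm >= STRONG_RSSI_DBM:
        points += 1
        reasons.append("strong RSSI")
    if obs.throughput_kbps >= HIGH_BANDWIDTH_KBPS:
        points += 2
        reasons.append("high bandwidth (possible DoS flood or port scan)")
    return points, reasons


def classify(obs: RogueObservation) -> str:
    """Map the score to a triage label. The cut-offs are assumptions."""
    points, _ = score(obs)
    if points >= 3:
        return "threatening"
    if points > 0:
        return "suspicious"
    return "benign"


def triage(observations: list[RogueObservation]) -> dict[str, str]:
    """Label every observation, keyed by BSSID, so the result can feed a ticket or report."""
    return {obs.bssid: classify(obs) for obs in observations}


# Constructed sample detections (not real devices).
SAMPLE = [
    # A wireless printer doing peer-to-peer with a foreign SSID, weak signal, off the wire.
    RogueObservation("00:11:22:33:44:01", "DIRECT-printer", False, -82, 0, 120),
    # A neighbour's access point that merely happens to be close; nothing else matches.
    RogueObservation("00:11:22:33:44:02", "neighbour-home", False, -55, 0, 300),
    # Masquerading our SSID with a strong signal and two of our stations attached.
    RogueObservation("00:11:22:33:44:03", "corp-wlan", False, -48, 2, 900),
    # An ad-hoc client bridged onto the wired network and pushing a lot of traffic.
    RogueObservation("00:11:22:33:44:04", "FreePublicWiFi", True, -70, 0, 9000),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        points, reasons = score(obs)
        print(f"{obs.bssid} {obs.ssid!r}: {classify(obs)} ({points} points) {reasons}")
```

The reasons list is kept alongside the score so that an analyst reviewing the Adhoc User Detected fault can see which Table 1 column each observation matched rather than only a label; the weights deliberately make "on the network", "using your SSID" and "associated with your stations" decisive on their own, while strong RSSI alone only raises a device to "suspicious".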