How to detect rogue devices: NetAlly explains

Detecting rogue devices on the network sounds straightforward, but it is a multifaceted problem that demands multiple layers of defense. This blog steps you through the critical aspects of rogue device detection and the tools that promise to detect them.

Why rogue devices are a security concern

Rogue devices that transmit, whether over the air or on a wire, use network resources, subtracting from the resources available to legitimate devices. While this degradation of network performance can have a significant business impact, rogue devices substantially increase the risk of a security breach.

A critical concern is that rogue devices may not conform to the organization’s security policies, such as running the latest anti-virus software or supporting the preferred authentication method. Non-compliant devices on the network increase the chance of malware or other nefarious software entering the organization’s network and may open a backdoor for malicious devices to join the network. Rogue devices may also result in the unauthorized transmission and storage of data, which increases the risk of a data breach and could violate compliance regulations.

Organizations must implement measures to detect rogue devices and take the appropriate remedial actions to ensure that only authorized devices can access the network.

Defining a rogue device is surprisingly complex

Most IT professionals think of rogue devices as being specific to Wi-Fi networks. They might align with Aruba HPE’s viewpoint: “Rogue devices refer to the unauthorized devices in your WLAN network.” [1] This definition covers devices such as:

  • Rogue access points.
  • Evil twin access points.
  • Rogue wireless clients.

The National Institute of Standards and Technology (NIST) takes a broad perspective by defining a rogue device as “An unauthorized node on a network.” [2]  This extends the definition of rogue to include both wired and wireless devices, encompassing:

  • Unauthorized hubs and switches.
  • Unauthorized network printers.
  • Network nodes with unauthorized configurations.

The NIST definition also implies that rogue devices are connected to the network. Cisco, however, extends this further by stating, “Any device that shares your spectrum and is not managed by you can be considered a rogue.” [3] This last definition encompasses devices that could interfere with normal operations of the organization’s wireless network, including:

  • RF jammers
  • Ad hoc Wi-Fi networks
  • Unauthorized repeaters

Some organizations further refine the definition of rogue devices to include intent. For example, SolarWinds’ viewpoint is, “By definition, rogue devices are just plain malicious in nature.” [4] Rogue devices are often personal devices that users unwittingly connect to the enterprise network. It is essential to educate users so that they are aware of potential risks.

Establishing permissions is essential for rogue device detection

All these definitions have one thing in common: a rogue device does not have permission. It is, therefore, only possible to detect a rogue device by first defining what devices are approved to access the network. Permissions are defined in the organization’s network access security policy. This policy typically includes:

  • Approval criteria for granting access to the network, such as the authentication method, use of digital certificates, and password complexity.
  • Device requirements include anti-virus software, firewall settings, and operating system updates.
  • The device approval process includes registering the device and accepting a terms and conditions agreement.
  • Remediation actions if a device is not approved, such as quarantine the device.
  • Regulatory compliance requirements are the standards and practices that must be adhered to.

Any device not meeting your organization’s definition of an approved device can be considered a rogue device.

First line of defense against rogue devices

The first line of defense against rogue devices is Network Access Control (NAC) systems. NAC functionality may include:

  • Device authentication and authorization that verifies the device type, identity, and software compliance status.
  • Role-based access control, where access is granted based on the device function; for example, barcode readers are only permitted in the warehouse.
  • Network segmentation to limit access, such as unauthorized devices can only access the device registration portal.

NAC systems authentication and predefined policies are critical to preventing unauthorized devices from accessing network resources. However, it may not protect against unauthorized access from compromised devices or hackers trying to evade the NAC defenses. To enhance network security, organizations need to implement a multi-layered approach.

 Second line of defense against rogue devices

Several monitoring and alerting tools promise rogue device detection as one of their key features. These tools are the second line of defense when the NAC system fails to detect and prevent the rogue device from accessing the network. Table 1 shows the different monitoring and alerting tools that look for patterns and abnormalities to help identify unauthorized and unknown devices.

Types of monitoring & alerting toolsHow rogue devices are detected
Wireless Intrusion Detection Systems (WIDS)They collect and analyze information from sensors deployed throughout the organization and create alerts if rogue access points or other unauthorized devices are detected.
Wireless Intrusion Prevention Systems (WIPS)It extends the WIDS capability and adds automated remediating actions, such as de-authenticating a connected rogue device.
Advanced FirewallsExtend the functionality of a traditional firewall to include Intrusion Detection and Prevention Systems (IDS/IPS), which allows the firewall to look for patterns that indicate rogue devices.
Endpoint Detection and Response (EDR)It monitors each endpoint’s activities and traffic to detect security weaknesses. Abnormal behavior and discrepancies can indicate rogue devices.
Security Information and Management (SIEM)Collates and analyzes network data such as log files. This data detects security events and abnormalities that may indicate a rogue device is connected to the network.
Table 1: Monitoring and alerting tools that facilitate rogue device detection

Today, monitoring and alerting tools use Machine Learning (ML) and real-time data feeds on known attacks to detect and mitigate security threats. Although these are powerful tools, they may not be sufficient to detect all rogue devices. Hackers use sophisticated evasion techniques, employees may use valid credentials, and the monitoring and alerting tools may not have visibility across the entire network. Organizations may need to increase their security further.

Third line of defense against rogue devices

When monitoring and alerting tools fail to detect rogue devices or are cost-prohibitive, handheld spectrum and network analyzers provide another line of defense. The benefits of a handheld can include:

  • Portability allows the detection of rogue devices to be done anywhere, from central warehouses to remote offices.
  • Easily deployed with no complex configuration or network integration requirements.
  • Provides real-time detection of an extensive range of devices, including Wi-Fi, BT, and IoT radios.
  • Connects to edge network nodes, such as wireless access points and switches, to further enhance rogue device detection.
  • Physically locates rogue devices using signal strength measurements and allows security staff to mitigate threats immediately.

Handheld analyzers typically have a wide range of features and capabilities. Table 2 outlines the functionality commonly found in handheld analyzers. Additionally, they may include wireless connectivity, data capture, and upload to cloud services to facilitate analysis and team collaboration.

FunctionalityHow devices are detected
Network scanners such as NMAPThese tools detect active network devices using techniques such as ping and ARP sweeps.
Protocol analyzersExamines inside packets traversing the network and analyzes specific protocols. This information can be used to determine the type of device connected to the network.
Packet analyzersMonitors and analyzes network traffic. This information can identify devices on the network and the switch port or wireless access point they are connected to.
Spectrum analyzersExamines the physical layer characteristics of transmitted signals to identify device types, detect sources of interference, and physically locate transmitting devices.
Table 2: Functionality commonly found in handheld devices

What you should do next

Detecting rogue devices is more complex than it initially seems. Network Access Control systems, monitoring and alerting tools, and handheld analyzers are distinct tools that detect rogue devices differently. The best way for your organization to detect rogue devices depends on several factors, including budgetary restrictions and perceived security risks. However, a layered approach maximizes your ability to detect and remove rogue devices from your network.

To help you better understand your organization’s defense against rogue devices, research answers to the following questions:

  • What is your organization’s definition of rogue devices?
  • What actions does your NAC take when rogue devices are found?
  • Is your organization leveraging monitoring and alerting tools to detect network patterns and anomalies that indicate rogue devices?
  • Are portable network and spectrum analyzers being utilized for localized rogue device detection?

Once you understand how your organization should protect itself from rogue devices, ensure that your organization’s security policy includes remedial actions, for example:

  • Block all traffic to and from the device.
  • Restrict to a specific network segment.
  • Send alerts to the network administrative staff.
  • Physically locate the device and remove it.
  • Do nothing.

How CyberScope can help with rogue device detection

As the world’s first portable, handheld network scanner with Nmap integration CyberScope® can serve as another layer of defense at the edge to detect unauthorized devices. The advanced, comprehensive discovery makes rogue device detection fast, while path analysis and the directional antenna ensures physical locating the device a breeze.

[1] https://www.arubanetworks.com/techdocs/centralonprem/2.5.3/content/nms-on-prem/access-points/rogue-ap-mgmt/rapids.htm
[2] https://csrc.nist.rip/glossary/term/Rogue_Device
[3] https://csrc.nist.rip/glossary/term/Rogue_Device
[4] https://www.solarwinds.com/assets/solarwinds/swdcv2/licensed-products/user-device-tracker/resources/whitepaper/udt_wp_detect_prevent_rogue_devices.pdf

Author Bio –
Author and public speaker

Dr. Avril Salter is an author and acclaimed public speaker with over 20 years of in-depth technical and executive experience working in wireless and network security. She holds senior business and technical architect positions with a history of success in setting direction in major corporations and start-ups. She has an exceptional breadth of technical expertise in wireless standards and network security protocols and is a strategic thinker with a solid understanding of the IT and telecommunications industries.

More Posts