How I Became the Owner of Two Rogue WiFi APs

Posted May 29th, 2007 by

I’ve been a bad little CISO. I should know better. But hey, how can I maintain my BOFH credentials if I don’t do something bad from time to time?

Anyway, let me explain it all.

Inside my area of responsibility (aka my job scope) there are several networks. One is a closed network that we use for management and monitoring of our customers. Another is our corporate network. A third is our guest network where all you can do is access the outside world.

So what we wanted to do was to add a wireless access point to the guest network. That way our guys can stay connected between meetings. Not all too uncommon of a use-case.

Corporate IT has a solution they roll out everywhere. If I give them a cost center, they would give us a completely wide-open WiFi AP with a essid of “guest”. It’s the only solution that they would support.

I have 20 or so customers. They have varying levels of security savvy depending on how mature the organization is. Some of them believe in “Security Through Level of Pain”–in other words, they make it so hard to ask for permission that nothing ever gets done.

Now, with some of these clients, they think that they own my building. That’s not necessarily a bad thing, but if I have a wide-open “guest” AP in my building, then they all think that I have broken their security policy which says “no WiFi”. Even though eventually I can explain how the wireless is not connected physically, logically, or even tangentially to their network, their gut reaction is to make me take it down. I have yet to lose a disagreement over things like this, but 20 customers later, they’ll wear me down to the point where I need to go home and sleep. That’s very much in the spirit of “Security Though Level of Pain”.

If I have WiFi in the building, it has to be WPA2, no questions asked. I can justify that to the government, it makes my life oh-so-much easier. I ran a waiver through my boss and his boss that documented the security controls around how I wanted the design to be.

I talked to the guy from Corporate IT. I explained to him who I was and what I wanted to do. I explained the waiver and what the risks are. His answer was that he needed approval through management. However, he wouldn’t tell me who “the management” was. The only saving grace in this conversation was the fact that he didn’t remember my name. =)

I got a forwarded email a couple of days later from the Corporate IT guy asking our data center manager who could authorize a wireless connection (I had already authorized it with a waiver, remember?). I had a quick conversation with the data center manager that went along the lines of “Yeah I know about that, it was me.”

Rather than pull teeth, I bought 2 Linksys SoHo APs and wired them to the guest network. It’s not perfect (if you go from one side of the building to the other, you lose your association and have to do stuff like reconnect via VPN), but I set it up with WPA2 and it’s on the guest network where all you can do is get to the Internet. One sits in my office, the other sits in a closet between two conference rooms. Everybody who needs to use the APs knows how to do it.

Hi, my name is “Mike” and I’m the owner of two rogue wireless access points.

I’m also a Guerilla CISO.



Similar Posts:

Posted in Technical, The Guerilla CISO | 4 Comments »

4 Responses

  1.  LonerVamp Says:

    At least you get WPA! My last job had me putting up a guest wireless network with everything wide open. Thankfully I physically separated everything.

    The only real extenuating problem came from laptop users who are on the private wired network automatically associating to and then dual-homing on the open wireless network. They then become a vector of attack for the private network. Doh… I moved on before I could truly tackle that problem (which is as much to do with the people as the technology).

    And yeah, unless you get “greater than SOHO” equipment from someplace other than Besy Buy/CompUSA, you’ll have that roaming disconnect problem. I’ve found that everyone is quite tolerant to that.

  2.  dre Says:

    is a Guerilla CISO like a Renegade Network Engineer? If so, I like you.

  3.  rybolov Says:

    Hey, it’s worth more than the users are paying for. =)

    And yes, a Guerilla CISO is like a renegade engineer plus a lot of other stuff.

  4.  Saso Says:

    What stopped you at two? That’s not how you should do it. There is no resiliency in your solution. 😉 You need at least another two in standby, and another two somewhere in the middle, so that there is no drop in coverage.

    And what about lifts? Toilets? Toilet cubicles are frequently places that people use to conduct business – there’s always someone that is answering his mobile whilst at the toilet “Yeah, yeah, I’m fine to talk now, I’m just in the toilet, no worries.”

    I love the bit about “the management”. 😉 You may be C-something-or-other, but you’re no Management. Management would never talk to mere IT guys, everyone knows that. 🙂

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.


Visitor Geolocationing Widget: