Understanding Ad-Hoc Networks – TechLibrary – Juniper Networks


Ad hoc is Latin for "for this purpose." An ad-hoc network is one that is formed directly between two client
devices for a specific reason. An ad-hoc network might not be an intentionally
malicious attack on the network, but it poses a threat to the enterprise
because it bypasses the security checks imposed by the infrastructure
and steals bandwidth from your infrastructure users.

Why Are Ad-Hoc Networks a Security Risk?

Two common attacks can be launched from ad-hoc
clients on your network. First, ad-hoc networks can advertise fake SSIDs
with attractive names, such as free Internet connectivity. Once
a user connects, the fake SSID is added to the client’s wireless
configuration and the client begins to broadcast the fake SSID, thereby
infecting other clients. Second, ad-hoc clients can forward
data by flooding in addition to the classic routing technique, and this
forwarding can be used for flood attacks.

How Do I Detect an Ad-Hoc Network?

MSS detects and reports ad-hoc networks. In Network Director,
the fault Adhoc User Detected appears in the
RF Detect category of faults (see Alarms by Category Monitor, Alarm Detail Monitor, Understanding the Fault Mode Tasks Pane, and Alarm Summary Report).

In Network Director, configure an ad-hoc network policy as described in Creating and Managing RF Detection Profiles.

Are All Ad-Hoc Networks Malicious?

Most ad-hoc networks are not created with malicious intentions.
Laptops, PDAs, and printers with wireless enabled are simply attempting
to connect to each other without using an access point—this
is also called peer-to-peer networking. The security hole provided
by ad-hoc networking is not the ad-hoc network itself, but the bridge
it provides into other networks. One of the common scenarios is an
employee who brings in a wireless-enabled laptop, plugs it into a
wired port at work, and leaves the wireless interface enabled. In
this scenario, a hacker in a neighboring area could connect directly
to the client, creating a security threat. The hacker at this point
could look for information on the employee’s client device,
and potentially gain access to the corporate network through the simultaneous
wireless and wired interfaces. This situation might place the enterprise
in violation of regulatory policies for its industry.

How Do I Know Whether an Ad-Hoc Network Is Malicious?

Does the access point have characteristics of a benign device
or characteristics of a threatening device? Check the characteristics
in Table 1 for information.

Table 1: Characteristics of Benign Rogues and Threatening Rogues

| Benign rogues tend to be: | Threatening rogues tend to be: |
| --- | --- |
| off of the network | on the network |
| secured | not secured |
| using a foreign SSID | using your SSID. Access points masquerading your SSID are rogue by default, but this is configurable. See Creating and Managing RF Detection Profiles. |
| using weak RSSI | using strong RSSI |
| without clients | attracting clients |
| associating only with untrusted stations | actively associated with your stations—this indicates a man-in-the-middle attack |
| consuming some bandwidth | consuming a lot of bandwidth—this indicates a DoS flood or port scan |
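
The Table 1 rows that can be read from a single beacon (secured, SSID, RSSI), applied to ad-hoc beacons in Python. This is an added example, not MSS or Network Director code, and it goes beyond the page by using the 802.11 capability field (IBSS and Privacy bits) to recognize ad-hoc beacons. `CORP_SSIDS`, the -65 dBm cutoff, the function names, and the sample frames are constructed assumptions.

```python
import struct

CORP_SSIDS = {"corp-wlan"}   # assumption: SSIDs your infrastructure advertises
STRONG_RSSI_DBM = -65        # assumption: cutoff for "strong RSSI" in Table 1

def parse_beacon(frame: bytes):
    """Parse an 802.11 beacon starting at the MAC header (no radiotap, no FCS)."""
    if len(frame) < 36 or frame[0] != 0x80:      # management frame, subtype beacon
        return None
    cap, = struct.unpack_from("<H", frame, 34)   # after 24B header, 8B timestamp, 2B interval
    ssid, pos = "", 36
    while pos + 2 <= len(frame):                 # tagged elements: id, length, value
        eid, elen = frame[pos], frame[pos + 1]
        if pos + 2 + elen > len(frame):
            break                                # truncated element, stop
        if eid == 0:                             # element 0 carries the SSID
            ssid = frame[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
            break
        pos += 2 + elen
    return {"bssid": frame[16:22].hex(":"), "ssid": ssid,
            "ibss": bool(cap & 0x0002) and not cap & 0x0001,  # IBSS set, ESS clear
            "secured": bool(cap & 0x0010)}                    # Privacy bit

def triage(frame: bytes, rssi_dbm: int):
    """Return Table 1 threat indicators for an ad-hoc beacon, or None otherwise."""
    b = parse_beacon(frame)
    if b is None or not b["ibss"]:
        return None                              # not a beacon, or an infrastructure AP
    flags = []
    if not b["secured"]:
        flags.append("not secured")
    if b["ssid"] in CORP_SSIDS:
        flags.append("using your SSID")
    if rssi_dbm >= STRONG_RSSI_DBM:
        flags.append("strong RSSI")
    return {**b, "rssi_dbm": rssi_dbm, "threat_flags": flags}

def make_beacon(bssid: bytes, ssid: str, cap: int) -> bytes:
    """Build a constructed sample beacon (test input, not a real capture)."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    s = ssid.encode()
    return hdr + bytes(8) + struct.pack("<HH", 100, cap) + bytes([0, len(s)]) + s

if __name__ == "__main__":
    for mac, name, cap, rssi in [("02aabbccdd01", "Free Internet", 0x0002, -50),
                                 ("02aabbccdd02", "printer-direct", 0x0012, -85),
                                 ("02aabbccdd03", "corp-wlan", 0x0002, -60)]:
        print(triage(make_beacon(bytes.fromhex(mac), name, cap), rssi))
```

The remaining Table 1 rows (on or off the network, clients, associations, bandwidth) need wired-side and traffic data that a beacon does not carry.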