Rogue Access Point detection is a two-step process: first discovering the presence of an Access Point in the network, and then identifying whether it is a rogue or not.
Step 1: Discovering the AP
Some of the most commonly used techniques for AP discovery are:
- RF scanning
- AP scanning
- Using wired side inputs
RF scanning: Most WLAN IDS vendors follow this technique. Re-purposed access points that do only packet capture and analysis (a.k.a. RF sensors) are plugged in all over the wired network. These sensors are quick to detect any wireless device operating in the area and can alert the WLAN administrator. The drawback of these sensors is the possibility of dead zones that are not covered by any sensor. If a rogue Access Point finds its place in one of these dead zones, it may go unnoticed until more sensors are added.
AP Scanning: A few Access Point vendors offer the functionality of detecting neighboring Access Points. If you deploy such Access Points in your WLAN, they will automatically discover APs operating in the nearby area and expose the data through their web interface as well as their MIBs. Though very useful, the ability of an AP to scan neighboring devices is limited to a very short range, and rogue APs operating outside this coverage area will go unnoticed. Moreover, this works only for those who deploy APs with such functionality.
Wired Side Inputs: Most network management software uses this technique to discover Access Points. Such software uses multiple protocols to detect devices connected to the LAN, including SNMP, Telnet, CDP (Cisco Discovery Protocol, specific to Cisco devices), etc. This approach is reliable and proven, as it can detect an AP anywhere in the LAN irrespective of its physical location. Moreover, a wireless NMS can not only discover the AP but also constantly monitor it for health and availability. The bandwidth utilization of the AP over a period of time can be obtained and plotted in a graphical format, and for ease of troubleshooting the operator can set thresholds on various AP parameters to get notified before a fault occurs. The limitation of this method is that any AP that doesn't support SNMP, Telnet, etc. will go unnoticed by the network management software.
| AP Discovery Method | WLAN IDS Systems | WLAN NMS |
| RF Scan | | |
| AP Scan | | |
| Wired Inputs | | |
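Because each discovery method has a blind spot described above (RF sensors miss dead zones, AP scanning has short range, wired inputs miss APs that do not answer SNMP/Telnet), an operator who runs more than one of them can compare their results to see which limitation applies to a given AP. The following is an added example, not code from the original page or from any WLAN IDS/NMS product; the sighting records, source labels and sensor names are constructed for illustration.

```python
"""Reconcile AP sightings from the three discovery methods (added example).

An AP reported by the wired-side NMS but by no radio source suggests a
sensor dead zone; an AP reported only over the air is one the NMS cannot
see on the wire (no SNMP/Telnet support, or not attached to our LAN).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Labels for the three discovery methods discussed in Step 1 (constructed names).
RF_SCAN, AP_SCAN, WIRED = "rf_scan", "ap_scan", "wired"
RADIO_SOURCES = {RF_SCAN, AP_SCAN}


@dataclass(frozen=True)
class Sighting:
    bssid: str     # MAC address of the AP radio as reported by the source
    source: str    # RF_SCAN, AP_SCAN or WIRED
    reporter: str  # sensor, scanning AP or NMS host that reported it (constructed)


def merge_sightings(sightings: Iterable[Sighting]) -> Dict[str, Set[str]]:
    """Union, per AP, the set of discovery sources that reported it (keyed by lower-case BSSID)."""
    seen: Dict[str, Set[str]] = {}
    for s in sightings:
        seen.setdefault(s.bssid.lower(), set()).add(s.source)
    return seen


def coverage_gaps(seen: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Flag APs whose combination of sources points at one of the method limitations."""
    notes: Dict[str, List[str]] = {}
    for mac, sources in seen.items():
        if WIRED in sources and not (sources & RADIO_SOURCES):
            notes.setdefault(mac, []).append(
                "seen on the wire but by no sensor or scanning AP: possible RF dead zone")
        if (sources & RADIO_SOURCES) and WIRED not in sources:
            notes.setdefault(mac, []).append(
                "seen over the air only: no SNMP/Telnet response, so the NMS cannot manage it "
                "(or it is not attached to our LAN)")
    return notes


# Constructed sample sightings; MACs and reporter names are placeholders.
SIGHTINGS = [
    Sighting("00:11:22:AA:BB:01", RF_SCAN, "sensor-floor1"),
    Sighting("00:11:22:aa:bb:01", WIRED, "nms-01"),
    Sighting("00:11:22:aa:bb:02", WIRED, "nms-01"),          # wire only
    Sighting("00:11:22:aa:bb:03", RF_SCAN, "sensor-floor2"),  # air only
    Sighting("00:11:22:aa:bb:04", AP_SCAN, "ap-lobby"),
    Sighting("00:11:22:aa:bb:04", WIRED, "nms-01"),
    Sighting("02:00:00:00:00:05", AP_SCAN, "ap-lobby"),       # air only
]

if __name__ == "__main__":
    for mac, reasons in coverage_gaps(merge_sightings(SIGHTINGS)).items():
        print(mac)
        for reason in reasons:
            print("  " + reason)
```

Only APs that are missing from one side are reported; an AP seen both over the air and on the wire raises no note.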
Step 2: Identifying whether the discovered AP is a rogue access point or not
Once an AP is discovered, the next step is to identify whether it is a rogue access point or not. One way to do this is to use a pre-configured list of authorized APs: any newly detected AP that falls outside the authorized list is tagged as rogue. Some of the different ways in which IT managers can populate the authorized list are:
- Authorized MAC
- Authorized SSID
- Authorized Vendor
- Authorized Media Type
- Authorized Channel
Authorized MAC: IT administrators can import ACL settings into WiFi Manager or type in the MAC addresses of the authorized Access Points in the network. This enables the rogue detection tool to alert WLAN administrators whenever an AP with a different MAC is detected.
Authorized SSIDs: Enterprises in most cases standardize on the authorized SSIDs that are to be used. These SSIDs can be fed to the rogue detection tool so that it alerts WLAN administrators whenever an AP with a different SSID is detected.
Authorized Vendor: Many enterprises standardize their WLAN gear and prefer to add only that vendor's devices as they grow. This enables the rogue detection tool to alert WLAN administrators whenever an AP from a vendor other than the standardized one is detected.
Authorized Radio Media Type: Enterprises sometimes standardize on 802.11a, b, g or bg Access Points. This enables the rogue detection tool to alert WLAN administrators whenever an AP with a different radio media type is detected.
Authorized Channel: Sometimes enterprises want their APs to operate only on select channels. This enables the rogue detection tool to alert WLAN administrators whenever an AP operating on a different channel is detected.
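The five authorized-list criteria above can be evaluated independently against every discovered AP, with any criterion the administrator left unconfigured simply not raising alerts. The following is an added example of that classification, not code from the original page or from WiFi Manager; the authorized list, the OUI `00:11:22` and all MAC addresses are constructed placeholders, and the vendor check assumes the vendor is identified by the OUI (first three octets) of the AP's MAC.

```python
"""Rogue AP classification against an authorized list (added example).

Each criterion (MAC, SSID, vendor OUI, radio media type, channel) is checked
on its own; an empty set means the criterion was not configured, so it never
flags anything.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class DiscoveredAP:
    bssid: str    # MAC address of the AP radio as reported by the discovery source
    ssid: str
    media: str    # radio media type: "a", "b", "g" or "bg"
    channel: int


@dataclass
class AuthorizedList:
    macs: Set[str] = field(default_factory=set)         # normalized "xx:xx:xx:xx:xx:xx"
    ssids: Set[str] = field(default_factory=set)
    vendor_ouis: Set[str] = field(default_factory=set)  # first three octets, "xx:xx:xx"
    media_types: Set[str] = field(default_factory=set)
    channels: Set[int] = field(default_factory=set)


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc or 001122aabbcc; return lower-case colon form."""
    digits = "".join(ch for ch in mac if ch not in ":-.").lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The vendor OUI is the first three octets of the (normalized) MAC."""
    return normalize_mac(mac)[:8]


def classify(ap: DiscoveredAP, auth: AuthorizedList) -> List[Tuple[str, str]]:
    """Return (criterion, detail) pairs for every configured criterion the AP violates.

    An empty list means the AP passes every configured criterion.
    """
    mac = normalize_mac(ap.bssid)
    reasons: List[Tuple[str, str]] = []
    if auth.macs and mac not in auth.macs:
        reasons.append(("mac", f"{mac} is not an authorized MAC"))
    if auth.ssids and ap.ssid not in auth.ssids:
        reasons.append(("ssid", f"SSID {ap.ssid!r} is not authorized"))
    if auth.vendor_ouis and oui_of(mac) not in auth.vendor_ouis:
        reasons.append(("vendor", f"OUI {oui_of(mac)} is not an authorized vendor"))
    if auth.media_types and ap.media not in auth.media_types:
        reasons.append(("media", f"802.11{ap.media} is not an authorized media type"))
    if auth.channels and ap.channel not in auth.channels:
        reasons.append(("channel", f"channel {ap.channel} is not authorized"))
    return reasons


def find_rogues(aps: Iterable[DiscoveredAP], auth: AuthorizedList) -> Dict[str, List[Tuple[str, str]]]:
    """Map each rogue AP's normalized MAC to the criteria it violates; authorized APs are omitted."""
    rogues: Dict[str, List[Tuple[str, str]]] = {}
    for ap in aps:
        reasons = classify(ap, auth)
        if reasons:
            rogues[normalize_mac(ap.bssid)] = reasons
    return rogues


# Constructed sample data: OUI 00:11:22 and all MACs are placeholders, not a real vendor's.
AUTHORIZED = AuthorizedList(
    macs={"00:11:22:aa:bb:01", "00:11:22:aa:bb:03"},
    ssids={"corp-wlan"},
    vendor_ouis={"00:11:22"},
    media_types={"g", "bg"},
    channels={1, 6, 11},
)

DISCOVERED = [
    DiscoveredAP("00:11:22:AA:BB:01", "corp-wlan", "g", 6),  # fully authorized
    DiscoveredAP("00-11-22-aa-bb-02", "corp-wlan", "g", 6),  # right vendor and SSID, MAC never registered
    DiscoveredAP("00aabbccddee", "corp-wlan", "bg", 11),     # unknown MAC from a non-standard vendor
    DiscoveredAP("02:00:00:00:00:01", "FreeWifi", "a", 36),  # violates every configured criterion
]

if __name__ == "__main__":
    for mac, reasons in find_rogues(DISCOVERED, AUTHORIZED).items():
        print(mac)
        for criterion, detail in reasons:
            print(f"  [{criterion}] {detail}")
```

Reporting every violated criterion rather than a single rogue/not-rogue bit lets the administrator tell an unregistered AP of the standard vendor on the standard SSID (likely a missing list entry) from a device that matches nothing.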