Saturday, September 11, 2010

How to detect a rogue access point

Rogue Access Point Detection

Rogue detection is a two-step process: first discover the presence of an Access Point in the network, then identify whether it is a rogue or not. Some of the most commonly used techniques for AP discovery are:

- RF scanning
- AP scanning
- Using wired side inputs

RF scanning: Most WLAN IDS vendors follow this technique. Re-purposed access points that do only packet capture and analysis (a.k.a. RF sensors) are plugged in all over the wired network. These sensors are quick to detect any wireless device operating in the area and can alert the WLAN administrator. The drawback of these sensors is the possibility of dead zones that are not covered by any sensor. If a rogue Access Point finds its place in one of these dead zones, it may go unnoticed until more sensors are added.


AP Scanning: A few Access Point vendors build in the ability to detect neighbouring Access Points. If you deploy such Access Points in your WLAN they will automatically discover APs operating in the nearby area and expose the data through their web interface as well as their MIBs. Though very useful, the AP's ability to scan neighbouring devices is limited to a very short range, and rogue APs operating outside this coverage area will go unnoticed. Moreover, this works only for those who deploy APs with such functionality.


Wired Side Inputs: Most network management software uses this technique to discover Access Points. These tools use multiple protocols to detect devices connected to the LAN, including SNMP, Telnet, CDP (Cisco Discovery Protocol, specific to Cisco devices) etc. This approach is very reliable and proven, as it can detect an AP anywhere in the LAN irrespective of its physical location. Moreover, wireless NMSs can not only discover the AP but also constantly monitor it for health and availability. The bandwidth utilization of the AP over a period of time can be obtained and plotted in graphical form. For ease of troubleshooting the operator can set thresholds on various AP parameters to be notified before a fault occurs. The limitation of this method is that any AP that doesn't support SNMP/Telnet etc. will go unnoticed by the network management software.
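The second step of the process, deciding whether a discovered AP is a rogue, can combine the RF-scan and wired-side inputs described above. The following is an added example, not code from the original post: it correlates RF-sensor sightings with the authorized-AP inventory and the switch MAC table, and assumes (as a heuristic) that an AP's BSSIDs differ from its wired MAC only in the last hex digit. All sightings, inventory entries and MAC-table rows are constructed.

```python
# Added example: classify APs seen over the air by cross-checking them
# against the wired-side inventory and switch MAC (CAM) table.
# All input data below is constructed for illustration.

def mac_key(mac: str, keep: int = 11) -> str:
    """Normalise a MAC and keep its first `keep` hex digits. Assumption
    used here: an AP's BSSIDs are derived from its wired MAC and differ
    only in the last hex digit, so a prefix match links radio to port."""
    return mac.lower().replace(":", "").replace("-", "")[:keep]

def classify_ap(bssid, authorized, wired_macs):
    """Return (verdict, location); location is (switch, port) or None."""
    if bssid in authorized:
        return "authorized", None
    for mac, location in wired_macs.items():
        if mac_key(mac) == mac_key(bssid):
            # Unknown AP whose MAC family is bridged onto the LAN: rogue.
            return "rogue-on-lan", location
    # Seen over the air but on no switch port: a neighbour's AP, or a
    # rogue plugged in where the wired inventory has no visibility.
    return "unknown-off-lan", None

def rogue_report(rf_scan, authorized, wired_macs):
    """Map each sighted BSSID to its verdict, location and observing sensors."""
    report = {}
    for bssid, ssid, channel, sensor in rf_scan:
        verdict, location = classify_ap(bssid, authorized, wired_macs)
        entry = report.setdefault(bssid, {"ssid": ssid, "channel": channel,
                                          "verdict": verdict,
                                          "location": location,
                                          "sensors": set()})
        entry["sensors"].add(sensor)
    return report

# Constructed RF-sensor sightings: (bssid, ssid, channel, sensor id)
RF_SCAN = [
    ("00:11:22:33:44:50", "CorpWLAN", 1, "sensor-A"),
    ("00:11:22:33:44:60", "CorpWLAN", 6, "sensor-B"),
    ("a4:2b:8c:11:22:30", "CorpWLAN", 11, "sensor-A"),
    ("a4:2b:8c:11:22:30", "CorpWLAN", 11, "sensor-B"),
    ("d8:5d:4c:aa:bb:c0", "HomeNet", 3, "sensor-B"),
]
AUTHORIZED = {"00:11:22:33:44:50", "00:11:22:33:44:60"}   # from the NMS
WIRED_MACS = {                                            # switch CAM table
    "00:11:22:33:44:5f": ("sw1", "Gi1/0/3"),
    "a4:2b:8c:11:22:3f": ("sw2", "Gi1/0/12"),
}

if __name__ == "__main__":
    for bssid, info in rogue_report(RF_SCAN, AUTHORIZED, WIRED_MACS).items():
        print(bssid, info["verdict"], info["location"], sorted(info["sensors"]))
```

An AP flagged `unknown-off-lan` is exactly the case the text warns about: it may be a harmless neighbour, or a rogue in a spot the wired-side tools cannot see, so such entries deserve a follow-up rather than dismissal.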
