Rogue AP detected

This alarm is raised whenever WiFi Manager detects rogue APs in a wireless network.


What are Rogue APs?

Any unauthorized Access point plugged into the LAN is a rogue AP. Generally, rogue APs are cheap Access points costing around $50 to $60, plugged into the corporate LAN by trusted employees who want to experience the freedom of wireless in their work environment, unaware of the security issues this poses. Since they are cheap and meant for home users, they generally lack advanced security features and are usually left with default configurations, thus throwing open the entire corporate LAN to hackers.

How does WiFi Manager detect the rogue APs?

WiFi Manager uses both wired-side scanning and RF scanning to discover the Access points in the LAN. Once an Access point is discovered, it is checked against a set of criteria (listed below); if any one of the criteria fails, it is categorized as a rogue AP.

Criteria used to categorize an Access point as rogue:


Authorized MAC address: WLAN administrators can import the list of authorized APs' MAC addresses into WiFi Manager. If the MAC address of the discovered Access point is in the list of authorized MAC addresses, then the Access point is marked as trusted. If the MAC address is not in the trusted list, then the other criteria are checked to determine whether it is rogue or not.

Authorized SSIDs: WLAN administrators can import the list of authorized SSIDs into WiFi Manager. If the discovered Access point uses an SSID that is not in the authorized list then it is marked as rogue.

Authorized vendor: If an enterprise standardizes on a vendor for APs, then WLAN administrators can import the list of allowed vendors into WiFi Manager. If the discovered Access point is from a vendor not in the allowed list, then it is marked as a rogue Access point.

Authorized channel: If an enterprise standardizes on the channels to be used by its Access points, then the same can be configured in WiFi Manager. Upon discovery of an Access point, its current channel is compared with the configured list, and if it is not in the list, then it is marked as rogue.

Authorized 802.11 mode: If an enterprise standardizes on the 802.11 mode, then the same can be configured in WiFi Manager. Upon discovery of an Access point, the mode in which the Access point is operating is compared with the configured list, and if it is not in the list, then it is marked as rogue.
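
The decision order described by the criteria above, written out as an added example; this is not WiFi Manager's own code. The record fields, the `Policy` class, the sample values and the rule that an unconfigured (empty) list is skipped are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # An empty set means the criterion is not configured and is skipped (assumption).
    authorized_macs: set = field(default_factory=set)
    authorized_ssids: set = field(default_factory=set)
    allowed_vendors: set = field(default_factory=set)
    allowed_channels: set = field(default_factory=set)
    allowed_modes: set = field(default_factory=set)

def normalize_mac(mac):
    """Canonical lower-case colon form, so 02-00-5E-... equals 02:00:5e:..."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(ap, policy):
    """Return (verdict, failed_criteria) for one discovered access point."""
    # Criterion 1: an authorized MAC marks the AP trusted; nothing else is checked.
    if normalize_mac(ap["mac"]) in {normalize_mac(m) for m in policy.authorized_macs}:
        return "trusted", []
    # Remaining criteria: failing any configured one marks the AP rogue.
    checks = [
        ("ssid", ap["ssid"], policy.authorized_ssids),
        ("vendor", ap["vendor"], policy.allowed_vendors),
        ("channel", ap["channel"], policy.allowed_channels),
        ("mode", ap["mode"], policy.allowed_modes),
    ]
    failed = [name for name, value, allowed in checks if allowed and value not in allowed]
    return ("rogue", failed) if failed else ("not_rogue", [])

# Constructed sample policy and scan results (not real devices).
POLICY = Policy(
    authorized_macs={"02:00:5E:10:00:01"},
    authorized_ssids={"corp-wlan"},
    allowed_vendors={"ExampleVendor"},
    allowed_channels={1, 6, 11},
    allowed_modes={"802.11g"},
)
SCAN = [
    {"mac": "02-00-5e-10-00-01", "ssid": "corp-wlan", "vendor": "ExampleVendor", "channel": 6, "mode": "802.11g"},
    {"mac": "02:00:5e:99:00:07", "ssid": "default", "vendor": "HomeVendor", "channel": 3, "mode": "802.11b"},
    {"mac": "02:00:5e:99:00:08", "ssid": "corp-wlan", "vendor": "ExampleVendor", "channel": 11, "mode": "802.11g"},
]

if __name__ == "__main__":
    for ap in SCAN:
        print(ap["mac"], *classify(ap, POLICY))
```

The third sample record is not in the authorized MAC list but matches every other configured criterion, so it is not flagged; returning the list of failed criteria gives the administrator the reason for each alarm.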



What should the system Administrators do?


When WiFi Manager raises the alarm that a rogue AP is detected, the administrator should immediately analyze the reason for the alarm and take appropriate steps. The administrator can take one of the steps below:

1. If the Access point really is a rogue Access point, then the administrator has to block it immediately to avoid any adverse impact on the network. WiFi Manager lets administrators block the Access point from its user interface: it helps identify the switch and the port to which the Access point is connected and helps block that port, thus throwing the Access point out of the corporate LAN.

Switch Port Blocking

2. If the Access point is not a rogue device, then the administrator can add it to the trusted list. Further, he/she can analyze the reason for the alarm and make appropriate configuration changes in WiFi Manager.