Cisco Systems OL-7426-03 Network Router User Manual


5/26/05 Rogue Access Points
About Rogue Access Points
Because they are inexpensive and readily available, employees are plugging unauthorized rogue access
points into existing LANs and building ad hoc wireless networks without IT department knowledge or
consent.
These rogue access points can be a serious breach of network security, because they can be plugged
into a network port behind the corporate firewall. Because employees generally do not enable any
security settings on the rogue access point, it is easy for unauthorized users to use the access point to
intercept network traffic and hijack client sessions. Even more alarming, wireless users and war
chalkers frequently publish unsecured access point locations, increasing the odds of having the enterprise
security breached.
Rather than using a person with a scanner to manually detect rogue access points, the Cisco WLAN
Solution automatically collects information on rogue access points detected by its managed Cisco 1000
Series Lightweight Access Points, by MAC and IP address, and allows the system operator to locate, tag
and monitor them as described in the Detecting and Locating Rogue Access Points section. The
Operating System can also be used to discourage rogue access point clients by sending them deauthenticate
and disassociate messages from one to four Cisco 1000 Series lightweight access points. Finally,
the Operating System can be used to automatically discourage all clients attempting to authenticate
with any rogue access point on the enterprise subnet. Because this real-time detection is automated, it
saves the labor cost of detecting and monitoring rogue access points while vastly improving LAN
security.
Note that peer-to-peer (ad hoc) clients can also be considered rogue access points.
See also Rogue Access Point Location, Tagging and Containment.
Rogue Access Point Location, Tagging and Containment
This built-in detection, tagging, monitoring and containment capability allows system administrators to
take the required actions:
- Locate rogue access points as described in Detecting and Locating Rogue Access Points.
- Receive new rogue access point notifications, eliminating hallway scans.
- Monitor unknown rogue access points until they are eliminated or acknowledged.
- Determine the closest authorized Cisco 1000 Series Lightweight Access Points, making directed
scans faster and more effective.
- Contain rogue access points by sending their clients deauthenticate and disassociate messages
from one to four Cisco 1000 Series lightweight access points. This containment can be done for
individual rogue access points by MAC address, or can be mandated for all rogue access points
connected to the enterprise subnet.
- Tag rogue access points:
  - Acknowledge rogue access points when they are outside of the LAN and do not
compromise the LAN or WLAN security.
  - Accept rogue access points when they do not compromise the LAN or WLAN security.
  - Tag rogue access points as unknown until they are eliminated or acknowledged.
  - Tag rogue access points as contained and discourage clients from associating with the
rogue access point by having between one and four Cisco 1000 Series lightweight
access points transmit deauthenticate and disassociate messages to all rogue access
point clients. This function contains all active channels on the same rogue access point.
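The workflow above (rogue reports collected by MAC and IP from managed access points, the closest authorized access points ranked for a directed scan, and the four tag states with the one-to-four access point limit on containment) can be modelled as a small rogue table. The following is an added example written for this page, not Cisco's code or any controller API; the report format, the `on_wired_network` flag standing in for a Rogue Detector result, and all MAC addresses, AP names and RSSI values are constructed. It only selects and records state; it sends no frames.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class RogueState(Enum):
    """Tag states from the manual: unknown, acknowledged, accepted, contained."""
    UNKNOWN = "unknown"            # detected, not yet triaged by the operator
    ACKNOWLEDGED = "acknowledged"  # outside the LAN; no threat to LAN/WLAN security
    ACCEPTED = "accepted"          # known device that does not compromise security
    CONTAINED = "contained"        # clients discouraged by one to four managed APs


@dataclass
class RogueReport:
    """One sighting of a rogue BSSID by a managed access point (constructed format)."""
    rogue_mac: str
    detecting_ap: str
    rssi_dbm: int
    channel: int
    rogue_ip: Optional[str] = None
    on_wired_network: bool = False  # hypothetical flag: Rogue Detector saw the MAC on the trusted LAN


@dataclass
class RogueRecord:
    mac: str
    state: RogueState = RogueState.UNKNOWN
    ip: Optional[str] = None
    on_wired_network: bool = False
    channels: Set[int] = field(default_factory=set)
    sightings: Dict[str, int] = field(default_factory=dict)  # detecting AP -> strongest RSSI seen


class RogueTable:
    MAX_CONTAINING_APS = 4  # the manual allows one to four access points per contained rogue

    def __init__(self) -> None:
        self.records: Dict[str, RogueRecord] = {}

    def ingest(self, report: RogueReport) -> bool:
        """Merge a sighting; return True when this is a newly seen rogue (a notification event)."""
        rec = self.records.get(report.rogue_mac)
        is_new = rec is None
        if rec is None:
            rec = RogueRecord(mac=report.rogue_mac)
            self.records[report.rogue_mac] = rec
        rec.channels.add(report.channel)
        if report.rogue_ip:
            rec.ip = report.rogue_ip
        rec.on_wired_network = rec.on_wired_network or report.on_wired_network
        prev = rec.sightings.get(report.detecting_ap)
        if prev is None or report.rssi_dbm > prev:
            rec.sightings[report.detecting_ap] = report.rssi_dbm
        return is_new

    def closest_aps(self, mac: str, limit: int = MAX_CONTAINING_APS) -> List[str]:
        """Authorized APs ranked by strongest RSSI: the ones a directed scan should start from."""
        rec = self.records[mac]
        ranked = sorted(rec.sightings.items(), key=lambda kv: kv[1], reverse=True)
        return [ap for ap, _ in ranked[:limit]]

    def tag(self, mac: str, state: RogueState) -> RogueState:
        """Apply an operator tag; a rogue plugged into the LAN cannot be acknowledged as 'outside'."""
        rec = self.records[mac]
        if state is RogueState.ACKNOWLEDGED and rec.on_wired_network:
            raise ValueError(f"{mac} is on the trusted network and cannot be acknowledged as outside the LAN")
        if state is RogueState.CONTAINED:
            raise ValueError("use contain() so that the containing access points are chosen")
        rec.state = state
        return rec.state

    def contain(self, mac: str, num_aps: int = 1) -> List[str]:
        """Mark a rogue contained and pick the nearest one to four APs that will discourage its clients."""
        if not 1 <= num_aps <= self.MAX_CONTAINING_APS:
            raise ValueError("containment uses between one and four access points")
        rec = self.records[mac]
        rec.state = RogueState.CONTAINED
        return self.closest_aps(mac, num_aps)

    def pending_review(self) -> List[str]:
        """Rogues still tagged unknown, wired ones first because they sit behind the firewall."""
        unknown = [r for r in self.records.values() if r.state is RogueState.UNKNOWN]
        unknown.sort(key=lambda r: (not r.on_wired_network, r.mac))
        return [r.mac for r in unknown]


# Constructed sightings: three managed APs hear one rogue; a second rogue is also seen on the wired side.
SAMPLE_REPORTS = [
    RogueReport("00:11:22:33:44:55", "ap-lobby", -40, 6),
    RogueReport("00:11:22:33:44:55", "ap-floor2", -65, 6, rogue_ip="192.0.2.77"),
    RogueReport("00:11:22:33:44:55", "ap-floor3", -80, 11),
    RogueReport("00:11:22:33:44:55", "ap-lobby", -35, 6),
    RogueReport("66:77:88:99:aa:bb", "ap-floor2", -70, 1, on_wired_network=True),
]


def build_table(reports=SAMPLE_REPORTS) -> RogueTable:
    """Feed the constructed reports into a fresh table."""
    table = RogueTable()
    for r in reports:
        table.ingest(r)
    return table


if __name__ == "__main__":
    t = build_table()
    print("review queue (wired first):", t.pending_review())
    print("closest APs to first rogue:", t.closest_aps("00:11:22:33:44:55"))
    print("containing wired rogue with:", t.contain("66:77:88:99:aa:bb", 2))
```

The review queue puts rogues seen on the wired network first, since those are the ones plugged in behind the firewall; the `tag()` check mirrors the manual's distinction between acknowledging a rogue that is outside the LAN and accepting one that is merely harmless.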
Rogue Detector mode detects whether or not a rogue access point is on a trusted network. It does not
provide RF service of any kind, but rather receives periodic rogue access point reports from the Cisco