Dell 6.2 Server User Manual


 
Detecting Rogue APs
The most important WIP functionality is the ability to classify an AP as a potential security threat. An AP is
considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is
considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network.
While the interfering AP can potentially cause RF interference, it is not considered a direct security threat since it is
not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
Understanding Classification Terminology
APs and clients are discovered during scanning of the wireless medium, and they are classified into various groups.
The AP and client classification definitions are in Table 103 and Table 104.
Table 103: AP Classification Definition

| Classification | Description |
|---|---|
| Valid AP | An AP that is part of the enterprise providing WLAN service. |
| Interfering AP | An AP that is seen in the RF environment but is not connected to the wired network. An interfering AP is not considered a direct security threat since it is not connected to the wired network. For example, an interfering AP can be an AP that belongs to a neighboring office’s WLAN but is not part of your WLAN network. |
| Neighbor AP | An AP whose BSSIDs are known. Once classified, a neighboring AP does not change its state. |
| Rogue AP | An unauthorized AP that is plugged into the wired side of the network. |
| Suspected-Rogue AP | An unauthorized AP that may be plugged into the wired side of the network. |
| Manually-contained AP | An AP for which DoS is enabled manually. |

Table 104: Client Classification Definitions

| Classification | Description |
|---|---|
| Valid Client | Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client. |
| Manually-contained Client | Any client for which DoS is enabled manually. |
| Interfering Client | A client that is associated with any AP and is not valid. |

Understanding Classification Methodology
A discovered AP is classified as a rogue or a suspected rogue by the following methods:
- Internal heuristics
- AP classification rules
- Manually by the user
The internal heuristics work by checking whether the discovered AP is communicating with a wired device on the
customer network. This is done by matching the MAC address of devices that are on the discovered AP’s network
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Wireless Intrusion Prevention | 368
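
The classification definitions above, applied as a small classifier. This is an added example, not code from the manual or from ArubaOS. It assumes two inputs the manual does not specify: a list of MACs seen in frames forwarded by the discovered AP, and a list of MACs learned on the wired network. All function names and sample addresses are constructed, and the Suspected-Rogue and Manually-contained states are not modeled.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")

def norm_mac(mac):
    """Normalize 00:1A:.., 00-1a-.., 001a.2b3c.4d5e to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_unicast(mac):
    """Group (broadcast/multicast) addresses have the low bit of octet 0 set."""
    return int(mac[:2], 16) & 1 == 0

def classify_ap(bssid, relayed_macs, valid_bssids, neighbor_bssids, wired_macs):
    """Return (classification, evidence) for one discovered AP.

    relayed_macs: MACs seen in frames forwarded by the AP (assumed input from
    air monitoring). wired_macs: MACs learned on the wired network (assumed
    input, for example switch forwarding tables).
    """
    bssid = norm_mac(bssid)
    if bssid in {norm_mac(m) for m in valid_bssids}:
        return "valid", []
    if bssid in {norm_mac(m) for m in neighbor_bssids}:
        return "neighbor", []          # a neighbor AP does not change state
    wired = {norm_mac(m) for m in wired_macs}
    relayed = {norm_mac(m) for m in relayed_macs}
    # Only unicast matches count: broadcast/multicast MACs appear everywhere.
    evidence = sorted(m for m in relayed & wired if is_unicast(m))
    if evidence:
        return "rogue", evidence       # unauthorized AND on the wired side
    return "interfering", []           # seen in the RF environment only

# Constructed sample data (not from the manual).
VALID = ["00:0b:86:11:22:30"]
NEIGHBOR = ["00-24-6C-AA-BB-C0"]
WIRED = ["0050.56ab.cdef", "ff:ff:ff:ff:ff:ff", "00:1a:2b:3c:4d:5e"]

if __name__ == "__main__":
    scans = {
        "00:0B:86:11:22:30": [],
        "00:24:6c:aa:bb:c0": ["00:1a:2b:3c:4d:5e"],
        "de:ad:be:ef:00:01": ["ff-ff-ff-ff-ff-ff"],
        "de:ad:be:ef:00:02": ["00-50-56-AB-CD-EF", "ff:ff:ff:ff:ff:ff"],
    }
    for bssid, relayed in scans.items():
        print(bssid, classify_ap(bssid, relayed, VALID, NEIGHBOR, WIRED))
```

Running the same AP through the classifier again once a wired-side unicast MAC appears behind it moves it from interfering to rogue, which is the reclassification the section describes.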