Configuring wlan ids, Terminology, Rogue detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 149: Detecting rogue devices
137
Configuring WLAN IDS
802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients,
ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise
security. Wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks
and intrusions on a wireless network. Wireless intrusion prevention system (WIPS) helps to protect
enterprise networks and users from unauthorized wireless access. The Rogue detection feature is a part
of the WIDS/WIPS solution, which detects the presence of rogue devices in a WLAN network and takes
countermeasures to prevent rogue devices operation.
Terminology
•
WLAN intrusion detection system—WLAN IDS is designed to be deployed in an area that an
existing wireless network covers. It aids in the detection of malicious outsider attacks and intrusions
via the wireless network.
•
Rogue AP—An unauthorized or malicious access point on the network, such as an employee setup
AP, misconfigured AP, neighbor AP or an attacker operated AP. As it is not authorized, if any
vulnerability occurs on the AP, the hacker will have chance to compromise your network security.
•
Rogue client—An unauthorized or malicious client on the network.
•
Rogue wireless bridge—Unauthorized wireless bridge on the network.
•
Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.
•
Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can
directly communicate with other stations without support from any other device.
•
Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the air in
that channel.
•
Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a
broadcast probe request and receives all probe response messages on that channel. Each AP in the
vicinity of the monitor AP will reply to the probe request. This helps identify all authorized and
unauthorized APs by processing probe response frames. The monitor AP masquerades as a client
when sending the probe request.
Rogue detection
Detecting rogue devices
Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a
WLAN network based on the pre-configured rules.
Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue
clients, rogue wireless bridges, and ad-hoc terminals.
Taking countermeasures against rogue device attacks
You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list
from the AC and takes countermeasures against the rogue devices based on the configured
countermeasures mode.