Rogue scan – Proxim ORiNOCO AP-700 User Manual

Page 74


Performing Advanced Configuration

AP-700 User Guide

Alarms


Rogue Scan

The Rogue Scan feature provides an additional security level for wireless LAN deployments. Rogue Scan uses the selected wireless
interface(s) for scanning its coverage area for Access Points and clients.
A centralized Network Manager receives MAC address information from the AP on all wireless clients detected by the AP. The Network
Manager then queries all wired switches to find out the inbound switch/port of these wireless clients. If the switch/port does not have a valid
Access Point connected to it as per a pre-configured database, the Network Manager proceeds to block that switch/port and prevent the
Rogue AP from connecting to the wired network.

Figure 4-24 Preventing Rogue AP Attacks

The figure above shows Client 1 connected to a Trusted AP and Client 2 connected to a Rogue AP. The Trusted AP scans the networks,
detects Client 2, and notifies the Network Manager. The Network Manager uses SNMP/CLI to query the wired switch to find the inbound
switch port of Client 2’s packets. The Network Manager verifies that this switch/router and port does not have a valid Access Point as per the
administrator’s database. Thus it labels Client 2’s AP as a Rogue AP and proceeds to prevent the Rogue AP attack by blocking this switch’s
port.
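The correlation step performed by the Network Manager can be sketched as follows. This is an added example, not Proxim's code: the function names, the `uplink_ports` guard, and all MAC addresses and port names are constructed assumptions, and the forwarding table is assumed to already hold the edge port for each MAC as collected over SNMP/CLI.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    switch: str
    port: str

def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation (aa:bb.., aa-bb.., aabb.ccdd..) to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_rogue_ports(detected_clients, fdb, authorized_ap_ports, uplink_ports=frozenset()):
    """Return {Port: [client MACs]} for switch ports that should be blocked.

    detected_clients    : wireless client MACs reported by the scanning AP
    fdb                 : {mac: Port} learned from the wired switches
    authorized_ap_ports : ports where the administrator's database lists a valid AP
    uplink_ports        : assumption of this sketch, inter-switch links are never blocked
    """
    table = {normalize_mac(m): p for m, p in fdb.items()}
    rogue = {}
    for mac in detected_clients:
        key = normalize_mac(mac)
        port = table.get(key)
        if port is None:
            continue  # client never appeared on the wired side; no port to act on
        if port in authorized_ap_ports or port in uplink_ports:
            continue  # traffic enters through a valid AP or a trunk
        rogue.setdefault(port, []).append(key)
    return rogue

# Constructed sample data: Client 1 sits behind the trusted AP, Client 2 does not.
DETECTED = ["02:00:00:00:00:01", "02-00-00-00-00-02", "02:00:00:00:00:03"]
FDB = {
    "0200.0000.0001": Port("sw1", "Gi0/1"),  # Client 1, port of the trusted AP
    "0200.0000.0002": Port("sw1", "Gi0/7"),  # Client 2, port with no AP on record
}
AUTHORIZED = {Port("sw1", "Gi0/1")}

def demo():
    return find_rogue_ports(DETECTED, FDB, AUTHORIZED)

if __name__ == "__main__":
    for port, macs in demo().items():
        print(f"block {port.switch} {port.port}: clients {macs}")
```

Normalizing the MAC notation matters because APs and switches from different vendors report the same address in different formats, and a missed match would leave a rogue port unblocked.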

Multi-Band Scanning

Rogue Scan detects Rogue stations in all bands (i.e., 2.4 GHz and 5 GHz) for interfaces that support 802.11a/g multi-band operation. During
Rogue Scan the AP scans every channel in its configured regulatory domain; the AP scans both the 2.4 GHz and 5 GHz bands for wireless
interfaces supporting 802.11a/g multi-band operation.
APs can be detected either actively, by scanning with 802.11 probe request frames, or passively, by detecting periodic beacons. Wireless
clients are detected by monitoring 802.11 connection establishment messages such as association/authentication messages or data traffic to
or from the wireless clients.
There are two scanning modes available per wireless interface: continuous scanning mode and background scanning mode.

Continuous Scanning Mode

The continuous scanning mode is a dedicated scanning mode where the wireless interface performs scanning alone and does not perform
the normal AP operation of servicing client traffic.
In continuous scanning mode the AP scans each channel for a channel scan time of one second and then moves to the next channel in the
scan channel list. With a channel scan time of one second, the scan cycle time will take less than a minute (one second per channel). Once
the entire scan channel list has been scanned the AP restarts scanning from the beginning of the scan channel list.

Background Scanning Mode

In background scanning mode the AP performs background scanning while performing normal AP operations on the wireless interface.
You can configure the scan cycle time between 1-1440 minutes (24 hours). The scan cycle time indicates how frequently a channel is
sampled and defines the minimum attack period that can go unnoticed.
In background scanning mode the AP will scan one channel then wait for a time known as channel scan time. The channel scan time affects
the amount of data collected during scanning and defines the maximum number of samples (possible detections) in one scan. This is
increased to improve scanning efficiency; the tradeoff is that it decreases throughput. The optimum value for this parameter during
background scanning mode is 20 ms. The channel scan time is calculated from the scan cycle time parameter and the number of channels in
the scan channel list as follows:

channel scan time = (scan cycle time - (channel scan time * number of channels in the scan list))/number of channels in the scan list.
