Cisco Systems quick start About Rogue Access Points, 26/05 Rogue Access Points OL-7426-03


About Rogue Access Points

Because they are inexpensive and readily available, employees are plugging unauthorized rogue access points into existing LANs and building ad hoc wireless networks without IT department knowledge or consent.

These rogue access points can be a serious breach of network security, because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users and war chalkers frequently publish unsecure access point locations, increasing the odds of having the enterprise security breached.

Rather than using a person with a scanner to manually detect rogue access points, the Cisco WLAN Solution automatically collects information on rogue access points detected by its managed Cisco 1000 Series Lightweight Access Points, by MAC and IP address, and allows the system operator to locate, tag and monitor them as described in the Detecting and Locating Rogue Access Points section. The Operating System can also be used to discourage rogue access point clients by sending them deauthenticate and disassociate messages from one to four Cisco 1000 Series lightweight access points. Finally, the Operating System can be used to automatically discourage all clients attempting to authenticate with all rogue access points on the enterprise subnet. Because this real-time detection is automated, it saves labor costs used for detecting and monitoring rogue access points while vastly improving LAN security.

Note that peer-to-peer, or ad hoc, clients can also be considered rogue access points.

See also Rogue Access Point Location, Tagging and Containment.

Rogue Access Point Location, Tagging and Containment

This built-in detection, tagging, monitoring and containment capability allows system administrators to take required actions:

Locate rogue access points as described in Detecting and Locating Rogue Access Points.

Receive new rogue access point notifications, eliminating hallway scans.

Monitor unknown rogue access points until they are eliminated or acknowledged.

Determine the closest authorized Cisco 1000 Series Lightweight Access Points, making directed scans faster and more effective.

Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four Cisco 1000 Series lightweight access points. This containment can be done for individual rogue access points by MAC address, or can be mandated for all rogue access points connected to the enterprise subnet.

Tag rogue access points:

-Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or WLAN security.

-Accept rogue access points when they do not compromise the LAN or WLAN security.

-Tag rogue access points as unknown until they are eliminated or acknowledged.

-Tag rogue access points as contained and discourage clients from associating with the rogue access point by having between one and four Cisco 1000 Series lightweight access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function contains all active channels on the same rogue access point.
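The notification, closest-access-point and tagging steps listed above, modelled as an added example; this is not Cisco code and not how the Operating System implements them. The class and function names, the use of RSSI as a stand-in for "closest", and the MAC addresses and AP names are all constructed assumptions.

```python
from dataclasses import dataclass, field

TAGS = {"unknown", "acknowledged", "accepted", "contained"}  # tags named in the section
MAX_APS = 4  # the section says one to four lightweight access points
@dataclass
class Rogue:
    mac: str
    tag: str = "unknown"  # a new rogue stays unknown until an operator tags it
    heard_by: dict = field(default_factory=dict)  # managed AP name -> best RSSI (dBm)

class RogueTable:
    def __init__(self, managed_macs):
        self.managed = {m.lower() for m in managed_macs}
        self.rogues = {}

    def report(self, ap_name, bssid, rssi):
        """Record one sighting; return True when it is a newly seen rogue."""
        bssid = bssid.lower()
        if bssid in self.managed:
            return False
        is_new = bssid not in self.rogues
        rogue = self.rogues.setdefault(bssid, Rogue(bssid))
        rogue.heard_by[ap_name] = max(rssi, rogue.heard_by.get(ap_name, -200))
        return is_new

    def closest_aps(self, bssid, count=MAX_APS):
        """Managed APs hearing the rogue best, strongest first (assumed proximity proxy)."""
        heard = self.rogues[bssid.lower()].heard_by
        count = max(1, min(count, MAX_APS))
        return sorted(heard, key=heard.get, reverse=True)[:count]

    def tag(self, bssid, tag):
        if tag not in TAGS:
            raise ValueError(f"unsupported tag: {tag}")
        self.rogues[bssid.lower()].tag = tag

    def unresolved(self):
        """Rogues still tagged unknown, which the operator keeps monitoring."""
        return sorted(m for m, r in self.rogues.items() if r.tag == "unknown")
# Constructed sample data: one managed radio and sightings (AP name, BSSID, RSSI).
MANAGED = ["02:00:00:00:00:01"]
SIGHTINGS = [("ap-lobby", "02:00:00:00:00:01", -40), ("ap-lobby", "02:AA:00:00:00:10", -70),
             ("ap-floor2", "02:aa:00:00:00:10", -48), ("ap-floor3", "02:AA:00:00:00:10", -55),
             ("ap-lab", "02:AA:00:00:00:10", -81), ("ap-dock", "02:AA:00:00:00:10", -62),
             ("ap-dock", "02:AA:00:00:00:20", -77)]
def build_table():
    table = RogueTable(MANAGED)
    new = [s[1].lower() for s in SIGHTINGS if table.report(*s)]  # new-rogue notifications
    return table, new
```

With five managed APs hearing the same rogue, only the four strongest are returned, which keeps a directed scan or containment decision inside the one-to-four limit the section states.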

Rogue Detector mode detects whether or not a rogue access point is on a trusted network. It does not provide RF service of any kind, but rather receives periodic rogue access point reports from the Cisco
