SonicPoint > RF Monitoring
415
SonicOS Enhanced 4.0 Administrator Guide
Ad-Hoc Station Detection - Ad-Hoc stations are nodes which provide access to wireless
clients by acting as a bridge between the actual access point and the user. Wireless users
are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as
they may have the same SSID. This allows the Ad-Hoc station to intercept any wireless
traffic that connected clients send to or receive from the access point.
Unassociated Station - Because a wireless station attempts to authenticate prior to
associating with an access point, the unassociated station can create a DoS by sending a
flood of authentication requests to the access point while still unassociated.
EAPOL Packet Flood - Extensible Authentication Protocol over LAN (EAPOL) packets are
used in WPA and WPA2 authentication mechanisms. Since these packets, like other
authentication request packets, are received openly by wireless access points, a flood of
these packets can result in DoS to your wireless network.
Weak WEP IV - The WEP security mechanism uses your WEP key along with a randomly
chosen 24-bit number known as an Initialization Vector (IV) to encrypt data. Network
attackers often target this type of encryption because some of the random IV numbers are
weaker than others, making it easier to recover your WEP key.
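The Unassociated Station and EAPOL Packet Flood threats above are both rate anomalies, so a monitor can flag them by counting frames per source in a sliding window. The sketch below is an added example, not SonicOS code: the frame tuple format, the window length and both thresholds are assumptions, and the sample frames are constructed. Because a MAC address can be spoofed, it also keeps an aggregate count under the "*" key.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0     # assumed sliding-window length, in seconds
PER_SRC_MAX = 20   # assumed limit of frames per source MAC per window
TOTAL_MAX = 40     # assumed limit of frames from all sources per window

def detect_floods(frames, associated, window=WINDOW_S,
                  per_src=PER_SRC_MAX, total=TOTAL_MAX):
    """Return {(src_mac or "*", kind): peak frame count} for exceeded limits.

    frames: (timestamp, src_mac, kind) tuples sorted by time, where kind is
    "auth" or "eapol". Auth requests from stations in `associated` are
    skipped, since the threat described is the unassociated case.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerts = {}
    for ts, src, kind in frames:
        if kind == "auth" and src in associated:
            continue
        # Count each frame against its own source and against the aggregate,
        # so a sender that rotates spoofed MACs still trips the "*" limit.
        for key, limit in (((src, kind), per_src), (("*", kind), total)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) > limit:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

def sample_frames():
    """Constructed capture: a normal client plus two flooding stations."""
    client = "02:00:00:00:00:01"
    frames = [(0.10, client, "auth")]
    frames += [(0.20 + i * 0.01, client, "eapol") for i in range(4)]
    # Unassociated station: 100 authentication requests in half a second.
    frames += [(1.0 + i * 0.005, "02:00:00:00:00:aa", "auth") for i in range(100)]
    # Station sending 60 EAPOL frames in 0.6 seconds.
    frames += [(2.0 + i * 0.01, "02:00:00:00:00:bb", "eapol") for i in range(60)]
    return sorted(frames)

if __name__ == "__main__":
    found = detect_floods(sample_frames(), associated={"02:00:00:00:00:01"})
    for (src, kind), peak in sorted(found.items()):
        print(f"{kind} flood, source {src}: peak {peak} frames in {WINDOW_S}s")
```

Thresholds should be tuned against normal traffic for the site, since busy roaming periods also produce bursts of authentication frames.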
Practical RF Monitoring Field Applications
This section provides an overview of practical uses for collected RF Monitoring data in
detecting Wi-Fi threat sources. These field applications are offered as general,
common-sense suggestions for using RF Monitoring data.
This section contains the following sub-sections:
“Before Reading this Section” section on page 415
“Using Sensor ID to Determine RF Threat Location” section on page 415
“Using RSSI to Determine RF Threat Proximity” section on page 417

Before Reading this Section

When using RF data to locate threats, keep in mind that wireless signals are affected by many
factors. Before continuing, take note of the following:
Signal strength is not always a good indicator of distance - Obstructions such as walls,
wireless interference, device power output, and even ambient humidity and temperature
can affect the signal strength of a wireless device.
A MAC Address is not always permanent - While a MAC address is generally a good
indicator of device type and manufacturer, this address is susceptible to change and can
be spoofed. Likewise, originators of RF threats may have more than one hardware device
at their disposal.

Using Sensor ID to Determine RF Threat Location

In the Discovered RF Threat Stations list, the Sensor field indicates which SonicPoint is
detecting the particular threat. Using the sensor ID and MAC address of the SonicPoint allows
you to easily determine the location of the SonicPoint that is detecting the threat.