Couple of comments / questions.. If you have a valid AP that is capable of scanning other channels for rogues, it can take 5-7 minutes to find the rogue if there is minimal traffic on the device. This is a simple factor of the scan interval and channel dwell time. FB> It would frighten me if it actually took a WLAN infrastructure vendor 5-7 minutes to find a rogue AP, even if their 'sensor' was an AP acting in both modes. Most of the WIDPS vendors identified rogues in seconds, with Network Chemistry and AirTight generally being the fastest. AirMagnet can have a several-minute delay depending on when the sensor submits it's batch to the server. >>> If there is no traffic on the AP, you cant guarantee that the AP is on the LAN. You will see the AP "immediately" but you cannot make a positive determination that it's connected until there is traffic. That's all I'm saying. In mixed mode, you can only stay off channel for brief amount of time. These scanning intervals are generally configurable. For instance, you can configure scanning to occur every x seconds and for x amount of milliseconds. Vendors should have the ability to not go off-channel and stop scanning if there is certain types of traffic present on the APs set channel (extended ACL, VoIP, gold queue, etc). FB> It would be ideal if WLAN customers didn't have to worry about it. Most of the time defaults are OK. It's true that time-sensitive wireless traffic can be affected by the scan settings, and WLAN vendors are doing a better job of mitigating and working around that, but it's still not perfect. >>>Defaults are usually good but I do like control.. Finding a rogue: so lets say an AP that is serving clients is on channel 1 and during the scan interval, they found a rogue on channel 13 (people try to hide rogues on international channels). What do you want the AP to do? If you disassociate clients attached to the rogue over the air, this takes time away from the users being served on channel 1. A rogue AP can act as a DoS attack on valid APs. The valid AP is spending all of its time deauthing and not serving clients. This to should be a configurable option. killing rogues at the expense of valid clients, or kill the rogues during your scan interval. If a rogue comes up on channel 1, the AP can easily kill the rogue and continue serving its clients but that is rarely the case! Dedicated rogue killers: if you have a few dedicated AP acting as rogue killers, then you can happily kill rogues all day and do all kinds of other kool stuff. A rogue killer AP only needs to hear and txmit at the 1-2mbps range to kill rogues over vast distances so you can spread them out thin. FB> At the end of the day, if you want best in class capabilities you need to set asides units to act solely as sensor or air monitors. LAN based rogue killing: Some Wireless infrastructure can kill rogues from the LAN by looking at MAC forwarding tables and shutting down ports on a switch. Some vendors will do an ARP-poison attack in conjunction with what is going on out in the air.. FB> Bridge APs, as mentioned earlier, can be nearly invisible. Fortunately, they aren't very popular in retail stores. >>>> What do you mean by bridge APs? Something that is NATting? (Those can be detected pretty easily actually... ) conclusion: If you have some dedicated resources (APs) to kill rogues, do it.
________________________________ From: ktaillon [mailto:[EMAIL PROTECTED] Sent: Thursday, April 12, 2007 11:54 AM To: [EMAIL PROTECTED] Subject: Re: [WIRELESS-LAN] Rogue AP's Will you be using the Containment option in the WCS? Or hunting down the units and removing them from the Network. Could someone point out some of the pro's and con's to using containment.. ________________________________ From: Lee H Badman [mailto:[EMAIL PROTECTED] Sent: Thursday, April 12, 2007 11:40 AM To: [EMAIL PROTECTED] Subject: Re: [WIRELESS-LAN] Rogue AP's With wireless rolling out on a much larger scale on our campus, we are revising our policy and attitude to be a bit more restrictive in both philosophy and practice when it comes to UNCOORDINATED rogues... We are also taking a stab at coordinating not just APs, but also ANY wireless system- classroom response systems, wireless AV, etc.- trying to keep the environment somewhat under control as more wireless technologies hit. Not always restrictive per se, but more coordinated. Lee H. Badman Wireless/Network Engineer KC2IYK, CWNA/CWSP Information Technology and Services Syracuse University 315 443-3003 ________________________________ From: M. Sjulstad [mailto:[EMAIL PROTECTED] Sent: Thursday, April 12, 2007 11:32 AM To: [EMAIL PROTECTED] Subject: Re: [WIRELESS-LAN] Rogue AP's We too have the policy of no rogues, but I admit I don't go looking for them. I know we have them, probably a lot more than I know of, but as long as they aren't causing problems, I don't really care. Worst things I've seen are mis-configured APs that want to be a DHCP server and try handing out IPs on the wired side. Mike _________________________________ M. Sjulstad Network/Electronics Engineer - IIT Dept. St. Olaf College Northfield, MN 55057 _____________ 1-507-786-3835 [EMAIL PROTECTED] www.stolaf.edu/people/sjulstad On Apr 12, 2007, at 9:33 AM, Brian J David wrote: I just wanted to here from other schools on what they are doing about Rogues. Is your policy not to allow them but don't do too much to prevent them. Do you let the dorms be the wild wild west? Or are you actively finding them and removing them through one means or another. We are an Aruba networks shop and have some great capabilities for Rogue detection and prevention and wanted to get a feel what other schools process is concerning them. Also any horror stories that you would like to share? Brian J David Network Systems Engineer Boston College ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
