
Spoofing a rogue AP, De-authenticating Clients & Legitimate APs

Q:
Which form of Cisco wireless networking allows you to spoof a rogue AP and de-authenticate clients from a rogue AP in an effort to encourage the client to move to a legitimate access point?

A) Centralized
B) Autonomous
C) Both A and B
A:
The answer is A) Centralized. Rogue APs are a problem. One solution is Cisco's centralized wireless architecture, in which rogue APs are automatically identified and tested to see whether they are physically on the wired network. How does this work? The controller that detects the rogue constantly monitors all the APs connected to it and instructs one AP to act as if it were a client seeking association. Once that AP is associated to the rogue AP, it tries to send an ARP packet. If the packet reaches the controller, we know the rogue is on the physical network. Next, the controller can be programmed to notify an administrator of the rogue's presence. If that has not been done, the administrator can find the data either in the controller or in WCS. Either way, the administrator has to instruct the controller to perform a containment on the rogue AP, in which the admin selects between one and three APs that can hear the rogue. These APs spoof the MAC address of the rogue and send de-authentication packets to clients associated to the rogue. This forces the clients to disassociate from the rogue and encourages them to find other APs to connect to, hopefully valid APs on the network.

You ask, "Why isn't the containment automatic?" Automatic containment could cause serious problems for neighboring wireless networks. For instance, if a network is next to a coffee house offering a Wi-Fi hotspot, a controller-based network set to automatic containment will detect the APs next door as rogues. It contains them. Within minutes the network at the coffee shop is forcefully shut down: no wireless traffic occurs, because the only other wireless network is yours and unauthorized users cannot connect to your network. And what if the neighbor is a hospital? Instead of people being unable to access the Internet or email, more crucial wireless communications could be interrupted. This is why containment requires the admin to make sure the potential rogue is really on their network before a human decision is made to contain it. It helps make sure we evaluate what we contain, and doing so limits liability and the possible damage created.
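As an added illustration (not Cisco's code or API), the following hypothetical Python model captures the policy the answer describes: a rogue is only treated as on-wire when its ARP probe reached the controller, containment is never automatic, and the admin must pick one to three APs that actually hear the rogue. The record fields and function names are assumptions for the example.

```python
# Added example (not Cisco's code or API): a hypothetical model of the
# containment policy described above, showing the checks a controller /
# administrator workflow should enforce before a rogue is contained.
from dataclasses import dataclass, field


@dataclass
class RogueReport:
    """Constructed record of one detected rogue AP."""
    bssid: str
    detecting_aps: set = field(default_factory=set)  # APs that can hear it
    arp_reached_controller: bool = False              # result of the on-wire test


def classify_rogue(report: RogueReport) -> str:
    """Only a rogue whose ARP probe reached the controller is on our wire.
    Anything else is treated as a neighbour network and left alone."""
    return "on-wire" if report.arp_reached_controller else "neighbor"


def validate_containment(report: RogueReport, requested_by_admin: bool,
                         containing_aps: set) -> tuple:
    """Return (allowed, reason). Containment is never automatic: it needs an
    explicit admin decision, an on-wire rogue, and one to three APs that
    actually hear the rogue."""
    if not requested_by_admin:
        return False, "containment must be requested by an administrator"
    if classify_rogue(report) != "on-wire":
        return False, "rogue not confirmed on the wired network; do not contain"
    if not 1 <= len(containing_aps) <= 3:
        return False, "select between one and three containing APs"
    missing = containing_aps - report.detecting_aps
    if missing:
        return False, f"APs cannot hear the rogue: {sorted(missing)}"
    return True, "containment allowed"


# Constructed samples: a neighbour's hotspot and a rogue plugged into our LAN.
NEIGHBOR = RogueReport("00:11:22:33:44:55", {"ap1", "ap2"}, arp_reached_controller=False)
ON_WIRE = RogueReport("66:77:88:99:aa:bb", {"ap1", "ap2", "ap3"}, arp_reached_controller=True)

if __name__ == "__main__":
    print(validate_containment(NEIGHBOR, True, {"ap1"}))        # refused: neighbour
    print(validate_containment(ON_WIRE, False, {"ap1"}))        # refused: no admin decision
    print(validate_containment(ON_WIRE, True, {"ap1", "ap4"}))  # refused: ap4 cannot hear it
    print(validate_containment(ON_WIRE, True, {"ap1", "ap2"}))  # allowed
```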



To learn more, contact GigaWave Technologies at 210.375.0085 or info@giga-wave.com