Wireless Access Point
Configuring the Wireless AP 375
About Blocking Rogue APs
If you classify a rogue AP as blocked (see “Rogue Control List” on page 263), then 
the AP will take measures to prevent stations from staying associated to the 
rogue. When the monitor radio is scanning, any time it hears a beacon from a 
blocked rogue, it sends out a broadcast “deauth” signal using the rogue’s BSSID 
and source address. This has the effect of disconnecting all of a rogue AP’s clients 
approximately every 5 to 10 seconds, which is enough to make the rogue 
frustratingly unusable.
The Intrusion Detection window allows you to set up Auto Block parameters so 
that unknown APs get the same treatment as explicitly blocked APs. This is 
basically a “shoot first and ask questions later” mode. By default, auto blocking is 
turned off. Auto blocking provides two parameters for qualifying blocking so that 
APs must meet certain criteria before being blocked. This keeps the AP from 
blocking every AP that it detects. You may:
• Set a minimum RSSI value for the AP — for example, if an AP has an RSSI 
  value of -90, it is probably a harmless AP belonging to a neighbor and not 
  in your building.
• Block based on encryption level.
• Block based on whether the AP is part of an ad hoc network or 
  infrastructure network.
• Specify channels to be whitelisted. Rogues discovered on these channels 
  are excluded from auto blocking. This allows specified channels to be 
  freely used by customers or guests for their APs.
Type of Attack            Description
Sequence number anomaly   A sender may use an Add Block Address request (ADDBA
                          - part of the Block ACK mechanism) to specify a sequence
                          number range for packets that the receiver can accept.
                          An attacker spoofs an ADDBA request, asking the receiver
                          to reset its sequence number window to a new range. This
                          causes the receiver to drop legitimate frames, since their
                          sequence numbers will not fall in that range.
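One way a monitor could flag the sequence number anomaly described above, as an added example that is not the product's own detection code. It assumes frames have already been parsed into records; the Frame fields, the MAX_JUMP threshold and the sample addresses are hypothetical, constructed for illustration.

```python
# Added example: constructed frame records, not a capture or vendor code.
from dataclasses import dataclass

SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits wide
MAX_JUMP = 256   # assumed alert threshold (hypothetical), tune per site

@dataclass(frozen=True)
class Frame:
    kind: str    # "data" or "addba_req"
    src: str     # transmitter address as seen on the air
    dst: str     # receiver address
    tid: int     # traffic identifier the Block ACK session belongs to
    seq: int     # data: sequence number; addba_req: starting sequence number

def circular_distance(a: int, b: int) -> int:
    """Shortest distance between two sequence numbers, wrapping at 4096."""
    d = (b - a) % SEQ_MOD
    return min(d, SEQ_MOD - d)

def find_addba_anomalies(frames, max_jump=MAX_JUMP):
    """Return (frame, last_data_seq, jump) for each ADDBA request whose
    starting sequence number is far from the stream's last data frame."""
    last_seen = {}
    alerts = []
    for f in frames:
        key = (f.src, f.dst, f.tid)
        if f.kind == "data":
            last_seen[key] = f.seq
        elif f.kind == "addba_req" and key in last_seen:
            jump = circular_distance(last_seen[key], f.seq)
            if jump > max_jump:
                alerts.append((f, last_seen[key], jump))
    return alerts

STA, AP = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses
SAMPLE = [
    Frame("data", STA, AP, 0, 4090),
    Frame("addba_req", STA, AP, 0, 4091),   # normal session setup
    Frame("data", STA, AP, 0, 4095),
    Frame("data", STA, AP, 0, 3),           # legitimate wrap past 4095
    Frame("addba_req", STA, AP, 0, 2500),   # window moved far from the stream
    Frame("data", STA, AP, 0, 4),
]

if __name__ == "__main__":
    for frame, last, jump in find_addba_anomalies(SAMPLE):
        print(f"anomalous ADDBA from {frame.src}: start={frame.seq}, "
              f"last data seq={last}, jump={jump}")
```

The distance is computed modulo 4096 so that a normal wrap from 4095 to 0 is not reported; only the request that moves the window far from the observed stream is flagged.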