Wireless LAN Tools Part 3: Discovery and Planning — continued

by Lisa Phifer
VP Core Competence, Inc.
[August 10, 2004]

Continuous rogue detection
Since new APs are bound to surface over time, the process just described must be repeated over and over. The bigger and more distributed your workplace, the more labor-intensive this task becomes. Moreover, once you put your own WLAN in place, you will need to differentiate between your own 802.11 devices, harmless neighbors, and malicious rogues. You may even want to stop suspicious devices from communicating.

Devices discovered by WLAN analyzers can often be saved to a name table for future use. For example, this Network General Sniffer Wireless Auto-Discovery tool seeks out APs and stations, attempts to resolve their IP addresses, and saves these results to an Address Book. Depending on the tool, table entries may be stored permanently or "aged out," manually or automatically.

To more easily recognize your own devices—and those you've investigated and then decided to ignore—edit name tables to add aliases, categories, and authorizations. In the preceding example, devices have been categorized based on observed traffic (i.e., APs send beacons, stations send probes). Aliases like "WAPG" have been added to improve readability.

Some tools also let you mark devices as "authorized" or "trusted" so that monitors, alarms, and reports can highlight new (unmarked) devices.
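The name-table workflow described above, as an added example that is not code from the article or from any analyzer product: observations are merged into a table, devices are categorized by observed traffic, and only unmarked devices are reported. The field names, the frame labels, the 7-day aging policy, and all MAC addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Category rule taken from the article: APs send beacons, stations send probes.
CATEGORY_BY_FRAME = {"beacon": "AP", "probe-req": "station"}
MAX_AGE = 7 * 24 * 3600  # assumed policy: unmarked entries age out after 7 days

@dataclass
class Entry:
    alias: str = ""
    category: str = "unknown"
    status: str = "unmarked"  # "authorized", "ignored" (vetted neighbor) or "unmarked"
    last_seen: float = 0.0

def update_name_table(table, observations, now):
    """Merge (mac, frame, ts) observations; return {mac: category} of unmarked devices seen."""
    seen = set()
    for mac, frame, ts in observations:
        mac = mac.lower()  # normalise so table keys match regardless of case
        entry = table.setdefault(mac, Entry())
        entry.last_seen = max(entry.last_seen, ts)
        observed = CATEGORY_BY_FRAME.get(frame)
        # A device that beacons is acting as an AP even if it also probes.
        if observed and entry.category != "AP":
            entry.category = observed
        seen.add(mac)
    # Age out stale entries, but keep everything a person has marked.
    for mac in [m for m, e in table.items()
                if e.status == "unmarked" and now - e.last_seen > MAX_AGE]:
        del table[mac]
    return {m: table[m].category for m in sorted(seen)
            if m in table and table[m].status == "unmarked"}

# Constructed sample data: every MAC address and the neighbor alias are made up.
NAME_TABLE = {
    "02:00:00:00:01:01": Entry("WAPG", "AP", "authorized", 1000.0),
    "02:00:00:00:02:01": Entry("Cafe-next-door", "AP", "ignored", 1000.0),
    "02:00:00:00:09:99": Entry("", "station", "unmarked", 1000.0),  # stale, never vetted
}
OBSERVATIONS = [
    ("02:00:00:00:01:01", "beacon", 900000.0),
    ("02:00:00:00:02:01", "beacon", 900001.0),
    ("02:00:00:00:0A:01", "probe-req", 900002.0),
    ("02:00:00:00:0A:01", "beacon", 900003.0),
    ("02:00:00:00:0A:02", "probe-req", 900004.0),
]

if __name__ == "__main__":
    for mac, cat in update_name_table(NAME_TABLE, OBSERVATIONS, now=900010.0).items():
        print(f"ALERT unmarked {cat}: {mac}")
```

Marking a reported device as "authorized" or "ignored" after investigation keeps it in the table permanently and silences it on the next run.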

Whether you spot-check for new devices monthly, weekly, or daily, there's a chance that new devices will show up when you're not looking. On the other hand, continuous traffic capture could generate massive files that would be time-consuming to analyze manually. As an alternative, try using triggers (see image at right)—defined conditions that kick a monitoring analyzer into capture mode and generate some type of alarm.

If you're responsible for watching for rogues 24/7 in a large network, consider deploying a wireless intrusion detection system (IDS). For example, Network Instruments Observer can gather traffic from Remote Probes placed at strategic locations throughout your network, letting you store, view, and analyze results from a central console.

Other WLAN analyzers associated with paired sensor and IDS products include Network Chemistry, WildPackets, and AirMagnet. Dedicated WIDS engines like AirDefense can also export packet captures for review by third-party WLAN analyzers.

Once you've detected a suspicious device, a WLAN analyzer can be used to drill down and (hopefully) find the device as described previously. But wireless devices are by definition mobile—by the time you investigate, a device could be long gone.

Automated event responses can reduce the damage done. For example, scripts may be invoked to disable switch ports, block IP addresses, reset APs, or even issue 802.11 requests to disassociate/deauthenticate stations. WLAN analyzers don't usually take actions by themselves, but can invoke scripts or relay events to management systems that do.
