Tell rogue Wi-Fi APs from neighbours

Wi-Fi intrusion detection systems can shut down unauthorised APs. But what if it's a legitimate network run by the coffee shop next door?


For optimum security and scalability, it’s desirable to automate the process of disabling rogue Wi-Fi devices discovered by your wireless intrusion detection/prevention (WIDP) system. However, you also must avoid unlawful disruption of other operators’ Wi-Fi networks. Striking a balance can be tricky, particularly in multi-tenant office buildings and other crowded environments.

For example, many WIDPs have the ability to identify what your corporate policy deems a rogue and automatically disable it. However, depending on how smart your WIDP system is, entirely automating this process could shut down a legitimate access point (AP) in a neighbouring network.

Wi-Fi runs in licence-exempt spectrum round the world, with equal access afforded to all network operators. In the US, the FCC says you could be legally responsible if you knowingly infringe on someone else’s network. So how your company defines a rogue is important. Are all unauthorised APs rogues, for example? Or should the definition be reserved for unauthorised APs that are plugged into an Ethernet port in your wired network? Some WIDPs can tell if the AP is connected; others can’t.

The University of Portland learned this when it built its first official campuswide wireless LAN last year. It operates two Cisco 4400 (formerly Airespace) WLAN controllers and about 85 Cisco lightweight APs. The school is using the Cisco centralised Wireless Control System (WCS) for intrusion prevention and other RF capabilities.

Initially, says Bryon Fessler, the university’s VP for information services and CIO, the system was configured to automatically disassociate APs that the WCS identified as rogue. However, the WCS system classifies any unauthorised AP as rogue, regardless of whether or not it is connected to the wired network. So nearby business and residential APs were at risk of getting shut down by the school’s WCS.

As a result, Fessler says, Cisco changed the WCS design such that a warning appears on the WCS management screen and asks the administrator whether or not to proceed with the disablement. Alerts like these in the WCS and other WIDP systems help to keep you from intruding on other networks.

On the other hand, having to “yay” or “nay” the disablement decision with the discovery of every unauthorised device makes the process much more manual, says Fessler. “And on a campus, we deal with lots and lots of rogues,” he says.
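The distinction the article draws, between any unauthorised AP and one that is actually plugged into your wired network, can be turned into a triage rule so that automatic containment only fires on the second kind and the neighbour's AP is merely logged. The Python below is an added example written for this page; it is not code from Cisco WCS or from the University of Portland, and the sample scan, MAC addresses and switch table are constructed. The wired-correlation check uses a common heuristic that an AP's Ethernet MAC sits within a few addresses of its BSSID; that heuristic and its tolerance value are assumptions of the example, not something the article states, and a WIDP without wired visibility is modelled by the `wired_visibility` flag, which pushes every unauthorised AP to the administrator queue.

```python
"""Added example: triage WIDP rogue-AP alerts so that automatic containment
only fires when an unauthorised AP is confirmed to be on our own wired
network; a neighbour's AP is logged and an undetermined one goes to a human.
All data below is constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set


class Verdict(Enum):
    AUTHORISED = "authorised"        # one of our own APs
    ROGUE_ON_WIRE = "rogue_on_wire"  # unauthorised and seen on our LAN
    EXTERNAL = "external"            # unauthorised but not on our LAN: a neighbour
    NEEDS_REVIEW = "needs_review"    # unauthorised, wired status unknown


# Policy: only ROGUE_ON_WIRE may be disabled without a human decision.
ACTION = {
    Verdict.AUTHORISED: "ignore",
    Verdict.ROGUE_ON_WIRE: "contain",
    Verdict.EXTERNAL: "log",
    Verdict.NEEDS_REVIEW: "ask_admin",
}


@dataclass(frozen=True)
class DetectedAP:
    bssid: str      # radio MAC seen over the air
    ssid: str
    rssi_dbm: int


def mac_to_int(mac: str) -> int:
    """Normalise 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' to an integer."""
    return int(mac.replace(":", "").replace("-", "").lower(), 16)


def on_wired_network(bssid: str, wired_macs: Set[int], tolerance: int = 2) -> bool:
    """Heuristic (an assumption of this example, not from the article): an AP's
    Ethernet MAC usually lies within a few addresses of its BSSID, so the AP is
    treated as on-wire if any address within +/- tolerance of the BSSID shows
    up in the switch MAC tables."""
    base = mac_to_int(bssid)
    return any((base + delta) in wired_macs
               for delta in range(-tolerance, tolerance + 1))


def classify(ap: DetectedAP, authorised: Set[int], wired_macs: Set[int],
             wired_visibility: bool) -> Verdict:
    if mac_to_int(ap.bssid) in authorised:
        return Verdict.AUTHORISED
    if not wired_visibility:
        # A WIDP that cannot see the wired side cannot tell a rogue from a
        # neighbour, so every unauthorised AP needs an administrator decision.
        return Verdict.NEEDS_REVIEW
    if on_wired_network(ap.bssid, wired_macs):
        return Verdict.ROGUE_ON_WIRE
    return Verdict.EXTERNAL


def triage(aps: Iterable[DetectedAP], authorised: Iterable[str],
           wired_mac_table: Iterable[str], wired_visibility: bool) -> Dict[str, str]:
    """Return {bssid: action} for every AP in the scan."""
    auth = {mac_to_int(m) for m in authorised}
    wired = {mac_to_int(m) for m in wired_mac_table}
    return {ap.bssid: ACTION[classify(ap, auth, wired, wired_visibility)]
            for ap in aps}


# Constructed sample data.
AUTHORISED_BSSIDS = {"00:1a:2b:00:00:10"}
SWITCH_MAC_TABLE = [
    "00:1a:2b:00:00:11",  # wired side of our own AP
    "02:44:55:66:77:89",  # wired side of an unauthorised AP whose BSSID ends in :88
    "10:20:30:40:50:60",  # an ordinary wired host
]
SCAN = [
    DetectedAP("00:1a:2b:00:00:10", "Campus-WiFi", -48),
    DetectedAP("02:44:55:66:77:88", "linksys", -52),            # plugged into our LAN
    DetectedAP("c8:d7:19:aa:bb:cc", "CoffeeShop-Guest", -71),   # the neighbour
]

if __name__ == "__main__":
    for bssid, action in triage(SCAN, AUTHORISED_BSSIDS, SWITCH_MAC_TABLE, True).items():
        print(f"{bssid}  {action}")
```

Run with `wired_visibility=True` the neighbour is only logged and the AP on our LAN is contained; with `wired_visibility=False` both unauthorised APs land in the `ask_admin` queue, which is the manual workload Fessler describes once the WIDP cannot make the wired determination itself.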
