It’s critical to scan the 2.4 GHz and 5 GHz airwaves across all 802.11a/b/g Wi-Fi channels (both local and international ones) to detect “rogue” devices in your Wi-Fi network. Among the situations you will likely want to quash:

  • Unauthorised Wi-Fi access points (AP) connected to your network.
  • Authorised Wi-Fi client devices mistakenly associating to an unauthorised AP.
  • Unauthorised Wi-Fi clients connecting to your own authorised APs.

With a wireless intrusion detection and prevention system (WIDP), you define a rogue by your own organisation’s policy and program the system how to treat one if discovered. The various available WIDP systems can detect differing variables about devices in your airspace.

Some considerations

  • Does your WIDP system classify clients? If not, it will be difficult to spot and fix one of your authorised client devices associating to a rogue AP.
  • Can your WIDP system tell if an unauthorised device is attached to your wired network? Those from AirDefense, AirTight Networks, Aruba Wireless Networks and Network Chemistry are among those that can. There are others that detect all APs and report any unknown ones as rogue (connected or not). It isn’t necessarily sound policy to auto-contain these devices, as they could belong to another legitimate operator.
  • In many enterprises, APs supporting “Draft 802.11n” technology will be considered rogue until a standard is ratified. Can your WIDP system identify and categorise them?

Other tips

  • Security staffs should work with their internal legal counsel to set up wireless intrusion policies, says Brian de Haaff, vice president of marketing at Network Chemistry. “Make sure you have a written policy on what [devices] you will shield and what you won’t. Make that policy well-known through the organisation.”
  • Find out whether your WIDP system ships with auto-containment enabled or disabled. From there, determine how or if to tweak the default settings to match your policy. Mike Puglia, Bluesocket senior director of product marketing, discourages automatically blocking rogues. Bluesocket and Network Chemistry WIDPs are among those that ship with auto-containment off.
  • Determine what to do with devices that have been detected but are as yet uncategorised. Sri Sundarilingam, director of product management at AirTight, says the many minutes it can take to categorise an active device could present a security risk. Some AirTight defense customers in fairly isolated locations automatically disable not only devices proven to be violating policy but those uncategorised as well. The probability is high that these uncategorised devices will prove to be rogue, he says. However, the same assumptions shouldn’t be made in a multi-tenant building or other crowded setting.