The ‘gotcha’ in automating rogue containment

* Wi-Fi intrusion prevention: Balancing security, scalability, and spectrum rules

For optimum security and scalability, it’s desirable to automate the process of disabling rogue Wi-Fi devices discovered by your wireless intrusion detection/prevention (WIDP) system. However, you also must avoid unlawful disruption of other operators’ Wi-Fi networks. Striking a balance can be tricky, particularly in multi-tenant office buildings and other crowded environments.

For example, many WIDPs have the ability to identify what your corporate policy deems a rogue and automatically disable it. However, depending on how smart your WIDP system is, entirely automating this process could shut down a legitimate access point (AP) in a neighboring network.

Because Wi-Fi runs in unlicensed spectrum, with equal access afforded to all network operators, the FCC says you could be legally responsible if you knowingly interfere with someone else’s network. So how your company defines a rogue is important. Are all unauthorized APs rogues, for example? Or should the definition be reserved for unauthorized APs that are plugged into an Ethernet port on your wired network? Some WIDPs can tell whether a detected AP is connected to your wired network; others can’t.

The University of Portland learned this when it built its first official campuswide wireless LAN last year. It operates two Cisco 4400 WLAN controllers and about 85 Cisco lightweight APs. The school is using the Cisco centralized Wireless Control System (WCS) for intrusion prevention and other RF capabilities.

Initially, says Bryon Fessler, the university’s VP for information services and CIO, the system was configured to automatically disassociate APs that the WCS identified as rogue. However, WCS classified any unauthorized AP as rogue, regardless of whether or not it was connected to the wired network. So nearby business and residential APs were at risk of being shut down by the school’s WCS.

As a result, Fessler says, Cisco changed the WCS design such that a warning appears on the WCS management screen and asks the administrator whether or not to proceed with the disablement. Alerts like these in the WCS and other WIDP systems help to keep you from intruding on other networks.

On the other hand, having to “yea” or “nay” the disablement decision with the discovery of every unauthorized device makes the process much more manual, says Fessler. “And on a campus, we deal with lots and lots of rogues,” he says.
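The policy question raised above, whether an unauthorized AP is a rogue only when it is on your wire, and the WCS behaviour of prompting the administrator instead of containing automatically, can be expressed as a small triage rule. The following is an added illustration and is not code from the article, from Cisco WCS or from any WIDP product. It assumes that BSSIDs seen over the air are correlated against MAC addresses learned on your own switches, and it uses the common heuristic that consumer APs derive their BSSID from the wired-side MAC by a small offset; both the heuristic and the sample data are assumptions constructed for the example.

```python
"""Rogue-AP triage policy: auto-contain only what is demonstrably on our wire.

Added illustration, not code from the article, Cisco WCS or any WIDP product.
Assumptions: BSSIDs seen over the air are correlated with MAC addresses learned
on our own switches (constructed sample data below), and consumer APs usually
derive the BSSID from the wired-side MAC by a small offset (a common WIDP
heuristic, treated here as an assumption).
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    AUTHORIZED = "authorized"              # our own AP; nothing to do
    ROGUE_ON_WIRE = "rogue-on-wire"        # unauthorized AND bridged into our LAN
    UNKNOWN_EXTERNAL = "unknown-external"  # unauthorized, no wired evidence: likely a neighbour


@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def seen_on_wire(bssid: str, wired_macs, window: int = 4) -> bool:
    """True if a MAC learned on our switches shares the BSSID's OUI and lies
    within `window` addresses of it (the vendor-offset heuristic)."""
    b = mac_to_int(bssid)
    for mac in wired_macs:
        w = mac_to_int(mac)
        if (w >> 24) == (b >> 24) and abs(w - b) <= window:
            return True
    return False


def classify(ap: DetectedAP, authorized_bssids, wired_macs) -> Verdict:
    if ap.bssid.lower() in {a.lower() for a in authorized_bssids}:
        return Verdict.AUTHORIZED
    if seen_on_wire(ap.bssid, wired_macs):
        return Verdict.ROGUE_ON_WIRE
    return Verdict.UNKNOWN_EXTERNAL


def plan_actions(aps, authorized_bssids, wired_macs, auto_contain: bool = True) -> dict:
    """Map each BSSID to 'ignore', 'contain' or 'prompt'.

    Only a rogue with wired evidence is contained automatically, and only when
    auto_contain is on; anything without wired evidence is always queued for a
    human decision, which avoids knocking a neighbour's AP off the air."""
    plan = {}
    for ap in aps:
        verdict = classify(ap, authorized_bssids, wired_macs)
        if verdict is Verdict.AUTHORIZED:
            plan[ap.bssid] = "ignore"
        elif verdict is Verdict.ROGUE_ON_WIRE and auto_contain:
            plan[ap.bssid] = "contain"
        else:
            plan[ap.bssid] = "prompt"
    return plan


# Constructed sample data, not from any real deployment.
AUTHORIZED = {"00:1a:2b:00:00:10", "00:1a:2b:00:00:11"}
# MACs learned on our access switches (e.g. from 'show mac address-table').
WIRED_MACS = {"00:1f:3c:aa:bb:cc", "00:1a:2b:00:00:10",
              "00:1a:2b:00:00:11", "00:50:56:12:34:56"}
DETECTED = [
    DetectedAP("00:1a:2b:00:00:10", "campus-wlan", 6, -45),   # our own AP
    DetectedAP("00:1f:3c:aa:bb:cd", "linksys", 11, -38),      # wired MAC ...cc is one below: on our LAN
    DetectedAP("00:0c:41:11:22:33", "CoffeeShop", 1, -72),    # no wired correlation: neighbour
]


def triage(auto_contain: bool = True) -> dict:
    return plan_actions(DETECTED, AUTHORIZED, WIRED_MACS, auto_contain)


if __name__ == "__main__":
    for bssid, action in triage().items():
        print(f"{bssid}: {action}")
```

The offset heuristic errs on the side of not containing: an AP whose wired-side MAC is unrelated to its BSSID (many enterprise and NAT-router designs) will land in the prompt queue rather than being contained, and the window should stay small so that unrelated devices from the same vendor are not mistaken for the rogue's wired leg. Stronger evidence, such as seeing traffic injected on the wireless side appear on the wired side, belongs in the same "on wire" test before any automatic containment is trusted.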

Copyright © 2006 IDG Communications, Inc.
