Best practices for Wi-Fi rogue containment

* Considerations for wireless intrusion prevention

It’s critical to scan the 2.4 GHz and 5 GHz airwaves across all 802.11a/b/g Wi-Fi channels (both local and international ones) to detect “rogue” devices in your Wi-Fi network. Among the situations you will likely want to quash:

* Unauthorized Wi-Fi access points (AP) connected to your network.

* Authorized Wi-Fi client devices mistakenly associating to an unauthorized AP.

* Unauthorized Wi-Fi clients connecting to your own authorized APs.

With a wireless intrusion detection and prevention system (WIDP), you define a rogue by your own organization’s policy and program the system how to treat one if discovered. The various available WIDP systems can detect differing variables about devices in your airspace.

Some considerations:

* Does your WIDP system classify clients? If not, it will be difficult to spot and fix one of your authorized client devices associating to a rogue AP.

* Can your WIDP system tell if an unauthorized device is attached to your wired network? Those from AirDefense, AirTight Networks, Aruba Wireless Networks and Network Chemistry are among those that can. There are others that detect all APs and report any unknown ones as rogue (connected or not). It isn’t necessarily sound policy to auto-contain these devices, as they could belong to another legitimate operator.

* In many enterprises, APs supporting “Draft 802.11n” technology will be considered rogue until a standard is ratified. Can your WIDP system identify and categorize them?

Other tips:

* Security staffs should work with their internal legal counsel to set up wireless intrusion policies, says Brian de Haaff, vice president of marketing at Network Chemistry. “Make sure you have a written policy on what [devices] you will shield and what you won’t. Make that policy well-known through the organization.”

* Find out whether your WIDP system ships with auto-containment enabled or disabled. From there, determine how or if to tweak the default settings to match your policy. Mike Puglia, Bluesocket senior director of product marketing, discourages automatically blocking rogues. Bluesocket and Network Chemistry WIDPs are among those that ship with auto-containment off.

* Determine what to do with devices that have been detected but are as yet uncategorized. Sri Sundarilingam, director of product management at AirTight, says the many minutes it can take to categorize an active device could present a security risk. Some AirTight defense customers in fairly isolated locations automatically disable not only devices proven to be violating policy but those uncategorized as well. The probability is high that these uncategorized devices will prove to be rogue, he says. However, the same assumptions shouldn’t be made in a multi-tenant or other crowded setting.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2006 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)