Chapter 3: Rogue Access Point Detection - Extreme Networks Summit WM Technical Reference Manual

Version 5.1
3 Rogue Access Point Detection
The rogue AP detection feature, Summit WM series Spy, provides capabilities to Summit WM
Controllers that allow Wireless APs to periodically scan the RF space and report suspect devices. With
this capability, Wireless APs can multitask as scan devices as well as access points. This allows rogue
detection to occur without installing overlay sensor networks. The Summit WM Controller rogue detection
system comprises two major components: the Data Collector and the Analysis Engine.
The Data Collector runs on every Summit WM Controller and is responsible for initiating the rogue
scans and compiling information received from all Wireless APs under its control.
NOTE
The rogue AP detection feature is only supported for use with Altitude 350-1 and 350-2d models.
The Analysis Engine is the brains of this feature and runs on one Summit WM Controller in the
network. It polls all Data Collectors periodically (default is every 5 seconds) and analyzes the polled
data to identify new devices. It also uses the polled data to build a table of known "friendly" Wireless
APs and 3rd Party Access Points. On subsequent scans, new devices are identified and compared to the
"friendly" list and differences are flagged as potential Rogues. The Analysis Engine also includes a GUI
that lets users manually add or remove devices from the system, or redesignate a device identified as a
potential rogue as "friendly" once the proper designation of the device is determined.
A Wireless AP is assigned to a "scan group" that has a particular set of "scan parameters". Different
groups can be defined so that the administrator can assign Wireless APs to logical groups to address
either different geographic needs (that is, only scan certain buildings at certain times) or coverage issues
(only scan with half of the Wireless APs in a given area at a given time). A Wireless AP can only be
assigned to one group. The algorithms and mechanisms for RF scanning have been designed to
minimize the impact on user data. Also, the GUI provides the ability for an administrator to configure
the frequency at which the Wireless APs within a scan group will initiate a scan (minimum 10 minutes,
and maximum 120 minutes).
Upon completion of the scan, the Wireless AP will send back the results to the Summit WM Controller
and then wait for the next "scan interval" to repeat the process.
If a problem is found, an event is logged and an SNMP trap is generated indicating one of the following
conditions has been identified:
1 Unknown AP with an invalid SSID – Critical Alarm
A new device has been identified.
2 Unknown AP with a valid SSID – Critical Alarm
Someone may be trying to attract users by broadcasting a known SSID.
3 Known AP with an invalid SSID – Critical Alarm
A Rogue may be spoofing a known MAC address.
4 Known Wireless AP with an invalid SSID – Major Alarm
A Rogue may be spoofing a Wireless AP using a known MAC address.
5 Device that is in ad-hoc mode (IBSS) – Major Alarm
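The comparison of scan results against the "friendly" table, and the mapping to the five conditions above, can be sketched as follows. This is an added example, not Extreme Networks code: the record layout, the table contents, reading "valid SSID" as an SSID the network serves, splitting conditions 3 and 4 by third-party versus managed AP, and checking ad-hoc mode first are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sighting:  # one device heard during a scan (constructed layout, not the product's)
    bssid: str          # MAC address seen over the air
    ssid: str
    ibss: bool = False  # True when the device is in ad-hoc mode

# Assumed "friendly" table: BSSID -> kind of known device (constructed values).
FRIENDLY = {
    "00:11:22:33:44:01": "wireless_ap",  # managed Wireless AP
    "00:11:22:33:44:02": "third_party",  # known 3rd-party access point
}
VALID_SSIDS = {"corp", "guest"}  # assumed meaning of "valid": SSIDs the network serves

def classify(s):
    """Return (condition, severity, text) for a sighting, or None if it is friendly."""
    if s.ibss:  # assumption: ad-hoc mode is checked before the table lookup
        return (5, "major", "Device in ad-hoc mode (IBSS)")
    kind = FRIENDLY.get(s.bssid.lower())
    valid = s.ssid in VALID_SSIDS
    if kind is None:
        if valid:
            return (2, "critical", "Unknown AP with a valid SSID")
        return (1, "critical", "Unknown AP with an invalid SSID")
    if valid:
        return None  # known device advertising an expected SSID
    if kind == "wireless_ap":
        return (4, "major", "Known Wireless AP with an invalid SSID")
    return (3, "critical", "Known AP with an invalid SSID")

def analyze(sightings):
    """Classify one poll; the same device reported by several APs yields one alarm."""
    alarms = {}
    for s in sightings:
        result = classify(s)
        if result is not None:
            alarms[(s.bssid.lower(), s.ssid)] = result
    return alarms

# Constructed sample poll, as if merged from two Data Collectors.
SAMPLE_POLL = [
    Sighting("00:11:22:33:44:01", "corp"),
    Sighting("AA:BB:CC:00:00:01", "freewifi"),
    Sighting("aa:bb:cc:00:00:01", "freewifi"),
    Sighting("AA:BB:CC:00:00:02", "corp"),
    Sighting("00:11:22:33:44:02", "printer-setup"),
    Sighting("00:11:22:33:44:01", "corp-test"),
    Sighting("AA:BB:CC:00:00:03", "laptop-share", ibss=True),
]
```

Calling `analyze(SAMPLE_POLL)` returns one alarm per distinct (BSSID, SSID) pair, so a device heard by several Wireless APs in the same poll is reported once.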
Summit WM Technical Reference Guide, Software Version 5.1