Configuring Rf Alarms; Table 13-1: Bsap Sensor Alarms - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Rogue - This station is not authorized to be on the network and an alarm will be
generated if it is detected.
Neighbor - This station is not part of the internal network, but is always present.
Unknown - The origin and/or identity of this station is unknown at this time.

Saving the settings

Click Save to save the RF station settings to the BSC database.

Configuring RF Alarms

By default, the BSC is configured to issue alarms on over 22 different WLAN security
threats detected by BSAPs (operating in sensor mode) under its control. You can configure
how the BSC processes these alarms by selectively disabling alarms and setting the
severity level associated with the alarm.

Available Sensor Alarms

The following table describes the BSAP sensor alarms that are configurable with this
release of the BSC system software. The Mode column is interpreted as follows: S
indicates this alert is only reliable in sensor mode; D indicates the alert is reliable in dual
and sensor mode.

Note: When an AP is in AP-only mode, only the following alarms will be generated and
only during the SetOnceAndHold or Calibrate Dynamic RF periods: Rogue AP, Rogue Ad-Hoc
Client, WEP Disabled, Rogue Client, Client Association Change, Client Limit,
Authorized AP Down, Rogue Client to AP, Client to Rogue AP.

Table 13-1: BSAP Sensor Alarms

| Alarm | Description | Dual/Sensor Mode |
|---|---|---|
| AirJack Attack | Airjack is a toolset that allows attackers to inject fake 802.11 packets in order to gain network access or create a DoS attack. Information on the tool and its variants (wlan-jack, monkey-jack, essid-jack, cracker-jack) can be found here: http://sourceforge.net/projects/airjack/ | S |
| AP Broadcasting Multiple SSID | The AP is broadcasting multiple SSIDs. This can indicate a spoof attempt. | S |
| AP Channel Change | The Access Point has changed channels. | D |
| AP Denied Association | An authorized AP denied an association request from a client. | D |
| AP Denied Authentication | An authorized AP denied client access due to authentication failure. | D |
| AP Down | The AP is down. | S |
| AP in WDS Mode | The AP is operating in WDS (bridge) mode. | D |
| AP Low Signal Strength | An AP with low signal strength is detected by BAP sensor. | S |
| AP Overloaded | An overloaded AP is refusing to let new clients associate with it. | D |
| AP Restarted | The AP has restarted. | S |
| AP SSID Changed | An AP has changed its SSID. If this was not authorized, then there is a possible spoof in progress. | D |
| ASLEAP Attack | ASLEAP is a tool that exploits a weakness in Cisco's proprietary LEAP protocol. | S |
| Authorized AP Down | An authorized Access Point can no longer be heard by the sensor. This may indicate that the AP has failed or been removed from service. | D |
| Broadcast Attack | Many attacks use broadcast disassociate or deauthenticate frames to disconnect all users on the network, to redirect them to a fake network, to cause a Denial of Service attack, or to disclose a cloaked SSID. | S |
| Client Association Change | The client has changed its association to a different Access Point. This might be due to a Rogue AP in the vicinity. | D |
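
The Broadcast Attack alarm in the table keys on disassociate or deauthenticate frames addressed to the broadcast address. As an added illustration (not ADTRAN's sensor code and not part of the original manual), the following Python check classifies raw 802.11 frames captured without a radiotap header or FCS; the function names and the sample frames are constructed for this example.

```python
import struct

BROADCAST = b"\xff" * 6
# 802.11 management subtypes named in the Broadcast Attack description
SUBTYPES = {0x0A: "disassociate", 0x0C: "deauthenticate"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame: bytes):
    """Return an alert dict for a broadcast disassociate/deauthenticate frame, else None."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None  # not a management frame of interest
    receiver, sender, bssid = frame[4:10], frame[10:16], frame[16:22]
    if receiver != BROADCAST:
        return None  # unicast: an ordinary single-client disconnect
    (reason,) = struct.unpack_from("<H", frame, 24)
    # The sender address is unauthenticated, so it is only a claim.
    return {"kind": SUBTYPES[subtype], "claimed_sender": mac(sender),
            "bssid": mac(bssid), "reason": reason}

def scan(frames):
    """Classify each captured frame and keep only the alerts."""
    return [a for a in map(classify, frames) if a]

# Constructed sample frames (hex) using locally administered MAC addresses.
SAMPLES = [bytes.fromhex(h) for h in (
    "c0003a01 ffffffffffff 0200000000a1 0200000000a1 1000 0700",  # broadcast deauth
    "c0003a01 0200000000c1 0200000000a1 0200000000a1 2000 0300",  # unicast deauth
    "a0003a01 ffffffffffff 0200000000a1 0200000000a1 3000 0800",  # broadcast disassoc
    "80000000 ffffffffffff 0200000000a1 0200000000a1 4000 0000",  # other mgmt subtype
    "c000",                                                        # truncated capture
)]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

Only the two broadcast frames raise an alert; the unicast deauthentication, the other management subtype and the truncated capture are ignored.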
