Filter
Top Products
130
SONICWALL SONICOS ENHANCED 2.5 ADMINISTRATOR’S GUIDE
C
HAPTER
22:
Using and Configuring IDS
Access Point IDS
When the Radio Role of the SonicWALL PRO 5060 is set to Access Point mode, all three types of
WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode
(passively listening to other Access Point Beacon frames only on the selected channel of operation).
Selecting Scan Now momentarily changes the Radio Role to allow the PRO 5060 to perform an
active scan, and may cause a brief loss of connectivity for associated wireless clients. While in
Access Point mode, the Scan Now function should only be used if no clients are actively associated,
or if the possibility of client interruption is acceptable.
Rogue Access Point Detection
Rogue Access Points have emerged as one of the most serious and insidious threats to wireless
security. In general terms, an access point is considered rogue when it has not been authorized for
use on a network. The convenience, affordability and availability of non-secure access points, and the
ease with which they can be added to a network creates a easy environment for introducing rogue
access points. Specifically, the real threat emerges in a number of different ways, including
unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-
secure channels, and unwanted access to LAN resources. So while this doesn't represent a
deficiency in the security of a specific wireless device, it is a weakness to the overall security of
wireless networks.
The PRO 5060 can alleviate this weakness by recognizing rogue access points potentially attempting
to gain access to your network. It accomplishes this in two ways: active scanning for access points on
all 802.11a and 802.11g channels, and passive scanning (while in Access Point mode) for beaconing
access points on a single channel of operation.
Active scanning occurs when the PRO 5060 starts up, and at any time Scan Now is clicked on the
Wireless > IDS page. When the PRO 5060 is operating in a Bridge Mode, the Scan Now feature
does not cause any interruption to the bridged connectivity. When the PRO 5060 is operating in
Access Point Mode, however, a temporary interruption of wireless clients occurs for no more than a
few seconds. This interruption manifests itself as follows:
• Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
• Persistent connections (protocols such as FTP) are impaired or severed.
• WiFiSec connections should automatically re-establish and resume with no noticeable interruption
to the client.
S
Alert: If service disruption is a concern, it is recommended that the Scan Now feature not be used
while the PRO 5060 is in Access Point mode until such a time that no clients are active, or the
potential for disruption becomes acceptable.
Authorizing Access Points on Your Network
Access Points detected by the PRO 5060 are regarded as rogues until they are identified to the PRO
5060 as authorized for operation. To authorize an access point, it can be manually added to the
Authorized Access Points list by clicking Add and specifying its MAC address (BSSID) along with
an optional comment. Alternatively, if an access point is discovered by the PRO 5060 scanning
feature, it can be added to the list by clicking the Authorize icon.