Rogue Detection and Classification
Aruba Central supports a rogue detection and classification feature that enables your Aruba Central administrators to detect intrusion events and classify rogue devices. Rogue devices are the unauthorized devices in your WLAN (Wireless Local Area Network, an 802.11 standards-based LAN that users access through a wireless connection). With Aruba Central, you can create a detailed definition of what constitutes a rogue device, and quickly act on a rogue AP for investigation, restrictive action, or both. Once rogue devices are discovered, Aruba Central sends alerts to your network administrators about the possible threat and provides essential information needed to locate and manage the threat.
Aruba Central discovers unauthorized devices in your WLAN using APs. It polls routers and switches to locate, identify, and classify unknown APs.
The rogue AP detection module, referred to in previous releases of Aruba Central as RAPIDS (Rogue Access Point identification and Detection System, an AMP module designed to identify and locate wireless threats by making use of all of the information available from your existing infrastructure), supports the following features:
Automatic detection of unauthorized wireless devices.
Wireless detection, using authorized wireless APs to report other devices within range to calculate and display rogue location on a VisualRF map.
Wired network detection of rogue APs located beyond the range of authorized APs and sensors, routers, and switches. It also identifies the switch port to which a rogue device is connected.
Important Considerations
Note the following important points:
Users with the admin role of can see all rogue AP devices.
Each rogue device frequently has multiple discovery methods, all of which are listed.

In the current release, Aruba Central supports rogue detection and classification based on the default rules pre-defined on the device. However, administrators can set IDS (Intrusion Detection System, which monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network) parameters only for the APs.

The tab provides a summary of the rogue APs, interfering APs, and the total number of wireless attacks detected for a given duration.
The following menu options in tab provide information on the potential threats discovered in the network:
The > page displays the following details:
Rogues doughnut chart—shows the percentage of rogues and suspected rogue devices detected in the network.
Rogue table—shows the total number of devices classified as rogues and potential rogues.

The > page displays the following information:
Top 5 detectors of Infrastructure attacks—Displays the number of infrastructure attacks detected in the network.
Top 5 detectors of Client attacks—Displays the number of client attacks detected in the network.
IDS attacks detected—Displays the number of IDS attacks detected in the network.

The > page provides the following information:
Page/Tab | Description
|
Displays the following information:
Name—Name of the rogue device detected in the network. To view the rogue device details, click the link.
Classification—Classification of the rogue device (Instant AP) as Suspect Rogue, Rogue, or Interfering.
Last Seen—The time relative to the current moment (for example, 6 minutes; an hour) at which the rogue device was last detected in the network.
Last Discovering Device—Device that last detected the rogue device in the network. To view more details, click the link.
First Seen—The time relative to the current moment (for example, 6 minutes; an hour) at which the rogue device was detected in the network.
First Discovering Device—Device that first detected the rogue device in the network. To view more details, click the link.
SSID (Service Set Identifier)—The SSID broadcast by the rogue device.
Encryption—The type of encryption used by the device that detected the rogue; for example, WPA (Wi-Fi Protected Access), Open. Generally, this field alone does not provide enough information to determine if a device is a rogue, but it is a useful attribute. If a rogue is not running any encryption method, you have a wider security hole than with an AP that is using encryption.
BSSID (Basic Service Set Identifier)—The BSSIDs broadcast by the rogue device.
Signal—The signal strength of the AP that detected the rogue device.
Rogue Details |
To view the details of a rogue, click the link to the rogue device in the column under the tab. The page displays a summary of the rogue device details. If the device is seen on the wire, the Rogue Details page shows the switch port for easy isolation. The table on the Rogue Details page displays the following information:
Name—Name of the rogue device detected in the network.
Detecting Device—Name of the device that detects the rogue device in the network. To view the AP details, click the link.
BSSID—The BSSID broadcast by the rogue device.
SSID—The SSID broadcast by the rogue device.
Time—The date and time stamp of rogue device detection.
Channel—Number of radio channels detected on the rogue device.
Signal—The signal strength of the detected Instant AP.
SNR (Signal-to-Noise Ratio)—The signal-to-noise ratio of the detected Instant AP.
Encryption—The type of encryption used by the detected Instant AP, for example, WPA, Open.
Radio—Radio band on which the interference was detected (2.4 or 5).
Infrastructure Attacks, Client Attacks |
The and sections display the following information:
Type—The type of the interference or attack detected.
Level—The level of the interference or attack detected.
Date/Time—Date and time of the interference or attack.
Description—Description of the attack.
Detecting Device—The MAC (Media Access Control) address of the device that detected the interference or attack.
Virtual Controller—The VC name of the IAP cluster in which the interference or attack was detected.
Station MAC—MAC address of the station.
Radio—Radio band on which the interference was detected.
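The rogue table fields described above can drive a simple investigation queue. The following is an added example, not Aruba Central code or an Aruba Central export format: the `RogueRow` layout, the dBm unit, the sample rows, and the ordering rule (classification, then wired sighting, then open encryption, then signal) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Lower rank is reviewed first; labels are the Classification column values.
CLASS_RANK = {"Rogue": 0, "Suspect Rogue": 1, "Interfering": 2}

@dataclass
class RogueRow:  # hypothetical record layout, not an Aruba Central export format
    name: str
    classification: str
    ssid: str
    bssid: str
    encryption: str                    # "WPA", "Open", ...
    signal_dbm: int                    # assumed unit (dBm)
    switch_port: Optional[str] = None  # set only if the device was seen on the wire

def triage_key(row):
    on_wire = row.switch_port is not None
    is_open = row.encryption.strip().lower() == "open"
    return (
        CLASS_RANK.get(row.classification, len(CLASS_RANK)),  # unknown labels last
        not on_wire,      # wired sightings first: a switch port can be isolated
        not is_open,      # then rogues running no encryption
        -row.signal_dbm,  # then strongest signal
    )

def triage(rows):
    return sorted(rows, key=triage_key)

def isolation_targets(rows):
    """(name, switch port) for devices classified Rogue that were seen on the wire."""
    return [(r.name, r.switch_port) for r in triage(rows)
            if r.classification == "Rogue" and r.switch_port]

# Constructed sample rows (names, BSSIDs and ports are made up).
SAMPLE = [
    RogueRow("ap-lobby", "Suspect Rogue", "guest-free", "02:00:00:00:00:01", "Open", -48),
    RogueRow("ap-lab", "Rogue", "corp", "02:00:00:00:00:02", "WPA", -70, "sw1:1/0/12"),
    RogueRow("ap-cafe", "Interfering", "cafe", "02:00:00:00:00:03", "WPA", -80),
    RogueRow("ap-dock", "Rogue", "corp", "02:00:00:00:00:04", "Open", -55),
    RogueRow("ap-roof", "Rogue", "printer", "02:00:00:00:00:05", "Open", -62, "sw2:1/0/3"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r.classification, r.name, r.encryption, r.signal_dbm, r.switch_port or "-")
```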

To generate reports for rogue devices, complete the following steps:
1. In the Configure Reports section, click .
2. In the Report(s) page, under the section, perform the following steps:
For creating RAPIDS report, you need not select the Groups or Labels option. Also, you need not select the Device Groups name or Labels name from the Device Groups or Labels drop-down lists, respectively.
a. In the text box, enter a report title.
b. From the drop-down list, select .
c. From the drop-down list, select a timeline for which the report is to be generated.
The following options are available in the list: Last day, Last week, Last month, and Custom range. If you selected Custom range, you need to select the Start Date and End Date from the respective calendars to specify the custom timeline of the report.
d. For , select the option or the option.
If you selected , you need to select a date and time from the calendar and time drop-down list, respectively, to set a schedule for the report.
e. In the drop-down list, select the frequency at which you want to run the RAPIDS report.
You can select one of the following options: One Time, Daily Interval, Weekly Interval, and Monthly Interval.
f. In the box, enter the email account(s) to which the report is to be sent.
g. Click .