Rogue APs (unauthorized access points plugged into your wired network, or APs that are not on your wired network but masquerade as YOUR APs) are considered one of the most common security holes in a Wi-Fi network.
At minimum, they can interfere with client access to your wireless LAN (WLAN). Worse yet, rogue APs installed with malicious intent can masquerade as legitimate APs to hijack client sessions. Interestingly, this isn't just a wireless problem: a rogue AP plugged into an unsecured Ethernet port is a threat even where no WLAN is deployed, as long as wireless-capable client devices are present to connect to it.
Today, all respectable WLAN systems include rogue AP detection capabilities. If an AP is detected that isn’t supposed to be there, a notification is sent to the security admin with a general location of the AP. This allows the admin to pull the plug on the offending AP.
But for some, that wasn't enough. They took it to the next level with rogue AP containment. A WIPS (Wireless Intrusion Prevention System) not only detects and notifies, it performs a DoS (Denial of Service) attack on any client device associated to a rogue AP. The DoS is performed by sending deauthentication or disassociation frames spoofed to look like they come from the rogue AP, so client devices are kicked off and cannot stay connected to it. (One caveat: clients and APs that negotiate 802.11w Protected Management Frames authenticate deauthentication and disassociation frames and discard spoofed ones, so this form of containment does not work against them.)
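To make the mechanism concrete, here is an added example (not code from the original post or from any vendor's WIPS) that builds the exact frame a containment engine transmits and then runs a small detector over a constructed capture. The detector looks for the symptom described later in this post: bursts of deauthentication or disassociation frames whose source BSSID is one of your own APs, which your controller never sent. The BSSIDs, client MACs, frame counts and threshold below are all assumptions made up for the example.

```python
"""Build and recognise the 802.11 deauthentication / disassociation frames
a WIPS uses for rogue-AP containment.  Added example; the capture below is
constructed, not a real trace."""
import struct
from collections import Counter

# Frame-control byte 0 = (subtype << 4) | (type << 2) | protocol version.
FC_DEAUTH = 0xC0    # management (type 0), subtype 12: deauthentication
FC_DISASSOC = 0xA0  # management (type 0), subtype 10: disassociation
FC_DATA = 0x08      # data frame, used here only as background traffic

REASON_CLASS3_FROM_NONASSOC = 7  # body of the frame is a 2-byte little-endian reason code


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(client: str, bssid: str, reason: int = REASON_CLASS3_FROM_NONASSOC,
                 seq: int = 0, disassoc: bool = False) -> bytes:
    """Return the 26-byte frame (FCS omitted) a containment engine transmits.
    addr1 = the client being kicked, addr2 = addr3 = the BSSID being spoofed,
    so the client believes its own AP told it to leave."""
    fc = bytes([FC_DISASSOC if disassoc else FC_DEAUTH, 0x00])
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)  # 12-bit sequence number, 4-bit fragment
    return (fc + duration + mac_bytes(client) + mac_bytes(bssid) + mac_bytes(bssid)
            + seq_ctrl + struct.pack("<H", reason))


def parse_mgmt(frame: bytes):
    """Return {'kind','client','bssid','reason'} for a deauth/disassoc frame, else None."""
    if len(frame) < 26 or frame[0] not in (FC_DEAUTH, FC_DISASSOC):
        return None
    return {
        "kind": "deauth" if frame[0] == FC_DEAUTH else "disassoc",
        "client": mac_str(frame[4:10]),    # addr1
        "bssid": mac_str(frame[16:22]),    # addr3
        "reason": struct.unpack("<H", frame[24:26])[0],
    }


def find_containment(frames, our_bssids, threshold=3):
    """Count deauth/disassoc frames whose BSSID is one of OUR APs.  If the
    controller's own logs show it did not send them, a burst aimed at several
    clients is the signature of a neighbour's WIPS 'containing' our network.
    Returns {bssid: {'frames', 'clients', 'reasons'}} for BSSIDs at or above
    the threshold."""
    per_bssid = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed["bssid"] not in our_bssids:
            continue
        entry = per_bssid.setdefault(parsed["bssid"],
                                     {"frames": 0, "clients": set(), "reasons": Counter()})
        entry["frames"] += 1
        entry["clients"].add(parsed["client"])
        entry["reasons"][parsed["reason"]] += 1
    return {b: {"frames": e["frames"], "clients": len(e["clients"]), "reasons": dict(e["reasons"])}
            for b, e in per_bssid.items() if e["frames"] >= threshold}


# Constructed sample capture (assumed MACs, not real devices).
OUR_AP = "00:11:22:33:44:01"        # one of our BSSIDs
NEIGHBOUR_AP = "aa:bb:cc:dd:ee:01"  # the neighbour's own AP
CLIENTS = ["02:00:00:00:00:%02x" % i for i in range(1, 5)]

CAPTURE = (
    [bytes([FC_DATA, 0]) + bytes(30)] * 4                                   # background data frames
    + [build_deauth(c, OUR_AP, seq=i) for i, c in enumerate(CLIENTS)]       # burst against our clients
    + [build_deauth(CLIENTS[0], OUR_AP, reason=3, disassoc=True, seq=9)]   # one more, as disassoc
    + [build_deauth(CLIENTS[1], NEIGHBOUR_AP)]                              # neighbour kicking its own client
)

if __name__ == "__main__":
    print(find_containment(CAPTURE, {OUR_AP}))
```

Run it against a real monitor-mode capture by replacing `CAPTURE` with the raw 802.11 frames (radiotap header stripped) and `OUR_AP` with your controller's BSSID list; the frame you should never see from your own APs without a matching controller log entry is exactly what `build_deauth` produces.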
Rogue AP containment is a useful feature for organizations that actually have rights to their airspace, such as some government facilities, and for businesses that control their airspace completely because of physical construction (shielded buildings) or geographic isolation. Anywhere else, automatic and indiscriminate rogue AP containment can cause outages for legitimate neighboring Wi-Fi networks, and in the US, doing that willfully is an FCC violation.
And this actually happens. A customer recently complained of client disconnects and performance problems, which is unusual for us. Taking pride in our radio designs and systems performance, we sent an RF SWAT team of experts to investigate. What we found was surprising, even to us.
Another legitimate nearby Wi-Fi network was disconnecting our customer's clients. The rogue AP containment feature was so thoughtlessly designed and configured that any time it saw a device connecting to a foreign AP, regardless of whether the connecting device was heard from an external network or whether the foreign AP had been advertising someone else's SSID, the brain-dead Wi-Fi network would send deauth frames to the client.
This essentially became a DoS attack on our customer's legitimate network. The neighbor that enabled this feature had no idea that its own Wi-Fi implementation was wreaking havoc. While some WLAN systems provide the ability to classify APs as foreign, rogue or authorized, many times this classification process isn't performed.
The lesson learned? The best Wi-Fi defense is to physically remove unauthorized APs on your network. Period. Don’t ever turn on active rogue prevention if there is even the slightest chance a neighboring system could hear it.
Unless you are explicitly deploying Wi-Fi for that kind of controlled-airspace (DoD-style) use case, don't turn it on at all. If a rogue AP is detected, take a walk with your favorite stumbler and find the unwanted AP. More often than not, a rogue AP to you is a legitimate AP to your neighbor, and a mutually agreeable resolution (such as exchanging AP MAC address lists so each side classifies the other's APs as known neighbors) is available.
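The classification step that the neighbor skipped, and the MAC-list exchange suggested above, can be expressed as a small policy engine. What follows is an added example, not code from the original post or from any vendor's WIPS: the class names, the policy fields, and the sample APs and clients are constructed for illustration. The point is the ordering of the checks and the final guard in front of the transmitter, which refuses to deauthenticate anyone unless the target AP is on your wire or is impersonating your SSID against one of your own stations.

```python
"""Classify every access point the sensors hear before any containment
decision is made.  Added example with constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    seen_on_wire: bool   # its MAC showed up on one of our switch ports (or via a wired-side probe)


@dataclass
class Policy:
    our_bssids: set
    our_ssids: set
    neighbour_bssids: set = field(default_factory=set)  # MAC lists exchanged with neighbours
    our_clients: set = field(default_factory=set)       # stations seen associated to OUR BSSIDs
    containment_allowed: bool = False                   # only where you actually control the airspace


def classify(ap: ObservedAP, policy: Policy) -> str:
    if ap.bssid in policy.our_bssids:
        return "authorized"
    if ap.bssid in policy.neighbour_bssids:
        return "neighbour"          # legitimate to them, never a target for us
    if ap.seen_on_wire:
        return "rogue-on-wire"      # unauthorized AP plugged into our LAN
    if ap.ssid in policy.our_ssids:
        return "rogue-honeypot"     # not on our wire but advertising our SSID
    return "foreign"                # someone else's AP, someone else's SSID


def decide(ap: ObservedAP, policy: Policy) -> dict:
    cls = classify(ap, policy)
    if cls in ("rogue-on-wire", "rogue-honeypot"):
        action = "contain" if policy.containment_allowed else "alert-and-locate"
    elif cls == "authorized":
        action = "none"
    else:
        action = "alert-only"       # foreign / neighbour: notify a human, never transmit
    return {"bssid": ap.bssid, "class": cls, "action": action}


def may_deauth(client: str, ap: ObservedAP, policy: Policy) -> bool:
    """Final guard in front of the transmitter.  Deauthing any client seen
    joining any foreign AP is exactly what the last two conditions refuse."""
    d = decide(ap, policy)
    if d["action"] != "contain":
        return False
    if d["class"] == "rogue-on-wire":
        return True                              # on our LAN: every client through it is our problem
    return client in policy.our_clients          # honeypot: only protect stations that are ours


# Constructed policy and observations (assumed MACs and SSIDs).
POLICY = Policy(
    our_bssids={"00:11:22:33:44:01"},
    our_ssids={"CorpNet"},
    neighbour_bssids={"aa:bb:cc:dd:ee:01"},
    our_clients={"02:00:00:00:00:01"},
    containment_allowed=True,   # deliberately on, to show the guards still hold
)

SAMPLE_APS = [
    ObservedAP("00:11:22:33:44:01", "CorpNet", False),       # our own AP
    ObservedAP("aa:bb:cc:dd:ee:01", "NeighbourNet", False),  # neighbour, on the exchanged list
    ObservedAP("de:ad:be:ef:00:01", "CorpNet", False),       # evil twin advertising our SSID
    ObservedAP("de:ad:be:ef:00:02", "linksys", True),        # employee's home router on our switch
    ObservedAP("de:ad:be:ef:00:03", "CoffeeShop", False),    # unknown, not ours to touch
]

if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(decide(ap, POLICY))
```

With `containment_allowed` left at its default of False, the two rogue classes still produce "alert-and-locate" rather than a transmission, which is the behaviour the post recommends for anyone who shares airspace with a neighbor.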
Food for thought.