D-Link DWS-4026 User Manual page 526

DWS-4000 Series Unified Wired & Wireless Access System

D-Link Unified Access System
Page 526
Configuring Advanced Settings

Table 340: WIDS AP Configuration

Field: AP without an SSID
Description: SSID is an optional field in beacon frames. To avoid detection, a hacker may set up an AP with the managed network SSID, but disable SSID transmission in the beacon frames. The AP would still send probe responses to clients that send probe requests for the managed SSID, fooling the clients into associating with the hacker's AP.
This test detects and flags APs that transmit beacons without the SSID field. The test is automatically disabled if any of the radios in the profiles are configured not to send the SSID field, which is not recommended because it does not provide any real security and disables this test.

Field: Fake managed AP on an invalid channel
Description: This test detects rogue APs that transmit beacons from the source MAC address of one of the managed APs, but on a different channel from the one on which the AP is supposed to be operating.

Field: Managed SSID detected with incorrect security
Description: During RF Scan the AP examines beacon frames received from other APs and determines whether the detected AP is advertising an open network, WEP, or WPA.
If the SSID reported in the RF Scan is one of the managed networks and its configured security does not match the detected security, then this test marks the AP as rogue.

Field: Invalid SSID from a managed AP
Description: This test checks whether a known managed AP is sending an unexpected SSID. The SSID reported in the RF Scan is compared to the list of all configured SSIDs that are used by the profile assigned to the managed AP. If the detected SSID doesn't match any configured SSID, then the AP is marked as rogue.

Field: AP is operating on an illegal channel
Description: The purpose of this test is to detect hackers or incorrectly configured devices that are operating on channels that are not legal in the country where the wireless system is set up.
Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.

Field: Standalone AP with unexpected configuration
Description: If the AP is classified as a known standalone AP, then the switch checks whether the AP is operating with the expected configuration parameters. You configure the expected parameters for the standalone AP in the local or RADIUS Valid AP database.
This test may detect network misconfiguration as well as potential intrusion attempts. The following parameters are checked:
• Channel Number
• SSID
• Security Mode
• WDS Mode
• Presence on a wired network

Field: Unexpected WDS device detected on network
Description: If the AP is classified as a Managed or Unknown AP and wireless distribution system (WDS) traffic is detected on the AP, then the AP is considered to be Rogue.
Only stand-alone APs that are explicitly allowed to operate in WDS mode are not reported as rogues by this test.

Field: Unmanaged AP detected on wired network
Description: This test checks whether the AP is detected on the wired network. If the AP state is Unknown, then the test changes the AP state to Rogue. The flag indicating whether the AP is detected on the wired network is reported as part of the RF Scan report. If the AP is managed and is detected on the network, then the switch simply reports this fact and doesn't change the AP state to Rogue.
In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
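
The first four tests in Table 340 can be expressed as checks on RF Scan records against the managed inventory. The sketch below is an added example, not D-Link's code or part of the manual; the record layout, the names (`ManagedAP`, `Beacon`, `wids_tests`, `rogue_report`) and all MAC addresses, SSIDs and channels are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ManagedAP:
    mac: str
    channel: int          # channel the AP is supposed to be operating on
    ssids: frozenset      # SSIDs configured in the profile assigned to the AP

@dataclass(frozen=True)
class Beacon:             # hypothetical shape of one RF Scan record
    mac: str              # source MAC of the beacon
    channel: int
    ssid: Optional[str]   # None models a beacon without the SSID field
    security: str         # "open", "wep" or "wpa", as detected in the scan

# Constructed inventory: managed SSID -> configured security, and managed APs.
MANAGED_SSIDS = {"corp": "wpa", "guest": "open"}
MANAGED_APS = {
    "00:11:22:33:44:01": ManagedAP("00:11:22:33:44:01", 6,
                                   frozenset({"corp", "guest"})),
}

def wids_tests(b, ssid_hidden_in_profile=False):
    """Return the names of the Table 340 tests that flag this beacon."""
    failed = []
    ap = MANAGED_APS.get(b.mac.lower())
    # Disabled when a managed radio is itself configured not to send the SSID.
    if b.ssid is None and not ssid_hidden_in_profile:
        failed.append("AP without an SSID")
    if ap and b.channel != ap.channel:
        failed.append("Fake managed AP on an invalid channel")
    if b.ssid in MANAGED_SSIDS and b.security != MANAGED_SSIDS[b.ssid]:
        failed.append("Managed SSID detected with incorrect security")
    if ap and b.ssid is not None and b.ssid not in ap.ssids:
        failed.append("Invalid SSID from a managed AP")
    return failed

# Constructed RF Scan results.
SCAN = [
    Beacon("00:11:22:33:44:01", 6, "corp", "wpa"),    # matches the inventory
    Beacon("00:11:22:33:44:01", 11, "corp", "wpa"),   # managed MAC, other channel
    Beacon("66:77:88:99:aa:bb", 1, "corp", "open"),   # managed SSID, open network
    Beacon("66:77:88:99:aa:cc", 1, None, "open"),     # no SSID field
    Beacon("00:11:22:33:44:01", 6, "lab", "wpa"),     # SSID not in the profile
]

def rogue_report(scan):
    """Map scan index -> failed tests, for records that fail at least one."""
    results = ((i, wids_tests(b)) for i, b in enumerate(scan))
    return {i: tests for i, tests in results if tests}

if __name__ == "__main__":
    for i, tests in rogue_report(SCAN).items():
        print(SCAN[i].mac, "ch", SCAN[i].channel, "->", ", ".join(tests))
```
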
Software User Manual
Document 34CSFP6XXUWS-SWUM100-D7
12/10/09

This manual is also suitable for:

DWL-8600AP, DWS-4000 series