BlueSecure™ Controller Setup and Administration Guide 13-3
• Rogue - This station is not authorized to be on the network and an alarm will be generated if it is detected.
• Neighbor - This station is not part of the internal network, but is always present.
• Unknown - The origin and/or identity of this station is unknown at this time.
Saving the settings
Click Save to save the RF station settings to the BSC database.
Configuring RF Alarms
By default, the BSC is configured to issue alarms on over 22 different WLAN security
threats detected by BSAPs (operating in sensor mode) under its control. You can configure
how the BSC processes these alarms by selectively disabling alarms and setting the
severity level associated with the alarm.
Available Sensor Alarms
The following table describes the BSAP sensor alarms that are configurable with this release of the BSC system software. The Mode column is interpreted as follows: S indicates the alert is only reliable in sensor mode; D indicates the alert is reliable in dual and sensor mode.
Note: When an AP is in AP-only mode, only the following alarms will be generated and only during the SetOnceAndHold or Calibrate Dynamic RF periods: Rogue AP, Rogue Ad-Hoc Client, WEP Disabled, Rogue Client, Client Association Change, Client Limit, Authorized AP Down, Rogue Client to AP, Client to Rogue AP.
Table 13-1: BSAP Sensor Alarms

| Alarm | Description | Dual/Sensor Mode |
|---|---|---|
| AirJack Attack | AirJack is a toolset that allows attackers to inject fake 802.11 packets in order to gain network access or create a DoS attack. Information on the tool and its variants (wlan-jack, monkey-jack, essid-jack, cracker-jack) can be found here: http://sourceforge.net/projects/airjack/ | S |
| AP Broadcasting Multiple SSID | The AP is broadcasting multiple SSIDs. This can indicate a spoof attempt. | S |
| AP Channel Change | The Access Point has changed channels. | D |
| AP Denied Association | An authorized AP denied an association request from a client. | D |
| AP Denied Authentication | An authorized AP denied client access due to authentication failure. | D |
| AP Down | The AP is down. | S |
| AP in WDS Mode | The AP is operating in WDS (bridge) mode. | D |
| AP Low Signal Strength | An AP with low signal strength is detected by the BSAP sensor. | S |
| AP Overloaded | An overloaded AP is refusing to let new clients associate with it. | D |
| AP Restarted | The AP has restarted. | S |
| AP SSID Changed | An AP has changed its SSID. If this was not authorized, there is a possible spoof in progress. | D |
| ASLEAP Attack | ASLEAP is a tool that exploits a weakness in the Cisco proprietary LEAP protocol. | S |
| Authorized AP Down | An authorized Access Point can no longer be heard by the sensor. This may indicate that the AP has failed or been removed from service. | D |
| Broadcast Attack | Many attacks use broadcast disassociate or deauthenticate frames to disconnect all users on the network, either to redirect them to a fake network, to cause a Denial of Service attack, or to disclose a cloaked SSID. | S |
| Client Association Change | The client has changed its association to a different Access Point. This might be due to a Rogue AP in the vicinity. | D |