Home » ZyXEL Manuals » Networking » ZyXEL NWA-3163 » Manual Viewer

ZyXEL NWA-3163 User Guide - Page 192

What You Can Do in the Rogue AP Screen, What You Need To Know About Rogue AP

Get ZyXEL NWA-3163 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 192 highlights

Chapter 15 Rogue AP Detection In the example above, a corporate network's security is compromised by a rogue AP (R) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C). 15.1.1 What You Can Do in the Rogue AP Screen • Use the Rogue AP > Configuration screen (see Section 15.2 on page 194) to enable your NWA's Rogue AP detection settings. You can choose to scan for rogue APs manually, or to have the NWA scan automatically at pre-defined intervals. • Use the Rogue AP > Friendly AP screen (see Section 15.2.1 on page 195) to specify APs as trusted. • Use the Rogue AP > Rogue AP screen (see Section 15.2.2 on page 196) to display details of all IEEE 802.11a/b/g/n wireless access points within the NWA's coverage area, except for the NWA itself and the access points included in the friendly AP list. 15.1.2 What You Need To Know About Rogue AP The following terms and concepts may help as you read through this chapter. You can configure the NWA to detect rogue IEEE 802.11a/n (5 GHz) and IEEE 802.11b/g (2.4 GHz) APs. You can also set the NWA to e-mail you immediately when a rogue AP is detected (see Chapter 19 on page 242 for information on how to set up e-mail logs). You can set how often you want the NWA to scan for rogue APs in the ROGUE AP > Configuration screen (see Section 15.2 on page 194). Friendly APs If you have more than one AP in your wireless network, you can configure a list of "friendly" APs. Friendly APs are other wireless access points, aside from the NWA, that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the NWA scans. 192 NWA-3160 Series User's Guide

Section	Page
NWA-3160 Series	1
About This User's Guide	3
Document Conventions	6
Safety Warnings	8
Contents Overview	9
Table of Contents	11
Introduction	21
Introduction	23
1.1 Overview	23
1.2 Applications for the NWA	24
1.2.1 Access Point	24
1.2.2 Bridge / Repeater	25
1.2.3 AP + Bridge	28
1.2.4 MBSSID	28
1.2.5 Pre-Configured SSID Profiles	30
1.3 CAPWAP	30
1.4 Ways to Manage the NWA	31
1.5 Good Habits for Managing the NWA	31
1.6 Hardware Connections	32
1.6.1 Antennas	32
1.7 LEDs	33
The Web Configurator	35
2.1 Overview	35
2.2 Accessing the Web Configurator	35
2.3 Resetting the NWA	36
2.3.1 Methods of Restoring Factory-Defaults	36
2.4 Navigating the Web Configurator	36
Tutorials	39
3.1 Overview	39
3.2 How to Configure the Wireless LAN	39
3.2.1 Choosing the Wireless Mode	39
3.2.2 Wireless LAN Configuration Overview	40
3.2.3 Further Reading	41
3.3 How to Configure Multiple Wireless Networks	41
3.3.1 Change the Operating Mode	43
3.3.2 Configure the VoIP Network	45
3.3.3 Configure the Guest Network	48
3.3.4 Testing the Wireless Networks	52
3.4 How to Set Up and Use Rogue AP Detection	53
3.4.1 Set Up and Save a Friendly AP list	55
3.4.2 Activate Periodic Rogue AP Detection	58
3.4.3 Set Up E-mail Logs	59
3.4.4 Configure Your Other Access Points	60
3.4.5 Test the Setup	60
3.5 Using MAC Filters and L-2 Isolation Profiles	61
3.5.1 Scenario	61
3.5.2 Your Requirements	62
3.5.3 Setup	62
3.5.4 Configure the SERVER_1 Network	63
3.5.5 Configure the SERVER_2 Network	66
3.5.6 Checking your Settings and Testing the Configuration	67
3.6 How to Configure Management Modes	69
3.6.1 Scenario	69
3.6.2 Your Requirements	70
3.6.3 Setup	70
3.6.4 Configure Your NWA in Controller AP Mode	71
3.6.5 Setting Your NWA in Managed AP Mode	73
3.6.6 Configuring the Managed Access Points List	74
3.6.7 Checking your Settings and Testing the Configuration	77
The Web Configurator	79
Status Screen	81
4.1 Overview	81
4.2 The Status Screen	81
4.2.1 System Statistics Screen	84
Management Mode	87
5.1 Overview	87
5.2 About CAPWAP	87
5.2.1 CAPWAP Discovery and Management	88
5.2.2 CAPWAP and DHCP	88
5.2.3 CAPWAP and IP Subnets	88
5.2.4 Notes on CAPWAP	89
5.3 The Management Mode Screen	89
AP Controller Mode	93
6.1 Overview	93
6.1.1 What You Can Do in AP Controller Mode	93
6.1.2 What You Need to Know	93
6.1.3 Before You Begin	94
6.2 Controller AP Navigation Menu	94
6.3 Controller AP Status Screen	95
6.4 AP Lists Screen	97
6.4.1 The AP Lists Edit Screen	100
6.5 Configuration Screen	101
6.6 Redundancy Screen	102
6.7 The Profile Edit Screens	103
6.7.1 The Radio Profile Screen	103
6.7.2 The Radio Profile Edit Screen	104
System Screens	109
7.1 Overview	109
7.1.1 What You Can Do in the System Screens	109
7.1.2 What You Need To Know About the System Screens	110
7.2 General Screen	111
7.3 Password Screen	113
7.4 Time Setting Screen	115
7.5 Technical Reference	117
7.5.1 Administrator Authentication on RADIUS	117
7.5.2 Pre-defined NTP Time Servers List	117
Wireless Screen	119
8.1 Overview	119
8.1.1 What You Can Do in the Wireless Screen	119
8.1.2 What You Need To Know About the Wireless Screen	120
8.2 The Wireless Screen	123
8.2.1 Access Point Mode	123
8.2.2 Bridge / Repeater Mode	127
8.2.3 AP + Bridge Mode	133
8.2.4 MBSSID Mode	139
8.3 Technical Reference	143
8.3.1 Spanning Tree Protocol (STP)	144
8.3.2 DFS	145
8.3.3 Roaming	146
SSID Screen	149
9.1 Overview	149
9.1.1 What You Can Do in the SSID Screen	149
9.1.2 What You Need To Know About SSID	150
9.2 The SSID Screen	151
9.2.1 Configuring SSID	152
9.3 Technical Reference	153
9.3.1 WMM QoS	153
9.3.2 ATC	154
9.3.3 ATC+WMM	155
9.3.4 Type Of Service (ToS)	156
Wireless Security Screen	159
10.1 Overview	159
10.1.1 What You Can Do in the Wireless Security Screen	159
10.1.2 What You Need To Know About Wireless Security	160
10.2 The Security Screen	161
10.2.1 Security: WEP	163
10.2.2 Security: 802.1x Only	165
10.2.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit	166
10.2.4 Security: WPA	167
10.2.5 Security: WPA2 or WPA2-MIX	168
10.2.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX	170
10.3 Technical Reference	171
RADIUS Screen	173
11.1 Overview	173
11.1.1 What You Can Do in the RADIUS Screen	174
11.1.2 What You Need To Know About RADIUS	174
11.2 The RADIUS Screen	175
Layer-2 Isolation Screen	177
12.1 Overview	177
12.1.1 What You Can Do in the Layer-2 Isolation Screen	178
12.1.2 What You Need To Know About Layer-2 Isolation	178
12.2 The Layer-2 Isolation Screen	179
12.2.1 Configuring Layer-2 Isolation	180
12.3 Technical Reference	181
MAC Filter Screen	183
13.1 Overview	183
13.1.1 What You Can Do in the MAC Filter Screen	183
13.1.2 What You Should Know About MAC Filter	183
13.2 The MAC Filter Screen	184
13.2.1 Configuring the MAC Filter	185
IP Screen	187
14.1 Overview	187
14.1.1 What You Can Do in the IP Screen	187
14.1.2 What You Need To Know About IP	187
14.2 The IP Screen	188
14.3 Technical Reference	189
14.3.1 WAN IP Address Assignment	189
Rogue AP Detection	191
15.1 Overview	191
15.1.1 What You Can Do in the Rogue AP Screen	192
15.1.2 What You Need To Know About Rogue AP	192
15.2 Configuration Screen	194
15.2.1 Friendly AP Screen	195
15.2.2 Rogue AP Screen	196
Remote Management Screens	199
16.1 Overview	199
16.1.1 What You Can Do in the Remote Management Screens	200
16.1.2 What You Need To Know About Remote Management	200
16.2 The Telnet Screen	202
16.3 The FTP Screen	203
16.4 The WWW Screen	204
16.5 The SNMP Screen	207
16.5.1 SNMPv3 User Profile	209
16.6 Technical Reference	210
16.6.1 MIB	210
16.6.2 Supported MIBs	211
16.6.3 SNMP Traps	211
Internal RADIUS Server	213
17.1 Overview	213
17.1.1 What You Can Do in this Chapter	214
17.1.2 What You Need To Know	214
17.2 Internal RADIUS Server Setting Screen	214
17.3 The Trusted AP Screen	216
17.4 The Trusted Users Screen	217
17.5 Technical Reference	218
Certificates	221
18.1 Overview	221
18.1.1 What You Can Do in the Certificates Screen	221
18.1.2 What You Need To Know About Certificates	222
18.2 My Certificates Screen	222
18.2.1 My Certificates Import Screen	224
18.2.2 My Certificates Create Screen	226
18.2.3 My Certificates Details Screen	229
18.3 Trusted CAs Screen	232
18.3.1 Trusted CAs Import Screen	233
18.3.2 Trusted CAs Details Screen	234
18.4 Technical Reference	237
18.4.1 Private-Public Certificates	237
18.4.2 Certification Authorities	237
18.4.3 Checking the Fingerprint of a Certificate	238
Log Screens	239
19.1 Overview	239
19.1.1 What You Can Do in the Log Screens	239
19.1.2 What You Need To Know About Logs	240
19.2 The View Log Screen	240
19.3 The Log Settings Screen	242
19.4 Technical Reference	244
19.4.1 Example Log Messages	244
19.4.2 Log Commands	246
19.4.3 Configuring What You Want the NWA to Log	246
19.4.4 Displaying Logs	246
19.4.5 Log Command Example	246
VLAN	249
20.1 Overview	249
20.1.1 What You Can Do in the VLAN Screen	249
20.1.2 What You Need To Know About VLAN	250
20.2 Wireless VLAN Screen	251
20.2.1 RADIUS VLAN Screen	252
20.3 Technical Reference	254
20.3.1 VLAN Tagging	254
20.3.2 Configuring Management VLAN Example	254
20.3.3 Configuring Microsoft’s IAS Server Example	257
20.3.4 Second Rx VLAN ID Example	267
Load Balancing	269
21.1 Overview	269
21.1.1 What You Need to Know About Load Balancing	269
21.2 The Load Balancing Screen	271
21.2.1 Disassociating and Delaying Connections	272
Dynamic Channel Selection	275
22.1 Overview	275
22.2 The DCS Screen	276
Maintenance	279
23.1 Overview	279
23.1.1 What You Can Do in the Maintenance Screens	279
23.1.2 What You Need To Know	279
23.2 Association List Screen	280
23.3 Channel Usage Screen	281
23.4 F/W Upload Screen	282
23.5 Configuration Screen	284
23.5.1 Backup Configuration	284
23.5.2 Restore Configuration	285
23.5.3 Back to Factory Defaults	286
23.6 Restart Screen	286
Appendices and Index	287
Troubleshooting	289
24.1 Overview	289
24.2 Power, Hardware Connections, and LEDs	289
24.3 NWA Access and Login	290
24.4 AP Management Modes	292
24.5 Internet Access	294
24.6 Wireless Router/AP Troubleshooting	295
Product Specifications	297
25.1 Wall-Mounting Instructions	300
Wireless LANs	303
Pop-up Windows, JavaScripts and Java Permissions	319
IP Addresses and Subnetting	327
Text File Based Auto Configuration	349
How to Access and Use the CLI	357
Legal Information	363

Match case Limit results 1 per page

Chapter 15 Rogue AP Detection

NWA-3160 Series User’s Guide

192

In the example above, a corporate network’s security is compromised by a rogue

AP (

) set up by an employee at his workstation in order to allow him to connect

his notebook computer wirelessly (

). The company’s legitimate wireless network

(the dashed ellipse

) is well-secured, but the rogue AP uses inferior security that

is easily broken by an attacker (

) running readily available encryption-cracking

software. In this example, the attacker now has access to the company network,

including sensitive data stored on the file server (

15.1.1

What You Can Do in the Rogue AP Screen

•

Use the

Rogue AP

Configuration

screen (see

Section 15.2 on page 194

) to

enable your NWA’s Rogue AP detection settings. You can choose to scan for

rogue APs manually, or to have the NWA scan automatically at pre-defined

intervals.

•

Use the

Rogue AP

Friendly AP

screen (see

Section 15.2.1 on page 195

) to

specify APs as trusted.

•

Use the

Rogue AP

screen (see

Section 15.2.2 on page 196

) to

display details of all IEEE 802.11a/b/g/n wireless access points within the NWA’s

coverage area, except for the NWA itself and the access points included in the

friendly AP list.

15.1.2

What You Need To Know About Rogue AP

The following terms and concepts may help as you read through this chapter.

You can configure the NWA to detect rogue IEEE 802.11a/n (5 GHz) and IEEE

802.11b/g (2.4 GHz) APs.

You can also set the NWA to e-mail you immediately when a rogue AP is detected

(see

Chapter 19 on page 242

for information on how to set up e-mail logs).

You can set how often you want the NWA to scan for rogue APs in the

ROGUE AP

Configuration

screen (see

Section 15.2 on page 194

Friendly APs

If you have more than one AP in your wireless network, you can configure a list of

“friendly” APs. Friendly APs are other wireless access points, aside from the NWA,

that are detected in your network, as well as any others that you know are not a

threat (those from neighboring networks, for example). It is recommended that

you export (save) your list of friendly APs often, especially if you have a network

with a large number of access points. If you do not add them to the friendly AP

list, these access points will appear in the

Rogue AP

list each time the NWA

scans.