Rules and Classifications

Threat Types

Revealing and classifying potential wireless threats is an important first step in securing the wireless network and the network infrastructure as a whole. Once threats are classified, confirmed threats can be remediated and innocuous alerts dismissed. AirGuard automatically classifies threats into the following categories to provide broad visibility and overall protection for your network.

Rogue SSIDs

The network administrator can manually maintain an SSID naming rule set to identify Rogue APs. Any wireless service matching a rogue rule is identified by the cloud system as a rogue service and listed under Rogue SSIDs.

Note:

Rogue rules are Network-wide settings. If you have multiple Networks running close to each other with different managed SSIDs defined, add all managed SSIDs to the whitelist rule set so that the adjacent Networks' managed SSIDs are not identified as rogue SSIDs.

Other SSIDs

SSIDs that do not match the rogue rules, or that match the whitelist rules, are classified as Other SSIDs. These can be SSIDs run by your neighbors or by the coffee shop close to your office. With visibility of these SSIDs, the network administrator can easily decide whether or not to identify them as rogues.

Evil Twin

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. AirGuard can detect two types of evil twins:

  1. AP spoofs

    A malicious mimic of a legitimate AP that spoofs the SSID name.

  2. AP Impersonation

    Malicious impersonation not only of the SSID name but also of the BSSID (the wireless MAC address), which makes it indistinguishable from the original AP.

More details are available here.
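As an added example (not AirGuard's own code), the following Python classifier applies the rule order described above for Rogue SSIDs, Other SSIDs and the two evil twin types to beacons seen by a sensor. The wildcard pattern syntax for rules, the channel-mismatch heuristic used to flag AP impersonation, and all inventory and beacon data are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed inventory of APs this Network manages: BSSID -> (SSID, channel).
MANAGED = {
    "00:11:22:33:44:01": ("Corp-WiFi", 36),
    "00:11:22:33:44:02": ("Corp-Guest", 6),
}

# Whitelist covers this and the adjacent Networks' managed SSIDs, as the note
# above advises; rogue rules are wildcard patterns (syntax assumed here).
WHITELIST = ["Corp-*", "Branch-*"]
ROGUE_RULES = ["Corp*", "*Free*"]


def classify(ssid, bssid, channel):
    """Return the category for one observed beacon (SSID, BSSID, channel)."""
    managed_ssid, managed_channel = MANAGED.get(bssid, (None, None))
    if managed_ssid == ssid and managed_channel == channel:
        return "Managed"
    if managed_ssid == ssid:
        # Our SSID and BSSID, but not on our AP's channel: assumed impersonation.
        return "Evil Twin: AP impersonation"
    if ssid in {s for s, _ in MANAGED.values()}:
        # One of our SSID names advertised from a BSSID we do not manage.
        return "Evil Twin: AP spoof"
    if any(fnmatchcase(ssid, pattern) for pattern in WHITELIST):
        return "Other SSID"  # whitelist wins over rogue rules
    if any(fnmatchcase(ssid, pattern) for pattern in ROGUE_RULES):
        return "Rogue SSID"
    return "Other SSID"


def classify_all(observed):
    """Classify a list of (ssid, bssid, channel) beacons seen by a sensor."""
    return [(ssid, bssid, classify(ssid, bssid, ch)) for ssid, bssid, ch in observed]


# Constructed beacons, one per case the page describes.
OBSERVED = [
    ("Corp-WiFi", "00:11:22:33:44:01", 36),    # our own AP
    ("Corp-WiFi", "00:11:22:33:44:01", 1),     # same SSID and BSSID, wrong channel
    ("Corp-WiFi", "aa:bb:cc:dd:ee:01", 36),    # our SSID from a foreign BSSID
    ("Corp-Branch", "aa:bb:cc:dd:ee:02", 11),  # adjacent Network, whitelisted
    ("Corp WiFi", "aa:bb:cc:dd:ee:03", 6),     # look-alike name, rogue rule
    ("Free Airport WiFi", "aa:bb:cc:dd:ee:04", 1),
    ("CoffeeShop", "aa:bb:cc:dd:ee:05", 11),
]

if __name__ == "__main__":
    for ssid, bssid, category in classify_all(OBSERVED):
        print(f"{ssid:20} {bssid}  {category}")
```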

Malicious Attacks

Denial of Service (DoS) attacks can prevent clients from associating with the legitimate AP by sending an excessive number of broadcast messages to clients or APs. DoS attacks may come from malicious clients, APs, or even another WIPS system in the area that considers the corporate network a threat and attempts to remediate it. AirGuard can detect two types of malicious attacks:

  1. De-auth attack to AP

    The attacker mimics a client by sending an excessive number of De-auth messages to managed APs, causing the AP to disconnect the client.

  2. De-auth attack to client

    The attacker mimics an AP by sending an excessive number of De-auth messages to a client associated with a managed AP. This also results in the disconnection of the attacked client.

RF Jamming

RF jamming is a technique that exploits the open-medium nature of WiFi by emitting a large amount of noise into the environment, making it impossible for other nodes to send messages on the available channels.

An RF jammer does not need to comply with WiFi protocols. It only needs to interfere with the physical transmission and reception of wireless communications. AirGuard can detect four types of RF jamming:

  1. Constant Jammer:

    Continually emits a radio signal that interferes with communication.

  2. Deceptive Jammer:

    Constantly injects regular packets into the channel without following the CSMA/CA procedure.

  3. Random Jammer:

    Intermittently emits the jamming signal.

  4. Reactive Jammer:

    Senses the channel for legitimate transmissions and jams while they are in progress.

More details are available here.
