Wireless Access

Reply
Frequent Contributor I

Old 802.11n APs for Wireless IDS/IPS

Hi Airheads Experts!

 

I need some help regarding RFProtect.

Earlier I found an Aruba documentation where compare what can the .ac and .n capable APs detect and what can't, so my quiestion is what kind of threats the .n APs doesn't provide protection. Now I can't find this document. So I need some help what is the exactly risk if I use .n APs for AM instead of .ac.

 

Thank you in advance for your reply!

Br.,

Zs

Re: Old 802.11n APs for Wireless IDS/IPS

You wouldn't be able to  listen to 11ac modulated communication (256 QAM and 80 MHz channels) with 11n Air Monitors.

 

More details:

 

For 11ac devices to be backwards compatible, the management frames like beacons will go out at 20 MHz.  That way non-11ac clients can detect the AP and connect to them.  This means that legacy a/b/g/n APs can also wirelessly detect rogue 11ac access points.  But the legacy APs won’t necessarily have visibility into the data come out of a rogue 11ac AP. 

 

If the rogue is communicating with an 11ac client, the data frames may have a channel that is too wide, or a modulation that the legacy AP cannot decode.  That means legacy APs is unable to always determine if a client is associated to the rogue.  That detection is critical for more advanced features such as wireless containment and wired rogue detection.  If an AP can’t hear the client on the rogue, then it cannot contain it. 

 

Wired rogue detection is based on looking at the source MAC address of frames coming out of the rogue AP.  Those are the data frames.  With an 11ac rogue and an 11ac client, they may not be visible to 11a/b/g/n devices.  If a legacy client connects to the 11ac rogue, then it can be detected by the legacy AP since the legacy radio can understand the traffic.

 

Because of these limitations, an 11ac overlay or 11ac network is recommended for high security customers.  11ac is required to make sure that all potential threats are detected.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor I

Re: Old 802.11n APs for Wireless IDS/IPS

Hi SethFiermonti,

 

 

 

Frequent Contributor I

Re: Old 802.11n APs for Wireless IDS/IPS

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: