Wireless Intrusion Detection Services

Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL security appliance with SonicOS Enhanced by enabling it to recognize and even take countermeasures against the most common types of illicit wireless activity. IDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection. IDS logging and notification can be enabled under Log > Enhanced Log Settings by selecting WLAN IDS under Log Categories and Alerts.

Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network creates a easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this doesn't represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks.

The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a and 802.11g channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

Scanning for Access Points

Active scanning occurs when the security appliance starts up, and at any time Scan Now is clicked on the SonicPoint > IDS page. When the security appliance executes a scan, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:

•	Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.

•	Persistent connections (protocols such as FTP) are impaired or severed.

•	WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.

WARNING:If service disruption is a concern, it is recommended that the Scan Now feature not be used while the SonicWALL security appliance is in Access Point mode until such a time that no clients are active, or the potential for disruption becomes acceptable.

Discovered Access Points

The Discovered Access points displays information on every access point that can be detected by the SonicPoint radio:

NOTE: This feature is only supported on SonicOS 5.8 or higher.

•	SonicPoint: The SonicPoint that detected the access point.

•	MAC Address (BSSID): The MAC address of the radio interface of the detected access point.

•	SSID: The radio SSID of the access point.

•	Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.

•	Channel: The radio channel used by the access point.

•	Manufacturer: The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWALL or Senao.

•	Signal Strength: The strength of the detected radio signal

•	Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.

•	Authorize: Click the Authorize icon to add the access point to the address object group of authorized access points.

If you have more than one SonicPoint, you can select an individual device from the SonicPoint list to limit the Discovered Access Points table to display only scan results from that SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.

Authorizing Access Points on Your Network

Access Points detected by the security appliance are regarded as rogues until they are identified to the security appliance as authorized for operation. To authorize an access point, it can be manually added to the Discovered Access Points list by clicking the Edit icon in the Authorize column and specifying its MAC address (BSSID) along with an optional comment. Alternatively, if an access point is discovered by the security appliance scanning feature, it can be added to the list by clicking the Authorize icon.

When a SonicPoint detects a non-SonicPoint access point, a table with the following information displays:

 

Table 18. Discovered Access Points

Column	Description
SonicPoint	The SonicPoint that detected the access point.
MAC Address (BSSID)	The MAC address of the radio interface of the detected access point.
SSID	The radio SSID of the access point.
Type	The range of radio bands used by the access point, 2.4GHz or 5GHz
Channel	The radio channel used by the access point.
Manufacturer	The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWALL or Senao.
Signal Strength	The strength of the detected radio signal.
Max Rate	The strength of the detected radio signal.
Authorize	Adds the access point to the address object group of authorized access points.