724-746-5500 | blackbox.com
Page 29
Chapter 2: Preparing for a WAN Deployment
After creating a WIPS policy on the Configuration > Advanced Configuration > Security Policies > WIPS Policies > New page,
define how you want to perform rogue AP and client mitigation: manually, automatically, or semi-automatically. Each approach is
described below.
Manual Mitigation
To mitigate rogue APs and their clients manually, expand the Optional Settings section and select Manual. The following
mitigation parameters apply when operating in manual mode:
Period for client detection and mitigation:
After you enable rogue detection on a SmartPath AP, it scans detected rogue APs
for clients during the period of time that you specify. If you manually start mitigation against a rogue, the SmartPath AP not only
continues scanning for clients during this period, it also sends deauth frames to the rogue AP and any detected clients during the
same period. For example, if you leave this at its default setting of 1 second, the SmartPath AP checks for rogues and attacks
them every second.
Consecutive number of mitigation periods:
This specifies how many consecutive periods of time to spend attacking a rogue
AP and its clients before allowing client inactivity to cause a ceasefire and commence a countdown to end the mitigation. The
default setting is 60 consecutive periods.
Max time limit for mitigation efforts per rogue AP:
This is the maximum amount of time that an attack against a rogue AP
can last. If the length of client inactivity does not cause the attack to be suspended or if you do not manually stop the attack, the
SmartPath AP will stop it when this time limit elapses. The default duration is 14,400 seconds (4 hours), which means that a
SmartPath AP continues checking for clients of a detected rogue for up to four hours and mitigating them if it finds them.
Length of client inactivity needed to stop mitigation:
The SmartPath AP stops an attack when there are no more clients
associated with the mitigated rogue AP for this length of time. The default setting is 3600 seconds (1 hour). If the SmartPath AP
detects any associated clients before this length of time elapses, it launches a deauth flood attack and resets the counter to begin
the countdown again. If there are no more clients associated with the AP after this length of time elapses, the SmartPath AP
stops the mitigation process—even if there is still time remaining in the maximum time limit.
NOTE: The remaining parameter—max number of mitigator APs per rogue AP—only applies when using automatic and
semi-automatic modes.
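The following is an added example, not part of the original manual or the product's own code: a small timing model that shows which of the manual-mode timers ends a mitigation under the defaults stated above. The names MitigationTimers and mitigation_end are hypothetical, and the model assumes that the inactivity countdown cannot begin before the consecutive mitigation periods have elapsed.

```python
from dataclasses import dataclass


@dataclass
class MitigationTimers:
    # Defaults are the values stated on this page (seconds, except the count).
    period_s: int = 1
    consecutive_periods: int = 60
    max_time_s: int = 14400
    inactivity_s: int = 3600


def mitigation_end(timers, client_seen_at):
    """Return (stop_time_s, reason) for a mitigation started at t=0.

    client_seen_at: seconds after start at which a client of the rogue AP
    was detected. Assumption: the inactivity countdown cannot begin before
    period_s * consecutive_periods has elapsed.
    """
    anchor = timers.period_s * timers.consecutive_periods
    for t in sorted(client_seen_at):
        if t >= timers.max_time_s or t >= anchor + timers.inactivity_s:
            break  # mitigation had already ended before this sighting
        anchor = max(anchor, t)  # client seen: the countdown restarts
    idle_stop = anchor + timers.inactivity_s
    if idle_stop < timers.max_time_s:
        return idle_stop, "client inactivity"
    return timers.max_time_s, "max time limit"


if __name__ == "__main__":
    defaults = MitigationTimers()
    # Constructed scenarios, not measurements from a real deployment.
    scenarios = {
        "no clients ever seen": [],
        "client returns after 50 min": [3000],
        "client seen every 30 min": list(range(0, 14400, 1800)),
    }
    for name, sightings in scenarios.items():
        stop, reason = mitigation_end(defaults, sightings)
        print(f"{name}: stops at {stop} s ({reason})")
```

With the default values, a rogue AP whose clients keep reappearing is mitigated for the full four hours, so the max time limit is the setting that bounds how long a SmartPath AP radio stays committed to one rogue.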
In Manual mode, you must periodically check for rogue APs and their clients on the Monitor > Access Points > Rogue APs page. If
you find a rogue that you want to mitigate, select the check box in each row of a reporting SmartPath AP that you want to use to
perform the mitigation, and then click Mitigation > Start. When you think that the mitigation process has continued long
enough and you want to stop it, select the check box of each attacking SmartPath AP and then click Mitigation > Stop. With
manual mitigation, you manually control the entire mitigation process: which rogues to attack, which SmartPath APs to use in the attack,
when to start the attack, and when to stop it.
Automatic Mitigation
To configure SmartPath APs to mitigate rogue APs and their clients automatically, expand the Optional Settings section and select
Automatic. In this mode, SmartPath APs automatically start and stop the mitigation process without any administrator
involvement.
When you select Automatic, the following option appears: Automatically mitigate rogue APs only if they are connected to your
network. By default, this check box is selected. This ensures that SmartPath APs only attack rogue APs that are in their backhaul
network, not APs in external networks that happen to be within radio range.
NOTE: Be careful not to attack legitimate external APs. If there are neighboring wireless LANs within radio detection range, only
enable automatic mitigation of rogue APs detected in your own network.