EMAIL SUPPORT
dclessons@dclessons.comLOCATION
AFThreats Detection by Juniper Mist
Threats Detection by Juniper Mist
Rogue, Neighbor, Spoofs, and Honeypot APs
Besides the 2.4-GHz and 5-GHz radios, Juniper® Series of High-Performance Access Points (formerly known as Mist APs) also contain a third radio dedicated only to scanning. This radio is used for detecting rogue, spoofed, neighbor, and honeypot APs on both 2.4-GHz and 5-GHz radio bands. This means that regardless of the radios you have enabled on your AP (2.4-GHz or 5-GHz), it will still be able to detect unauthorized APs at any frequency using the scanning radio.
Honeypot APs are unauthorized APs advertising your service set identifier (SSID). A bad actor might try to spoof your login screen to capture your credentials. This is an obvious security risk that should be detected and mitigated. Detection of honeypot APs can prevent such threats to your network. This feature is enabled by default under Site Settings .
Juniper Access Points also scan for unknown APs that are classified as a neighbor AP. You can set an received signal strength indicator (RSSI) threshold as criteria for detecting these Neighbor APs in proximity of your WLAN.
Rogue APs are defined as any AP not claimed into your organization but detected as connected on the same wired network. Rogue APs share the same local area network, but are unknown to your organization.
The term "spoofs" is used to describe rogue wireless APs. The attacker in AP spoofing assumes the basic service set identifier (BSSID) of a valid AP, but they can choose any extended service set identifier (ESSID), regardless of whether it matches the corporate SSID of the WLAN network. When it detects using the same SSID and MAC address, the impacted MAC address of the AP is marked as Spoofs under the type column. The rogue and neighbor AP detection features are disabled by default.
Rogue, Neighbor, Spoofs, and Honeypot APs—Configuration
Rogue and neighbor AP detection is disabled by default. To enable it, go to Organization -> Site Configuration. Here, you can enter an RSSI threshold value at which APs will be detected as neighbors or rogues. The default RSSI is –80dBm. You might set the RSSI threshold for rogue AP detection between –40dBm to –100dBm. Also, set a time threshold for neighbor AP detection to avoid getting flooded with neighbor APs, which only appear momentarily.
To prevent sanctioned APs from being identified as a rogue or honeypot, add them to an allowlist with the specific SSID and BSSIDs of the detected APs in the Security Configuration box. Juniper MistTM allows using wildcards in the BSSID input field similar to ab-cd* , bcde*, and cd:ef:* .
Rogue Clients
Clients connected to any of the rogue APs are defined as rogue clients. To view the detected rogue APs, navigate to Site > Security and select the Rogue APs tab. Click any of the SSIDs to see a list of rogue clients connected.
Comment
TABLE OF CONTENTS
RECENT POSTS
- Advancing Your Career with Cisco Data Center Mastery: A Comprehensive Guide to Nexus Training
- Securing Networks in the Digital Age: Your Guide to Mastering Cisco Identity Services Engine (ISE)
- Becoming an AWS Solution Architect: Your Path to Cloud Expertise
- Navigating Your Journey to Docker Expertise: Master Docker with Comprehensive Training and Certification
- Transform Your Azure Networking Expertise Through AZ-700 Training
- Why Choose DClessons for Your SD-WAN Velocloud Training Needs
- Next-Level Networking: Unlocking Cisco ACI and DCACIA Potential with DClessons
- Mastering Data Center Technologies with DClessons: A Comprehensive Guide to Cisco CCIE Data Center Training
- Why Choose Cisco SD-WAN Solutions with DClessons?
- What is Docker and Why is It Important?
LEAVE A COMMENT
Please login here to comment.