Threats Detection by Juniper Mist
Rogue, Neighbor, Spoofs, and Honeypot APs
Besides the 2.4-GHz and 5-GHz radios, Juniper® Series of High-Performance Access Points (formerly known as Mist APs) also contain a third radio dedicated only to scanning. This radio is used for detecting rogue, spoofed, neighbor, and honeypot APs on both 2.4-GHz and 5-GHz radio bands. This means that regardless of the radios you have enabled on your AP (2.4-GHz or 5-GHz), it will still be able to detect unauthorized APs at any frequency using the scanning radio.
Honeypot APs are unauthorized APs advertising your service set identifier (SSID). A bad actor might try to spoof your login screen to capture your credentials. This is an obvious security risk that should be detected and mitigated. Detection of honeypot APs can prevent such threats to your network. This feature is enabled by default under Site Settings.
Juniper Access Points also scan for unknown APs, which are classified as neighbor APs. You can set a received signal strength indicator (RSSI) threshold as the criterion for detecting these neighbor APs in proximity of your WLAN.
Rogue APs are defined as any AP not claimed into your organization but detected as connected on the same wired network. Rogue APs share the same local area network, but are unknown to your organization.
The term "spoofs" is used to describe rogue wireless APs. In AP spoofing, the attacker assumes the basic service set identifier (BSSID) of a valid AP, but can choose any extended service set identifier (ESSID), regardless of whether it matches the corporate SSID of the WLAN. When an AP is detected using the same SSID and MAC address, the impacted MAC address of the AP is marked as Spoofs under the Type column. The rogue and neighbor AP detection features are disabled by default.
Rogue, Neighbor, Spoofs, and Honeypot APs—Configuration
Rogue and neighbor AP detection is disabled by default. To enable it, go to Organization > Site Configuration. Here, you can enter an RSSI threshold value at which APs will be detected as neighbors or rogues. The default RSSI is –80 dBm. You can set the RSSI threshold for rogue AP detection between –40 dBm and –100 dBm. Also, set a time threshold for neighbor AP detection to avoid being flooded with neighbor APs that only appear momentarily.
To prevent sanctioned APs from being identified as rogue or honeypot APs, add them to an allowlist with the specific SSID and BSSIDs of the detected APs in the Security Configuration box. Juniper Mist™ allows wildcards in the BSSID input field, such as ab-cd*, bcde*, and cd:ef:*.
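The configuration rules above (RSSI threshold, neighbor time threshold, SSID/BSSID allowlist with wildcards), sketched as an added Python example that is not Juniper Mist's code and not from the original page. The record fields, the rule order, the separator normalization for BSSID patterns, and all sample values are assumptions; spoof detection is left out.

```python
import re
from fnmatch import fnmatchcase

def norm(mac):
    """Lower-case a BSSID or pattern and drop ':' and '-' (assumed normalization)."""
    return re.sub(r"[:-]", "", mac.lower())

def allowlisted(ap, allowlist):
    """allowlist holds (ssid, bssid_pattern) pairs; '*' is the wildcard."""
    return any(ap["ssid"] == ssid and fnmatchcase(norm(ap["bssid"]), norm(pat))
               for ssid, pat in allowlist)

def classify(ap, org_ssids, claimed, allowlist, rssi_min=-80, neighbor_min_s=0):
    """Return a label for one scan record. Rule order is an assumption."""
    if norm(ap["bssid"]) in {norm(b) for b in claimed}:
        return "own"          # telling a spoof from the real AP is out of scope here
    if allowlisted(ap, allowlist):
        return "allowlisted"  # sanctioned: never reported as rogue or honeypot
    if ap["ssid"] in org_ssids:
        return "honeypot"     # unauthorized AP advertising our SSID
    if ap["rssi"] < rssi_min:
        return "ignored"      # weaker than the RSSI threshold
    if ap["on_wired_lan"]:
        return "rogue"        # unclaimed AP on the same wired network
    # Time threshold: skip neighbors that only appear momentarily.
    return "neighbor" if ap["seen_s"] >= neighbor_min_s else "ignored"

# Constructed sample data: not from the page or from a real deployment.
ORG_SSIDS = {"Corp"}
CLAIMED = ["aa:bb:cc:00:00:01"]
ALLOWLIST = [("Lab", "ab-cd*"), ("Guest-Partner", "cd:ef:*")]
SCAN = [  # (ssid, bssid, rssi dBm, on_wired_lan, seconds seen)
    ("Corp", "AA-BB-CC-00-00-01", -50, True, 900),
    ("Corp", "de:ad:be:ef:00:01", -85, False, 30),
    ("Lab", "ab:cd:12:34:56:78", -60, True, 900),
    ("Printer", "12:34:56:78:9a:bc", -62, True, 900),
    ("CoffeeShop", "22:33:44:55:66:77", -70, False, 300),
    ("Passerby", "22:33:44:55:66:88", -70, False, 5),
    ("FarAway", "33:44:55:66:77:88", -92, False, 900),
]

def classify_scan(rssi_min=-80, neighbor_min_s=60):
    keys = ("ssid", "bssid", "rssi", "on_wired_lan", "seen_s")
    return [classify(dict(zip(keys, row)), ORG_SSIDS, CLAIMED, ALLOWLIST,
                     rssi_min, neighbor_min_s) for row in SCAN]

if __name__ == "__main__":
    for row, label in zip(SCAN, classify_scan()):
        print(f"{row[0]:<12} {row[1]:<18} {row[2]:>4} dBm  {label}")
```

Lowering `rssi_min` toward –100 dBm pulls distant APs such as the constructed "FarAway" entry into the neighbor list, which is the flooding effect the time threshold is meant to limit.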
Rogue Clients
Clients connected to any of the rogue APs are defined as rogue clients. To view the detected rogue APs, navigate to Site > Security and select the Rogue APs tab. Click any of the SSIDs to see a list of rogue clients connected.