Bachelor Degree Project

Comparison of systems to detect rogue access points

Author: Alexander Lennartsson, Hilda Melander Supervisor: Ola Flygt Semester: VT 2019 Subject: Computer Science Abstract A hacker might use a rogue access point to gain access to a network, this poses a threat to the individuals connected to it. The hacker might have the potential to leak corporate data or steal private information. The detection of rogue access points is therefore of importance to prevent any damage to both businesses and individuals. Comparing different software that detects rogue access points increases the chance of someone finding a solution that suits their network. The different type of software that are compared are intrusion detection systems, wireless scanners and a Cisco wireless lan controller. The parameters that are being compared are; cost, compat- ibility, detection capability and implementation difficulty. In order to obtain results some of the parameters require testing. As there are three types of software, three experiment environments should be conducted. Our research indicates that already existing network equipment or the size of the network affects the results from the experiments. Keywords: Network Intrusion Detection, Rogue Access Points, Wireless Scanner, Wireless Lan Controller, Software Comparisons Contents

List of FiguresI

List of TablesII

1 Introduction1 1.1 Background...... 1 1.2 Related work...... 1 1.3 Problem formulation...... 2 1.4 Motivation...... 2 1.5 Objectives...... 3 1.6 Scope/Limitation...... 3 1.7 Target group...... 4 1.8 Outline...... 4

2 Method5 2.1 Scientific Approach...... 5 2.2 Reliability and Validity...... 5 2.3 Ethical considerations...... 5

3 Detection methods for rogue access points6 3.1 Intrusion Detection...... 6 3.1.1 Signature-based detection...... 6 3.1.2 Anomaly-based detection...... 6 3.2 Intrusion Prevention...... 7 3.3 Wireless Scanner...... 7 3.4 Detection Approaches of Rogue access points...... 7 3.5 The Software Packages...... 7

4 The Parameters9 4.1 Parameter Motivation...... 9

5 Implementation 10 5.1 IDS Experiment environment...... 10 5.1.1 Snort...... 11 5.1.2 Zeek(Bro)...... 11 5.1.3 Suricata...... 11 5.2 Wireless Scanner Experiment environment...... 11 5.2.1 Wireless Scanners software...... 12 5.3 WLC Experiment environment...... 12 5.3.1 Cisco WLC...... 13

6 Results 14 6.1 Implementation difficulty...... 14 6.2 Compatibility...... 15 6.3 Cost...... 15 6.4 Detection Capability...... 16 7 Analysis and Discussion 18 7.1 The Analyzed Concerns...... 18 7.2 Ways to detect rogue access points...... 18 7.3 Parameters used to compare...... 18 7.3.1 Implementation difficulty...... 18 7.3.2 Compatibility...... 19 7.3.3 Cost...... 19 7.3.4 Detection Capability...... 20 7.4 Solutions for Networks...... 20 7.4.1 Scenario one: Small sized network...... 20 7.4.2 Scenario two: Large sized network...... 20

8 Conclusion and Future work 22 8.1 Conclusion...... 22 8.2 Future work...... 22

References 24

A AppendixA A.1 Device summary...... A A.2 Software versions...... B A.3 Acronyms...... C List of Figures

5.1 IDS Topology...... 10 5.2 RSSI Topology...... 12 5.3 WLC Topology...... 13 1.4 Devices...... A

I List of Tables

1.1 Research questions...... 2 1.2 Objectives...... 3 6.3 Difficulty table...... 14 6.4 Compatibility table...... 15 6.5 Cost table...... 16 6.6 Detection table...... 17 1.7 Software versions...... B 1.8 Acronyms...... C

II 1 Introduction

The process and the mechanism of detecting rogue access points (RAP) differ between software packages [1]. By making a comparison of different software and their ability to find RAP’s, there is a chance of decreasing the harm that they pose. The harm of a RAP depends on what type of RAP it is. Some examples of the harm that a RAP can cause are theft of company data or eavesdropping on private conversations [2]. Knowing in which situations that certain software are more effective can increase the security of the network. The requirements on a network can change based on different variables. Examples of requirements can be; level of security, management, cost and existing network equipment or hardware specifications. As most networks have unique features it is necessary to find a suiting protection solution for each network. A compari- son between software is essential as RAP’s can bring harm to both the enterprise and the people associated with it [2].

1.1 Background Nowadays, many places offer Wi-Fi access, anything from the local coffee shop to work- places. One of the security concerns with Wi-Fi access being available almost everywhere is RAP’s. There are three types of RAP; (1) an unauthorized AP, (2) a phishing AP and (3) a compromised AP [3]. Many AP’s are not configured securely, and these are threats to the connecting network as it lowers the security of the overall network. The category (1) of a RAP is set up on a networks infrastructure without the approval of the network administrator [4]. The (2) can be when a device is configured to mimic an already existing AP to try and lure individuals into using the mimicked device. The hacker could monitor the data sent or received via the phishing AP, and it might result in stolen information and credentials. An AP is considered to be a RAP of (3) if there are unusual events that are caused by a hacker, virus, or another type of mechanism [5]. To prevent the attack which could cause an AP to become compromised, it might require additional software. One type of system that can detect the compromised AP’s is called intrusion detection system (IDS). IDS is a system that monitors the network and can detect attacks and other malicious activities. An IDS is not able to do any management control work, this means that when a IDS finds a problem it will forward a message to an administrator. [3]. Another type of software that can be used to detect RAP’s are wireless scanners. Wireless scanners measure the radio signals that an AP broadcasts. The power of the signal is measured using the devices received signal strength indicator (RSSI). The higher the RSSI value is the closer the wireless scanner device is to the AP [6].

1.2 Related work There are significant amount of subsequent studies that are relevant to the research. As our research investigates multiple types of software, some studies are relevant to certain software packages such as [7] and [8]. Both of these studies describes Snort and its func- tions as an IDS. They give suggestions for how to make Snort able to act as an intrusion detection prevention system (IPS) to prevent attacks. In [8] the focus is on creating a framework that uses RSSI to prevent the RAP’s more efficiently. This means that the study mentions the security concerns of the RAP’s. The framework is said to be able to detect both phishing AP and unauthorized AP’s. While in [7] the main focus is on

1 Snort combined with firewall commands. Neither of the proposed suggestions are rele- vant to the thesis research as the thesis focuses on Snort as an IDS. However, in the thesis comparison there are wireless scanners which uses RSSI to detect RAP’s. Other studies that are relevant to the research are [9] and [1]. In these studies the detection of the RAP is mentioned. However, [9] focuses more on how an IDS should be designed for the detection of the RAP. While in [1] the focus is on the different methods that can be used in the detection of the RAP.

1.3 Problem formulation RAP can pose a threat to the networks in the area, depending on what type of RAP it is. If the RAP is set up by a hacker, it could cause harm by leakage of data from an enterprise or by intercepting private conversations [5]. The harm that can be caused by a RAP is the reason why it is important to investigate how different software detects the RAP’s. As most networks have unique features, not every software might be suitable for each network [citera?]. By comparing software solutions, the chance that someone finds the correct software for their network increases, hence protects them against RAP’s. In order to find software solutions to suit a wide range of networks, various parameters needed to be compared. The chosen parameters had to take into consideration that the requirements on a home and corporate network are different. There are many things that needs to be taken into consideration for example an enter- prise might be able to afford more expensive equipment than a household. There might be hardware or software constraints or time limitations. The parameters in the comparison needs to have a motivation for why it is important to test them. The motivation is required to find software packages that suit multiple networks. The research questions found in Table 1.1 are created based on the problems.

RQ1 What different ways are there to detect rogue access points? RQ2 What parameters should be used in the comparison of the IDS, Wire- less Scanners and the Cisco WLC? RQ3 When is a software solution preferred in a home or corporate net- work?

Table 1.1: Research questions

1.4 Motivation Mobile devices are becoming more usual which increases the amount of places offering Wi-Fi access [10]. More places are offering Wi-Fi access, which brings security concerns such as RAP [11]. A RAP might be set up by an employee that wants better Wi-Fi range. If the employee has not configured the AP with the same security as the rest of the AP on the network, security would be lower on that AP [9]. If a hacker knows that this specific AP have lower security configurations, the hacker might take advantage of this. The AP could be used as a backdoor into the rest of the network and in this case the hacker could gather corporate data, or eavesdrop on private conversations [5]. Other places where the increase of Wi-Fi access might result in unwanted attention from hackers, are public places such as coffee shops. A hacker could set up a phishing AP in a public area and then wait until someone connects to it. In case someone connects to the AP, their network traffic can be monitored. The security concern is that all the conversations could be monitored and their credentials might be stolen [12].

2 Another reason why it is vital to be able to detect the RAP’s is that Internet of Things (IoT) is becoming more usual. Some IoT devices can be changed and implemented as RAP’s, and if a hacker has managed to change or brought in a fake device, it might result in leaked data [13]. The threat of a RAP is why it is imperative to have the right equipment and methods to detect them, preventing users from using the access points.

1.5 Objectives The objectives set for the research are guidelines to complete the research questions found in Table 1.1. They are chosen based on their importance in the process of making a comparison between the current markets options on software packages detection of RAP’s and if the solutions suit a home or corporate network.

O1 Implement environments for the experiments and conduct them. O2 Create a comparison between software packages and the results re- ceived from the experiments. O3 Continue to find more data from other sources to evaluate the results and to compare parameters not tested in the experiment.

Table 1.2: Objectives

O1 in Table 1.2 refers to the experiments that are conducted and required to make a comparison between products. To complete O1, it is required to know what parameters that have been tested, and have therefore started on RQ2 in Table 1.1. O2 is the guideline to fully complete RQ2 and have the results from the experiments, and all the data on the research question have finished. O3 describes the importance of finding data from multiple sources to verify the ob- tained results from the experiments and to compare parameters that are not possible to test only based on the conducted experiments. In O3, both RQ1 and RQ3 from Table 1.1 are answered as the information requires answers that can not be found entirely based on the experiments, but other sources are necessary.

1.6 Scope/Limitation The different IDS that are compared are Snort [14], Cisco Wireless Lan Controller (WLC) [15], Suricata [16], Zeek(Bro) [17]. In addition to these systems, there are experiments on wireless scanners such as Wifi Analyzer by Abdelrahman M. Sid [18], TamoGraph site survey [19], Xirrus WIfi inspector [20]. One of the limitations of the research is that, not every software packages have the ability to locate RAP’s. The IDS software packages are not able to verify the locations as they do not have this feature implemented. An AP sends out radio signals on the physical layer [21], and the IDS operates on higher layers [22]. As the IDS does not operate on the same layer they can not locate the AP using RSSI. Some of the software packages used in the comparisons are not open-source, which means that some of the data is confidential. That means that all the chosen parameters are not possible to compare with every single one of the solutions. Another limitation is that the cost parameter is approximate as it depends on where geographically the products are bought. The overall price might differ depending on what equipment that is currently used in the network. If a network have existing equipment

3 with compatibility constraints, a more expensive software that fits these constraints might be more suitable. As replacing the equipment might exceed the price of the software.

1.7 Target group The research aims to ease the process of deciding software protection solutions to detect RAP’s. This is done by presenting positives and negatives of different types of solutions. The targeted audience group for the thesis are IT professionals that are engaged in the security and network field. It is, however, beneficial for anyone that is planning on setting up a network as the research presents a security risk and solutions to avoid it.

1.8 Outline The structure of the report is in the following order. Section 2, describes the scientific methods used. Section 3, contains information on the methods used for the detection of rogue access points. Section 4, motivates the chosen parameters that are used in the comparison. Section 5, contains the implementation of the controlled experiment. Section 6, contains the results from Section 3, 4 and 5. In section 7, there is an analysis that discusses the provided results. Section 8 summarizes the research and discuss future work.

4 2 Method

This section contains a detailed overview of the scientific method used. It contains infor- mation of how the results was verified to know that they are reliable. There have been ethical considerations that had to be taken into consideration. The ethics of the research have been examined and discussed.

2.1 Scientific Approach The research addresses its approach from controlled experiments. There are three con- trolled experiment environments created as depending on the tested software, the equip- ment requirements for the experiment differs. The first experiment conducted is the ex- periment on the IDS software packages. When there are substantial data from the IDS experiment, the Wireless Scanner experiment starts, and the experiment is conducted sim- ilarly to the IDS experiment. The last type of software tested was the WLC, and it was created using a virtual Cisco WLC.

2.2 Reliability and Validity The experiments were limited due to the size of the experiment environments and its geographical area. If the same tests on a larger-scaled network with different equipment, the results might have been different. Interference from devices located outside of the test environment might have affected the results of the experiments. To achieve reliable results from the experiments, the results were compared with other researchers solutions, such as [23]. The parameters that other researchers have not con- ducted similarly were investigated thoroughly.

2.3 Ethical considerations By creating an experimental lab that is geographically close to other networks, the lab devices are competing for airtime on their channel. The AP’s from the lab environment is a type of RAP’s to the other network; however, the least mundane type [3]. Another thing that is required to take into consideration is that the lab contains AP’s, someone could try to enter the environment using the SSID of the AP. If they enter the network, their activity are logged and their traffic monitored. The prevention method used to avoid anyone entering the lab environment is to have a password before allowing access. Some of the software packages used in the experiments have the ability to view MAC and IP addresses of devices close to the lab environment. This type of information is not presented in the report, the only exception is the network address used for the topology.

5 3 Detection methods for rogue access points

This chapter contains information on methods used to detect RAPs. There are multi- ple solutions presented such as intrusion detection systems, intrusion prevention systems and wireless scanners. The different approaches on how to detect RAP’s are described. The last part of the section categorizes the software packages, based on their method of detecting RAP’s.

3.1 Intrusion Detection IDS have the ability to monitor and analyze network traffic. The system searches for malicious or suspicious activity on the network [24]. There are multiple types of IDS, but the main one that this research focuses on, is the network-based intrusion detection systems (NIDS). NIDS can be either software or hardware-based systems depending on the manufacturer. A NIDS analyzes network traffic to find malicious activity, this is done by inspecting incoming packets [25]. There are techniques that allow the NIDS to search all incoming packets on a network. One of these techniques are port-mirroring, this is a switching ability which means that it requires the network to have a switch. The switch replicates all packets that are sent on the network and directs them towards the interface of the NIDS. There are other techniques to supply the IDS with the networks traffic such as network test access point and switched port analyzer [26]. Every IDS does not function in the exact same manner, but the two main types are signature-based detection and anomaly-based detection [24].

3.1.1 Signature-based detection The technique, pattern-matching, is an essential factor in the signature-based detection function of an IDS. The signature-based IDS analyze the network traffic with already known attack patterns that are stored in a database full of signatures. If there is a match between the traffic and a known attack, an alarm is sent to the administrator [27]. The events generated when a match is found can be used to communicate what the matched pattern was; this enables the possibility to let the administrator know what has caused the alert [28]. The development of a rule in a signature-based IDS requires the identification of the wanted network behaviour and then depending on the used IDS, the structuring of the rule differs. The signature engine detects the known attacks stored in the database. That the signature engine finds the attack patterns in a database means that if there is no rule for an attack, the IDS can not alert the administrator [28].

3.1.2 Anomaly-based detection An anomaly-based IDS compares the network traffic against a statistical model [27]. If the network traffic deviates from the model, there is an alert sent to the administrator warning for suspicious activity. The model contains what is considered the normal traffic for the network and it respects the ports, protocols, bandwidth as well as other devices on the network [28].

6 3.2 Intrusion Prevention The detection of a RAP in an IPS is similar to an IDS. The two mechanisms that the IDS have, signature-based detection and anomaly-based detection, are implemented in the IPS as well. The main difference between an IPS and an IDS is that the IPS can analyze and take automated actions instead of only notifying the administrator [29].

3.3 Wireless Scanner Access point broadcasts themselves and sends out information in waves, these waves are called beacon frames. The devices that search for the beacon frames are called RS Clients [30]. The RS Clients in combination with software packages for example wireless scanners, can detect and locate an AP based on the data of its beacon frame. The wireless scanners use the RSSI value to measure the power of the signal that the AP broadcasts. If the RSSI has a high value, the device is close to the AP [6]. Some wireless scanners can create a map locating all the nearby devices that are broadcasting themselves. A scenario of how a wireless scanner works; It starts with scanning the nearby area for beacon frames. After the software has collected the beacon frames, a map is created with all the devices that were found during the scan. From this map, the user can locate trusted or not trusted devices such as RAP. It might be necessary to know the addresses of the networks trusted devices depending on what wireless scanner software that is used. All software packages do not have the ability to distinguish between trusted and not trusted devices [6].

3.4 Detection Approaches of Rogue access points According to [1] there are three approaches to detecting RAP’s; server-side, client-side and hybrid. The server-side approach is when it is the AP or server that contains the software required to detect the RAP. The client-side approach is when a client device such as a laptop or mobile phone contains applications to prevent itself from connecting to a RAP. One technique to make a client-side approached application is to verify the round trip time, to check for the amount of hops required when connection to an AP. The hybrid approach is a combination of the server and client-side approach, in which the server and the client are actively trying to prevent the RAP [1].

3.5 The Software Packages The software packages in the experiment that are an IDS are; Snort [14], Suricata [16], Zeek(Bro) [17] and Cisco WLC [15]. The IDS that are tested do not use the same detection methods. Snort uses a rule-based detection where it is required to configure the rule in a set manner. It is a signature-based detection IDS, however, there are frameworks on the market that allows Snort to identify anomalies [31]. Suricata, like Snort, is a rule-based IDS, it is even compatible with Snorts rules. Suri- cata have the ability to detect anomalies in the protocols. This means that Suricata adapts traits for both signature and anomaly based detection [32]. The manufacturer of Zeek highlights that the software is more of an anomaly-based detection IDS than that of a signature-based. It has the ability to perform signature-based but also contains a variety of different approaches that are anomaly-based [33]

7 The Cisco WLC have a signature-based detection approach [34]. Based on the event reporting from the access points, the WLC can find certain anomalies [35]. The wireless scanners that are used in the experiment are; Wifi Analyzer [18], Tamo- Graph site survey [19], Xirrus WIfi inspector [20]. These software packages are using the same approach to detect RAP’s. The approach they are using is to locate the RAP based on the devices RSSI and the AP’s beacon frames [6].

8 4 The Parameters

This section contains the motivation behind the chosen parameters. The parameters that are described in the chapter are implementation difficulty, compatibility, cost and detec- tion capability.

4.1 Parameter Motivation The gathered results from the experiment were listed in four parameters: (1) implementa- tion difficulty, (2) compatibility, (3) cost and (4) detection capability. The first parameter (1) describes the implementation process of the software packages. The parameter is important because of the limitations in time or resources. For example, a rule-based IDS requires the user to have knowledge of network behaviour. When imple- menting this type of IDS the time that it takes to understand the network behaviour and transfer the knowledge into a rule might exceed the time or resource limitation. The (2) parameter contains information about the compatibility concerns of the soft- ware packages. This is important if there are already existing equipment in the network as there could be hardware or software constraints. An example is if a device has a certain operating system that is not compatible with all the software packages, it means that all the solutions would not work on the device. If a software package is bought that is not compatible with the device it loses its value for the network as it can not be used. The parameter (3) is a variable to take into account when installing software packages, if there are any budget limitations. Based on the size of a network the cost might not be feasible. A start-up company might not be able to afford as expensive solutions due to the lack of funding. In cases where the budget is limited cheaper software solutions might be preferred. The last parameter (4) describes the detection methods, that are used in the detection of RAP’s. The parameter contains information about of how the detection of the software packages are done, whether the process is automated or manual. In a network with sensi- tive data a RAP is required to be found as quickly as possible, which is why the detection capability is important.

9 5 Implementation

The experiments are conducted using three lab environments, one for the IDS’s, one for the Wireless Scanner and another one for the Cisco WLC. The IDS are described in the first subsection, the second subsection explains the implementation of wireless scanners and the third subsection is of the Cisco WLC.

5.1 IDS Experiment environment The topology that was used for the IDS experiment can be found in Figure 5.1 and the set up consisted of 2 Asus EA-N66 AP’s. One of the Asus AP’s was implemented as an unauthorized RAP while the other one was operating as a trusted AP. There were 3 lap- tops, the laptops can be found in Appendix A.1, Laptop 1 was acting as a Dynamic Host Configuration Protocol (DHCP) server for the network. Laptop 2, had Zeek(Bro) imple- mented while Laptop 3 was used for Snort and Suricata. To connect all the devices there was a Dell Switch of model N1548P. The switch was configured to have port mirroring setup on the interface connected to the IDS device. Port mirroring allows one interface to read all data being sent on the network.

Figure 5.1: IDS Topology

10 5.1.1 Snort The tests conducted on Snort were using Laptop 3 from Appendix A.1.The Snort version used was snort 2.9.12. To be able to run Snort, it is required to install DAQ, the ver- sion of DAQ was 2.0.6 [36]. When the DAQ dependencies and Snort were installed, the configuration file required editing. In the configuration file, all the paths were changed from "/" to “ as the lab device is operating on a Windows OS instead of Unix. After the paths were changed, the network addresses were added to the variable “home_net”. Snort have the ability to whitelist and blacklist IP addresses. In the whitelist file, the devices that were going to be authorized were added [37]. In the file local.rules, the implemented rule was to send alerts to the administrator, when a device that is not on the whitelist appears on the network. The command that was added was: "alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" [37].

5.1.2 Zeek(Bro) Zeek(Bro) was operated on Laptop 2, from Appendix A.1. The version of the software used in the experiment was Zeek(Bro) 2.6.1. In the configurations, there was a node added for monitoring the network. After the monitoring node was added to the configuration file, the network address for the experiment was added.

5.1.3 Suricata The version of Suricata that the tests were run on was version 4.1.3. It was installed on Laptop 3 that can be found in Appendix A.1. The changes that were made in the configuration file was the variable HOME_Net that was changed to be the network range ( 10.0.0.0 /24). The variable !$HOME_NET points towards the external network [38].

5.2 Wireless Scanner Experiment environment The Wireless Scanner experiments was conducted at the same geographical area as the IDS environment. Depending on which one of the wireless scanner software packages that was tested, the devices required differed. It means that the topology for the wireless scanner experiments that is found in 5.2 differ slightly depending on which one of the software packages that were tested. The experiment for TamoGraph site survey version 5.0 Build 227, and Xirrus Wi-Fi Inspector version 2.0 were both installed on Laptop 3 in Appendix A.1. The Laptop was not connected to the IDS network, as the software packages are not necessarily in a wired environment [8]. The Wifi Analyzer was the only software that was installed on a smart phone device, a Samsung Galaxy A3. The Wifi Analyzer software scans the wireless network for beacon frames.

11 Figure 5.2: RSSI Topology

5.2.1 Wireless Scanners software The wireless scanners required no additional configurations once the software packages were installed.

5.3 WLC Experiment environment The setup for the experiment with the Cisco WLC consisted of 2 AP’s of the model AIR- LAP1142N-E-K9. One of the Air AP’s was operating as an unauthorized RAP, and the second one was operating as a trusted AP. There were two laptops, the laptops can be found in Appendix A.1. Laptop 1 was acting as a DHCP server, and Laptop 3, from the Appendix had VMware Workstation Pro installed on it. In VMware Workstation Pro, the virtual WLC AIR_CTVM-K9_8_3_143_0. was imported. A Dell switch of the model N1548P, was configured to allow the devices to communicate. The topology of the WLC experiment can be seen in Figure 5.3

12 Figure 5.3: WLC Topology

5.3.1 Cisco WLC The virtual Cisco WLC, version AIR_CTVM-K9_8_3_143_0 was imported into VMware Workstation Pro on Laptop 3 from Appendix A.1. After setting up the environment the Air AP’s sent discovery messages to the WLC that then detects the AP’s [39].

13 6 Results

This section contains the results from the controlled experiments. The tested parameters have their own subsections in which the results of the software packages are presented. The first subsection presents the results of the implementation difficulty parameter. The second subsection is about the software packages compatibilities and if there is specific equipment required. In the third subsection, the cost of the various software packages are presented and last the detection compatibility is described.

6.1 Implementation difficulty The implementation difficulties have been split into four categories Total Time, User Friendliness, Extra Configurations and Active Community. The products have then been organized into the categories seen in Table 6.3.

Extra Active User Product Total Time Configurations Community Friendliness Snort 7 hours Yes Yes 3 Zeek(Bro) 11 hours Yes Yes 2 Suricata - Yes Yes 1 Cisco Wireless - Yes Yes 4 Lan Controller Wifi Analyzer 15min No No 5 TamoGraph 15min No No 5 site survey Xirrus Wifi 15min No No 5 Inspector Table 6.3: Difficulty table

The Total Time parameter includes the time that it took to install the software, under- stand it and configure it for the purpose of finding RAP. The two products that have ’-’ as a result of Total Time have not been set up or configured in a working manner during the experiment. Another parameter tested was if the products require any Extra Configurations after installation. If the product required additional configurations, the value in Table 6.3 was set as ’Yes’ otherwise, it was set as ’No’. The Active Community values in the Table are the same as the Extra Configurations, the values ’Yes’ and ’No’. If the product had an active community, the value in Table 6.3 was set to ’Yes’. The definition used for the active community is, that there are updates on forums and other channels concerning the product. User Friendliness contains a scale where a product is rated between 1-5, 1 is the lowest score, and 5 is the highest. For a product to be assigned the value 5 it is required to have; short installation time, no configurations needed to use the software, a graphical user interface (GUI), and information on how to detect RAP using the software. For a product to achieve a score of 4; it has a GUI, minimal configurations to set up, and information on how to set up RAP detection on the community forums. If the product has the value of 3 it has; a helpful community where the configurations to set up the RAP can be found.

14 In order for software to receive a score of 2 it means that they have; information on the community on how to set up a RAP. However, the necessary configurations take an extended time to configure and understand. A product that obtained the value 1 indicates that; the product has no GUI, informa- tion of the configurations were not readily available, there were issues concerning the installation and configurations.

6.2 Compatibility The compatibility results shown in Table 6.4 contains information of what operating sys- tem (OS) the products can be used on.

Product OS Fedora, Centos, FreeBSD, Snort Windows* Linux, FreeBSD, and Mac OS X. Zeek(Bro) Other Unix platforms may work as well but are not regularly tested. Cisco Wireless Lan Controller Cisco IOS Linux, Mac, FreeBSD, UNIX, Suricata Windows* Wifi Analyzer Android TamoGraph site survey Windows*, Mac Xirrus Wifi Inspector Windows*, Mac

*multiple versions available

Table 6.4: Compatibility table

Table 6.4 contains the OS’s that the products support. Some of the products support multiple version of the OS. Cisco WLC is the only tested product that have hardware manufacturer restrictions. The Cisco WLC is limited to a specific type of manufacturer, Cisco.

6.3 Cost The cost results in Table 6.5 contains four different categories subscription/standard, busi- ness subscription/pro, available for free and extra features. The currency that is used in the Table is USD and the date that the results were obtained was on the 17th of May, 2019.

15 Private Business Available Extra Product Subscription/ Subscription/ Pro for free features Standard Snort 29$ per ruleset 399$ per sensor Yes Yes Zeek(Bro) - - Yes Yes Suricata - - Yes Yes Cisco Wireless 150$ and more - No No Lan Controller Wifi Analyzer - 2.99$ for pro Yes No TamoGraph site Yes (Trial 918$ for standard 1130$ for pro ? survey only) Xirrus Wifi Yes (Trial - - Yes Inspector only) Table 6.5: Cost table

The Private Subscription/Standard in Table 6.5 contains the prices that the product can be found for with private usage purposes. The values that can be found varies between each product and the products that have ’-’ as their set value does not offer the service. Cisco WLC does not have an exact price because it requires specific hardware and the cheapest WLC found was selling for 150 dollars [40]. The Business Subscription/Pro includes the prices for enterprise usage of the products. Included in this parameter, is when a product is possible to buy and then update from a standard to a pro version. The parameter Available for free, includes when the product can be installed and used for free. If a product has a trial version, this is shown as a value in this column. The possible values in the Available for free column varies between a ’No’, ’Yes’ and ’Yes (Trial only)’. The Extra Features parameter describes whether a product has third party software packages. The third party software can be added to the product to improve or increase the usability. The values found in the Extra feature column in Table 6.5 are either ’Yes’ or ’No’.

6.4 Detection Capability The results of the detection capability have been split into three categories detection method, prevention method and difficulty finding RAP. These categories can be found in Table 6.6.

16 Action when Difficulty finding Product Detection method detected RAP Alerts / Snort Automated 2 Notifications Alerts / Zeek(Bro) Automated 2 Notifications Alerts / Suricata Automated 2 Notifications Cisco Wireless Lan Alerts / Automated 1 Controller Notifications Wifi Analyzer Manual None 3 TamoGraph site Manual None 3 survey Xirrus Wifi Manual None 3 Inspector Table 6.6: Detection table

The Detection Methods are set as either automated or manual, and the result of each product can be found in Table 6.6. If the value is set as ’Automated’, it means that the software searches for the RAP via an automated process. The automated process is when the software is configured to detect the RAP. After the software is configured, it does not require additional human interaction to detect them. The manual method requires a person to actively search for the RAP based on the MAC address and service set identifier. The action when detected is the second category in Table 6.6 and contains information about what happens when a product notices a RAP. Multiple products have the value ’None’ set in the Table. None means that the software does not take any action when the RAP is detected. The other products are assigned the value ’Alerts / Notifications’. If a product that has the value ‘Alerts / Notifications’ detects a RAP, it sends either alerts or notifications to the administrator. The last category is a scale from 1-3, where 1 is the highest and 3 is the lowest. The category determines the difficulties of finding a RAP using the software. The value 1 is assigned if the software provides information of precisely what device that is the RAP. The value 2 is obtained when the product notifies if there is a RAP in the network but does not specify what device. The products with a value of 3 does not provide any information on whether there is a RAP in the network or where the device is located.

17 7 Analysis and Discussion

The research questions found in Table 1.1 are in this section analyzed and discussed. The research questions are answered based on the results from Section3,4 and6.

7.1 The Analyzed Concerns The thesis addresses the security concerns that RAP brings for networks. It analyzes dif- ferent types of software packages and compares them with each other. Depending on the size of a network the concern for RAP differs. By comparing the parameters of imple- mentation difficulty, compatibility, cost and detection capability the software packages can be evaluated to suited networks.

7.2 Ways to detect rogue access points The detection of RAP can be done using different types of software packages and these are wireless scanners, IDS and IPS. The wireless scanners use the beacon frames that an AP broadcasts to detect the device. Based on the beacon frames and its strength, the user can locate the RAP and verify where in the geographical area that the device is located. An IDS have two primary mechanisms to detect RAP’s signature-based detection and anomaly-based detection. The signature-based detection searches for patterns in the net- work traffic. The patterns are stored in a database and when a match in the network traffic is found an alert or notification is sent to the administrator. While in the anomaly-based detection the network traffic is compared to a model. The model contains the regular traf- fic, and if the current network traffic diverts from the model it is considered suspicious activity. In both the detection methods the administrator of the network is required to set up rules or construct the model to be able to find the RAP. An IPS works similarly to an IDS, however it has an additional ability when a RAP is found which is to try and eliminate the threat.

7.3 Parameters used to compare The parameters were chosen in order to try and suit a variety of network sizes. The parameters were performed in a geographically limited area, and they needed to be able to be used in the majority of the systems. The experiment parameters are; implementation difficulty, compatibility, cost and detection capability. These were chosen as they vary depending on the software package but they always exist in a network, no matter the size. The cost for example, is something that is always important if there is any type of budget. The implementation difficulty is important if there are time constraints. The compatibility matters since not every software package can operate on every OS. The detection capability was chosen as the detection methods of RAP was different depending on what software package that was used.

7.3.1 Implementation difficulty The results from the implementation difficulty experiment indicates that the IDS soft- ware packages required more time to implement and configure than the wireless scanners. All the IDS software packages required extra configurations for the purpose of detecting RAP’s. The wireless scanners do not require extra configurations to detect RAP. The

18 wireless scanners are able to run straight after the installation which increased the user- friendliness parameter for these software packages. The Table 6.3 highlights that all the wireless scanners gained a perfect score at user- friendliness. The Cisco WLC received a high score and majority of the IDS software packages got a low score. The low score, that the IDS products received, is based on the lack of RAP detection configuration documentation. It is required of the administrator to know how to detect RAP in the network traffic, as there are almost no guidelines on the IDS’s communities of this sort. The time needed for implementation varies between the majority of the products. The wireless scanners works directly after installation while all the IDS software packages required extra configurations. The reason why Cisco WLC and Suricata does not have an implementation time due to them not being entirely completed. The WLC experiment was almost finished, the part that was not completed was, that the firmware of the AP’s was unobtainable at the time of the experiment. This means that the discovery message was not sent towards the WLC. This resulted in the WLC not being able to find the AP’s. The Active Community results indicate that all of the IDS software packages and the WLC have an active community. This is something that the wireless scanners lack. However, even with an active community, the IDS software packages require the user to find the correct documentation and instructions to set up the software for the wanted purpose. To find any document on the community websites that concern the topic of RAP and how to configure the IDS to detect them requires the user to search for it actively.

7.3.2 Compatibility When it comes to compatibility concerns, it was only Cisco that required hardware prod- ucts from a specific manufacturer(Cisco). All other IDS and wireless scanners are not restricted to a specific hardware manufacturer and could be run with a variety of differ- ent hardware. However, the compatibility results in Table 6.4 shows that it is important to select the right OS. Zeek is for example only available on Unix platforms, and the configuration files of Snort are configured with Linux file system prefix. Wifi Analyzer is only compatible with smartphones and smart tablets running Android. According to the compatibility table the wireless scanners are compatible with conventional OS sys- tems (Windows, Mac). The IDS software packages can operate on the conventional OS systems as well as some Unix systems.

7.3.3 Cost The cost of the products can be seen in the Section 6.3, and it varies depending on what type of subscription that is wanted. Most of the products are available for free; however, some only offer Trial versions such as Xirrus Wifi Inspector and TamoGraph Site Survey. Another option that is not available for free is the Cisco WLC, as it requires Cisco’s equipment to be run, which has been discussed in section 7.3.2. This means that the price varies on the Cisco WLC as the equipment price is necessary to consider before getting an estimated cost. If a company already have equipment that is compatible with the Cisco WLC, the overall price might be lower with this option. Products like Snort and TamoGraph site survey have both Standard and Pro subscrip- tions. In Snort the feature that are purchased for the Standard subscription are extra rule- sets while in the Pro version it is sensors. The extra features that some of the products have makes the price vary. Some of the third party software that can be found in some of the products increase the overall costs.

19 Which means that giving a set price of each product is difficult as it depends on what features the user or company wants. In some scenarios, what might seem like the more expensive option might end up cheaper for that specific network.

7.3.4 Detection Capability The results that were acquired from the experiments detection capability can be found in Table 6.6. According to the table, the IDS and Cisco WLC have an automated detection method. The automated detection method means that the detection is done through an- alyzing the traffic of the network. When the traffic is analyzed and a RAP is identified, there is an alert or notification sent to notify the administrator about it. The products that have been assigned the manual detection method are the wireless scanners. The wireless scanners requires a human to actively search for the RAP’s in order to detect them. To find the RAP’s it is required to know the trusted networks devices MAC addresses, and then based on these find the untrusted devices. The active search consists of a human that uses the software and identifies the RAP by having knowledge of his network. The time that it takes to find the RAP with a manual detection is based on the human error, as it requires verifying the device without any additional help from the software. If the human is asleep, there are several hours before the manual search is ongoing, and the risk of a hacker gaining important data increases. The scale in difficulty of finding RAP indicate, that the wireless scanners take more time in the detection of RAP’s, than the IDS and the WLC. If the administrator gets an alert that notifies him about the activity on the network, the administrator can find the cause faster. If the administrator get the alerts through the automated detection method, they have a higher chance to stop the potential threat faster than if he would be using a manual process.

7.4 Solutions for Networks Requirements on a network are dependent on the size of the network. There are con- cerns such as budget limitations and security standards that are required to be taken into consideration.

7.4.1 Scenario one: Small sized network Viewing the results from a small sized networks perspective, it is important to find a soft- ware solution that has simpler implementation and is affordable. A household would nor- mally have a stricter budget than an enterprise, as the overall income is lower. As there are constraints on the budget a software solution that is dependant on specific hardware man- ufacturers or subscriptions might exceed the budget. A smaller network is operated by one or a few individuals, therefore a software that can be installed without much knowledge in the field is preferred. Suggestion: For a smaller sized network, a wireless scanner software is suitable as most of them are free to download and straightforward to install.

7.4.2 Scenario two: Large sized network A larger sized network such as an enterprise networks have different requirements set on the network. The enterprise perspective typically has a higher budget and might already

20 have existing equipment in the network that should be taken into consideration. An enter- prise network requires a higher security standard, if the company has sensitive data on the network. As the security standard is higher, a software package with an automated detec- tion method could be useful. The administrator is notified via an alert or notification as soon as the software notices a threat, minimizing the risk of any intruders on the network. Suggestion: For a larger sized network, an IDS or WLC is suitable since it features automated detection methods.

21 8 Conclusion and Future work

This section summarizes the conclusions and discusses the possibilities for future works.

8.1 Conclusion The thesis project explores and compares software packages and their ability to detect RAP’s. At the start of the project, the original aim was to explore how IDS detect RAP, but as the project went on the aim shifted to involve wireless scanners and a WLC. The primary purpose of the changed aim was to include other relevant software packages to be able to make a more accurate and more precise comparison. The change of the outlook enabled a more extensive variety of results, it gave software solutions for both small and large networks. The methods to detect a RAP are to use a software that can monitor the network layer such as an IDS or IPS or a wireless scanner. An IDS/IPS uses either a signature-based detection or anomaly-based detection. While wireless scanners uses the radio signals that the AP broadcasts to detect RAP’s. These operate on different layers and have entirely different techniques to find the RAP’s. The costs of the products are not based on whether it is an IDS or wireless scanner. The conclusion of the cost is that it always differs based on what the customer requires and if they want any extra features. In the compatibility of the products there is one that stood out, and it was the Cisco WLC. Cisco products have restraints on them when it comes to the hardware specifica- tions of the equipment. If the network already contains multiple of Cisco’s equipment, it might end up a cheaper option to buy a WLC. The detection capability of the software packages proves that the IDS and WLC noti- fies the administrator about the detection of a RAP. While the wireless scanners requires a human to do a manual search to detect the RAP’s. It means that the IDS or WLC might be preferable solutions if the time it takes to remove the RAP is of importance for the network. The conclusions for the IDS is that even though they have an active community it lacks documentation on how to implement RAP detection efficiently. Compared to the wireless scanners and the WLC that do not have this issue as they do not require extensive additional configurations. The results that are presented in the report are general, but the information provided is of help to the industry and society. It contains information for the computer science field and involves results that can help both an enterprise and individuals to gain more knowledge in the area. If the possibility occurred to make anything differently, the conducted experiments would be performed again to obtain more concrete results. Redoing the experiments additional times would increase the possibility of the WLC and Suricata experiment being fully completed.

8.2 Future work As the wireless scanners can view the location of the RAP by the strength of the radio signal that the AP’s broadcasts. It has the possibility to handle the RAP’s in a completely different manner than the IDS. If the IDS had a RSSI, it would be possible to store the trusted network, and if a beacon that is considered not trusted would appear, the threat could be both located and noticed promptly. The suggestion is to implement a framework

22 for an IDS to read the radio signals. An implementation could contain the ability to store the AP’s as trusted or not trusted. Another suggestion that could be done as future work is to implement a wireless scan- ner that can add the current network. By implementing this feature into a wireless scanner, it would quickly be possible to determine when there is a RAP in the area. A thing that can be analyzed further based on the thesis project is the Cisco WLC and Suricata implementation as they were not successful in the experiment. There could be more research on the additional configurations required to detect the RAP in the IDS as the documentation is lacking.

23 References

[1] S. Anmulwar, S. Srivastava, S. P. Mahajan, A. K. Gupta, and V. Kumar, “Rogue access point detection methods: A review,” in International Conference on Informa- tion Communication and Embedded Systems (ICICES2014), Feb 2014, pp. 1–6.

[2] Juniper.net. (2019) Understanding rogue access points - technical documenta- tion - support - juniper networks. https://www.juniper.net/documentation/en_US/ junos-space-apps/network-director3.0/topics/concept/wireless-rogue-ap.html. Last accessed 16 May 2019.

[3] L. Ma, A. Y. Teymorian, X. Cheng, and M. Song, “Rap: Protecting commodity wi-fi networks from rogue access points,” in The Fourth International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness & Workshops, ser. QSHINE ’07. New York, NY, USA: ACM, 2007, pp. 21:1–21:7. [Online]. Available: http://doi.acm.org.proxy.lnu.se/10.1145/1577222.1577252

[4] A. Piltzecker, Microsoft Vista for IT Security Professionals. Syngress, 2007, pp. 345-397.

[5] V. Shure. (2019) Phishing at the confluence of digital identity and wi-fi ac- cess. https://theruckusroom.ruckuswireless.com/wired-wireless/technologytrends/ phishing-at-the-confluence-of-digital-identity-and-wi-fi-access/. The Ruckus Room. Last accessed 17 May 2019.

[6] sensoro. (2015) Beacon signal performance, configura- tion and measurement. http://post.sensoro.com/2015/04/08/ beacon-signal-performance-configuration-and-measure/. Last accessed 16 May 2019.

[7] Hui Li and Dihua Liu, “Research on intelligent intrusion prevention system based on snort,” in 2010 International Conference on Computer, Mechatronics, Control and Electronic Engineering, vol. 1, Aug 2010, pp. 251–253.

[8] N. M. Ahmad, A. H. M. Amin, S. Kannan, M. F. Abdollah, and R. Yusof, “A rssi- based rogue access point detection framework for wi-fi hotspots,” in 2014 IEEE 2nd International Symposium on Telecommunication Technologies (ISTT), Nov 2014, pp. 104–109.

[9] Xiao qiang Peng, Cheng Zhang, and Dian gang Wang, “The intrusion detection system design in wlan based on rogue ap,” in 2010 2nd International Conference on Computer Engineering and Technology, vol. 3, April 2010, pp. V3–432–V3–436.

[10] Patrick Nelson. (2017) Smartphone users on wi-fi drive most website traffic. https://www.networkworld.com/article/3224909/ smartphone-users-on-wi-fi-drive-most-website-traffic.html. Network World. Last accessed 06 Jul 2019.

[11] Symantec Employee. (2019) The risks of public wi-fi. https://us.norton.com/ internetsecurity-privacy-risks-of-public-wi-fi.html. Us.norton.com. Last accessed 06 Jul 2019.

24 [12] Ryan Orsi. (2018) Understanding evil twin ap attacks and how to prevent them. https://www.darkreading.com/attacks-breaches/ understanding-evil-twin-ap-attacks-and-how-to-prevent-them-/a/d-id/1333240. Dark Reading. Last accessed 06 Jul 2019.

[13] S. Siboni, A. Shabtai, and Y. Elovici, “Leaking data from enterprise networks using a compromised smartwatch device,” in Proceedings of the 33rd Annual ACM Symposium on Applied Computing, ser. SAC ’18. New York, NY, USA: ACM, 2018, pp. 741–750. [Online]. Available: http: //doi.acm.org.proxy.lnu.se/10.1145/3167132.3167214

[14] Snort.org. (2019) Snort - network intrusion detection prevention system. https:// www.snort.org/. Last accessed 5 March 2019.

[15] Cisco. (2019) Cisco mobility services engine (up to release 8.0 soft- ware) datasheet. https://www.cisco.com/c/en/us/products/collateral/wireless/ mobility-services-engine/data_sheet_c78-475378.html. Last accessed 8 March 2019.

[16] Suricata. (2019) Suricata. https://suricata-ids.org/. Last accessed 15 March 2019.

[17] Zeek.org. (2019) The zeek network security monitor. https://www.zeek.org/. Last accessed 25 March 2019.

[18] A. M. Sid. (2019) Wifi analyzer premium for android – abdelrahman m. sid. http:// abdelrahmanmsid.com/blog/2018/08/27/wifi-analyzer-premium-for-android/. Last accessed 5 April 2019.

[19] Tamos.com. (2019) Wi-fi site survey software for 802.11 a/b/g/n/ac wlans - ta- mograph. https://www.tamos.com/products/wifi-site-survey. Last accessed 8 April 2019.

[20] Riverbed. (2019) Maximize your digital performance gain a competitive edge | riverbed. https://www.riverbed.com/. Last accessed 10 April 2019.

[21] K. Sjöberg, J. Kåredal, M. Moe, Ø. Kristiansen, R. Søråsen, E. Uhlemann, F. Tufves- son, K. Evensen, and E. Ström, “Measuring and using the rssi of ieee 802.11p,” 2010, 17th World Congress on Intelligent Transport Systems (ITS) ; Conference date: 25-10-2010 Through 29-10-2010.

[22] S. Zaman and F. Karray, “Tcp/ip model and intrusion detection systems,” in 2009 International Conference on Advanced Information Networking and Applications Workshops, May 2009, pp. 90–96.

[23] S. Ali Raza Shah and B. Issac, “Performance comparison of intrusion detection sys- tems and application of machine learning to snort system,” Future Generation Com- puter Systems, vol. 80, pp. 157–170, 03 2018.

[24] Margaret Rouse. (2015) Intrusion detection system (ids). https://searchsecurity. techtarget.com/definition/intrusion-detection-system. SearchSecurity. Last accessed 16 May 2019.

25 [25] Computer Hope. (2017) What is nids (network intrusion detection system)? https: //www.computerhope.com/jargon/n/nids.htm. Computerhope.com. Last accessed 06 Jul 2019.

[26] V. Osipov and I. Dubrawsky, Cisco security professional’s guide to secure intrusion detection systems. Syngress, 2003, pp. 25-27.

[27] R. D. Pietro, Intrusion detection systems. Springer, 2008, pp. 1-6.

[28] James Foster. (2005) Ids: Signature versus anomaly detection. https://searchsecurity. techtarget.com/tip/IDS-Signature-versus-anomaly-detection. SearchSecurity. Last accessed 16 May 2019.

[29] (2019) What is an intrusion prevention system? https://www.paloaltonetworks.com/ cyberpedia/what-is-an-intrusion-prevention-system-ips. Paloaltonetworks.com. Last accessed 18 May 2019.

[30] EnGenius Admin. (2019) What is rssi and its acceptable sig- nal strength? https://helpcenter.engeniustech.com/hc/en-us/articles/ 234761008-What-is-RSSI-and-its-acceptable-signal-strength-. Help Center | EnGenius. Last accessed 18 May 2019.

[31] M. Szmit, R. W˛ezyk,˙ M. Skowronski,´ and A. Szmit, “Traffic anomaly detection with snort,” 01 2007.

[32] (2019) Suricata, snort and zeek: 3 open source technologies for securing modern networks. https://bricata.com/blog/snort-suricata-bro-ids/. Bricata. Last accessed 06 Jul 2019.

[33] (2019) Introduction — zeek user manual v2.6.2. https://docs.zeek.org/en/stable/ intro/. Zeek.org. Last accessed 06 Jul 2019.

[34] (2007) Wireless lan controller ids signature parameters. https://www.cisco.com/c/ en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig. html. Cisco. Last accessed 06 Jul 2019.

[35] (2017) Cisco wireless controller configuration guide, release 8.3. https: //www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/ b_cg83_chapter_011011.htm. Cisco. Last accessed 06 Jul 2019.

[36] sdnfv. (2019) sdnfv/onvm-snort. https://github.com/sdnfv/onvm-snort/tree/master/ daq-2.0.6. Last accessed 3 May 2019.

[37] Snort. (2019) Readme.reputation. https://www.snort.org/faq/readme-reputation. Last accessed 4 May 2019.

[38] H. Jethva. (2019) Install and configure suricata ids on ubuntu-16.04. https://hostpresto.com/community/tutorials/ install-and-configure-suricata-ids-on-ubuntu-16-04. Last accessed 3 May 2019.

[39] Cisco. Lightweight ap (lap) registration to a wireless lan controller (wlc). https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/ 70333-lap-registration.html. Last accessed 10 May 2019.

26 [40] router-switch.com. (2019) Cisco wlan controller price. https://www.router-switch. com/Price-cisco-wireless-ap-cisco-wlan-controller_c60?dir=asc&order=price&p= 2. Last accessed 15 May 2019.

27 A Appendix

A.1 Device summary

Figure 1.4: Devices

A A.2 Software versions

Software Version Snort 2.9.12. Zeek(Bro) 2.6.1 Suricata 4.1.3 Cisco Wireless AIR CTVM K9 8 Lan Controller 3 143 0 Wifi Analyzer 1.8 TamoGraph site 5.0 Build 227 survey Xirrus Wifi 2.0 Inspector Table 1.7: Software versions

B A.3 Acronyms

Acronyms AP Access Point DHCP Dynamic Host Configuration Protocol GUI Graphical User Interface IDS Intrusion Detection System IoT Internet of Things IPS Intrusion Detection Prevention System NIDS Network Intrusion Detection System OS Operating System RAP Rogue Access Point RSSI Received Signal Strength Indicator WLC Wireless Lan Controller Table 1.8: Acronyms

C