On Sat, Oct 4, 2014 at 2:47 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Chris Marget" <chris@marget.com>
You [I] said:
It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same
ESSID).
I'm curious to hear how you'd rationalize containing a copycat AP under the current rules.
<snip>
The "need to manage our RF space" arguments ring hollow to me. I certainly understand why someone would *want* to manage the spectrum, but that's just not anyone's privilege when using ISM bands. If the need is great enough, get some licensed spectrum and manage that.
I wasn't making that argument.
Yes, sorry. I presented two arguments. Only the one about copycat SSIDs is yours.
I was making the "if someone tries to pretend to be part of my network, so that my users will inadvertantly attach to them and possibly leak 'classified' data, *then that rogue user is making a 1030 attack on my network*.
A copycat AP is unquestionably hostile, and likely interfering with users, but I'm unconvinced that the hostility triggers a privilege to attack it under part 15 rules. In addition to not being allowed to interfere, we also have:
You're not attacking it, per se; you are defensively disconnecting from it *users who are part of your own network*; these are endpoints *you are administratively allowed to exert control over*, from my viewpoint.
Okay, so we're not talking about wholesale containment of the copycat AP, but rather management of our own client devices which, by definition, we can't interfere with. Because they're ours. That approach sounds perfectly reasonable. I wonder, absent certificates, how one can be certain about the identity of the client, and if such a narrowly scoped containment mechanism is actually implemented by the various checkboxes available to enterprise wifi administrators.
I make a clear distinction (now that it's not 3am :-) between what Marriott is doing, and what enterprises doing rogue protection are doing, as noted above.
Is it clear exactly what "enterprises going rogue protection" are up to? I've asked several, gotten wildly different answers. Keeping "my clients" off "copycat APs" sounds reasonable. More aggressive action might not be. Thanks.