Rogue AP: Any device that is transmitting/receiving Wi-Fi and is connected to a company’s wired distribution system without authorization, or any device that is owned by the company and is transmitting/receiving Wi-Fi without authorization.
PCI DSS 11.1 and 11.1.2 require that you do the following:
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
Disclaimer: This is my interpretation and process for the PCI DSS 11.1 and 11.1.2. Your results might be different, or you may have a different interpretation.
For a process that you can adopt, please review my article PCI DSS 11.1 and 11.1.2 – Rogue AP(s).
I was tasked with investigating a complaint of devices losing connection on one of the floors of the Heart Unit in a hospital. I went on site to do a validation, make optimizations, and re-validate. During the validation, I discovered a Rogue AP.
If your organization has Cisco Prime, you might see something similar to the following image.
Path = Prime -> Maps -> Wireless Maps -> Site Maps -> Site -> Floor
Tip: You have to activate the visualization for the Rogue AP(s).
In the Floor Settings make sure the Rogue AP(s) check box is selected.
You can drill down further into the detail for the Rogue AP in the Prime GUI. I prefer to look at the Wireless Controller CLI to get real time information.
Since we know the wireless MAC address is fc:3f:db:25:91:c5, we can use two commands in the CLI to gain further information.
grep include "fc:3f:db:25:91:c5" "show rogue ap unclassified summary"
show rogue ap detailed fc:3f:db:25:91:c5
As you can see, the Rogue AP was impacting APs on the 4th floor and all the way down to the 2nd floor. Any wireless device on channel 6 in the 2.4 GHz band that can demodulate the Rogue AP’s transmitted preambles would have to increment its NAV timer. This decreases the cell’s efficiency.
Another nice thing about these commands is that they show the time the device was last heard. This is useful if you deploy on-site techs to turn off the offending device: you can verify that it is actually off.
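As an added example (not code from the original post), here is a small Python parser for the detailed rogue output that pulls out the two things this investigation turned on: the reporting APs ordered by RSSI, so the on-site tech is sent to the right floor, and the last-reported time, so you can confirm the device is really off. The sample output is constructed, its field labels are approximated from AireOS from memory, and the AP names are made up.

```python
import re
from datetime import datetime, timedelta
# Constructed sample shaped like AireOS "show rogue ap detailed <mac>" output; labels approximated.
SAMPLE = """\
Rogue BSSID...................................... fc:3f:db:25:91:c5
Is Rogue on Wired Network........................ No
Last Time Rogue was Reported..................... Tue Mar 08 14:11:42 2016
Reported By
    AP 1
        Name..................................... AP-2F-CARD-01
        SSID..................................... HP-Print-C5-Officejet Pro 8620
        Channel.................................. 6
        RSSI..................................... -84 dBm
    AP 2
        Name..................................... AP-4F-CARD-01
        SSID..................................... HP-Print-C5-Officejet Pro 8620
        Channel.................................. 6
        RSSI..................................... -48 dBm
"""
FIELD = re.compile(r"^\s*(.+?)\.{2,}\s*(.*)$")   # "Label.......... value"
TIME_FMT = "%a %b %d %H:%M:%S %Y"                 # timestamp format in the sample above

def parse_rogue_detail(text):
    """Return BSSID, wired status, last-heard time and detecting APs (strongest RSSI first)."""
    info, aps = {}, []
    for line in text.splitlines():
        if re.match(r"^\s+AP \d+\s*$", line):      # start of one "Reported By" entry
            aps.append({})
            continue
        m = FIELD.match(line)
        if not m:
            continue                               # e.g. the bare "Reported By" header
        key, val = m.group(1).strip(), m.group(2).strip()
        (aps[-1] if aps else info)[key] = val
    for ap in aps:
        ap["RSSI"] = int(ap["RSSI"].split()[0])    # "-48 dBm" -> -48
        ap["Channel"] = int(ap["Channel"])
    aps.sort(key=lambda a: a["RSSI"], reverse=True)  # nearest AP first: where to send the tech
    return {
        "bssid": info["Rogue BSSID"],
        "on_wire": info["Is Rogue on Wired Network"] == "Yes",
        "last_heard": datetime.strptime(info["Last Time Rogue was Reported"], TIME_FMT),
        "ssid": aps[0]["SSID"] if aps else None,
        "channel": aps[0]["Channel"] if aps else None,
        "detecting_aps": aps,
    }

def still_active(detail, controller_now, window=timedelta(minutes=15)):
    """True if the rogue was reported within `window` of the controller clock (same text format)."""
    return datetime.strptime(controller_now, TIME_FMT) - detail["last_heard"] <= window
```

Paste the real `show rogue ap detailed` output in place of SAMPLE and pass the controller's current time to still_active after the tech reports the device disabled; a rogue still heard inside the window has not actually been turned off.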
Unfortunately, the only way to mitigate the Rogue AP in this case is sneaker net. However, we are armed with the device information, HP-Print-C5-Officejet Pro 8620. By the power of Google, I discovered the HP Pro 8620 is a printer that looks like…
Ok…maybe more like this…
I had a very capable on-site tech *cough* Minion *cough* locate and disable the HP Print Direct capability on the printer. The world was saved… PCI DSS 11.1 and 11.1.2 were satisfied, AND I was able to go back to my optimization of the floor’s RF.