Wireless Intrusion Detection Services (WIDS)

Sites that contain ExtremeWireless WiNG APs can enable Wireless Intrusion Detection Services (WIDS). When WIDS is enabled, the ExtremeWireless WiNG APs record the SSIDs and BSSIDs of the APs that they can see but that do not belong to the site. These can be the authorized APs of neighboring businesses, or they can be unauthorized APs being used to penetrate the customer's network.

When an ExtremeWireless WiNG AP detects a BSSID that is not part of the site, it classifies the type of problem the foreign AP could represent. The problem can be as simple as the foreign AP using bandwidth on the same channel as the authorized APs, or as serious as the discovery of a rogue AP. A rogue AP is an unauthorized AP connected to the customer's private network. While rogue APs are not always deployed with malicious intent, they always represent a major network security breach.

Two different WIDS detection options are available:
  • Enabled - The AP performs detection only on the channel on which it is forwarding traffic.
  • Enabled with off-channel scan - The AP performs detection on the channel it is serving and periodically jumps off that channel to detect foreign APs on other channels. Service can be disrupted briefly when the AP scans off-channel.
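
The following sketch is an added illustration, not ExtremeWireless code, of how the two detection options change what gets recorded and how a foreign BSSID might be triaged. The category names, the sample beacons, and the wired-side MAC check used to flag a rogue AP are assumptions made for the example, not the product's documented logic.

```python
from dataclasses import dataclass

# Constructed sample data: every MAC address, SSID and channel below is made up.
SITE_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}  # APs that belong to the site
WIRED_MACS = {"02:00:00:cc:00:10"}  # MACs learned on the site's switches (assumed input)

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int

def detectable(beacon, serving_channel, off_channel_scan):
    """'Enabled' sees only the serving channel; off-channel scan also sees the others."""
    return off_channel_scan or beacon.channel == serving_channel

def on_wire(bssid, wired_macs):
    """Assumed heuristic: the radio MAC is within 1 of a MAC seen on the wired network."""
    value = int(bssid.replace(":", ""), 16)
    return any(abs(value - int(m.replace(":", ""), 16)) <= 1 for m in wired_macs)

def classify(beacon, serving_channel):
    """Triage a foreign AP, most serious category first."""
    if on_wire(beacon.bssid, WIRED_MACS):
        return "rogue"
    if beacon.channel == serving_channel:
        return "co-channel interference"
    return "neighbor"

def scan(beacons, serving_channel, off_channel_scan):
    """Return {bssid: category} for foreign APs visible in the chosen mode."""
    return {b.bssid: classify(b, serving_channel)
            for b in beacons
            if b.bssid not in SITE_BSSIDS
            and detectable(b, serving_channel, off_channel_scan)}

OBSERVED = [
    Beacon("02:00:00:aa:00:01", "corp", 6),         # the site's own AP
    Beacon("02:00:00:bb:00:07", "cafe-guest", 6),   # neighbor on the serving channel
    Beacon("02:00:00:bb:00:09", "print-shop", 11),  # neighbor on another channel
    Beacon("02:00:00:cc:00:11", "corp", 1),         # adjacent to a wired-side MAC
]

if __name__ == "__main__":
    for off_channel in (False, True):
        label = "off-channel scan" if off_channel else "on-channel only"
        print(label, scan(OBSERVED, 6, off_channel))
```

With the serving channel set to 6, the on-channel-only run reports just the co-channel neighbor; the AP on channel 1 whose MAC sits next to a wired-side address is only reported when off-channel scanning is on.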

The output of WIDS scanning is visible in several places in the user interface. The event log for each site that has WIDS enabled contains events corresponding to the various detections. The event logs of the APs at the site that detected foreign APs also contain events for those detections.

To view a list of all the foreign APs detected in the last 30 days, select Devices > Unsanctioned APs. Selecting a row in the Unsanctioned APs listing opens a page that provides some details about that specific unsanctioned AP.

Unsanctioned APs are also included in the PCI compliance report.