Re: IDS deployment guidelines

bauerdp · ‎05-18-2005

Hello,

we are a university campus and recently started WLSE Radio Monitoring. Now we are swamped with Rogue APs faults and Interference and Ad-Hoc faults. We tried changing the RSSI threshold for Rogue detection throughout the whole allowed range of -45 to -95 dBm, but the number of faults does not seem to significantly increase/decrease. I guess we would like to know what is the appropriate way to deal with the faults - should we delete the Rogue APs from the database or change them to Friendly? These Rogues are student devices (hence we have no control over them), since we eliminated the ones that had been installed by faculty/staff in the academic halls and public areas (we have control over what;s on campus premises).

Also, what are other people doing in regards to Ad-Hoc detection? Right now we just disabled the feature since, again, we cannot control student devices.

And, finally, does anyone know of an article that explains the Interference values in WLSE? Like, what is the good value to put instead of the WLSE default of -87, and what is a good time percentage?

I know this is a big question, but any testimonials would be appreciated.

rmushtaq · ‎05-18-2005

An earlier IOS bug (CSCsa32966), can also generate false rogues. This is fixed in the latest IOS. You may want to check this as well. As for Ad-hoc. it may not be easy unless you do some inspection to see if they are false or else. Understanding Ad-Hoc Network Detection: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cwparent/cw_1105/wlse/2_11/u_gd/wids.htm#wp1000514 explaines in detail how this works.