Rogue Device Detection
Starting in Release 6.1.0, CSO detects any unauthorized device that attempts to access the network. On detection, CSO immediately rejects the connection request from the device and generates an alarm so that administrators can take remedial actions promptly.
CSO generates an alarm indicating unauthorized access in the following scenarios:
Scenario 1: An unauthorized device attempts to connect using the configuration of a device that is modeled but not yet provisioned on CSO.
Users might create (model) a site and provision (activate) the site later. In such a case, the device (for example, device A) at the site is not connected to the CSO network. If a rogue device attempts to connect to the CSO network by using the configuration of device A, CSO rejects the connection request and generates an alarm.
Users can clear the alarm in the Monitor > Alerts & Alarms page after taking the necessary actions such as blocking the traffic originating from the rogue device.
CSO clears the alarm automatically when the original device is provisioned and connected to CSO.
The alarm message that is displayed for this scenario is as follows:
Rejected connection from an unauthorized device! A device with serial number <serial number of rogue device> attempted to connect to CSO as device A registered with CSO with serial number <serial number of device A>. Verify the serial number in the stage 1 configuration applied on the device or if the device is an unauthorized one, take immediate action to block the device.
Scenario 2: An unauthorized device attempts to connect using the configuration of a device that is provisioned on the CSO network.
If a device attempts to connect to the CSO network using the configuration of a provisioned device, CSO identifies the device as a rogue device and rejects the connection. CSO also raises an alarm to notify the users. Users can clear the alarm in the Monitor > Alerts & Alarms page after taking the necessary actions to block the device from accessing the network again.
The alarm message that is displayed for this scenario is as follows:
Rejected connection request from an unauthorized device! A device with serial number <serial number of rogue device> and device ID <device id of rogue device> attempted to connect to CSO. A device with the same device ID and serial number <serial number of provisioned device> is already provisioned on CSO. Take immediate action to prevent the unauthorized device from accessing your network again.
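For triage outside the CSO UI, the two alarm texts above can be parsed into fields and grouped by rogue serial number. The following Python is an added example, not Juniper code; it assumes the alarm text has already been exported as plain strings, and the function names, sample serial numbers, device name and device ID are constructed for illustration.

```python
import re
from collections import Counter

# Patterns mirror the two alarm texts quoted on this page; serial numbers,
# device name and device ID are the variable parts.
SCENARIO_1 = re.compile(
    r"Rejected connection from an unauthorized device! A device with serial "
    r"number (?P<rogue_serial>\S+) attempted to connect to CSO as "
    r"(?P<device_name>.+?) registered with CSO with serial number "
    r"(?P<registered_serial>[^\s.]+)\.")
SCENARIO_2 = re.compile(
    r"Rejected connection request from an unauthorized device! A device with "
    r"serial number (?P<rogue_serial>\S+) and device ID (?P<device_id>\S+) "
    r"attempted to connect to CSO\. A device with the same device ID and "
    r"serial number (?P<registered_serial>\S+) is already provisioned on CSO\.")

def parse_rogue_alarm(message):
    """Return the alarm's fields as a dict, or None for any other text."""
    text = " ".join(message.split())  # tolerate wrapped or padded exports
    for scenario, pattern in ((1, SCENARIO_1), (2, SCENARIO_2)):
        match = pattern.search(text)
        if match:
            fields = match.groupdict()
            fields["scenario"] = scenario
            # Only the scenario 1 text asks to verify the serial number in the
            # stage 1 configuration, so it can also be a provisioning mistake.
            fields["check_stage1_config"] = scenario == 1
            return fields
    return None

def rogue_serial_counts(messages):
    """Count rejected attempts per rogue serial number across alarm texts."""
    parsed = (parse_rogue_alarm(m) for m in messages)
    return Counter(p["rogue_serial"] for p in parsed if p)

# Constructed sample alarms: serials, device name and device ID are made up.
SAMPLE_ALARMS = [
    "Rejected connection from an unauthorized device! A device with serial "
    "number ROGUE0001 attempted to connect to CSO as branch-1-cpe registered "
    "with CSO with serial number GOOD0001. Verify the serial number in the "
    "stage 1 configuration applied on the device or if the device is an "
    "unauthorized one, take immediate action to block the device.",
    "Rejected connection request from an unauthorized device! A device with "
    "serial number ROGUE0001 and device ID dev-42 attempted to connect to "
    "CSO. A device with the same device ID and serial number GOOD0002 is "
    "already provisioned on CSO. Take immediate action to prevent the "
    "unauthorized device from accessing your network again.",
    "Interface ge-0/0/1 is down",
]
```

A rogue serial number that recurs across alarms, as in the sample, points to repeated attempts from the same hardware rather than a one-off serial number mismatch in a stage 1 configuration.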