What Is AP Isolation?

By David Dunning

In computer networking, AP is an abbreviation for access point. An access point, or wireless access point, is a device that permits mobile devices, such as laptop computers and personal digital assistants, to connect wirelessly to a wired computer network. AP isolation is a technique for preventing mobile devices connected to an AP from communicating directly with each other.

Malicious Network Traffic

AP isolation effectively creates a “virtual” network among the wireless devices, one in which each device is a separate entity unable to reach the others. It allows network administrators to keep potentially malicious traffic on the publicly accessible portion of a wireless network away from the main control network. In so doing, it prevents the main control network from being flooded with unsolicited network traffic, which may include viruses, worms and Trojan horses.

Applications

A typical application of AP isolation is a wireless hotspot of the type found in airports, coffee bars and railway stations. A hotspot typically allows numerous guest users to connect to an AP, forming a single, large wireless network. Without AP isolation, unscrupulous users could connect to network devices other than the AP itself for the purposes of hacking, or could flood the whole network with traffic, rendering it unusable.

ARP Poisoning

AP isolation can be a useful weapon in the fight against malicious attacks on wireless networks, but certain attacks, known as ARP poisoning or ARP spoofing, may be able to bypass the AP altogether. ARP stands for Address Resolution Protocol, the method by which a network device's physical Ethernet (MAC) address is found from its Internet Protocol address. An attacker may transmit a unit of data, known as a packet, carrying a falsified Ethernet address directly to another network device so that the packet appears to have come from the AP. To protect against this type of attack, network administrators must place wired Ethernet devices on a different portion of the network, or subnet, from wireless devices.

PSPF

Almost all network equipment vendors implement AP isolation in one form or another. Cisco, one of the world’s leading network vendors, implements it as a feature called Public Secure Packet Forwarding (PSPF). However, PSPF, in common with other AP isolation techniques, does not prevent an attacker from sending a “poisoned” ARP packet to another client, so it must still be used in conjunction with subnetting to provide an effective defense.
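As an added example that is not part of the article, the Python check below shows how a hotspot operator could spot the poisoned ARP replies described in the ARP Poisoning and PSPF sections, which AP isolation alone does not block: it pins the gateway IP to the AP's known MAC and flags any other sender. The gateway IP, the AP MAC and the sample replies are all constructed values.

```python
"""Flag ARP replies that impersonate the access point.

Added illustration: AP isolation keeps clients from talking to each other
through the AP, but a client can still send a forged ARP reply claiming the
gateway's IP. Pinning gateway IP to AP MAC catches that on the wire.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed values for the example: the AP/gateway IP and its genuine MAC.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC the reply wants others to associate with that IP
    target_ip: str   # client the reply was sent to


def find_spoofed(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return alert strings for replies that look poisoned."""
    alerts = []
    seen = defaultdict(set)  # sender_ip -> set of MACs that claimed it
    for r in replies:
        mac = r.sender_mac.lower()
        seen[r.sender_ip].add(mac)
        # A reply for the gateway IP from any MAC but the AP's is a forgery.
        if r.sender_ip == gateway_ip and mac != gateway_mac:
            alerts.append(f"gateway {gateway_ip} claimed by {mac}, "
                          f"expected {gateway_mac}")
    # Any other IP answered by two or more MACs is a conflict worth review.
    for ip, macs in seen.items():
        if ip != gateway_ip and len(macs) > 1:
            alerts.append(f"{ip} claimed by multiple MACs: {sorted(macs)}")
    return alerts


# Constructed sample traffic: the real AP, then a client forging the AP's IP.
SAMPLE = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.50"),
    ArpReply("192.168.1.50", "de:ad:be:ef:00:50", "192.168.1.1"),
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:50", "192.168.1.51"),  # forged
    ArpReply("192.168.1.51", "de:ad:be:ef:00:51", "192.168.1.1"),
]

if __name__ == "__main__":
    for alert in find_spoofed(SAMPLE):
        print("ALERT:", alert)
```

Because ARP never crosses a router, the same check only needs to run on the wireless segment once wired devices sit on their own subnet, as the article recommends.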