How to Prevent or Block Rogue APs from Joining Your Wired or Wireless WLANs?


Preventing Rogue APs from joining (gaining unauthorized access to) your personal or corporate networks is not easy, and there is no single solution that guarantees 100% success.

However, you would have a reasonable degree of success in keeping those uninvited pests off your network if you follow some of the suggestions outlined below.

Please be advised that the following list is not an all-inclusive, one-size-fits-all cure for all your Rogue AP Blues. A lot is going to depend on how your network is designed, set up, and managed; the quality (or lack thereof) of the various networking devices used on your network; and how proactive you (or your network administrators) are in monitoring your network usage and in enforcing your network security policies.

Having said that, here is a list of things you can do to improve your chances of keeping rogue APs off your network:

  • Insist on Enterprise-grade Hardware on your LANs/WLANs: Most consumer-grade wifi/networking devices (e.g. some of those entry-level consumer-grade products from Belkin, D-Link, Linksys, Netgear, etc.) that cost less to start with can prove to be very costly in terms of the security risks they expose you (and everyone else who makes use of your network) to. Just as you would not expect/allow your banker to install wire-screen doors to guard your safe deposit boxes, insist that your WLAN/LAN design engineers specify and use only state-of-the-art, enterprise-class network gear on your LAN/WLAN.
  • Insist on Networking Hardware that Supports Policy Based Security: Most of the wifi gear available in consumer electronic stores offers little or no support for creating, enforcing and monitoring policy based security. If your networking hardware is not capable of restricting/granting access based on your security policies, there is little (if anything at all) that you can do to keep unwanted/unauthorized elements off your network.
  • Insist on Hardware that Announces Itself on the LAN Interface: Most wifi routers/APs/bridges sold at consumer electronics stores do not advertise their presence when they get connected to a LAN. Better networking products do so on their LAN interfaces (NICs) when they are made part of a network. If your network designer has been careful enough to build your LAN/WLAN using such better-quality networking devices, you would be in a position to run a closed network, i.e. deny access to Rogue APs that do not identify themselves (and cannot be verified) as devices already known to be trusted on your LAN/WLAN.
  • Deny Network Access to Everyone, Unless Explicitly Allowed: Configuring your network to deny access to all, except for those explicitly white-listed by you, is one of the most effective ways to ward off rogue APs and parasitic network users.
  • Use MAC Address Filtering: Allow members-only access to your IT resources. Configure your network devices to grant access based on a predefined set of MAC addresses. If you discover a rogue/suspicious wireless client (an unknown MAC address) during routine rogue device detection audits, treat it as a rogue alert and block that MAC address from your wireless network permanently by adding it to your MAC-address-based ACL, i.e. your MAC filters.
  • Use Only Enterprise Class APs on your Network: Enterprise-class access points may cost a little bit more to start with, but they are designed to interface nicely with most Network Management and Network Security Software Applications.

    APs that are designed to be managed include a management interface on the wired side of the network. Such an AP would broadcast its presence on your wired network (LAN) when it is installed, so you (or your administrator) would know as soon as an AP shows up on your LAN.

    Assuming that you are using only APs that announce themselves on power-up, blocking out most of those run-of-the-mill (cheap) Rogue APs is usually easy: all you need to do is add a policy using your network management/security console that denies access to all "unknown" devices.

    Not only are managed devices helpful in blocking Rogue APs, they are also easy to (often automatically) configure, thanks to the "managed interface" on their wired side. This comes in handy if you need to replace a broken/damaged AP in a hurry and need to have it configured (cloning security policies, access filters, etc.) just like the other APs on your network.

  • Avoid Hubs, Use Managed Switches: Managed Switches allow configuration/application of various access-filters/policies not only at the switch/interface level, but also selectively on various switch ports. They also allow you to partition/isolate traffic across different network segments.
  • Restrict Devices on Various Switch Ports: All Access Points (including Rogue APs) have to be ultimately plugged into ports on your network switches. Therefore, you should pre-specify (for every port on all your managed switches) the list of individual MAC addresses (of various devices) that are allowed to communicate through each of those ports. This way, you can configure your network to NOT communicate with any such "unknown/rogue" device, even after someone has managed to hook one up to your network.

  • Implement Multi-Layered Security: Use several modes of access control, including access filters based on SSID, host IP address, network-level authentication, host-level authentication, service-level authentication, and application-level authentication control. Doing so will limit the damage others can inflict upon your network/data should they manage to sneak a Rogue AP onto your LAN/WLAN.
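The deny-unless-allowed, MAC-filtering and per-switch-port rules above can be expressed as one audit over a switch's MAC table. The following is an added example, not code from the original article: the per-port allow-list, the block list and the sample MAC-table lines are all constructed for illustration, and MAC addresses are accepted in colon, dash and Cisco dotted forms so the comparison does not miss a device because of notation.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical per-port allow-list, constructed for this example: the only MACs
# permitted to talk through each managed-switch port. A port that is absent from
# the policy allows nothing at all (deny unless explicitly allowed).
PORT_POLICY: Dict[str, Set[str]] = {
    "Gi1/0/1": {"00:11:22:33:44:55"},                       # managed AP
    "Gi1/0/2": {"00:11:22:33:44:66", "00:11:22:33:44:67"},  # two known hosts
}
_MAC12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw: str) -> str:
    """Canonicalise 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse constructed '<port> <mac>' lines (the shape of a switch MAC table)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # skip blank and comment/header lines
        entries.append((parts[0], normalize_mac(parts[1])))
    return entries

def audit(entries: Iterable[Tuple[str, str]],
          policy: Dict[str, Set[str]] = PORT_POLICY) -> List[Tuple[str, str]]:
    """Return every (port, mac) learned on a port whose allow-list lacks that MAC."""
    return [(port, mac) for port, mac in entries
            if mac not in policy.get(port, set())]

def update_mac_filters(blocked: Set[str], violations) -> Set[str]:
    """Add each flagged MAC to the permanent block list (the article's 'MAC filters')."""
    blocked.update(mac for _, mac in violations)
    return blocked

# Constructed sample table: three learned addresses, one on a port with no policy.
SAMPLE_TABLE = """# port     mac
Gi1/0/1    0011.2233.4455
Gi1/0/2    00-11-22-33-44-66
Gi1/0/3    de:ad:be:ef:00:01""".splitlines()

if __name__ == "__main__":
    hits = audit(parse_mac_table(SAMPLE_TABLE))
    for port, mac in hits:
        print(f"rogue alert: {mac} on {port} -> denied")
    print("MAC filters now:", sorted(update_mac_filters(set(), hits)))
```

Running the audit periodically (the "routine detection audit" of the text) turns the policy into a concrete check rather than a paper rule.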

As you may have gathered from the above, preventing unauthorized access to your IT resources (those connected to your LAN as well as those on your WLAN) starts with a security-centric network design, requires the use of enterprise-quality managed networking hardware, and depends on the creation, communication, monitoring and enforcement of an "acceptable network use policy."

Rogue APs do not succeed in connecting to your network due to some stroke of luck or due to a magical/favorable alignment of heavenly stars. They breach your network by exploiting design and configuration flaws.

Expect and require your network design engineer to custom design a LAN/WLAN for you that is not only affordable and fast, but also secure.