Detecting Rogue APs

The most important WIP functionality is the ability to classify an AP as a potential security threat. An AP is considered to be rogue if it is both unauthorized and plugged in to the wired side of the network. An AP is considered to be interfering if it is seen in the RF environment but is not connected to the wired network.

While the interfering AP can potentially cause RF interference, it is not considered a direct security threat since it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.

Understanding Classification Terminology

APs and clients are discovered during scanning of the wireless medium, and they are classified into various groups. The AP and client classification definitions are in Table 1 and Table 2.

Table 1: AP Classification Definition

Valid AP: An AP that is part of the enterprise providing WLAN service.
Interfering AP: An AP that is seen in the RF environment but is not connected to the wired network. An interfering AP is not considered a direct security threat since it is not connected to the wired network. For example, an interfering AP can be an AP that belongs to a neighboring office’s WLAN but is not part of your WLAN network.
Neighbor AP: An AP whose BSSIDs are known. Once classified as a neighbor, an AP does not change its state.
Rogue AP: An unauthorized AP that is plugged into the wired side of the network.
Suspected-Rogue AP: An unauthorized AP that may be plugged into the wired side of the network.
Manually-contained AP: An AP for which DoS is enabled manually.

Table 2: Client Classification Definitions

Valid Client: Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client.
Manually-contained Client: Any client for which DoS is enabled manually.
Interfering Client: A client that is associated to any AP but is not a valid client.

Understanding Classification Methodology

A discovered AP is classified as a rogue or a suspected rogue by the following methods:

Internal heuristics
AP classification rules
Manually by the user

The internal heuristics work by checking whether the discovered AP is communicating with a wired device on the customer network. This is done by matching the MAC addresses of devices on the discovered AP’s network against those on the user’s wired network. The MAC address of the device on the discovered AP’s network is known as the Match MAC. The ways in which wired MACs are matched are detailed in the sections Understanding Match Methods and Understanding Match Types.

Understanding Match Methods

The match methods are:

Plus One—The Match MAC matched a wired device whose MAC address’ last bit is one more than that of the Match MAC.
Minus One—The Match MAC matched a wired device whose MAC address’ last bit is one less than that of the Match MAC.
Equal—The match was against the same MAC address.
OUI—The match was against the manufacturer’s OUI of the wired device.

The classification details are available in the ‘Discovered AP table’ section of the ‘Security Summary’ page of the WebUI. The information can be obtained by clicking on the details icon for a selected discovered AP. The information is also available in the command show wms rogue-ap.
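The following is an added example, not code from the page or from Aruba, showing how the four match methods above (Equal, Plus One, Minus One, OUI) can be evaluated for a discovered AP's Match MAC against a table of known wired MACs. It assumes that "one more/one less" means the 48-bit MAC value plus or minus one, and the wired MAC table is constructed sample data.

```python
# Added example (not the page's or Aruba's own code): evaluate the wired-MAC
# match methods Equal, Plus One, Minus One and OUI for a Match MAC.
# Assumption: "one more/less" is the 48-bit MAC value +/- 1.

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or 'aabb.ccdd.eeff' into 48 bits."""
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)

def match_method(match_mac: str, wired_macs):
    """Return (method, wired_mac) for the strongest match, or None.

    Exact and +/-1 matches are reported before the weaker OUI match so the
    most specific evidence that the AP bridges to the wired network wins."""
    target = mac_to_int(match_mac)
    wired = {mac_to_int(m): m for m in wired_macs}
    if target in wired:
        return ("Equal", wired[target])
    if target + 1 in wired:             # wired MAC is one more than Match MAC
        return ("Plus One", wired[target + 1])
    if target - 1 in wired:             # wired MAC is one less than Match MAC
        return ("Minus One", wired[target - 1])
    for value, text in wired.items():   # same manufacturer OUI (top 24 bits)
        if value >> 24 == target >> 24:
            return ("OUI", text)
    return None

# Constructed sample wired-MAC table (locally administered 02:... addresses).
WIRED_MACS = ["02:10:20:00:00:10", "02:10:20:00:00:21", "02:ab:cd:aa:bb:cc"]
```

An OUI-only hit is far weaker evidence of a wired connection than an exact or +/-1 match, which is why the function reports the specific methods first.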

Understanding Match Types

Eth-Wired-MAC: The MAC addresses of wired devices learned by an AP on its Ethernet interface.
GW-Wired-MAC: The collection of Gateway MACs of all APs across the master and local controllers.
AP-Wired-MAC: The MAC addresses of wired devices learned by monitoring traffic out of other valid and rogue APs.
Config-Wired-MAC: The MAC addresses that are configured by the user, typically that of well-known servers in the network.
Manual: User-triggered classification.
External-Wired-MAC: The MAC address matched a set of known wired devices that are maintained in an external database.
Mobility-Manager: The classification was determined by the mobility manager, AMP.
Classification-off: The AP is classified as rogue because classification has been disabled, which causes all non-authorized APs to be classified as rogue.
Propagated-Wired-MAC: The MAC addresses of wired devices learned by a different AP than the one that uses it for classifying a rogue.
Base-BSSID-Override: The classification was derived from another BSSID, which belongs to the same AP that supports multiple BSSIDs on the radio interface.
AP-Rule: A user-defined AP classification rule has matched.
System-Wired-MAC: The MAC addresses of wired devices learned at the controller.
System-Gateway-MAC: The Gateway MAC addresses learned at the controller.

Understanding Suspected Rogue Confidence Level

A suspected rogue AP is a potential threat to the WLAN infrastructure. A suspected rogue AP has a confidence level associated with it. An AP can be marked as a suspected rogue if it is determined to be a potential threat on the wired network, or if it matches a user-defined classification rule.

The suspected-rogue confidence level is computed as follows:

Each mechanism that causes a suspected-rogue classification is assigned a confidence level increment of 20%.
AP classification rules have a configured confidence level.
When a mechanism matches a previously unmatched mechanism, the confidence level increment associated with that mechanism is added to the current confidence level (the confidence level starts at zero).
The confidence level is capped at 100%.
If your controller reboots, your suspected-rogue APs are not checked against any new rules that were configured after the reboot. Without this restriction, all the mechanisms that classified your APs as suspected-rogues may trigger again, causing the confidence level to surpass its cap of 100%. You can explicitly mark an AP as “interfering” to trigger all new rules to match against it.

Understanding AP Classification Rules

AP classification rule configuration is performed only on a master controller. If AMP is enabled via the mobility-manager command, then processing of the AP classification rules is disabled on the master controller. A rule is identified by its ASCII character string name (32 characters maximum). The AP classification rules have one of the following specifications:

SSID of the AP
SNR of the AP
Discovered-AP-Count or the number of APs that can see the AP

Understanding SSID specification

Each rule can have up to 6 SSID parameters. If one or more SSIDs are specified in a rule, an option of whether to match any of the SSIDs or not match all of the SSIDs can be specified. The default is to check for a match operation.

Understanding SNR specification

Each rule can have only one SNR specification. A minimum and/or maximum can be specified in each rule, and the values are given in dB.

Understanding Discovered-AP-Count specification

Each rule can have only one specification of the Discovered-AP-Count. Each rule can specify a minimum or maximum of the Discovered-AP-Count. The minimum or maximum operation must be specified if the Discovered-AP-Count is specified. The default setting is to check for the minimum Discovered-AP-Count.

Sample Rules

If SSID equals xyz AND SNR > 40 then classify AP as suspected-rogue with conf-level-increment of 20

If SNR > 60 and DISCOVERING_APS > 2, then classify AP as suspected-rogue with conf-level increment of 35

If SSID equals ‘XYZ’, then classify AP as known-neighbor

Understanding Rule Matching

A rule must be enabled before it is matched. A maximum of 32 rules can be created with a maximum of 16 rules simultaneously active. If a rule matches, an AP is classified as:

Suspected-Rogue: An associated confidence-level is provided (minimum is 5%)
Neighbor

The following mechanism is used for rule matching:

When all the conditions specified in the rule evaluate to true, the rule matches.
If multiple rules match and cause the AP to be classified as a Suspected-Rogue, the confidence levels of the matching rules are aggregated to determine the confidence level of the classification.
When multiple rules match and any one of those matching rules causes the AP to be classified as a Neighbor, the AP is classified as Neighbor.
APs classified as either Neighbor or Suspected-Rogue will attempt to match any configured AP rule.
Once a rule matches an AP, the same rule is not checked again for that AP.
When the controller reboots, no attempt to match a previously matched AP is made.
If a rule is disabled or modified, all APs that were previously classified based on that rule remain in the classification that rule assigned.
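The following is an added example, not code from the page or from Aruba, that models the rule matching and confidence aggregation described in this section and in Understanding Suspected Rogue Confidence Level, using the three sample rules. Rule and AP field names are assumed, minimum/maximum bounds are treated as inclusive, and an AP with no rule evidence is reported as interfering.

```python
# Added example (not the page's or Aruba's own code): AP classification rule
# matching with suspected-rogue confidence aggregation. Field names are
# assumed; bounds are inclusive; rules mirror the page's sample rules.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    name: str                            # up to 32 ASCII characters
    ssids: Tuple[str, ...] = ()          # up to 6 SSIDs
    match_any_ssid: bool = True          # True: match any listed; False: match none
    snr_min: Optional[int] = None        # one SNR specification per rule (dB)
    snr_max: Optional[int] = None
    ap_count_min: Optional[int] = None   # Discovered-AP-Count bounds
    ap_count_max: Optional[int] = None
    classify: str = "suspected-rogue"    # or "neighbor"
    conf_increment: int = 5              # minimum confidence increment is 5%
    enabled: bool = True                 # a rule must be enabled to match

def in_range(value, lo, hi) -> bool:
    return (lo is None or value >= lo) and (hi is None or value <= hi)

def rule_matches(rule: Rule, ap: dict) -> bool:
    """A rule matches only when every condition it specifies is true."""
    if rule.ssids and (ap["ssid"] in rule.ssids) != rule.match_any_ssid:
        return False
    return (in_range(ap["snr"], rule.snr_min, rule.snr_max)
            and in_range(ap["discovering_aps"], rule.ap_count_min, rule.ap_count_max))

def classify(ap: dict, rules, matched: Optional[set] = None):
    """Return (classification, confidence). 'matched' holds names of rules
    already applied to this AP, so a rule is never re-checked for it."""
    matched = set() if matched is None else matched
    conf = ap.get("confidence", 0)       # confidence level starts at zero
    neighbor = False
    for rule in rules:
        if not rule.enabled or rule.name in matched or not rule_matches(rule, ap):
            continue
        matched.add(rule.name)
        if rule.classify == "neighbor":
            neighbor = True              # any matching neighbor rule wins
        else:                            # increments aggregate, capped at 100%
            conf = min(100, conf + max(5, rule.conf_increment))
    if neighbor:
        return ("neighbor", 0)
    return ("suspected-rogue", conf) if conf > 0 else ("interfering", 0)

RULES = [Rule("r1", ssids=("xyz",), snr_min=40, conf_increment=20),
         Rule("r2", snr_min=60, ap_count_min=2, conf_increment=35),
         Rule("r3", ssids=("XYZ",), classify="neighbor")]
```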