Detecting Rogue APs
The most important WIP (Wireless Intrusion Protection) function is the ability to classify an AP as a potential security threat. The WIP module provides wired and wireless AP detection, classification, and containment; it detects Denial of Service (DoS) and impersonation attacks, and prevents client and network intrusions. An AP is considered rogue if it is both unauthorized and plugged in to the wired side of the network. An AP is considered interfering if it is seen in the RF (radio frequency) environment but is not connected to the wired network.
While an interfering AP can cause RF interference, it is not considered a direct security threat because it is not connected to the wired network. An interfering AP may, however, be reclassified as rogue if it is later determined to be connected to the wired network.
WIDS Containment Enhancements
Air Monitor-enabled APs detect and mitigate possible security threats in a wireless network. Air Monitor supports containment of rogue APs and prevents clients from associating with them. Air Monitor sends tarpit or deauthentication containment frames when any of the following criteria is met:
When an AP is marked for DoS containment, a single broadcast deauthentication frame is sent to disassociate its stations. If stations do not honor the broadcast, two unicast deauthentication frames are sent per station: one from the AP to the station and one from the station to the AP.
To disassociate a valid station from a non-valid AP, a unicast deauthentication frame is sent from the station's MAC (Media Access Control) address to the AP, and one from the AP to the station.
When AP impersonation protection is active and an impersonating AP is detected, all stations are disassociated from the invalid AP by unicast deauthentication frames.
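The frames behind the three cases above have a fixed 802.11 layout, and both the "broadcast then two unicast" sequence and the "from the station to the AP" spoofing are easier to see in bytes than in prose. The following is an added example, not Aruba code and not taken from the original page: it builds raw 802.11 deauthentication frames (no radiotap header, no FCS) for the DoS-containment and valid-station cases and parses them back. The reason code 7 ("class 3 frame received from nonassociated STA"), the sequence numbering, and the way unresponsive stations are identified are assumptions; the page does not specify them.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_DEAUTH = 0x00C0          # frame control: version 0, type 0 (management), subtype 12 (deauthentication), no flags
REASON_CLASS3 = 7           # reason code used here; the page does not name the one Air Monitor sends (assumption)
HEADER_LEN = 24             # fc(2) + duration(2) + addr1(6) + addr2(6) + addr3(6) + sequence control(2)


def mac_to_bytes(mac: str) -> bytes:
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(o, 16) for o in octets)


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(receiver: str, transmitter: str, bssid: str, reason: int = REASON_CLASS3, seq: int = 0) -> bytes:
    """Raw deauthentication frame: addr1 = receiver, addr2 = transmitter, addr3 = BSSID,
    body = 16-bit reason code. All multi-byte fields are little-endian on the air."""
    seq_ctrl = (seq & 0xFFF) << 4                         # 12-bit sequence number, fragment number 0
    header = struct.pack("<HH", FC_DEAUTH, 0) + mac_to_bytes(receiver) + mac_to_bytes(transmitter) + mac_to_bytes(bssid)
    return header + struct.pack("<HH", seq_ctrl, reason)


def is_deauth(frame: bytes) -> bool:
    """Cheap filter for captures: low frame-control byte carries version/type/subtype, flags live in the high byte."""
    return len(frame) >= HEADER_LEN + 2 and frame[0] == 0xC0


def parse_deauth(frame: bytes) -> dict:
    if not is_deauth(frame):
        raise ValueError("not a deauthentication frame")
    seq_ctrl, reason = struct.unpack_from("<HH", frame, 22)
    return {
        "receiver": bytes_to_mac(frame[4:10]),
        "transmitter": bytes_to_mac(frame[10:16]),
        "bssid": bytes_to_mac(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "reason": reason,
    }


def unicast_deauth_pair(ap_bssid: str, station: str, reason: int = REASON_CLASS3, seq: int = 0) -> list:
    """The two unicast frames the text describes: one 'from' the AP to the station and one 'from' the station
    to the AP. Both are transmitted by the Air Monitor, so the transmitter address is whichever side it impersonates."""
    return [build_deauth(station, ap_bssid, ap_bssid, reason, seq),
            build_deauth(ap_bssid, station, ap_bssid, reason, seq + 1)]


def dos_containment_frames(ap_bssid: str, unresponsive_stations, reason: int = REASON_CLASS3) -> list:
    """AP marked for DoS: one broadcast deauth spoofed from the AP, then a unicast pair for every station that
    did not honour it. How the monitor decides a station ignored the broadcast is not given by the page, so
    the caller passes that list in."""
    frames = [build_deauth(BROADCAST, ap_bssid, ap_bssid, reason, seq=0)]
    for i, station in enumerate(unresponsive_stations):
        frames += unicast_deauth_pair(ap_bssid, station, reason, seq=1 + 2 * i)
    return frames
```

Seen from a monitor interface, the second frame of each pair has a transmitter address that is not the BSSID, which is exactly what a legitimate station leaving a network also looks like; that is why containment activity by your own WIP should be correlated with the controller's own logs rather than flagged from the air alone.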
Understanding Classification Terminology
APs and clients are discovered during scanning of the wireless medium, and they are classified into various groups. The AP and client classification definitions are in Table 1 and Table 2.
Classification | Description
Valid client | Any client that successfully authenticates with a valid AP and passes encrypted traffic.
DoS client | Any client for which DoS (Denial of Service) containment has been enabled manually.
Interfering client | A client that is associated to any AP and is not valid.
Understanding Classification Methodology
A discovered AP is classified as a rogue or a suspected rogue by the following methods:
Internal heuristics
AP classification rules
Manually by the user
The internal heuristics work by checking whether the discovered AP is communicating with a wired device on the customer network. This is done by matching the MAC addresses of devices seen on the discovered AP's network against those of the customer's wired network. The MAC address of a device on the discovered AP's network is known as the Match MAC. The ways in which wired MACs are matched are detailed in Understanding Match Methods and Understanding Match Types.
Understanding Match Methods
The match methods are:
Plus One: the wired device's MAC address is one higher than the Match MAC.
Minus One: the wired device's MAC address is one lower than the Match MAC.
Equal: the wired device's MAC address is the same as the Match MAC.
OUI: the Match MAC shares its OUI (Organizationally Unique Identifier, the 24-bit vendor prefix that forms the first half of a MAC address) with a wired device.
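The four match methods are simple to state and worth seeing as code, because the Plus One and Minus One cases are what catch the common consumer router whose LAN-side MAC and BSSID are adjacent addresses. The following is an added example, not Aruba's implementation and not from the original page: it indexes a set of known wired MACs and, for each MAC observed on a discovered AP's side, reports which method (if any) relates it to the wire. The precedence (Equal before Plus One before Minus One before OUI) and the input formats accepted are this example's choices; the page does not state an order.

```python
from typing import Iterable, Optional, Tuple

MAC_MASK = 0xFFFFFFFFFFFF


def normalize(mac: str) -> str:
    """Lower-case, colon-separated form; accepts 'aa-bb-...' and 'AA:BB:...'."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(parts)


def mac_int(mac: str) -> int:
    return int(normalize(mac).replace(":", ""), 16)


def int_mac(value: int) -> str:
    value &= MAC_MASK                      # wrap rather than overflow past 48 bits (ff:..:ff + 1 -> 00:..:00)
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def oui(mac: str) -> str:
    return normalize(mac)[:8]              # first three octets = the 24-bit OUI


class WiredMacTable:
    """Known wired MACs (learned on Ethernet, gateway MACs, configured servers, ...) indexed for the four match methods."""

    def __init__(self, wired_macs: Iterable[str]):
        self.exact = {normalize(m) for m in wired_macs}
        self.ouis = {oui(m) for m in self.exact}

    def match(self, match_mac: str) -> Optional[Tuple[str, str]]:
        """Return (method, wired MAC or OUI) for the strongest relation, or None when nothing on the wire matches."""
        m = normalize(match_mac)
        if m in self.exact:
            return ("Equal", m)
        plus = int_mac(mac_int(m) + 1)     # wired MAC is one higher than the Match MAC
        if plus in self.exact:
            return ("Plus One", plus)
        minus = int_mac(mac_int(m) - 1)    # wired MAC is one lower than the Match MAC
        if minus in self.exact:
            return ("Minus One", minus)
        if oui(m) in self.ouis:
            return ("OUI", oui(m))
        return None


def wired_evidence(discovered_ap_macs: Iterable[str], table: WiredMacTable) -> list:
    """Run the heuristic for one discovered AP: every MAC seen on its side of the air is a Match MAC candidate.
    Returns (match_mac, method, wired_mac_or_oui) tuples; deciding rogue versus suspected-rogue from them is left
    to the caller, since the page does not say which methods yield which classification."""
    hits = []
    for candidate in discovered_ap_macs:
        result = table.match(candidate)
        if result:
            hits.append((normalize(candidate),) + result)
    return hits
```

An OUI hit is weak evidence on its own: any device from the same vendor anywhere on the wire satisfies it, and locally administered or randomized addresses carry no meaningful OUI. Equal and Plus One/Minus One are strong but only fire when the AP's wired MAC and its BSSID are the same or adjacent, which is why the other match types in the next section (gateway MACs, MACs learned by other APs, an external database) exist at all.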
The classification details are available in the WebUI by clicking the respective section icons, and from the CLI.
Understanding Match Types
The match types are:
MAC addresses of wired devices learned by an AP on its Ethernet interface.
The gateway MACs of all APs across Mobility Master and managed devices.
The collection of MAC addresses of wired devices learned by monitoring traffic out of other valid and rogue APs.
The MAC addresses configured by the user, typically those of well-known servers in the network.
User-triggered classification.
The MAC address matched a set of known wired devices maintained in an external database.
The classification was determined by the mobility manager.
The AP is classified as rogue because classification has been disabled, causing all non-authorized APs to be classified as rogue.
MAC addresses of wired devices learned by a different AP than the one that uses them to classify a rogue.
A BSSID (Basic Service Set Identifier; in infrastructure networks, the MAC address of the AP) that belongs to the same AP, which supports multiple BSSIDs on its radio interface. For Aruba OUIs, if the base BSSID of a beacon matches the base BSSID of a known valid BSSID, the new BSSID is not considered valid.
The classification was derived from another
A user-defined AP classification rule has matched.
MAC addresses of wired devices learned on the managed device.
The gateway MAC addresses learned on the managed device.
Understanding Suspected Rogue Confidence Level
A suspected rogue AP is a potential threat to the WLAN (Wireless Local Area Network) infrastructure. A suspected rogue AP has a confidence level associated with it. An AP can be marked as a suspected rogue if it is determined to be a potential threat on the wired network, or if it matches a user-defined classification rule.
The suspected-rogue confidence level is computed as follows:
Each internal mechanism that causes a suspected-rogue classification carries a confidence level increment of 20%.
AP classification rules carry a configured confidence level increment.
When a mechanism that has not matched before matches, its increment is added to the current confidence level (the confidence level starts at zero).
The confidence level is capped at 100%.
If the managed device reboots, suspected-rogue APs are not checked against rules configured after the reboot. Without this restriction, all of the mechanisms that previously classified an AP as a suspected rogue could trigger again and be counted a second time against the 100% cap. You can explicitly mark an AP as interfering to have all new rules matched against it.
Understanding AP Classification Rules
AP classification rules are configured only on Mobility Master. If AMP (AirWave Management Platform, a network management system for wired and wireless devices) is enabled, processing of AP classification rules is disabled on Mobility Master. A rule is identified by an ASCII name of up to 32 characters. An AP classification rule can carry the following specifications:
SSID
SNR
Discovered-AP-Count, the number of APs that can see the AP
The following topics describe the SSID (Service Set Identifier, the name of a WLAN), SNR (Signal-to-Noise Ratio), and Discovered-AP-Count specifications, and give sample rules:
Understanding SSID specification
Each rule can have up to six SSID parameters. If one or more SSIDs are specified in a rule, the rule can be set either to match any of the SSIDs or to not-match all of the SSIDs. The default is the match operation.
Understanding SNR specification
Each rule can have only one SNR specification. A minimum and/or maximum can be specified in each rule, in dB.
Understanding Discovered-AP-Count specification
Each rule can have only one Discovered-AP-Count specification, as either a minimum or a maximum. The minimum or maximum operation must be given whenever Discovered-AP-Count is specified; the default is to check for a minimum.
Sample Rules
If SSID equals xyz AND SNR > 40, then classify AP as suspected-rogue with conf-level-increment of 20
If SNR > 60 AND DISCOVERING_APS > 2, then classify AP as suspected-rogue with conf-level-increment of 35
If SSID equals 'XYZ', then classify AP as known-neighbor
Understanding Rule Matching
A rule must be enabled before it can match. A maximum of 32 rules can be created, with a maximum of 16 rules simultaneously active. If a rule matches, the AP is classified either as a Suspected Rogue or as a Neighbor. For an AP classified as a Suspected Rogue, an associated confidence level is provided (minimum 5%). The following mechanism is used for rule matching:
When all the conditions specified in the rule evaluate to true, the rule matches.
If multiple rules match, causing the AP to be classified as a Suspected Rogue, the confidence level of each rule is aggregated to determine the confidence level of the classification.
When multiple rules match and any one of those matching rules causes the AP to be classified as a Neighbor, the AP is classified as a Neighbor.
APs classified as either Neighbor or Suspected Rogue will attempt to match any configured AP rule.
Once a rule matches an AP, the same rule will not be checked for the AP.
When the managed device reboots, no attempt to match a previously matched AP is made.
If a rule is disabled or modified, APs that were previously classified based on that rule keep the classification they already have; they are not re-evaluated.
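The rule specifications, the sample rules, and the matching mechanism above describe one small state machine, and the corner cases (a rule matching an AP only once, a Neighbor rule overriding confidence increments, the 100% cap, the reset by marking an AP interfering) are easiest to check in code. The following is an added example, not Aruba's implementation and not from the original page: it encodes the three sample rules and a classifier that applies the rules in the order of evaluation the page gives. Rule names are mine; the page's sample rules use ">" and do not say whether minima and maxima are inclusive, so they are encoded here as inclusive bounds one step up; the "not-match-all" mode is read as "the AP's SSID is none of the listed ones"; and discarding suspected-rogue increments when a Neighbor rule wins is an assumption.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

SUSPECTED, NEIGHBOR, INTERFERING = "suspected-rogue", "neighbor", "interfering"
RULE_LIMIT, ACTIVE_LIMIT, CAP, MECHANISM_INCREMENT, MIN_RULE_CONF = 32, 16, 100, 20, 5


def in_range(value: int, lo: Optional[int], hi: Optional[int]) -> bool:
    return (lo is None or value >= lo) and (hi is None or value <= hi)   # inclusive bounds (assumption)


@dataclass(frozen=True)
class ApRule:
    name: str                             # ASCII, at most 32 characters
    classify: str                         # SUSPECTED or NEIGHBOR
    conf_increment: int = 0               # suspected-rogue rules only; the page gives a 5% minimum
    ssids: tuple = ()                     # at most 6, compared case-sensitively as 802.11 SSIDs are
    ssid_mode: str = "match-any"          # default; "not-match-all" = AP SSID is none of them (my reading)
    snr_min: Optional[int] = None         # dB
    snr_max: Optional[int] = None
    ap_count_min: Optional[int] = None    # Discovered-AP-Count: a minimum or a maximum, not both
    ap_count_max: Optional[int] = None
    enabled: bool = True

    def __post_init__(self):
        checks = [
            (0 < len(self.name) <= 32 and self.name.isascii(), "rule name must be 1-32 ASCII characters"),
            (self.classify in (SUSPECTED, NEIGHBOR), "classify must be suspected-rogue or neighbor"),
            (self.ssid_mode in ("match-any", "not-match-all"), "unknown ssid_mode"),
            (len(self.ssids) <= 6, "at most 6 SSIDs per rule"),
            (self.classify != SUSPECTED or self.conf_increment >= MIN_RULE_CONF, "confidence increment is at least 5%"),
            (self.ap_count_min is None or self.ap_count_max is None, "Discovered-AP-Count: minimum or maximum, not both"),
        ]
        for ok, message in checks:
            if not ok:
                raise ValueError(message)

    def matches(self, ssid: str, snr: int, discovered_ap_count: int) -> bool:
        """Every specification present in the rule must hold."""
        if self.ssids and (ssid in self.ssids) != (self.ssid_mode == "match-any"):
            return False
        return in_range(snr, self.snr_min, self.snr_max) and in_range(discovered_ap_count, self.ap_count_min, self.ap_count_max)


def rule_error(**kwargs) -> Optional[str]:
    """Validation message for a rule definition, or None when it is acceptable."""
    try:
        ApRule(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)


@dataclass
class ApState:
    bssid: str
    classification: str = INTERFERING     # seen in the air, not (yet) tied to the wire
    confidence: int = 0
    matched_rules: set = field(default_factory=set)
    matched_mechanisms: set = field(default_factory=set)


class Classifier:
    RULE_TARGETS = (INTERFERING, NEIGHBOR, SUSPECTED)   # valid and rogue APs are not run through rules

    def __init__(self, rules):
        rules = list(rules)
        if len(rules) > RULE_LIMIT or sum(r.enabled for r in rules) > ACTIVE_LIMIT:
            raise ValueError("at most 32 rules, at most 16 of them enabled")
        self.rules = {r.name: r for r in rules}
        self.aps = {}

    def state(self, bssid: str) -> ApState:
        return self.aps.setdefault(bssid, ApState(bssid))

    def mechanism_hit(self, bssid: str, mechanism: str) -> ApState:
        """An internal suspected-rogue mechanism fired: +20% once per mechanism, capped at 100%."""
        st = self.state(bssid)
        if st.classification in self.RULE_TARGETS and mechanism not in st.matched_mechanisms:
            st.matched_mechanisms.add(mechanism)
            st.classification = SUSPECTED
            st.confidence = min(CAP, st.confidence + MECHANISM_INCREMENT)
        return st

    def evaluate(self, bssid: str, ssid: str, snr: int, discovered_ap_count: int) -> ApState:
        st = self.state(bssid)
        if st.classification not in self.RULE_TARGETS:
            return st
        increment, neighbor = 0, False
        for rule in self.rules.values():
            if not rule.enabled or rule.name in st.matched_rules:   # disabled rules never match; a rule matches an AP once
                continue
            if rule.matches(ssid, snr, discovered_ap_count):
                st.matched_rules.add(rule.name)
                neighbor |= rule.classify == NEIGHBOR
                increment += rule.conf_increment if rule.classify == SUSPECTED else 0
        if neighbor:                          # any matching Neighbor rule wins; increments are then dropped (assumption)
            st.classification = NEIGHBOR
        elif increment:
            st.classification = SUSPECTED
            st.confidence = min(CAP, st.confidence + increment)
        return st

    def set_rule_enabled(self, name: str, enabled: bool) -> None:
        """Disabling or editing a rule does not revisit APs it already classified."""
        self.rules[name] = replace(self.rules[name], enabled=enabled)

    def mark_interfering(self, bssid: str) -> None:
        """Manual reset, so that every rule (including ones added after a reboot) is tried against the AP again."""
        self.aps[bssid] = ApState(bssid)


SAMPLE_RULES = [   # the page's three sample rules; names are mine, '>' encoded as an inclusive minimum one step up
    ApRule("xyz-strong", SUSPECTED, conf_increment=20, ssids=("xyz",), snr_min=41),
    ApRule("loud-and-seen", SUSPECTED, conf_increment=35, snr_min=61, ap_count_min=3),
    ApRule("XYZ-neighbor", NEIGHBOR, ssids=("XYZ",)),
]


def demo() -> dict:
    c = Classifier(SAMPLE_RULES)
    a = c.evaluate("00:11:22:aa:bb:01", "xyz", snr=70, discovered_ap_count=3)   # rules 1 and 2 match: 20 + 35
    c.evaluate("00:11:22:aa:bb:01", "xyz", snr=70, discovered_ap_count=3)       # nothing new: matched rules are not re-run
    b = c.evaluate("00:11:22:aa:bb:02", "XYZ", snr=70, discovered_ap_count=5)   # rule 2 and the Neighbor rule: Neighbor wins
    d = c.state("00:11:22:aa:bb:03")
    for mechanism in ("Equal", "Plus One", "Minus One", "OUI", "External", "Config"):   # six hits: 120 capped to 100
        c.mechanism_hit(d.bssid, mechanism)
    return {st.bssid: (st.classification, st.confidence) for st in (a, b, d)}
```

Note that the first and third sample rules differ only in the case of the SSID, and SSIDs are case-sensitive byte strings in 802.11, so an AP beaconing "xyz" is never caught by the Neighbor rule for "XYZ"; that is the intended behaviour of the samples, but it is also a reminder that a Neighbor rule written on SSID alone is trivially satisfied by anyone who copies the neighbor's SSID.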