Detecting Rogue APs

The most important WIP Wireless Intrusion Protection. The WIP module provides wired and wireless AP detection, classification, and containment. It detects Denial of Service (DoS) and impersonation attacks, and prevents client and network intrusions. functionality is the ability to classify an AP as a potential security threat. An AP is considered to be rogue if it is both unauthorized and plugged in to the wired side of the network. An AP is considered to be interfering if it is seen in the RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment but is not connected to the wired network.

While the interfering AP can potentially cause RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. interference, it is not considered a direct security threat since it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.

This section describes the following topics:

WIDS Containment Enhancements

Air Monitor enabled APs detect and mitigate possible security threats in a wireless network. Air Monitor supports containment of rogue APs and prevents clients from associating with rogue APs. Air Monitor sends tarpit or deauthentication containment frames if any of the following criteria is met:

  • When an AP is marked for DOS, a single broadcast deauthentication frame is sent for disassociation and if stations do not honor the broadcast message, two unicast deauthentication frames are sent to disassociate the station from the AP and vice versa.
  • To disassociate a valid station from the non-valid AP, a unicast deauthentication frame is sent from the station’s MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address to the AP and vice versa.
  • AP impersonation is active and it disassociates all stations from the invalid AP by sending unicast deauthentication frames.

Understanding Classification Terminology

APs and clients are discovered during scanning of the wireless medium, and they are classified into various groups. The AP and client classification definitions are in Table 1 and Table 2.

Table 1: AP Classification Definition

Classification

Description

Authorized

An AP that is part of the enterprise providing WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. service.

Neighbor

A neighboring AP is when the BSSIDs Basic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. are known. Once classified, a neighboring AP does not change its state.

Interfering

An AP that is seen in the RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment but is not connected to the wired network. An interfering AP is not considered a direct security threat since it is not connected to the wired network. For example, an interfering AP can be an AP that belongs to a neighboring office’s WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. but is not part of your WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. network.

Rogue

An unauthorized AP that is plugged into the wired side of the network.

Suspected Rogue

A suspected rogue AP is an unauthorized AP that may be plugged into the wired side of the network.

Contained

An AP for which DoS Denial of Service. DoS is any type of attack where the attackers send excessive messages to flood traffic and thereby preventing the legitimate users from accessing the service. is enabled manually.

 

Table 2: Client Classification Definitions

Classification

Description

Authorized

Any client that successfully authenticates with a valid AP and passes encrypted traffic.

Contained

Any clients for which DoS Denial of Service. DoS is any type of attack where the attackers send excessive messages to flood traffic and thereby preventing the legitimate users from accessing the service. is enabled manually.

Interfering

A client associated to any AP and is not valid.

Understanding Classification Methodology

A discovered AP is classified as a rogue or a suspected rogue by the following methods:

  • Internal heuristics
  • AP classification rules
  • Manually by the user

The internal heuristics works by checking if the discovered AP is communicating with a wired device on the customer network. This is done by matching the MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address of devices that are on the discovered AP’s network with that of the user’s wired network. The MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. of the device on the discovered AP’s network is known as the Match MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. . The ways in which the matching of wired MACs occurs is detailed in the sections Understanding Match Methods and Understanding Match Types.

This section describes the following topics:

Understanding Match Methods

The match methods are:

The classification details for Discovered Radios and Discovered clients are available by clicking on their respective section icons in the Dashboard > Security page of the WebUI. The information is also available in the show wms rogue-ap command.

Understanding Match Types

Understanding Suspected Rogue Confidence Level

A suspected rogue AP is a potential threat to the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. infrastructure. A suspected rogue AP has a confidence level associated with it. An AP can be marked as a suspected rogue if it is determined to be a potential threat on the wired network, or if it matches a user-defined classification rule.

The suspected-rogue classification mechanisms are:

  • Each mechanism that causes a suspected-rogue classification is assigned a confidence level increment of 20%.
  • AP classification rules have a configured confidence level.
  • When a mechanism matches a previously unmatched mechanism, the confidence level increment associated with that mechanism is added to the current confidence level (the confidence level starts at zero).
  • The confidence level is capped at 100%.
  • If your managed device reboots, your suspected-rogue APs are not checked against any new rules that were configured after the reboot. Without this restriction, all the mechanisms that classified your APs as suspected-rogues may trigger again, causing the confidence level to surpass its cap of 100%. You can explicitly mark an AP as “interfering” to trigger all new rules to match against it.

Understanding AP Classification Rules

AP classification rule configuration is performed only on Mobility Master. If AMP AirWave Management Platform. AMP is a network management system for configuring, monitoring, and upgrading wired and wireless devices on your network. is enabled via the mobility-manager command, then processing of the AP classification rules is disabled on Mobility Master. A rule is identified by its ASCII American Standard Code for Information Interchange. An ASCII code is a numerical representation of a character or an action. character string name (32 characters maximum). The AP classification rules have one of the following specifications:

This following topics provide information on understanding SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network., SNR Signal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise., Discovered-AP-Count specifications, and sample rules:

Understanding SSID specification

Each rule can have up to 6 SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. parameters. If one or more SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. are specified in a rule, an option of whether to match any of the SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. or not match all of the SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. can be specified. The default is to check for a match operation.

Understanding SNR specification

Each rule can have only one specification of the SNR Signal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise.. A minimum and/or maximum can be specified in each rule, and the specification is in SNR Signal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise. (db).

Understanding Discovered-AP-Count specification

Each rule can have only one specification of the Discovered-AP-Count. Each rule can specify a minimum or maximum of the Discovered-AP-count. The minimum or maximum operation must be specified if the Discovered-AP-count is specified. The default setting is to check for the minimum discovered-AP-count.

Sample Rules

If SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. equals xyz AND SNR Signal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise. > 40 then classify AP as suspected-rogue with conf-level-increment of 20

If SNR Signal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise. > 60 and DISCOVERING_APS > 2, then classify AP as suspected-rogue with conf-level increment of 35

If SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. equals ‘XYZ’, then classify AP as known-neighbor

Understanding Rule Matching

A rule must be enabled before it is matched. A maximum of 32 rules can be created with a maximum of 16 rules simultaneously active. If a rule matches, an AP is classified either as Suspected Rogue or as Neighbor

For an AP classified as Suspected Rogue, an associated confidence-level is provided (minimum is 5%).

The following mechanism is used for rule matching:

  • When all the conditions specified in the rule evaluate to true, the rule matches.
  • If multiple rules match, causing the AP to be classified as a Suspected Rogue, the confidence level of each rule is aggregated to determine the confidence level of the classification.
  • When multiple rules match and any one of those matching rules cause the AP to be classified as a Neighbor, then the AP is classified as Neighbor.
  • APs classified as either Neighbor or Suspected Rogue will attempt to match any configured AP rule.
  • Once a rule matches an AP, the same rule will not be checked for the AP.
  • When the managed device reboots, no attempt to match a previously matched AP is made.
  • If a rule is disabled or modified, all APs that were previously classified based on that rule will continue to be in the newly classified state.