RAPIDS
Rogue Access Point Intrusion Detection System (RAPIDS) automatically detects and locates unauthorized access points (APs), regardless of your deployment persona, through a patented combination of wireless and wired network scans. RAPIDS uses existing, authorized APs to scan the RF environment for any unauthorized devices in range. RAPIDS also scans your wired network to determine if the wirelessly detected rogues are physically connected. Customers can deploy this solution with “hybrid” APs serving as both APs and sensors or as an overlay architecture where Aruba APs act as dedicated sensors called air monitors (AMs). RAPIDS uses data from both the dedicated sensors and deployed APs to provide the most complete view of your wireless environment. The solution improves network security, manages compliance requirements, and reduces the cost of manual security efforts.
- Rogue device detection is a core component of wireless security.
- The RAPIDS rules engine and containment options allow you to define in detail what constitutes a rogue device and to act quickly on a rogue AP, whether for investigation, restrictive action, or both.
- Once rogue devices are discovered, RAPIDS can alert a security team to the possible threat and provides the information needed to locate and manage it.
- The RAPIDS feature set is included with Foundation subscriptions.
RAPIDS provides an effective defense against rogues and other forms of wireless intrusion. To accomplish these objectives, RAPIDS will:
- Perform multiple types of wireless scans.
- Correlate the results of the various scans to consolidate all available information about identified devices.
- Classify the discovered devices based on rules that are customized to an organization’s security needs.
- Generate automated alerts and reports for IT containing key known information about unauthorized devices, including the physical location and switch port whenever possible.
- Deploy containment mechanisms to neutralize potential threats.
Key Features & Advantages of using RAPIDS
Feature | Benefit |
---|---|
Wireless scanning that leverages existing Access Points and AM sensors | Time and cost savings. Eliminates the need to perform walk-arounds or to purchase additional RF sensors or dedicated servers. |
Default or Custom Rules-based threat classification | Time and resource savings. Allows staff to focus on the most important risk mitigation tasks. Comprehensive device classification that’s tailored to the organization means less time spent investigating false positives. |
Automated alerts | Faster response times. Alerts staff the instant a rogue is detected, reducing reaction time and further improving security. |
Rogue AP location and switch/port information | Faster threat mitigation. Greatly simplifies the task of securing rogue devices and removing potential threats. |
Reporting | Reduced regulatory expense. Comprehensive rogue and audit reports help companies comply with various industry standards and regulatory requirements. |
IDS event management | Single point of control. Provides you with a full picture of network security. Improves security by aggregating data for pattern detection. |
Manual and automated containment | Continuous security. Improves security by enabling immediate action even when network staff is not present. |
RAPIDS Use Cases
Regulatory compliance is a key motivator that drives many organizations to implement stringent security processes for their enterprise wireless networks. The most common regulations are Payment Card Industry (PCI) Data Security Standard, Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX).
RAPIDS reporting is helpful for compliance audits
- PCI DSS requires that all organizations accepting credit or debit cards for purchases protect their networks from attacks via rogue or unauthorized wireless APs and clients. This applies even if the merchant has not deployed a wireless network for its own use.
- RAPIDS helps retailers and other covered organizations comply with these requirements. RAPIDS also enables companies to set up automated, prioritized alerts that can be emailed to a specified distribution list when rogues are detected.
- Hospitals use RAPIDS to protect patient data as well as their systems. They need to know whether rogues exist on their network alongside the critical medical devices used for patient care.
WIDS vs RAPIDS
Wireless Intrusion Detection Service (WIDS) provides additional behavioral information and security for a wireless network by constantly scanning the RF environment for pre-defined wireless signatures. Intrusion detection is built into AOS and uses signature matching, whereas RAPIDS uses rule matching.
- AOS can trigger alerts, known as WIDS events, based on the configured threat detection level: high, medium, or low.
- WIDS events fall into two buckets:
  - Infrastructure Detection Events
  - Client Detection Events
- RAPIDS consumes WIDS events and presents the event information in a clear and intelligible manner, with logging and rogue location information. Security events rarely happen in isolation: an attack usually generates multiple WIDS events, so RAPIDS merges the reporting of multiple related attacks into a single event to reduce noise.
- RAPIDS in Central aggregates WIDS events and provides a method to view which events are being raised in the environment.
- Each event has a specific victim MAC address, and events are aggregated per victim MAC. This collapses:
  - Multiple APs reporting the same event.
  - Several attacks against the same MAC.
- Visibility in the UI, NBAPI, and API streaming.
- Device classification is a combination of cloud processing and edge processing.
- Aruba access points can discover rogue access points independently, without intervention from Aruba Central (continuous monitoring).
- Aruba Central classification takes precedence.
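The per-victim aggregation described above, as an added example that is not Aruba's code: a small routine that takes raw WIDS events and merges those sharing a victim MAC within a time window into one incident, recording which APs reported it and which attack types were seen. The event records, field names, event names and the 300-second window are all constructed for illustration; Central's actual event schema and merge window are not given on this page.

```python
"""Merge related WIDS events by victim MAC (added example, not Aruba's code)."""

# Constructed sample WIDS events. Field and event names are illustrative only.
EVENTS = [
    {"ts": 100, "ap": "ap-lobby-1",  "event": "deauth_broadcast",   "victim": "02:11:22:33:44:aa"},
    {"ts": 101, "ap": "ap-lobby-2",  "event": "deauth_broadcast",   "victim": "02:11:22:33:44:aa"},
    {"ts": 103, "ap": "ap-lobby-1",  "event": "disassoc_broadcast", "victim": "02:11:22:33:44:aa"},
    {"ts": 104, "ap": "ap-floor2-3", "event": "deauth_broadcast",   "victim": "02:11:22:33:44:aa"},
    {"ts": 150, "ap": "ap-floor2-3", "event": "ap_spoofing",        "victim": "02:11:22:33:44:bb"},
    {"ts": 900, "ap": "ap-lobby-1",  "event": "deauth_broadcast",   "victim": "02:11:22:33:44:aa"},
]


def aggregate(events, window=300):
    """Merge events that share a victim MAC and arrive within `window` seconds
    of the previous event for that victim. An event outside the window opens a
    new incident for the same victim, so a repeat attack later in the day is
    not folded into the earlier one. The window value is an assumption."""
    incidents = []
    open_by_victim = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = open_by_victim.get(ev["victim"])
        if inc is None or ev["ts"] - inc["last_seen"] > window:
            inc = {
                "victim": ev["victim"],
                "first_seen": ev["ts"],
                "last_seen": ev["ts"],
                "events": set(),          # distinct attack types seen
                "reporting_aps": set(),   # every AP that reported any of them
                "raw_count": 0,           # how many raw events were merged
            }
            incidents.append(inc)
            open_by_victim[ev["victim"]] = inc
        inc["last_seen"] = ev["ts"]
        inc["events"].add(ev["event"])
        inc["reporting_aps"].add(ev["ap"])
        inc["raw_count"] += 1
    return incidents


if __name__ == "__main__":
    for inc in aggregate(EVENTS):
        print(inc["victim"], inc["raw_count"], "raw events from",
              sorted(inc["reporting_aps"]), "types:", sorted(inc["events"]))
```

On the constructed data the six raw events collapse to three incidents: four events against the first victim from three APs become one incident carrying both attack types, the spoofing event against the second victim stands alone, and the deauth at t=900 starts a new incident because it falls outside the window.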
RAPIDS Classifications
RAPIDS ranks classifications in the following hierarchy, from lowest to highest:
- Interfering
- Suspected Rogue
- Rogue
- Neighbor (Known Interfering)
- Manually Contained (DoS)
- Valid
In the lifecycle of a monitored AP, a classification can only be promoted (moved toward the end of this list, that is, left to right in the diagram below) and is never demoted to a lower value.
If a neighbor reaches a final-state classification such as “Valid” (shown in orange in the diagram), the AP stops applying its own classification algorithms to that neighbor and the classification stays there unless the entry ages out or a user manually reclassifies it.
The same behavior applies to custom rules. For example, if a neighbor AP is already classified as Rogue and then matches a rule that yields Suspected Rogue, it is not demoted.
{% include image.html rel_url=“image2.png” alt=“RAPIDS ranks classifications in the following hierarchy: Interfering, Suspected Rogue, Rogue, Neighbor (Known Interfering), Manually Contained (DoS), Valid” caption=“RAPIDS ranks classifications in the following hierarchy: Interfering, Suspected Rogue, Rogue, Neighbor (Known Interfering), Manually Contained (DoS), Valid” %}
Configuring Rules
After RAPIDS is enabled in the UI, a set of three default classification rules takes effect.
For existing RAPIDS customers, these are the same rules that were applied in previous releases. A maximum of 32 single rules can be configured. All criteria within a single rule are combined with AND, so a rule applies only if every criterion in that rule evaluates as a match.
Classification Criteria
- Signal - Minimum signal strength of the monitored AP, from -120 to 0 dBm.
- Detecting AP Count - Number of detecting APs that can “see” the monitored AP, from 2 to 255.
- WLAN classification - Valid, Interfering, Unsecure, DOS, Unknown, Known Interfering, Suspected Unsecure.
- SSID Includes - Pattern that must match the SSID of the monitored AP.
- SSID Excludes - Pattern that must not match the SSID of the monitored AP.
- Known valid SSIDs - Match against all known valid SSIDs configured on the customer’s account, using regular-expression matching.
- Plugged into wired network - Requires a managed PVOS/CX switch. A neighbor AP is determined to be plugged into the wired network when its BSSID matches the first 40 bits (five octets) of a wired MAC address reported by the switch.
- Time on network - Minimum number of minutes since the monitored AP was first seen on the network.
- Site - List of site IDs to which this rule applies. If empty, the rule applies to all sites.
- Band - Radio band of the monitored AP: 80211B (2.4 GHz), A (5 GHz), G (2.4 GHz), AG (not used), 6GHz.
- Valid client MAC match - Match any monitored BSSID against the current valid station cache list. This must be an exact match.
- Encryption - OPEN, WEP, WPA, WPA2, WPA3.
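The “Plugged into wired network” criterion, as an added example that is not Aruba's code: it normalizes MAC addresses as switches print them (colon, dash or dotted notation), keeps the first 40 bits, and looks up each over-the-air BSSID against a switch MAC table. The table entries and BSSIDs are constructed, and the field names are illustrative rather than any switch's real output format; only the 40-bit comparison itself comes from the page.

```python
"""Wired correlation of wireless BSSIDs by 40-bit MAC prefix (added example)."""
import re

# Constructed switch MAC table. Field names are illustrative, not real switch output.
WIRED_TABLE = [
    {"switch": "sw-floor1", "port": "1/0/7",  "mac": "02aa.bb00.0110"},    # AP uplink, dotted notation
    {"switch": "sw-floor1", "port": "1/0/12", "mac": "02-AA-BB-00-02-40"},  # a workstation
    {"switch": "sw-floor2", "port": "1/0/3",  "mac": "02:cc:dd:10:20:30"},
]


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits; accepts colon, dash and dotted notations."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def prefix40(mac: str) -> str:
    """First 40 bits (five octets) of a MAC: the portion RAPIDS compares."""
    return normalize_mac(mac)[:10]


def correlate(bssids, wired_table):
    """Map each BSSID to the wired-table entries whose MAC shares its 40-bit prefix."""
    by_prefix = {}
    for entry in wired_table:
        by_prefix.setdefault(prefix40(entry["mac"]), []).append(entry)
    return {bssid: by_prefix.get(prefix40(bssid), []) for bssid in bssids}


def plugged_in(bssid: str, wired_table) -> bool:
    """The 'Plugged into wired network' criterion for a single BSSID."""
    return bool(correlate([bssid], wired_table)[bssid])


# Constructed BSSIDs heard over the air.
HEARD = [
    "02:AA:BB:00:01:1C",  # radio of the AP on sw-floor1 1/0/7: only the last octet differs
    "02:aa:bb:00:02:4f",  # shares five octets with the workstation MAC: a false positive
    "02:cc:dd:ee:ff:01",  # nothing on the wire shares its prefix
]

if __name__ == "__main__":
    for bssid, hits in correlate(HEARD, WIRED_TABLE).items():
        print(bssid, "->", [(h["switch"], h["port"]) for h in hits] or "not on wire")
```

The second heard BSSID shows the limit of a prefix match: it lands on a workstation port because the two addresses happen to share five octets. That is why this criterion is best combined with others in the same rule (the rule's criteria are ANDed) rather than used alone to declare a rogue.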
Rule ordering matters: rules are evaluated from top to bottom in the custom rule list.
When a match is found, that rule is applied and further rule evaluation stops.
Because of this, order your rules from lower classifications to higher classifications.
Manual classification is respected: if a neighbor AP has already been manually classified by the user, no rules are evaluated for that AP.
If the matching rule selects a non-final classification (Interfering or Suspected Rogue), the AP rogue detection algorithms continue to run at the edge and may later determine that the AP is in fact a rogue and promote its classification to Rogue.
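The evaluation semantics above (ANDed criteria, top-to-bottom first match, manual classifications left alone, promotion-only along the hierarchy, edge detection still free to act on non-final states), as an added example that is not Aruba's code. Only a subset of the criteria is modelled, the rule set and neighbor records are constructed, and treating an unclassified neighbor as `None` and the detecting-AP count as a minimum are assumptions.

```python
"""Model of how RAPIDS evaluates ordered classification rules (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Classification hierarchy from the page, lowest to highest.
HIERARCHY = ["Interfering", "Suspected Rogue", "Rogue",
             "Neighbor (Known Interfering)", "Manually Contained (DoS)", "Valid"]
RANK = {name: i for i, name in enumerate(HIERARCHY)}
NON_FINAL = {"Interfering", "Suspected Rogue"}  # edge detection keeps running on these


@dataclass
class Neighbor:
    bssid: str
    ssid: str
    signal: int            # dBm
    detecting_aps: int
    wired: bool            # outcome of the 40-bit wired correlation
    encryption: str        # OPEN, WEP, WPA, WPA2, WPA3
    minutes_seen: int
    classification: Optional[str] = None   # None = not yet classified (assumption)
    manual: bool = False                   # set by an operator in the UI


@dataclass
class Rule:
    name: str
    classification: str
    min_signal: Optional[int] = None
    min_detecting_aps: Optional[int] = None   # treated as a minimum (assumption)
    ssid_includes: Optional[str] = None       # regular expression
    wired: Optional[bool] = None
    encryption: Optional[frozenset] = None
    min_minutes: Optional[int] = None

    def matches(self, n: Neighbor) -> bool:
        """All configured criteria are ANDed; unset criteria are ignored."""
        return all([
            self.min_signal is None or n.signal >= self.min_signal,
            self.min_detecting_aps is None or n.detecting_aps >= self.min_detecting_aps,
            self.ssid_includes is None or re.search(self.ssid_includes, n.ssid) is not None,
            self.wired is None or n.wired == self.wired,
            self.encryption is None or n.encryption in self.encryption,
            self.min_minutes is None or n.minutes_seen >= self.min_minutes,
        ])


def evaluate(n: Neighbor, rules):
    """Apply the first matching rule, top to bottom; returns (rule name, classification).
    Manually classified neighbors are skipped, and a rule can only promote."""
    if n.manual:
        return None, n.classification
    for rule in rules:
        if rule.matches(n):
            if n.classification is None or RANK[rule.classification] > RANK[n.classification]:
                n.classification = rule.classification
            return rule.name, n.classification   # first match ends evaluation
    return None, n.classification


def edge_may_still_classify(n: Neighbor) -> bool:
    """True while the AP's own detection algorithms can still promote this neighbor."""
    return n.classification is None or n.classification in NON_FINAL


# Constructed rule set, ordered lower to higher as the page recommends.
RULES = [
    Rule("open-guest-lookalike", "Suspected Rogue",
         ssid_includes=r"(?i)guest", encryption=frozenset({"OPEN"})),
    Rule("corp-ssid-on-our-wire", "Rogue",
         ssid_includes=r"^corp-", wired=True, min_minutes=5),
    Rule("known-partner-ap", "Neighbor (Known Interfering)",
         ssid_includes=r"^partner-", wired=False, min_detecting_aps=2),
]


def demo():
    """Run constructed neighbors through RULES and collect the outcomes."""
    r = {}
    # New open AP with a guest-like SSID: first rule fires, state is non-final.
    a = Neighbor("02:11:22:33:44:01", "Free Guest WiFi", -60, 3, False, "OPEN", 12)
    r["a"] = evaluate(a, RULES) + (edge_may_still_classify(a),)
    # Edge already marked it Interfering; corp SSID on our wire promotes it to Rogue.
    b = Neighbor("02:11:22:33:44:02", "corp-secure", -55, 4, True, "WPA2", 30,
                 classification="Interfering")
    r["b"] = evaluate(b, RULES) + (edge_may_still_classify(b),)
    # Already Rogue: matches the Suspected Rogue rule but is never demoted.
    c = Neighbor("02:11:22:33:44:03", "guest-hotspot", -70, 2, False, "OPEN", 90,
                 classification="Rogue")
    r["c"] = evaluate(c, RULES) + (edge_may_still_classify(c),)
    # Manually set to Valid by an operator: no rules are evaluated at all.
    d = Neighbor("02:11:22:33:44:04", "corp-secure", -40, 5, True, "WPA2", 60,
                 classification="Valid", manual=True)
    r["d"] = evaluate(d, RULES) + (edge_may_still_classify(d),)
    # One AP matching two rules: only ordering decides which classification it gets.
    e1 = Neighbor("02:11:22:33:44:05", "corp-guest", -50, 3, True, "OPEN", 10)
    e2 = Neighbor("02:11:22:33:44:05", "corp-guest", -50, 3, True, "OPEN", 10)
    r["e_ordered"] = evaluate(e1, RULES)
    r["e_reversed"] = evaluate(e2, list(reversed(RULES)))
    return r
```

The last pair of neighbors is the practical check to run against any rule list you write: the same AP classified as Suspected Rogue with the list as ordered and as Rogue with it reversed, because the first match stops evaluation.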
Rogues Panel
The rogues panel provides a lot of detailed information about your wireless environment. Here is an example of what information is provided.