RF Scanning Methods

HPE Aruba Networking Access Points, Gateways, and Central can work together to scan the environment for the detection of threats to the wireless network.

Scanning

Radios in an HPE Aruba Networking AP can be configured to scan the wireless network in three different modes: Access Point (AP) mode, Air Monitor (AM) mode, and Spectrum Monitor mode. Each mode is designed to prioritize different tasks.

| Radio Mode       | Serve Clients | IDS/Rogue Detection | IDS/Rogue Channels Scanned     | Wireless Containment | Spectrum Analysis           |
|------------------|---------------|---------------------|--------------------------------|----------------------|-----------------------------|
| AP               | Yes           | Yes                 | All regulatory channels        | Best effort          | Client serving channel only |
| Air Monitor      | No            | Yes                 | All regulatory + Rare channels | Yes                  | No                          |
| Spectrum Monitor | No            | Yes                 | All regulatory + Rare channels | No                   | Yes, All Channels           |

Access Point mode

Radios in AP mode focus on serving clients and forwarding wireless traffic, but they also perform IDS detection. Most wireless administrators use this mode in their networks. The information provided by the APs is the basis for detection. IDS detection occurs while the AP is serving clients, ensuring full IDS attack detection within the network. Off-channel scanning will find rogue devices and IDS attacks originating from outside of the network.

AP mode scanning operation

Typically, an AP will perform off channel scanning every 10 seconds for slightly less than 100 milliseconds per channel. This allows the AP to monitor the surroundings without missing beacons and causing connectivity problems for clients. Off-channel scanning has multiple use cases in addition to WIDS/WIPS.

Scanning all regulatory-domain channels is recommended. This includes every valid channel in any regulatory domain, not just the regulatory domain of the AP. This is recommended because attackers typically don’t feel the need to follow the law. A malicious device can be detected on a channel outside the AP’s regulatory domain, but the AP cannot perform containment on channels outside of its assigned regulatory domain. The AP can be restricted to scan only the channels within the assigned regulatory domain, but this is not recommended for security-conscious customers.

APs use a bucketing-based algorithm for channel scanning. When an AP boots up, the channels are classified into two different buckets: regulatory and non-regulatory channels. The regulatory channels are scanned more frequently than the non-regulatory channels. A third bucket of “active” channels is populated as the AP scans and detects channels with wireless traffic. The active bucket is scanned more frequently than the regulatory and non-regulatory channels. This allows the AP to spend the most time on channels where a threat is more likely, rather than on channels with a lower likelihood of threats.

The APs primarily protect the channel to which they are assigned; APs can additionally be configured to conduct an off-channel scan approximately every 10 seconds for a period of about 100 ms to look for any WIDS events.

A representation of how a radio in AP mode will go off-channel for scanning.

Due to the adaptive nature of the scanning algorithm, answering the question of “how much time is required to scan all channels?” is relatively difficult. Typically, all channels will be scanned at least once in less than an hour, with active channels getting scanned much more frequently.

Air Monitor mode

Air Monitors (AMs) are dedicated to wireless security. They do not serve clients and hence do not need to be deployed at the same density as APs. In most cases, a 4:1 or 5:1 ratio of APs to AMs is recommended if containment is needed, but that varies heavily based on AP density, environment, and the types of WIDS/WIPS features enabled.

AM mode scanning operation

AMs use a channel scanning algorithm similar to that of APs, but add a fourth bucket of classification for ‘rare’ channels. In raw frequency, the channels an AM scans span 2412 through 2484 MHz and 4900 through 5895 MHz in 5 MHz increments. Rare channels include the 4.9 GHz spectrum, which is a licensed public safety band in many countries. The 6 GHz band is scanned from 5945 MHz through 7125 MHz, with channel scanning done every 20 MHz using the group scanning technology so that the maximum channel width supported by the radio can be caught.

Due to the analog nature of wireless, we have found that the natural bleed-through of RF signals allows us to find rogues that are configured in between standard channels by scanning every 5 MHz. The channels scanned by an AM are configured in the AM scanning profile, which is part of the radio profile.

Scan dwell times are based on the bucketing system. When in AP mode, the off-channel dwell time is quite short to minimize impact for serving client devices and allow for the regular sending of beacons. Since the AM is not serving clients and no beacons are being sent, the AM does not need to be on any particular channel regularly.

Air Monitors (AMs) continuously scan all channels based on an algorithm that divides the RF channels into three buckets (active, regulatory, and rare). The AM will spend ~500 ms on active channels, ~250 ms on regulatory channels, and ~100 ms on rare channels.

A representation of how a radio in Air Monitor mode will utilize different buckets for channel scanning.

The exact channel that is scanned will be chosen randomly. The dwell times listed above are slightly randomized to ensure that a rogue cannot predict exactly when it can and cannot transmit to avoid detection.

AMs scan the active channels more frequently than regulatory channels, which are scanned more frequently than rare channels. The exact time to cycle through all the channels varies due to the algorithm noted above. Scanning through all regulatory channels can take approximately 5 minutes. The APs and AMs can demodulate, monitor, and detect IEEE 802.11 standards and protocols.

Channels will be promoted to the active channel list at any time based on the detection of Wi-Fi activity. If no activity is seen for a significant period, the channel will be demoted back to the original bucket.
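A constructed simulation (added here, not HPE Aruba Networking code) of the bucketed scan loop described in this section and in the AP bucketing section above: weighted bucket selection, a random channel within the bucket, slightly randomized dwell, and promotion of channels to the active bucket on Wi-Fi activity with demotion after a quiet period. The dwell times are the page's values; the bucket weights, the ±10% jitter and the 60-second idle limit are assumptions.

```python
import random

# Dwell times from the page: ~500 ms active, ~250 ms regulatory, ~100 ms rare.
DWELL_MS = {"active": 500, "regulatory": 250, "rare": 100}
# Relative pick frequency per bucket is an assumption; the page only states
# the ordering active > regulatory > rare.
WEIGHT = {"active": 4, "regulatory": 2, "rare": 1}


class AirMonitorScanner:
    """Toy model of the AM bucketed scan loop (constructed, not Aruba code)."""

    def __init__(self, regulatory, rare, idle_limit_ms=60_000, seed=None):
        self.buckets = {"active": set(), "regulatory": set(regulatory), "rare": set(rare)}
        self.home = {**{c: "regulatory" for c in regulatory}, **{c: "rare" for c in rare}}
        self.last_seen = {}                 # channel -> sim time of last activity
        self.idle_limit_ms = idle_limit_ms  # assumed demotion threshold
        self.rng = random.Random(seed)
        self.now_ms = 0

    def bucket_of(self, ch):
        return next(b for b, chans in self.buckets.items() if ch in chans)

    def pick_channel(self):
        """Weighted bucket choice, then a random channel inside that bucket."""
        names = [b for b in DWELL_MS if self.buckets[b]]
        bucket = self.rng.choices(names, [WEIGHT[b] for b in names])[0]
        return self.rng.choice(sorted(self.buckets[bucket])), bucket

    def dwell(self, bucket):
        """Jitter the dwell by +/-10% (assumed) so a rogue cannot time its bursts."""
        return int(DWELL_MS[bucket] * self.rng.uniform(0.9, 1.1))

    def observe(self, ch, activity_seen):
        """Promote a channel to 'active' on Wi-Fi activity; demote when quiet."""
        if activity_seen:
            self.last_seen[ch] = self.now_ms
            self.buckets[self.bucket_of(ch)].discard(ch)
            self.buckets["active"].add(ch)
        elif ch in self.buckets["active"] and \
                self.now_ms - self.last_seen[ch] > self.idle_limit_ms:
            self.buckets["active"].discard(ch)
            self.buckets[self.home[ch]].add(ch)

    def step(self, activity_fn):
        """One scan slot: pick a channel, dwell there, record what was heard."""
        ch, bucket = self.pick_channel()
        self.now_ms += self.dwell(bucket)
        self.observe(ch, activity_fn(ch))
        return ch, bucket
```

Driving `step()` with a function that reports activity on a given channel shows that channel migrating into the active bucket and, once traffic stops, back to its home bucket.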

Spectrum monitor

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. APs that support the spectrum analysis software module and are configured in spectrum monitor (SM) mode are able to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, identify interference, and classify the source of the interference. An analysis of the results can then be used to quickly isolate issues with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel.

AP radios operating in SM mode gather spectrum data but do not serve clients. Each SM scans and analyzes the spectrum band serviced by the SM’s radio. An AP radio in hybrid AP mode continues to serve clients as an access point while also analyzing spectrum data for the channel the radio uses to serve clients. Data from both types of spectrum analysis device can be recorded, which allows that data to be saved for later playback and analysis.

Wired rogue AP detection and correlation

The gateway has a few different methods to assist with determining whether or not an AP discovered on the network is a rogue.

The most basic method is a +/- 1 last-octet MAC address check between traffic that has been seen on the wire and traffic seen wirelessly. If wired traffic is observed with a MAC address whose last octet is within 1 of the wireless MAC, that device will be tagged as a wired rogue. For example, MAC addresses 64-16-4A-54-E4-72 and 64-16-4A-54-E4-71 would be detected as a rogue device.

There are a few more sophisticated methods as well. The APs and AMs will monitor traffic detected over the air and determine if that traffic originated on the wired network by checking if the wireless traffic matches any of the known wired gateway MAC addresses. The list of known wired gateway MAC addresses is built up by the gateway, APs, and AMs. For this functionality to operate correctly, all client facing VLANs need to be trunked to either the gateway, an AP, or an AM. While traffic needs to be trunked only to one AP or AM for the detection to work, the recommendation is to trunk the VLANs to all of the APs or AMs that are deployed. Wired containment requires this setup and is discussed in the chapter regarding containment.

Central will check the bridge forwarding tables and the ARP tables to gather rogue information from the network. The bridge forwarding table gives the mapping of wired MAC addresses to switch ports. The ARP table gives a mapping of wired MAC addresses and IP addresses. Central will then correlate the list of wired MAC addresses with everything that has been heard over the air. If two MAC addresses are within a configurable offset, they will be considered the same device and linked together.
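An added example (constructed here, not HPE Aruba Networking code) of the MAC-offset correlation described in the two preceding paragraphs: BSSIDs heard over the air are compared against wired MACs from a bridge forwarding table and an ARP table, and any pair within a configurable offset is linked and tagged as a wired rogue together with its switch port and IP. The tables and the MACs other than the page's own example pair are constructed sample data.

```python
import re

# Constructed sample data standing in for Central's bridge-forwarding and ARP
# table lookups. The first wired MAC and the first BSSID are the page's own
# example pair; the other entries are made up.
BRIDGE_TABLE = {  # wired MAC -> switch port (bridge forwarding table)
    "64-16-4A-54-E4-71": "1/0/12",
    "00-1B-44-11-3A-B7": "1/0/3",
    "AC-DE-48-00-11-22": "1/0/7",
}
ARP_TABLE = {  # wired MAC -> IP address (ARP table)
    "64-16-4A-54-E4-71": "10.20.30.44",
    "00-1B-44-11-3A-B7": "10.20.30.12",
}
HEARD_OVER_AIR = ["64-16-4A-54-E4-72", "AC-DE-48-00-11-30", "D8-C7-C8-AA-BB-CC"]


def mac_to_int(mac):
    """Parse '64-16-4A-54-E4-72', '64:16:4a:54:e4:72' or '64164a54e472'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def within_offset(mac_a, mac_b, offset=1):
    """True when the two 48-bit addresses differ by at most `offset`.
    With the default of 1 this is the page's +/-1 last-octet check; Central's
    configurable offset maps onto the same parameter."""
    return abs(mac_to_int(mac_a) - mac_to_int(mac_b)) <= offset


def correlate(bridge_table, arp_table, bssids, offset=1):
    """Link each BSSID heard over the air to a wired MAC within `offset`,
    attaching the switch port and IP so the device can be located."""
    matches = []
    for bssid in bssids:
        for wired_mac, port in bridge_table.items():
            if within_offset(bssid, wired_mac, offset):
                matches.append({
                    "bssid": bssid,
                    "wired_mac": wired_mac,
                    "switch_port": port,
                    "ip": arp_table.get(wired_mac),
                    "classification": "wired rogue",
                })
    return matches
```

With the default offset only the page's example pair is linked; raising the offset to 16 also links the constructed AC-DE-48 pair, which differ by 14 in the last octet.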

For best results, the recommendation is to turn on only the attack detection that is worth investigating. Security-minded customers may choose the High option. The High option does not enable every event that can be detected by the HPE Aruba Networking system. For example, NetStumbler detection is not turned on by default. NetStumbler detection means that a client device is running an old scanning tool and does not necessarily mean that the network was compromised. Custom settings allow the administrator to enable or disable each attack detection individually.


Last modified: July 29, 2024 (6115eca)