Channel: CCIE Blog | iPexpert » CCIE Lab

Wireless Security – Rogue Management Part I


Let’s consider the following situation – an employee brings his or her own Access Point into a well-secured environment and connects it to a wall socket. As a result, anyone with a wireless-enabled device can now associate with the AP (or at least the group of people who know the PSK, if WEP/WPA was configured) and get access to our internal (wired) network. This is what’s known as a Rogue Access Point – in simple words, a Rogue AP is an AP that is not under our control. Rogue APs can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall and/or IPS.

I will now discuss one of the wireless security features available on WLC (so this will be Unified Wireless Architecture) that is used to detect and deal with Rogue devices. This is what’s collectively known as Rogue Management.

In short, we can say that there are three phases in the Rogue Management process:

  1. Detection
  2. Classification
  3. Containment

In this blog post our focus is going to be Rogue Detection.

 

ROGUE DETECTION

Two main methods used to detect Rogue APs are: Infrastructure Scanning and RF Groups.

With Infrastructure Scanning our APs listen for rogue beacons and, if a rogue device is detected, they inform the WLC about it. A prerequisite for this method is that the AP works in one of three modes – Local, FlexConnect or Monitor.

Local (or FlexConnect) Mode is the normal operation of an AP. This mode allows data clients to be serviced while the configured channels are scanned for noise and rogues (the AP splits its cycles between serving WLAN clients and scanning channels for threats). This works by allowing the AP to go off-channel for 50 ms to listen for Rogues and then go back to the original channel to service the clients (a single channel switchover takes 10 ms). Since the default interval is 180 seconds, each of the 11 channels is scanned at least once within the interval, as clients are serviced for 16 seconds on a single channel between scans. By the way, the interval and the channels to scan are configurable (we’ll take a look at it in one of the later posts).

Monitor Mode turns your AP into more of a passive device – this is a listen-only configuration (the radio only receives, with one small exception, namely the ability to send so-called de-authentication frames). When an AP is configured in Monitor Mode, it scans all configured channels every ~12 seconds (it uses 100% of the radio’s time for scanning and this way listens for about 1.2 seconds on each channel). This provides better detection – Monitor Mode APs are far superior at detecting Rogues as they have a more comprehensive view of the activity. A disadvantage here is the inability to use Rogue Location Discovery Protocol, RLDP (since a Monitor Mode AP cannot establish an association). RLDP is one of the protocols used in the Classification phase – we’ll talk about it in the next post.

Another method used by the WLC to detect Rogues uses the concept of an RF Group. Each of your controllers is configured with an RF Group name (this is one of the elements you configure when you initialize the WLC, which is something you may be asked to do in the real lab). Once an AP registers with a controller, it embeds an authentication Information Element (IE) that is specific to the RF Group configured on the controller in all of its beacon/probe response frames. When the AP hears beacon/probe response frames from another AP either without this IE or with a wrong IE, it reports that AP as a Rogue, records its BSSID in a Rogue Table, and sends the table to the WLC.

This active scanning, combined with neighbor messages, identifies which APs are Rogues and which APs are valid and part of the network. The bottom line is that once APs detect Rogue APs or Clients, they send this information to the Controller for further processing.
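The RF Group check described above, modelled as an added example (this is illustrative code, not Cisco’s implementation or anything from the original post). It assumes a simplified beacon layout (a 6-byte BSSID followed by 802.11-style TLV information elements) and models the RF Group authentication IE as a vendor-specific element (ID 221) carrying a constructed placeholder OUI plus an HMAC of the BSSID keyed with the RF Group name; the real Cisco encoding is not described on the page. A hearing AP inspects each overheard frame, and any BSSID whose frame lacks the IE, or carries one computed for a different RF Group, lands in the Rogue Table that would be sent to the WLC.

```python
"""Toy model of RF-Group-based rogue detection (added example, not Cisco code).

An AP in RF Group `my_rf_group` overhears beacon / probe-response frames,
checks for a valid RF Group authentication IE, and records anything that
fails the check in a rogue table keyed by BSSID.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple

# Assumption: the RF Group IE is modelled as a vendor-specific IE (element
# ID 221). The OUI below is a constructed placeholder, not a real vendor OUI,
# and the tag layout is invented for this example.
VENDOR_SPECIFIC = 221
TOY_OUI = b"\x00\x11\x22"
SSID_IE = 0


def rf_group_tag(rf_group: str, bssid: bytes) -> bytes:
    """Per-BSSID tag bound to the RF Group name (constructed scheme)."""
    return TOY_OUI + hmac.new(rf_group.encode(), bssid, hashlib.sha256).digest()[:8]


def build_beacon(bssid: bytes, ssid: str, rf_group: Optional[str]) -> bytes:
    """Constructed 'beacon': BSSID followed by TLV information elements.

    rf_group=None produces a frame with no RF Group IE at all, which is what
    a consumer-grade AP plugged into the wall would send.
    """
    ies = struct.pack("BB", SSID_IE, len(ssid)) + ssid.encode()
    if rf_group is not None:
        tag = rf_group_tag(rf_group, bssid)
        ies += struct.pack("BB", VENDOR_SPECIFIC, len(tag)) + tag
    return bssid + ies


def parse_ies(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (element_id, payload) for each TLV; stop on a truncated element."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break  # malformed / truncated IE: do not read past the frame
        yield eid, body[i + 2 : i + 2 + length]
        i += 2 + length


@dataclass
class RogueTable:
    """BSSID -> SSID of every AP that failed the RF Group check."""
    entries: Dict[str, str] = field(default_factory=dict)


def inspect_frame(frame: bytes, my_rf_group: str, table: RogueTable) -> bool:
    """Return True (and record the BSSID) if the frame came from a rogue.

    A frame is accepted only if it carries our vendor-specific IE with a tag
    that matches the one our own RF Group would produce for that BSSID.
    """
    bssid, body = frame[:6], frame[6:]
    expected = rf_group_tag(my_rf_group, bssid)
    ssid, valid = "", False
    for eid, payload in parse_ies(body):
        if eid == SSID_IE:
            ssid = payload.decode(errors="replace")
        elif eid == VENDOR_SPECIFIC and payload[:3] == TOY_OUI:
            # Constant-time compare: a wrong RF Group yields a different tag.
            valid = hmac.compare_digest(payload, expected)
    if not valid:
        table.entries[bssid.hex(":")] = ssid
    return not valid


def scan(frames, my_rf_group: str) -> RogueTable:
    """Run the check over every overheard frame and return the rogue table."""
    table = RogueTable()
    for frame in frames:
        inspect_frame(frame, my_rf_group, table)
    return table


if __name__ == "__main__":
    # Constructed sample frames: one managed AP, one home AP with no IE,
    # and one AP from a different RF Group.
    heard = [
        build_beacon(b"\x00\x11\x22\x33\x44\x55", "corp", "corp-rf"),
        build_beacon(b"\xaa\xbb\xcc\xdd\xee\xff", "free-wifi", None),
        build_beacon(b"\xaa\xbb\xcc\xdd\xee\x01", "corp", "other-rf"),
    ]
    for bssid, ssid in scan(heard, "corp-rf").entries.items():
        print(f"rogue {bssid} ssid={ssid!r}")
```

The third frame is the interesting one: it advertises the corporate SSID, so an SSID-based allow-list would accept it, but its IE was produced for a different RF Group, so the tag check still flags it. The same mechanism is why a Monitor Mode AP can feed this table without ever associating to anything.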

 

In the second part of this article we will discuss how the WLC actually handles the information about detected Rogues – I’ll keep you posted.

 

Piotr Kaluzny

CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

