In the first blog post related to Wireless Security we took a look at the initial phase of Rogue Management – Detection. Now we are going to discuss what happens next – how the WLC deals with the devices that were marked as “Rogues”. This is what’s known as the Classification Phase.
ROGUE CLASSIFICATION
Once a Rogue AP is detected, the next step taken by the WLC is to classify it. There are three types of Rogue APs:
- Unclassified
- Friendly
- Malicious
By default, all Rogues that are detected by the Cisco UWN are considered to be “Unclassified”, with just one exception – when the Rogue is also detected on our wired network it will be automatically re-classified as “Malicious”. This holds true even if there are no Classification Rules (more on this later) configured on the Controller.
OK, so now the question is what’s the difference between the three types of Rogues?
- A Friendly AP is an AP that is not directly controlled by the WLC but whose existence we know about – e.g. a neighboring network’s AP. The key thing about Friendly APs is that we know they do not pose any threat to our network. You can either define Friendly Access Points manually in the “Friendly MAC List” or have Rogues classified as Friendly based on the Classification Rules.
- Malicious APs are those that were set up with malicious intent and that are not controlled by our WLC. These will be all APs we did not classify as “Friendly” that were either seen on our wired network or were classified as “Malicious” based on our Classification Rules.
- An Unclassified AP is an Access Point that was classified as neither “Friendly” nor “Malicious” (it is neither good nor bad). As mentioned earlier, by default, if no Classification Rules exist and the Rogue is not seen on the wired network, it will be marked as “Unclassified”.
OK, before we get to the Classification Rules, I mentioned that if a Rogue AP is seen on our wired network it will be classified as “Malicious”. But how do we actually know whether it is there or not? Well, there are three technologies used to answer that question:
- Rogue Location Detection Protocol (RLDP)
- A special AP Mode setting known as “Rogue Detector”
- Switchport Tracing
With RLDP enabled, our legitimate APs will try to connect to the Rogue AP’s SSID, acting as if they were clients (note that our APs’ legitimate clients will be dropped/not serviced during that time). After they connect they will send a packet destined for the WLC over the air, through the Rogue AP, to see if the traffic actually reaches our wired network. Note that this option will only work when the Rogue AP is configured with Open Authentication (no authentication).
For situations when WEP or WPA is used to protect the communication with the Rogue AP, another method can be used – Rogue Detector Mode, which is a passive approach (the radio is turned off). It works similarly to an IDS – the AP listens for wired traffic only (ARP frames specifically) and compares source MACs to the known MACs of the Rogue devices (which were learned from the WLC). This feature is pretty limited since it is not looking at the exact “wired” MAC of the Rogue AP but rather tries to guess it based on the wireless-NIC MAC (looking for MACs that differ by +1/-1 from the learned one). As a side note, to use this mode the switchport connected to the Rogue-Detector AP must be configured as a trunk with all “wireless” VLANs allowed.
The third method used to figure out whether a Rogue is on the wired segment or not is called Switchport Tracing. This one relies on WCS (Wireless Control System): WCS retrieves CDP information from an AP that detected a Rogue, which tells WCS which switch is its neighbor, and it can then poll that switch via SNMP to obtain the MAC addresses in its CAM table. Once this is done it can compare the retrieved MACs to the Rogue MACs – if there is a match it means the Rogue is on the wired side as well. This method, assuming SNMP was configured for read-write access, can also be used to shut down the switchport where the Rogue turns out to be Malicious (in the Containment Phase).
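To make the Rogue Detector heuristic concrete, here is an added illustration (my own example, not Cisco code) of the +1/-1 MAC comparison: wired ARP source MACs are checked against the rogue radio MACs learned from the WLC. The ARP frames and rogue list are constructed sample data.

```python
def mac_to_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' (or dashed form) to an integer for arithmetic."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def is_adjacent(wired_mac: str, rogue_mac: str, window: int = 1) -> bool:
    """True if the wired MAC is within +/-window of the rogue's radio MAC."""
    return abs(mac_to_int(wired_mac) - mac_to_int(rogue_mac)) <= window

def wired_rogues(arp_frames, rogue_macs, window=1):
    """Return {rogue_mac: (wired_mac, vlan)} for rogues whose wired side was seen.

    arp_frames: iterable of (source_mac, vlan) tuples seen on the trunk port.
    rogue_macs: iterable of rogue BSSIDs learned from the WLC.
    """
    found = {}
    for src, vlan in arp_frames:
        for rogue in rogue_macs:
            if rogue not in found and is_adjacent(src, rogue, window):
                found[rogue] = (src, vlan)
    return found

# Constructed sample data: the first rogue's wired NIC is radio MAC + 1, the
# second rogue's wired NIC is radio MAC - 1, the third is never seen on the wire.
ROGUE_MACS = ["00:11:22:33:44:10", "00:11:22:33:44:80", "aa:bb:cc:00:00:05"]
ARP_FRAMES = [
    ("00:11:22:33:44:11", 10),   # wired NIC of the first rogue (+1)
    ("00:11:22:33:44:7f", 20),   # wired NIC of the second rogue (-1)
    ("00:11:22:33:44:13", 10),   # unrelated device, outside the +/-1 window
]

if __name__ == "__main__":
    for rogue, (mac, vlan) in wired_rogues(ARP_FRAMES, ROGUE_MACS).items():
        print(f"rogue {rogue} seen on the wire as {mac} (VLAN {vlan})")
```

The window is exactly why the feature is limited: a rogue whose wired NIC uses an unrelated MAC is missed, while any unrelated device that happens to hold an adjacent MAC would be matched.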
Rogue Classification Rules
As we said earlier, an AP gets marked as “Unclassified” unless it was detected on the wired network (ending up as a “Malicious” AP) or it was manually classified as “Friendly” (by adding it to the “Friendly MAC List”). There is, however, another method we can use to classify newly detected Rogues as “Friendly” or “Malicious” – based on rules and conditions we create to match our security policy and/or other requirements. For example, some elements you may want to take into account that suggest a Rogue AP should be treated as “Malicious” are:
- This AP uses your SSID
- It has a strong signal (RSSI)
- It has connected clients
These are the actual matching criteria we will be able to use in our Classification Rules:
- Managed SSID (WLC-known SSIDs that we configured on the Controller)
- User-defined SSID (an arbitrary SSID)
- No Encryption (requires that Rogue AP’s SSID does not have encryption enabled)
- Minimum Received Signal Strength Indication (RSSI) – useful when we only want to match Rogues that are “close” to our network
- Time Duration (the minimum period of time during which the Rogue is being detected)
- Number of associated clients
Similarly to MQC class-maps, we have two matching options that ultimately determine how many conditions must be met for a rule to match (“match-all” and “match-any”). Match-all means that all conditions must be met, whereas “match-any” says that we’ll have a hit for the rule if at least one condition is met (no matter which).
Classification Rules come into play when a Rogue was not found on the Friendly MAC List (which is configured manually). Rules are processed in order (top-down), starting with Malicious Rules. If there is no match in any Malicious Rule, then Friendly Rules are processed. If there is no match there either, the AP ends up as “Unclassified” – the same as what happens by default if no rules are present and the AP is not on the wired network.
Once a Rogue has been classified, the WLC will not try to re-classify it. The only exception is when an “Unclassified” AP at some point gets detected on the wired segment – then the AP will be automatically moved to “Malicious”.
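The classification order above (Friendly MAC List, then Malicious rules, then Friendly rules, else Unclassified, with wired presence forcing Malicious), the match-all/match-any semantics and the six matching criteria, as an added example I wrote to illustrate the logic; it is not WLC code. Rule and field names, the managed SSID set and the rogue records in the test are constructed.

```python
from dataclasses import dataclass, field

MANAGED_SSIDS = {"corp-wifi", "corp-guest"}   # constructed: SSIDs configured on the WLC

@dataclass
class Rogue:
    mac: str
    ssid: str
    rssi: int              # dBm
    encrypted: bool
    seen_seconds: int      # how long the rogue has been detected
    clients: int
    on_wire: bool = False  # learned via RLDP, Rogue Detector or Switchport Tracing

@dataclass
class Rule:
    name: str
    classify_as: str       # "Malicious" or "Friendly"
    match_all: bool        # True = match-all, False = match-any
    conditions: dict = field(default_factory=dict)

def condition_hit(cond: str, value, r: Rogue) -> bool:
    """Evaluate one of the six matching criteria against a rogue."""
    checks = {
        "managed_ssid":  lambda: r.ssid in MANAGED_SSIDS,
        "user_ssid":     lambda: r.ssid == value,
        "no_encryption": lambda: not r.encrypted,
        "min_rssi":      lambda: r.rssi >= value,
        "duration":      lambda: r.seen_seconds >= value,
        "min_clients":   lambda: r.clients >= value,
    }
    return checks[cond]()

def rule_matches(rule: Rule, r: Rogue) -> bool:
    hits = [condition_hit(k, v, r) for k, v in rule.conditions.items()]
    return all(hits) if rule.match_all else any(hits)

def classify(r: Rogue, friendly_macs: set, rules: list) -> str:
    if r.mac in friendly_macs:
        return "Friendly"          # Friendly MAC List is consulted before any rule
    if r.on_wire:
        return "Malicious"         # wired presence is Malicious even with no rules
    for wanted in ("Malicious", "Friendly"):   # Malicious rules first, top-down
        for rule in rules:
            if rule.classify_as == wanted and rule_matches(rule, r):
                return wanted
    return "Unclassified"

def reclassify(current: str, r: Rogue) -> str:
    # only Unclassified -> Malicious (seen on the wire later) is re-evaluated
    return "Malicious" if current == "Unclassified" and r.on_wire else current
```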
In the third part of this article we will discuss methods used to prevent Malicious APs from hijacking our clients, and finally I will also show you how to configure Rogue Management on the WLC.
–
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com