As I said in the previous part of this article, in this post we will discuss the methods used to deal with malicious APs, and in the next post I am going to show you how to configure the WLC for Rogue Detection, Classification and Containment.
Before I start talking about the actual Rogue Containment feature, let me mention one additional method you could use to mitigate the problems caused by a malicious Rogue AP found on your network: Switchport Tracing. This is something you enable from the Wireless Control System, WCS (which, by the way, is NOT listed on the 4.0 security blueprint). WCS traces the rogue's MAC address to the wired switch port it is connected to, and once the MAC is found on a wired port you have the option to shut that interface down from WCS.
ROGUE CONTAINMENT
OK, now let's talk about Containment. Containment uses over-the-air frames to temporarily interrupt service on a Rogue device until it can be physically removed (which is the best thing you can do when a Rogue AP is connected to your network). It works by sending 802.11 de-authentication frames with the spoofed source address of the Rogue AP, so that any clients associated with the Rogue are kicked off and kept off until you remove the bad AP.
A particular Rogue can be contained using 1 to 4 APs. Each AP can contain up to 3 Rogue devices per radio when running in Local Mode, or up to 6 per radio when configured in Monitor Mode. By default, the controller uses one AP to contain a Rogue. If two or more APs are able to detect a particular Rogue, the AP that hears it with the highest RSSI performs the containment, regardless of AP mode.
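To make the frame-level mechanism concrete, here is an added example (not code from the original post or from Cisco) that builds the kind of 802.11 de-authentication frame a containing AP transmits on behalf of the Rogue's BSSID, dissects it again, and flags a burst of such frames that name one of our own BSSIDs as transmitter, which is what it looks like when somebody else starts containing us. The frame layout follows IEEE 802.11; the MAC addresses, the reason code, the threshold and the sample capture are all constructed for the demo.

```python
"""Build and dissect 802.11 deauthentication frames of the kind containment sends,
then flag bursts of them that name one of our own BSSIDs as the transmitter.
Added example: frame layout follows IEEE 802.11; MAC addresses, reason code
and thresholds below are made up for the demo."""
import struct
from collections import defaultdict

# Frame Control byte 0: protocol version 0, type 0 (management), subtype 12 (deauth) -> 0xC0
DEAUTH_FC0 = 0xC0
BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_HEADER_LEN = 24           # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(spoofed_bssid: str, target: str, reason: int = 7, seq: int = 0) -> bytes:
    """Deauth frame as a containing AP would send it: Addr2/Addr3 carry the
    rogue's BSSID although the rogue never sent it; Addr1 is the client (or
    broadcast to hit every associated client at once). Reason 7 (class 3 frame
    from non-associated STA) is an arbitrary but common choice (assumption)."""
    header = struct.pack("<BBH", DEAUTH_FC0, 0x00, 0)        # FC, flags, duration
    header += mac_to_bytes(target)                           # Addr1: receiver
    header += mac_to_bytes(spoofed_bssid)                    # Addr2: transmitter (spoofed)
    header += mac_to_bytes(spoofed_bssid)                    # Addr3: BSSID
    header += struct.pack("<H", (seq & 0x0FFF) << 4)         # sequence control: fragment 0
    return header + struct.pack("<H", reason)                # body: reason code


def parse_deauth(frame: bytes):
    """Return (receiver, transmitter, bssid, seq, reason) for a deauth frame, else None."""
    if len(frame) < MGMT_HEADER_LEN + 2:
        return None
    if frame[0] & 0xFC != DEAUTH_FC0:     # compare type/subtype, ignore version bits
        return None
    receiver = bytes_to_mac(frame[4:10])
    transmitter = bytes_to_mac(frame[10:16])
    bssid = bytes_to_mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    reason = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)[0]
    return receiver, transmitter, bssid, seq, reason


def detect_containment(frames, our_bssids, threshold=5):
    """Count deauths whose transmitter claims to be one of our BSSIDs.
    A managed AP does send the occasional deauth itself, so a single frame
    proves nothing; a burst at or above `threshold` is what containment
    (or a deauth flood) looks like. Returns {bssid: count} for flagged BSSIDs."""
    counts = defaultdict(int)
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        transmitter = parsed[1]
        if transmitter in our_bssids:
            counts[transmitter] += 1
    return {b: n for b, n in counts.items() if n >= threshold}


# Constructed capture: 6 frames "from" our AP aimed at broadcast (containment-like),
# 1 routine deauth from a neighbour's AP, 1 non-deauth management frame (beacon, FC 0x80).
OUR_BSSIDS = {"00:11:22:33:44:55"}
SAMPLE_CAPTURE = [build_deauth("00:11:22:33:44:55", BROADCAST, seq=s) for s in range(6)]
SAMPLE_CAPTURE.append(build_deauth("66:77:88:99:aa:bb", "de:ad:be:ef:00:01", reason=3))
SAMPLE_CAPTURE.append(bytes([0x80, 0x00]) + bytes(22) + b"\x00" * 12)

if __name__ == "__main__":
    print(detect_containment(SAMPLE_CAPTURE, OUR_BSSIDS))   # {'00:11:22:33:44:55': 6}
```

A real WIDS would add more signal than a plain count (sequence-number gaps between the spoofed frames and the genuine AP's own counter, per-frame RSSI, and the rate of frames per second), but the burst of de-authentications carrying a BSSID the station never transmitted from is the core of what both containment and a de-auth flood look like on the air.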
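The selection rules above (1 to 4 containing APs per Rogue, 3 Rogues per radio in Local Mode, 6 per radio in Monitor Mode, strongest RSSI wins regardless of mode) are easy to get wrong when reasoning about which AP will actually do the containing once some radios are already busy. The following is an added, simplified model of those rules, written for this post and not the WLC's own code; the AP names, modes and RSSI values are constructed.

```python
"""Simplified model of how a controller picks the AP(s) that contain a rogue,
following the rules stated above: up to 4 containing APs per rogue (1 by default),
3 rogues per radio in Local mode, 6 per radio in Monitor mode, strongest RSSI wins
regardless of mode. Added example; not the WLC's actual implementation. AP names,
modes and RSSI values are constructed."""
from dataclasses import dataclass, field

CAPACITY_PER_RADIO = {"local": 3, "monitor": 6}


@dataclass
class Radio:
    ap: str
    band: str                       # "2.4GHz" or "5GHz"
    mode: str                       # "local" or "monitor"
    contained: set = field(default_factory=set)   # rogue BSSIDs this radio is containing

    def has_capacity(self) -> bool:
        return len(self.contained) < CAPACITY_PER_RADIO[self.mode]


@dataclass
class Detection:
    rogue: str
    ap: str
    band: str
    rssi: int                       # dBm, closer to 0 is stronger


def assign_containment(rogue: str, detections, radios, num_aps: int = 1):
    """Pick up to num_aps radios for `rogue`, strongest RSSI first, skipping radios
    that are already at capacity. Mutates the chosen radios and returns the AP
    names chosen, in order. An empty list means nobody can contain it right now."""
    if not 1 <= num_aps <= 4:
        raise ValueError("a rogue can be contained by 1 to 4 APs")
    by_key = {(r.ap, r.band): r for r in radios}
    candidates = sorted((d for d in detections if d.rogue == rogue),
                        key=lambda d: d.rssi, reverse=True)
    chosen = []
    for det in candidates:
        radio = by_key.get((det.ap, det.band))
        if radio is None or not radio.has_capacity():
            continue
        radio.contained.add(rogue)
        chosen.append(det.ap)
        if len(chosen) == num_aps:
            break
    return chosen


def build_scenario():
    """Constructed case: AP1 (local) hears the rogue best, but its 5GHz radio is
    already containing 3 rogues, so the next-strongest AP with free capacity wins."""
    radios = [
        Radio("AP1", "5GHz", "local", {"r1", "r2", "r3"}),
        Radio("AP2", "5GHz", "local"),
        Radio("AP3", "5GHz", "monitor"),
    ]
    detections = [
        Detection("rogue-x", "AP1", "5GHz", -45),
        Detection("rogue-x", "AP2", "5GHz", -58),
        Detection("rogue-x", "AP3", "5GHz", -63),
    ]
    return radios, detections


if __name__ == "__main__":
    radios, detections = build_scenario()
    print(assign_containment("rogue-x", detections, radios))             # ['AP2']
    radios, detections = build_scenario()
    print(assign_containment("rogue-x", detections, radios, num_aps=2))  # ['AP2', 'AP3']
```

The point the model makes is that "highest RSSI contains" only holds among radios that still have a free containment slot: an AP in Local Mode that is already busy with three Rogues drops out of the race even if it hears the new Rogue best, which is one reason a dedicated Monitor Mode AP, with twice the capacity, is worth having in a dense environment.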
Containment is normally configured manually, on a per-Rogue basis, but there is also a feature known as Auto-Containment that launches Containment automatically in four scenarios:
a) Rogue on Wire – If a rogue device is identified as attached to the wired network
b) Using our SSID – If a rogue device is advertising an SSID that is also configured on the Controller. This aims to stop a honey-pot attack before it causes damage
c) Valid client on Rogue AP – If a client known to the AAA server (ACS or ISE) is found associated with a rogue device. This prevents a valid corporate client from associating with any non-managed AP
d) AdHoc Rogue AP – If an ad-hoc network is discovered
Finally, note that Auto-Containment is disabled by default and should only be enabled to nullify the most damaging threats. It could have legal consequences if you start containing another party's devices that operate in unlicensed bands open to public use, such as ISM (and it is always possible that the other side will start containing our APs in return, treating them as Malicious Rogues).
–
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com