Wednesday 19 October 2011

Rogue AP Classification

When I configure a Cisco WLAN controller, one of the configuration steps I normally take is to configure a Rogue Classification Rule that marks as malicious any rogue AP detected with a signal of -70 dBm or greater (I used to configure the rule for -69 but got sick of the giggles when explaining the implementation). This figure can obviously be tweaked - somewhere between -65 dBm and -75 dBm would be appropriate for most environments. So what is the significance of -70 dBm? It is the signal strength that I feel is a good middle ground: it catches the rogue APs that are probably on the premises whilst eliminating most of the false positives from surrounding homes and businesses. Sure, a small number of false positives will still occur depending on how close the surrounding businesses and homes are, but without this rule, working out which rogue APs are actually within the business is like finding a needle in a haystack. Likewise, in most modern WLANs designed for capacity, the vast majority of rogue APs that are in fact on the business's premises should be detected with a signal of -70 dBm or greater due to the high density of APs.

The configuration required for the -70 dBm rule

Without this rule...
If you do not have Cisco WCS running, you would have to click on every single rogue in the WLAN controller GUI to find the strongest signal strength heard by one of your APs. Unless you have only a handful of rogues, this is unlikely to happen as it is far too time consuming - looking at my current work WLAN controller shows close to 400 rogue APs. Things are a little better if you have WCS, as you can see a large number of rogues and their associated signal strengths on a single screen. Nonetheless, having to constantly check this list of rogues should not be required.

With this rule...
Creation of this rogue rule eases this pain. Once the rule is configured, on the WLAN controller GUI you can navigate to MONITOR --> Rogues --> Malicious APs and all rogues detected at -70 dBm or greater will be listed. Some of the rogues I see listed have a signal strength lower than -70 dBm, even at the detecting AP that hears them most strongly. I am unsure if this is a bug (running 7.0.116 code) or whether the rogue was previously detected with a stronger signal but has not yet been removed from the malicious list. Regardless, the list of rogues is far more manageable.

In WCS, things are even easier. Modify your General tab so that one of the components you see is 'Recent Malicious Rogue AP Alarms' or 'Malicious Rogue APs'. Now every time you log into WCS you will see whether you have any potential rogues worth investigating.

Configuring this rule on a recent WLAN deployment caused 5 of the 86 APs to be marked as malicious. One of these was in fact on the premises; the other four were false positives. In this case, the figure of -70 dBm could be tweaked to around -65 dBm to reduce the number of false positives, and due to the high density of APs installed (the WLAN was surveyed for 5 GHz VoWiFi) I would still be confident of detecting any 'on-premises' rogues. Unfortunately 'malicious' is not an accurate term, but the label cannot be changed on the WLAN controller.

Are these APs really malicious?
Usually not, as I explain below. I classify rogues into one of three categories:
  1. Real malicious rogue APs
  2. Employee supplied or otherwise 'on-the-premises' APs
  3. False positives from nearby businesses or homes
Real malicious rogue APs
The term 'rogue AP' and certainly 'malicious' exist for this category of AP, but ironically it would be under rare circumstances that you would actually catch a hacker with the default rules. To have some chance of doing so you would need to have configured this -70 dBm rule, to actively (on a daily basis) monitor your WLAN controller, WCS or other WNMS, to track down each malicious rogue so as to eliminate category two and three rogues, and finally the hacker would need to have placed the rogue on your premises in an easy-to-find location or still be on the premises themselves. Hello hacker from several kilometres away and hello 24 dB parabolic antenna! How many WLAN security breaches have actually taken place via these circumstances? I realise an evil-twin attack could occur, but you would have to be very conscientious to capture one by this method.

Your best bet here is to rely on your (hopefully) well-designed and therefore well-secured WLAN alongside your wIDS or wIPS for signs of spoofed deauthentication or disassociation frames. Cisco's Management Frame Protection (MFP) would be helpful here but unfortunately requires CCXv5 clients. Your only hope of enabling it would therefore be on a voice WLAN where all the clients were Cisco 7925G phones, which are CCXv5 compliant. I find most non-Cisco clients these days are CCXv4, and CCXv5 clients are uncommon. The standardised version of MFP is 802.11w, and I did see a reference that there may be a Wi-Fi Alliance certification for clients in the works, which would be great if I interpreted it correctly.

Employee supplied or otherwise 'on-the-premises' APs
This is the category that we are trying to identify with this -70 dBm rule. This is also the category that is mentioned in every article or book that discusses rogues. I have found that these APs typically fall into one of three sub-categories:

Employee-supplied APs
Occasionally I have found that employees bring in a SOHO Wi-Fi router or AP so that they may access Wi-Fi at work. Jennifer points out that this is increasingly unlikely, and I agree to some degree. Western Australia is not the US, however. We actually still have an economy and many very highly paid workers for whom the cost of an AP purchased for work would be considered chump change. In addition, in many regional areas 3G coverage is poor or non-existent unless your carrier is Telstra, where you have traditionally paid through the nose for data. Consequently, I feel you are more likely to see user-supplied rogues here. I have certainly seen them, but in my experience it is not the most common type within this category.

Business-supplied APs
I find these to be much more common than employee-supplied APs. Often in a large multi-site enterprise, the local site will use its own funds to purchase a SOHO Wi-Fi solution where a business-supplied WLAN does not exist, regardless of the business's policies on the matter. In addition, many businesses do not have WLAN policies in place, particularly if they are yet to deploy their own WLAN. These rogues are typically detected upon roll-out of the new WLAN and should be eliminated at that time.

Business within the business
Ahh! The ol' business within the business trick! Many of the rogues I see are from a small business that operates from the main business's premises: a school book-shop within the school or a GP / dentist within the hospital. These businesses usually operate with some autonomy, often have their own ADSL connection and consequently have a SOHO ADSL Wi-Fi router. This can present a security issue, as often this associated business shares the main business's wired LAN and, of course, the SOHO Wi-Fi router is rarely going to be sufficiently secure. It can also present performance issues - 802.11b enabled, adjacent channels configured, 40 MHz 2.4 GHz channels configured, etc. Many times the Wi-Fi isn't even used, so getting it disabled is not much of an issue.

False positives from nearby businesses or homes
This is the category that we are trying to eliminate with the -70 dBm rule, and these make up the vast majority of detected rogues thanks to the pervasiveness of Wi-Fi. Whilst these can generally be ignored, I do find them interesting to look at to get a gauge of 'APs in the area'. What percentage are 2.4 GHz vs. 5 GHz, what are the most common vendors, how much WEP is still in use - you know, all of those things that seemed cool when Netstumbler and war-driving were all the rage back in the early 2000s! I should mention, Western Australia via the WAFreeNet was the first community wireless network to perform WarFlying back in the day... or at least the first to get slashdotted for it!

Whilst it is commonly said that you have no control over these types of rogues, I tend to disagree. If a rogue is being a bad neighbour by exhibiting any of the following behaviour, it may be worthwhile getting in contact with the business's IT person and explaining that these issues are negatively affecting both his or her business and your own. It is in their interest to fix the issue. Of course if they don't comply, you could always try gentle persuasion via the AirHORN 2.4 GHz jammer + high-gain antenna - just make sure it has very small side and back-lobes!... I'm kidding of course ;)

The following are reasons to hit up your 'bad neighbour' with some advice:
  • 802.11b enabled where client support is not required (you would have to take a stab here and assume they have no 802.11b-only clients)
  • Adjacent channels in use at 2.4 GHz (At 2.4 GHz, in most circumstances only channels 1, 6 and 11 should be used)
  • Overly high transmit power from APs (this may be difficult to determine however)
  • 2.4 GHz 40 MHz channel usage
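As an added example (not from the post and not Cisco's code), the script below applies the -70 dBm rule from the top of the post to a rogue list, ranking rogues by the strongest RSSI any of our APs heard, and then flags the 'bad neighbour' behaviours listed above. The rogue records, the AP names and the BSSIDs are constructed sample data; a real run would load the rogue list exported from the controller or WCS, and transmit power is skipped because, as noted above, it is hard to judge.

```python
# Added example: apply the post's -70 dBm rule and bad-neighbour checks to a
# rogue list. All records below are constructed sample data, not real rogues.
from dataclasses import dataclass, field

RSSI_THRESHOLD_DBM = -70           # post's default; tune between -65 and -75
CLEAN_24GHZ_CHANNELS = {1, 6, 11}  # the non-overlapping 2.4 GHz channels

@dataclass
class Rogue:
    bssid: str
    channel: int            # 1-14 is 2.4 GHz, 36 and above is 5 GHz
    width_mhz: int          # 20 or 40
    b_rates: bool           # 802.11b (DSSS) rates advertised
    heard: dict = field(default_factory=dict)  # detecting AP -> RSSI in dBm

    def strongest_rssi(self):
        # The controller rule fires on the best RSSI any of our APs reported.
        return max(self.heard.values())

    def is_24ghz(self):
        return self.channel <= 14

def classify(rogue, threshold=RSSI_THRESHOLD_DBM):
    # "malicious" under this rule really means "probably on the premises"
    return "malicious" if rogue.strongest_rssi() >= threshold else "unclassified"

def bad_neighbour_reasons(rogue):
    # Transmit power is left out: the post notes it is hard to determine.
    reasons = []
    if rogue.b_rates:
        reasons.append("802.11b rates enabled")
    if rogue.is_24ghz() and rogue.channel not in CLEAN_24GHZ_CHANNELS:
        reasons.append(f"2.4 GHz channel {rogue.channel} overlaps 1/6/11")
    if rogue.is_24ghz() and rogue.width_mhz == 40:
        reasons.append("40 MHz channel at 2.4 GHz")
    return reasons

def triage(rogues, threshold=RSSI_THRESHOLD_DBM):
    # Strongest-heard rogues first, so likely on-premises ones top the list.
    rows = [{"bssid": r.bssid, "rssi": r.strongest_rssi(),
             "class": classify(r, threshold), "reasons": bad_neighbour_reasons(r)}
            for r in rogues]
    return sorted(rows, key=lambda row: row["rssi"], reverse=True)

SAMPLE_ROGUES = [  # constructed; BSSIDs and AP names are placeholders
    Rogue("02:00:00:00:00:01", 6, 20, False, {"ap-01": -62, "ap-02": -71}),
    Rogue("02:00:00:00:00:02", 3, 40, True, {"ap-07": -68}),
    Rogue("02:00:00:00:00:03", 36, 40, False, {"ap-03": -84, "ap-04": -79}),
    Rogue("02:00:00:00:00:04", 11, 20, True, {"ap-05": -76}),
]
```

Calling `triage(SAMPLE_ROGUES, -65)` instead reproduces the tightening suggested earlier in the post: the rogue heard at -68 dBm drops out of the malicious list while the one heard at -62 dBm stays.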

EOF... almost
Whilst rogue detection rules may not be particularly useful at actually finding real malicious APs, creating this rogue rule can still help you improve the security and performance of your WLAN by identifying employee-supplied, business-supplied, business-within-the-business and bad-neighbour rogues.
