
Document information

Title: The life and death of a rogue AP: using Cisco's WCS to manage potential rogue APs
Author: Bill Daniel
Type: White paper
Year published: 2007
Pages: 10
Size: 722.86 KB


The Life and Death of a Rogue AP: Using Cisco’s WCS to Manage Potential Rogue APs

Expert Reference Series of White Papers

Author: Bill Daniel, Wireless Training Specialist, CCSI, CCNA, MCSE+I (Windows NT), MCSE (Windows 2000)


All content is the property of GigaWave Technologies, a division of TESSCO Technologies ©2007 All rights reserved Page 1

Introduction:

Today, wireless networking is a reality from which IT managers cannot escape. Regardless of the size of an organization, where it is located, or what vertical market it serves, network users want it. No longer is wireless networking a fringe technology – it’s mainstream, and it continues to expand at stellar growth rates within the enterprise marketplace.

As with most progressive organizations and corporations, network users understand the value of wireless networking. Maybe they’ve surfed the Internet wearing PJs on their bed, downloaded files on their back porch, or played games with wireless remotes. Obviously, a large percentage enjoy sitting in a local coffee shop sipping java and responding to email. Regardless, most have heard wireless networking’s siren song offering them the freedom and flexibility they crave. Why? Wireless can make them more productive. It might even make them more comfortable. Whatever the reason, they want it, and as Meatloaf sang in a recent song, “If it’s something I want, then it’s something I need!”

Basic end-user wireless can be very inexpensive and easy to set up. In fact, chances are that if users have not been given access to an authorized wireless solution, they have already set up an unauthorized network of their own. If they haven’t done that, it’s only a matter of time. This grassroots effort to set up personal wireless networks would be a great cost saver for the enterprise if it weren’t for two little things called support and security. The most significant of these, for any and all network administrators, is the wide-open lack of security that most users will inadvertently create when they install their own rogue wireless network.

Basic rogue management methodology includes these steps:

• Identify potential rogues

• Locate the potential rogue

• Determine the status of the potential rogue and your course of action

This paper discusses how you can use Cisco’s Wireless Control System (WCS) software to manage potential rogue APs and eliminate the threat they pose to the unified network.

It’s Good Policy to Have a Written Policy

First and foremost, have a written policy regarding the deployment/use of rogue access points (APs) on the corporate network. Draft a policy that defines what a rogue AP is (an AP not managed or authorized by the company’s IT department) and why it is detrimental to have on the network (it poses a threat to network security). Discuss with company management what punishments the company is willing to impose on any violators, even members of its own ranks. As Sun Tzu pointed out, a policy that goes unenforced once becomes an unenforceable policy.

If at all possible, it’s recommended that you give supported users a short class on the dangers of rogue APs to help them understand why rogues are so dangerous. Explaining why such a hard stance is being taken on personal wireless networks will make the execution of the policy easier for the IT department. Of course, that’s a perfect-world scenario. Even the best-laid plans and efforts to openly communicate network policy will not stop individuals who, for one reason or another, feel they are above the law. At the very least, have all of your users sign a statement acknowledging that they understand the reasons why rogue APs cannot be tolerated on the corporate network and that disciplinary measures will be taken if rogue APs are discovered.


Once users know that deploying rogues is bad, both for the company and for them personally, wireless network administrators can turn their attention to how WCS helps find and eliminate evil rogues.

Discovering Potential Rogues via the Network Summary Page

When WCS is opened, the first screen that appears is the Network Summary page. This page shows a list of the most recent rogue APs found on your network, including the MAC address, SSID, type, and state of the potential rogue, as well as the date and time the potential rogue was discovered. It’s worthwhile to point out that this list provides only the “Most Recent Rogue APs” and not a list of all rogue APs. Potential rogues that have been within hearing range of the network for any length of time may not be listed here, as there might be a lot of them. Remember that the Network Summary page is just that – a summary page. For all the details you need to dig a little deeper. Figure 1 shows a sample Network Summary page.

Figure 1


Discovering Potential Rogues via the Alarm Dashboard

The gritty truth is, network administrators must know exactly how many potential rogues WCS has heard from and identified. No matter how bad it is, keep in mind that the Alarm Dashboard is just the tool. When looking at this screen, IT staffers must brace themselves and look down at the lower left corner of the screen. The Alarm Dashboard is always there, following network administrators around as faithfully as man’s best friend. For those unfamiliar with the name of this handy tool, just look for the small grid-like square in the lower left corner on any page in WCS. The dashboard is a summary of all the errors that WCS knows how to identify, broken down by category and severity. The dashboard has rows for rogues, coverage, security, controllers, access points, and location. The error count is listed with minor errors in yellow squares, major errors in orange squares, and critical errors in red squares. Potential rogues are typically listed as a minor error in the Rogues category. Click on the yellow number in that row and WCS will take you to a dynamically created web page showing the 20 most recent rogues. Of course, if there are more than 20 recent rogues, which is probable, WCS will display links for other pages too. Figure 2 shows a sample Alarm Dashboard.

Figure 2


Discovering Potential Rogues via the Network Security Summary

Click on Monitor > Security and view the Security Summary web page. The upper left corner has a list entitled Rogue AP Details, which will include entries for Alert, Contained, Contained Pending, and (toward the bottom of the list) Adhoc. The Security Summary page also displays entries broken down into categories by time (Last Hour, 24 Hours, and Total Active). Click on any of the numbers in these lists and WCS takes you to a separate web page that lists the potential rogues belonging to that respective category. Figure 3 shows a sample Network Security Summary.

Figure 3

Is a Rogue AP always a Rogue AP?

Ultimately, IT administrators who take security seriously will find themselves staring at a web page that displays a list of all the potential rogues on the network. It’s important to understand the difference between rogues and potential rogues. Wireless networking experts and instructors use the term “potential rogues” because an AP in the Security Summary list might not actually be a rogue AP. For instance, it could be an AP belonging to a neighbor (assuming any mortal dared to set up an adjacent rival wireless network – this happens all the time). It could also be an AP set up by internal IT staff that is not managed by the controller-based network (i.e., an autonomous 1130 set up for guest Internet access in the lobby). Long story short, network administrators must determine if the potential rogue really is a rogue after all.

Is the Potential Rogue On My Physical Network?

One of the best ways to determine if a potential rogue is a rogue is to see where it lives. To do this, open up the properties of any potential rogue; four lines down from the top appears an entry that reads “On Network” followed by a yes or a no. If the answer is “no”, then the potential rogue is not physically plugged into the routed/switched network. If the answer is “yes”, then the potential rogue is plugged in and talking to other hosts on the wired network.

This brings up the question of how the potential rogue was discovered in the first place. In accordance with the 802.11 standard, all APs must send out beacon announcements every 100 milliseconds (or so). These beacon announcements advertise the AP’s radio MAC address, the SSIDs being used, supported data rates, and the authentication and encryption methods used at that AP. In other words, the AP announces all the data a potential client would need to know in order to determine whether or not it should try connecting to the AP. Access points running in Local Mode or Monitor Mode can listen for these beacons, which they will then forward to their supporting controller. They will also forward information on which client devices have associated to the potential rogue APs, giving us a very complete picture of rogue activity on our network. If the controller has been added to our install of WCS, then WCS uses SNMP to discover what the controller knows about potential rogues.

Each subnet should have an AP set up in Rogue Detector mode. The Rogue Detector uses a protocol called Rogue Location Discovery Protocol (RLDP) to determine if the potential rogue is on the wired network. At the direction of the controller, the Rogue Detector will act as if it were a client: it will attempt to authenticate and associate to the potential rogue, request a DHCP-assigned address, and, once all of that is done, try to send an ARP message back to the controller. If this ARP request reaches the controller, then we know the potential rogue is physically on the network. Now it’s time to see where the potential rogue really is.

Skull-and-Crossbones – Finding Where Potential Rogues Are Hiding

From the command menu (upper right corner of the potential rogue’s properties), select the command Map (High Resolution) and then click GO. A web page will appear displaying a copy of the map for the floor on which the potential rogue is located. The map depicts the floor plan, the location of APs (indicated by icons labeled with the APs’ names), and a skull-and-crossbones icon that shows the most likely location of the rogue. Normally, an icon depicting a heat-map-type cloud around the potential rogue, changing from black to dark grey, then red, orange, yellow, and eventually white, appears immediately around the potential rogue. The colors get darker where the potential rogue has a greater likelihood of being found. Wireless network administrators who are unaware of these facts need not lose too much sleep. However, taking a class on wireless network management or security would be a good way to atone for this boo-boo. Nevertheless, based on the beacons received by other APs on the network, wireless administrators should now be able to discover if the AP is inside the building (whether it’s on the wired network or not). Figure 4 shows what a rogue AP looks like on a WCS map.


Figure 4

Rogue AP Located and Identified: Now What?

If the unauthorized AP is physically attached to your wired network, then it’s no longer a potential rogue – it’s a confirmed bad guy. If it’s not attached to the wired network but is clearly inside the building, then it’s definitely a rogue AP. CAVEAT: be absolutely sure if there’s any chance you have neighbors who have legitimate wireless networks. Now, it’s time to “contain” the rogue AP. This is a fancy way of saying: pick between one and four local mode APs on the network and tell them to spoof the MAC address and SSID of the rogue, then send out a de-authentication flood to all the rogue AP’s clients. How effective is this? Extremely! In fact, the experience of being a victim of forced de-authentication is nothing akin to the feeling of hopelessness felt as the supplicant shows very strong signal strength, associates with the rogue, tries to authenticate, fails, and rolls back to associating again – it’s maddening. It’s kind of like driving on black ice; once the truck starts traveling sideways, you’re just along for the ride.


After initiating containment, go out and physically locate that nasty, evil rogue. Pick it up, unplug it, and carry it back to the company’s stash of confiscated items. Then do with it whatever the legal folks recommend.

BE CAREFUL! While this technical white paper gives wireless administrators the ultimate weapon for destroying rogues, a little cold water must be tossed. Again, a caveat for those poised and ready to go on a rogue-hunting trip: DO NOT go around indiscriminately containing potential rogues – it’s a temptation, but IT staffers must be stronger than that.

There was a time when containment of rogues was automatic, and it was a big selling point for this product line. Nevertheless, the product was made manually more “intelligent” to ensure that no neighboring wireless network was contained automatically. Indiscriminate containment is a dangerous thing and can lead to potential lawsuits. For instance, what if the neighbor is a hospital and wireless communications are truly critical, in the literal sense of the word? Hence, Cisco now requires human intervention prior to any and all AP containment. Be sure the potential rogue really is a rogue before initiating containment procedures. If there are doubts, leave the potential rogue’s status at “alert” and use some other tool (AirMagnet is a favorite tool of choice) to hunt down the rogue. While the potential danger of the rogue remains a bit longer, it is a prudent step toward avoiding any potential legal issues.

Finally, if you find the potential rogue does belong to a legitimate neighboring network, use the properties of that AP (as discovered by WCS) to mark the AP as “Known – External”. Then move on to the next potential rogue.

Summary/Conclusion:

So there it is, the life and death of the rogue AP as seen from the perspective of Cisco’s WCS. Remember the steps in this process:

• Have a written policy stating why rogues are dangerous and that deploying rogues will be punished. Have employees sign their understanding of the policy.

• Deploy local and monitor mode APs. These APs will quickly detect beacons sent out by potential rogue APs, as well as the identity of clients that associate to them.

• Deploy rogue detector APs and enable RLDP. This will allow wireless administrators to determine whether or not a potential rogue is physically attached to the wired network.

• Install and configure WCS. This gives the ability to:

  • Aggregate all rogue AP reporting

  • Locate potential rogues on a map

  • Initiate containment procedures

• Investigate all potential rogues. Contain only confirmed rogues; mark all others as “Known – Internal” or “Known – External”, as appropriate. Remember, there can be severe legal liabilities for containing rogues indiscriminately.
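The decision rules in “Rogue AP Located and Identified” and in the last bullet above reduce to a small state machine over the facts WCS gives you: the “On Network” answer from RLDP, the map placement, and what the physical investigation turned up. The added example below (written for this page, not code from the paper or from WCS) encodes those rules with the human-intervention gate the text insists on: nothing moves to Contained unless an operator has explicitly approved that BSSID, and a rogue that has not been located stays at Alert no matter what. The state names follow the paper’s wording; the `PotentialRogue` fields, the `owner` values, and the sample rogue list are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RogueState(Enum):
    """Rogue states as the paper names them in WCS; Alert is the default."""
    ALERT = "Alert"
    KNOWN_INTERNAL = "Known - Internal"
    KNOWN_EXTERNAL = "Known - External"
    CONTAINED = "Contained"


@dataclass
class PotentialRogue:
    bssid: str
    ssid: str
    on_network: bool                    # the "On Network" property, set by RLDP
    inside_building: Optional[bool]     # from the map; None if not located yet
    owner: Optional[str] = None         # result of the physical check (assumed
                                        # values): "neighbor", "internal" or None


def triage(rogue, operator_confirmed=False):
    """Decide the next WCS state for one potential rogue.

    Returns (state, reason). Contained is only ever returned when
    operator_confirmed is True: this models the human-in-the-loop gate the
    paper describes, never an automatic containment decision."""
    if rogue.owner == "neighbor":
        return RogueState.KNOWN_EXTERNAL, "legitimate neighbouring network"
    if rogue.owner == "internal":
        return RogueState.KNOWN_INTERNAL, "IT-owned AP outside controller management"
    if rogue.on_network:
        verdict = "confirmed rogue: physically on the wired network"
    elif rogue.inside_building:
        verdict = "rogue inside the building but off the wire; rule out neighbours first"
    else:
        return RogueState.ALERT, ("location unknown or outside the building: "
                                  "leave at Alert and locate with another tool")
    if operator_confirmed:
        return RogueState.CONTAINED, verdict + " (containment approved by operator)"
    return RogueState.ALERT, verdict + " (awaiting operator confirmation)"


def triage_all(rogues, approved_bssids=()):
    """Run the decision over a rogue list; only BSSIDs an operator has
    explicitly approved can move to Contained."""
    approved = {b.lower() for b in approved_bssids}
    return {r.bssid: triage(r, r.bssid.lower() in approved)[0] for r in rogues}


# Constructed examples covering the cases the paper walks through.
ROGUES = [
    PotentialRogue("aa:bb:cc:00:00:01", "linksys", on_network=True, inside_building=True),
    PotentialRogue("aa:bb:cc:00:00:02", "Lobby-Guest", on_network=False,
                   inside_building=True, owner="internal"),      # autonomous guest AP
    PotentialRogue("aa:bb:cc:00:00:03", "NextDoorCo", on_network=False,
                   inside_building=False, owner="neighbor"),     # the neighbour's WLAN
    PotentialRogue("aa:bb:cc:00:00:04", "FreeWifi", on_network=False, inside_building=None),
]

if __name__ == "__main__":
    for bssid, state in triage_all(ROGUES).items():
        print(bssid, "->", state.value)
    print("after approval:", triage_all(ROGUES, ["aa:bb:cc:00:00:01"])["aa:bb:cc:00:00:01"].value)
```

Run without an approval list, every entry ends up at Alert, Known – Internal, or Known – External; only passing the confirmed rogue’s BSSID in `approved_bssids` produces a Contained state, which is the property worth keeping in any automation built around the rogue list.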

And now, in the words of Fred Bear, I wish you happy hunting.


About the Author

Bill Daniel is a former intelligence professional in the U.S. Army who spent thirteen years working with and managing the security of classified documents, and as he puts it, “InfoSec (information security) is in my blood.”

He is a former Microsoft Certified Trainer who spent five years teaching management, architecture, and security of Windows-based networks before moving over to doing Cisco wireless training for GigaWave Technologies, the premier originator of Cisco’s wireless training. When he’s not busy teaching or writing he can often be found researching or playing with what he refers to as his “security tool chest” because, as he says, “You have to know how to break it if you want to know how to fix it.”

Suggested Cisco Unified Wireless Courses and Technical Training

Cisco Wireless LAN Security (CWLS)

Cisco Wireless LAN Security Class is an advanced interactive seminar on how to secure a Cisco Wireless LAN. This is the most comprehensive seminar on Cisco Aironet wireless security advantages in the industry! Topics include: WLAN security standards, how to mitigate WLAN attacks, WLAN EAP types, and security configuration on both autonomous and lightweight access point architectures. Hands-on labs feature how to configure network and client equipment to provide maximum security, including how to “harden the access point” and build VLANs with different forms of authentication and encryption. Attendees will receive an introduction to Cisco ACS RADIUS attributes and actually configure Cisco ADU for PEAP, EAP-FAST, and TLS.

About GigaWave Technologies

GigaWave Technologies offers innovative wireless networking workshops for IT professionals who want to know how to design, install, secure, or sell high-performance Wireless Local Area Network (WLAN) and bridging technologies. As a leading provider of WLAN training, curriculum development, and wireless services, GigaWave provides its trademark high-caliber, hands-on training techniques to progressive organizations across the globe. GigaWave specializes in wireless networking and has attained an unrivaled level of WLAN expertise.

As an authorized Cisco Learning Partner, GigaWave Technologies develops and delivers the Cisco wireless networking classes. For the most current training schedule and to view full course descriptions, go to www.giga-wave.com, or call 210-375-0085. GigaWave is a division of TESSCO Technologies.

10521 Gulfdale

San Antonio, Texas 78216

210-375-0085 Phone

Posted: 10/12/2013, 14:15
