Wireless Threat Detection and Countermeasures:  Monitor and Protect Your Wireless Access Points.

Takeaway:  Automated countermeasures discover, attack, and disable rouge Wi-Fi devices! This article explores Wireless Access Controllers, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).   These instructions explain how to enable countermeasures for Juniper Wireless Controllers (WLCs).  Cisco, Aruba, and other controllers offer similar mitigation.  

Problem:  Corporate networks are vulnerable to rouge wireless technology.  Wireless access points (WAPs), wireless routers, and wireless bridges can extend the corporate network and provide an insecure entry point.  Untrusted wireless technology risks data integrity and confidentiality.

Internal and External Rouge Wireless Threats.

Threats:  Internal threats include unapproved wireless devices that extends or bridges the corporate network.  For example, an employee may install a residential WiFi router to provide network access to their smartphone.  Their intent may not be malicious but it nonetheless exposes the network to compromise.

Hackers or wireless devices in proximity to corporate access points are external threats.  External threats can intercept and harm company data.  Additional threats can entirely disrupt wireless communication (Table 1).  

Enable Countermeasures:  The WLC includes countermeasures that attack rouge devices.  These countermeasures consist of packets that disrupt client communications to rouge devices.   Rouge devices are rendered useless once the WLA initiates an attack.  WLC countermeasures are disabled by default.  Enable countermeasures on all rouge devices:

LocalWLC#set radio-profile default countermeasures rogue
Alternately, enable countermeasures on all rouge and interfering devices:

LocalWLC#set radio-profile default countermeasures all

Enable ad-hoc countermeasures if desired:

LocalWLC#set rfdetect classification ad-hoc rogue 

Configure SSID list to whitelist existing SSIDs:

LocalWLC#set rfdetect ssid-list BIZ_SSID
Enable log messages to display on console:

LocalWLC#set rfdetect log enable
N.B., Interfering devices may include neighboring APs using the same radio channels.  The WLC includes RF Auto-Tuning that changes WLA channels as needed.  Consider rouge-only countermeasures when located near other businesses. 


Rouge Classifications:  The WLC identifies all nearby 802.11 wireless devices.  It uses a classification system to detect rouge devices: 

LocalWLC# sh rfdetect classification
User
Rule      Rules for RF Classification             Classification
----     ---------------------------              --------------
N      1. If AP in Rogue list ....................... ROGUE
N      2. If AP is part of Mobility Domain .......... MEMBER
N      3. If AP in Neighbor list .................... NEIGHBOR -------------------------------------------------------------------
Y      4. If AP is Masquerading our SSID ............ ROGUE
Y      5. Client or Client DST MAC seen in network .. ROGUE
Y      6. If AP is acting as an Ad-hoc device ....... SKIP-TEST -------------------------------------------------------------------
N      7. If SSID is in SSID list ................... NEIGHBOR -------------------------------------------------------------------
Y      8. Default Classification .................... SUSPECT
Rouge List:  The WLC attacks all devices in the Rouge list.  The WLA does not transmit client traffic while it attacks rouge devices.  WLAs can be provisioned in Sentry mode for dedicated scanning and attacking purposes.

Suspect List:  Devices in the Suspect list are considered potential Rouges.  The WLC does not attack suspect devices unless they become a threat.  In most circumstances, suspect devices are neighbor APs which have not been manually added to the Neighbor list.

Neighbor List:  The Neighbor list acts as a whitelist.  The WLC does not attack its neighbors.  Be a good Samaritan and add your neighbors' APs to the Neighbor list.  The Juniper WLC GUI makes identifying and adding neighbors a cinch.

 

Juniper WLC GUI:  RF Neighbors

 Countermeasures in Action:  What happens if an employee connects a wireless AP to the corporate network?  For this example, assume the switch access ports are not configured for 802.1X authentication or BPDU Guard.

1.  Employee discretely connects a Linksys wireless router to the network. 

Employee adds unapproved wireless access point to company network.

2.  The Linksys router connects to the company network and advertises its SSID:

3.  The Linksys SSID remains in the Suspect list as long as clients are not connected it.
4.  The employee connects their laptop to the Linksys SSID.  The WLC immediately identifies the Linksys AP as a rouge device:

ROGUE Sep 24 11:11:26.009242 NOTICE ROGUE_AP_ALERT: Client Mac 88:XX:XX:XX:XX:XX(Rogue AP Mac 00:XX:XX:XX:XX:XX) is seen on the wired network by Switch 172.16.1.2 on port X vlan X tag 0. Detected by listener a8:XX:XX:XX:XX:XX(AP 1, radio 1), channel 6 with RSSI -55 SSID "linksys".
5.  The WLC begins its countermeasure attack:

ROGUE Sep 24 11:12:35.065652 NOTICE ROGUE_AP_ALERT: COUNTERMEASURES STARTED for Xmtr Mac 00:XX:XX:XX:XX:XX Performer Mac a8:XX:XX:XX:XX:XX SW-I Paddr 172.16.1.2 AP 1 Radio 1 Channel 6
6.  Confirm countermeasures:

WLC# sh rfdetect countermeasures Total number of entries:1
          Type(Adhoc/Infra) Countermeasures                        Port/Radio
Rogue MAC         /Class    Radio Mac        RSSI MX IPaddr        /Channel ----------------- -------- ----------------- ---- --------------- ------------ 00:XX:XX:XX:XX:XX I/rogue  a8:XX:XX:XX:XX:XX -59  172.16.1.2       AP 1/1/6

WLC Detected a Rouge SSID

Conclusion:  Tests confirm wireless clients cannot connect to rouge SSIDs when WLC countermeasures are enabled.  Interestingly, the WLC countermeasures are similar to those available on some WiFi hacking tools.  These countermeasures compliment existing mitigation strategies;  Enterprise WPA2, 802.1X authentication;  BYOD Policy, client and server certificate authentication; disabling client auto-connect; Windows IPSec, etc... 


Table 1. Wireless Threats and Mitigation.

Threat	Type of Attack	Purpose	Mitigation
RF Jamming	DoS - Flooding	Overwhelms WLAN with high-power noise.	WLA detects excessive interference on a channel.  WLC Auto-Tuning changes the radio to a different channel.
De-authenticate frames	DoS Precursor to Identity Spoofing	Basis for man-in-the-middle attacks.  Spoofing changes source MAC so frames appear to come from a legitimate AP.	WLA checks packets for the source MAC address.
Broadcast De-authenticate Frames	DoS Precursor to Identity Spoofing	Spoofs de-authenticate frames to disconnect all clients attached to an AP.	WLA checks for de-authenticate broadcast frames.
Disassociation frames	DoS Precursor to Identity Spoofing	Disassociation frames from an AP instructs clients to end their association to AP.	WLA checks for  disassociation frames
Null probe response	DoS	Rogue devices send probe response with null SSID.  NICs can lock up upon null probe responses.	WLA checks for Null probe responses.
Decrypt Errors	Identity Spoofing	Rogue device pretends to be a legitimate device by spoofing the MAC address.	WLA checks for excessive number of decrypt errors.  This indicates multiple clients are using the same MAC address.
Fake APs	DoS	Rouge device sends beacon frames for excessive SSIDs or BSSIDs.  Clients cannot connect to valid Aps.	WLA check for excessive beacon frames.
Fake SSIDs	Identity Spoofing -MITM	Rouge device pretends to be a legitimate SSID in your network.  Clients associate with rouge SSID.	WLA checks for APs masquerading as company SSID.
Spoofed WAPs	Identity Spoofing -MITM	Rouge device pretends to be legitimate AP by changing its MAC source address.	WLC detects spoofed AP attacks based on AP fingerprint.  WLA signatures must be enabled to detect AP spoofing.
Netstumbler and Wellenreiter	Reconnaissance	Hacker applications gather information about APs, location, manufacturer, and encryption.	WLC syslog warnings identify Netstumbler and Wellenreiter.
Wireless Bridge	Identity Spoofing	Extends network to personal or rouge devices.	WLA identifies internal wireless bridges.
Ad-Hoc Networks	Identity Spoofing	Client Wireless NICs extend network to personal or rouge devices.	WLA identifies internal Ad-Hoc Networks.
Weak WEP Keys	Brute Force Vulnerability	Network systems vulnerable to attacks.	WLC syslog warnings identify clients using weak WEP.

 Note:  IDS console messaging and SNMP alerts are additional mitigation features.  WLAs are configured to actively scan for threats (i.e. Active Scan) by default.


Table 2.  Rouge Determination

Wireless AP, bridge, or ad-hoc Network	Yes	No
Does the device have a known MAC address from the wired network?	Rouge	Suspect
Does the destination header contain a known MAC from the wire network?	Rouge	Suspect
Does the SSID belong to the SSID list?	Member	Rouge
Is the device use a Juniper transmitter?	Suspect	Rouge
Does the client or AP MAC address on the blacklist?	Rouge	Suspect
Does the client or AP MAC address belong to the Rouge list?	Rouge	Suspect
Does the client or AP MAC address belong to the Neighbor list?	Neighbor	Suspect

References:  Juniper Mobility System  Software Configuration Guide

CISCO Juniper Network Administration Network Security Risk Management WiFi