Wireless Threat Detection and Countermeasures: Monitor and Protect Your Wireless Access Points.
Takeaway: Automated countermeasures discover, attack, and disable rogue Wi-Fi devices! This article explores Wireless Access Controllers, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS). These instructions explain how to enable countermeasures on Juniper Wireless Controllers (WLCs). Cisco, Aruba, and other controllers offer similar mitigation.
Problem: Corporate networks are vulnerable to rogue wireless technology. Wireless access points (WAPs), wireless routers, and wireless bridges can extend the corporate network and provide an insecure entry point. Untrusted wireless technology puts data integrity and confidentiality at risk.
Figure: Internal and External Rogue Wireless Threats.
Threats: Internal threats include unapproved wireless devices that extend or bridge the corporate network. For example, an employee may install a residential WiFi router to provide network access to their smartphone. Their intent may not be malicious, but it nonetheless exposes the network to compromise.
Hackers or wireless devices in proximity to corporate access points are external threats. External threats can intercept and harm company data. Other threats can disrupt wireless communication entirely (Table 1).
Enable Countermeasures: The WLC includes countermeasures that attack rogue devices. These countermeasures consist of packets that disrupt client communications to rogue devices. Rogue devices are rendered useless once the WLA initiates an attack. WLC countermeasures are disabled by default. Enable countermeasures on all rogue devices:
LocalWLC#set radio-profile default countermeasures rogue
Alternatively, enable countermeasures on all rogue and interfering devices:
LocalWLC#set radio-profile default countermeasures all
Enable ad-hoc countermeasures if desired:
LocalWLC#set rfdetect classification ad-hoc rogue
Configure the SSID list to whitelist existing SSIDs:
LocalWLC#set rfdetect ssid-list BIZ_SSID
Enable log messages to display on the console:
LocalWLC#set rfdetect log enable
N.B., interfering devices may include neighboring APs using the same radio channels. The WLC includes RF Auto-Tuning, which changes WLA channels as needed. Consider rogue-only countermeasures when located near other businesses.
Rogue Classifications: The WLC identifies all nearby 802.11 wireless devices and uses a classification system to detect rogue devices:
LocalWLC# sh rfdetect classification
User
Rule Rules for RF Classification Classification
---- --------------------------- --------------
N 1. If AP in Rogue list ....................... ROGUE
N 2. If AP is part of Mobility Domain .......... MEMBER
N 3. If AP in Neighbor list .................... NEIGHBOR
-------------------------------------------------------------------
Y 4. If AP is Masquerading our SSID ............ ROGUE
Y 5. Client or Client DST MAC seen in network .. ROGUE
Y 6. If AP is acting as an Ad-hoc device ....... SKIP-TEST
-------------------------------------------------------------------
N 7. If SSID is in SSID list ................... NEIGHBOR
-------------------------------------------------------------------
Y 8. Default Classification .................... SUSPECT
Rogue List: The WLC attacks all devices in the Rogue list. The WLA does not transmit client traffic while it attacks rogue devices. WLAs can be provisioned in Sentry mode for dedicated scanning and attacking purposes.
Suspect List: Devices in the Suspect list are considered potential rogues. The WLC does not attack suspect devices unless they become a threat. In most circumstances, suspect devices are neighbor APs that have not been manually added to the Neighbor list.
Neighbor List: The Neighbor list acts as a whitelist. The WLC does not attack its neighbors. Be a good Samaritan and add your neighbors' APs to the Neighbor list. The Juniper WLC GUI makes identifying and adding neighbors a cinch.
Figure: Juniper WLC GUI: RF Neighbors.
Countermeasures in Action: What happens if an employee connects a wireless AP to the corporate network? For this example, assume the switch access ports are not configured for 802.1X authentication or BPDU Guard.
1. The employee discreetly connects a Linksys wireless router to the network.
Figure: Employee adds an unapproved wireless access point to the company network.
2. The Linksys router connects to the company network and advertises its SSID.
3. The Linksys SSID remains in the Suspect list as long as no clients are connected to it.
4. The employee connects their laptop to the Linksys SSID. The WLC immediately identifies the Linksys AP as a rogue device:
ROGUE Sep 24 11:11:26.009242 NOTICE ROGUE_AP_ALERT: Client Mac 88:XX:XX:XX:XX:XX(Rogue AP Mac 00:XX:XX:XX:XX:XX) is seen on the wired network by Switch 172.16.1.2 on port X vlan X tag 0. Detected by listener a8:XX:XX:XX:XX:XX(AP 1, radio 1), channel 6 with RSSI -55 SSID "linksys".
5. The WLC begins its countermeasure attack:
ROGUE Sep 24 11:12:35.065652 NOTICE ROGUE_AP_ALERT: COUNTERMEASURES STARTED for Xmtr Mac 00:XX:XX:XX:XX:XX Performer Mac a8:XX:XX:XX:XX:XX SW-I Paddr 172.16.1.2 AP 1 Radio 1 Channel 6
6. Confirm countermeasures:
WLC# sh rfdetect countermeasures
Total number of entries:1
Type(Adhoc/Infra) Countermeasures Port/Radio
Rogue MAC /Class Radio Mac RSSI MX IPaddr /Channel
----------------- -------- ----------------- ---- --------------- ------------
00:XX:XX:XX:XX:XX I/rogue a8:XX:XX:XX:XX:XX -59 172.16.1.2 AP 1/1/6
Figure: WLC detected a rogue SSID.
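The two ROGUE_AP_ALERT messages above are the evidence a defender works from: the first says a rogue AP's client was seen on the wired network, the second that countermeasures started against that transmitter. The following parser, an added example that is not Juniper code, turns both message formats into structured events and correlates them per rogue MAC so that a rogue seen on the wire without a matching countermeasure record (the default state, since countermeasures are off until enabled) can be surfaced. The regular expressions are written against the exact wording shown on this page; the sample log lines, their MAC addresses, IP address, port and VLAN numbers are constructed placeholders.

```python
"""Parse Juniper WLC ROGUE_AP_ALERT syslog lines into structured events.

Added example, not Juniper or vendor code. The two message formats are
the ones shown above (rogue seen on the wired network; countermeasures
started); the regexes and the sample lines with their MAC/IP values are
constructed for this example.
"""
import re
from typing import Optional

# Constructed sample lines modelled on the page's output (placeholder MACs/IPs).
SAMPLE_LOG = """\
ROGUE Sep 24 11:11:26.009242 NOTICE ROGUE_AP_ALERT: Client Mac 88:aa:bb:cc:dd:ee(Rogue AP Mac 00:de:ad:be:ef:01) is seen on the wired network by Switch 172.16.1.2 on port 7 vlan 10 tag 0. Detected by listener a8:00:00:00:00:01(AP 1, radio 1), channel 6 with RSSI -55 SSID "linksys".
ROGUE Sep 24 11:12:35.065652 NOTICE ROGUE_AP_ALERT: COUNTERMEASURES STARTED for Xmtr Mac 00:de:ad:be:ef:01 Performer Mac a8:00:00:00:00:01 SW-I Paddr 172.16.1.2 AP 1 Radio 1 Channel 6
"""

MAC = r"[0-9a-fA-F:]{17}"
TS = r"(?P<ts>\w{3} \d+ [\d:.]+)"

# "Client Mac X(Rogue AP Mac Y) is seen on the wired network by Switch ..."
SEEN_RE = re.compile(
    rf'{TS} NOTICE ROGUE_AP_ALERT: Client Mac (?P<client>{MAC})'
    rf'\(Rogue AP Mac (?P<rogue>{MAC})\) is seen on the wired network by Switch '
    rf'(?P<switch>[\d.]+) on port (?P<port>\S+) vlan (?P<vlan>\S+) tag \d+\. '
    rf'Detected by listener (?P<listener>{MAC})\(AP (?P<ap>\d+), radio (?P<radio>\d+)\), '
    rf'channel (?P<channel>\d+) with RSSI (?P<rssi>-?\d+) SSID "(?P<ssid>[^"]*)"'
)
# "COUNTERMEASURES STARTED for Xmtr Mac Y Performer Mac Z SW-I Paddr ..."
CM_RE = re.compile(
    rf'{TS} NOTICE ROGUE_AP_ALERT: COUNTERMEASURES STARTED for Xmtr Mac '
    rf'(?P<rogue>{MAC}) Performer Mac (?P<listener>{MAC}) SW-I Paddr (?P<switch>[\d.]+) '
    rf'AP (?P<ap>\d+) Radio (?P<radio>\d+) Channel (?P<channel>\d+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Return an event dict for the two alert types, or None for anything else."""
    m = SEEN_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "rogue_seen_on_wire"
        ev["rssi"] = int(ev["rssi"])
        return ev
    m = CM_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "countermeasures_started"
        return ev
    return None


def correlate(log_text: str) -> dict:
    """Group events by rogue AP MAC: {mac: {"seen": [...], "countermeasures": [...]}}."""
    by_rogue: dict = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = by_rogue.setdefault(ev["rogue"], {"seen": [], "countermeasures": []})
        key = "seen" if ev["event"] == "rogue_seen_on_wire" else "countermeasures"
        entry[key].append(ev)
    return by_rogue


def unmitigated_rogues(log_text: str) -> list:
    """Rogue MACs seen on the wire that never had countermeasures started."""
    return [mac for mac, e in correlate(log_text).items()
            if e["seen"] and not e["countermeasures"]]


if __name__ == "__main__":
    for mac, e in correlate(SAMPLE_LOG).items():
        print(mac, "seen:", len(e["seen"]), "countermeasures:", len(e["countermeasures"]))
    print("unmitigated:", unmitigated_rogues(SAMPLE_LOG))
```

Feeding the WLC's syslog export through `unmitigated_rogues` is a cheap check that the countermeasure configuration is actually taking effect: a rogue that keeps appearing in wired-network alerts without a COUNTERMEASURES STARTED line is either outside the WLA's reach or the feature is still disabled.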
Conclusion: Tests confirm wireless clients cannot connect to rogue SSIDs when WLC countermeasures are enabled. Interestingly, the WLC countermeasures are similar to those available in some WiFi hacking tools. These countermeasures complement existing mitigation strategies: Enterprise WPA2; 802.1X authentication; BYOD policy; client and server certificate authentication; disabling client auto-connect; Windows IPsec; etc.
Table 1. Wireless Threats and Mitigation.
Threat | Type of Attack | Purpose | Mitigation
--- | --- | --- | ---
RF Jamming | DoS - Flooding | Overwhelms the WLAN with high-power noise. | WLA detects excessive interference on a channel. WLC Auto-Tuning changes the radio to a different channel.
De-authenticate frames | DoS; precursor to identity spoofing | Basis for man-in-the-middle attacks. Spoofing changes the source MAC so frames appear to come from a legitimate AP. | WLA checks packets for the source MAC address.
Broadcast de-authenticate frames | DoS; precursor to identity spoofing | Spoofs de-authenticate frames to disconnect all clients attached to an AP. | WLA checks for broadcast de-authenticate frames.
Disassociation frames | DoS; precursor to identity spoofing | Disassociation frames from an AP instruct clients to end their association with the AP. | WLA checks for disassociation frames.
Null probe response | DoS | Rogue devices send probe responses with a null SSID. NICs can lock up upon null probe responses. | WLA checks for null probe responses.
Decrypt errors | Identity spoofing | Rogue device pretends to be a legitimate device by spoofing the MAC address. | WLA checks for an excessive number of decrypt errors, which indicates multiple clients are using the same MAC address.
Fake APs | DoS | Rogue device sends beacon frames for excessive SSIDs or BSSIDs. Clients cannot connect to valid APs. | WLA checks for excessive beacon frames.
Fake SSIDs | Identity spoofing - MITM | Rogue device pretends to be a legitimate SSID in your network. Clients associate with the rogue SSID. | WLA checks for APs masquerading as the company SSID.
Spoofed WAPs | Identity spoofing - MITM | Rogue device pretends to be a legitimate AP by changing its MAC source address. | WLC detects spoofed AP attacks based on AP fingerprint. WLA signatures must be enabled to detect AP spoofing.
Netstumbler and Wellenreiter | Reconnaissance | Hacker applications gather information about APs, location, manufacturer, and encryption. | WLC syslog warnings identify Netstumbler and Wellenreiter.
Wireless bridge | Identity spoofing | Extends the network to personal or rogue devices. | WLA identifies internal wireless bridges.
Ad-hoc networks | Identity spoofing | Client wireless NICs extend the network to personal or rogue devices. | WLA identifies internal ad-hoc networks.
Weak WEP keys | Brute-force vulnerability | Network systems are vulnerable to attacks. | WLC syslog warnings identify clients using weak WEP.
Note: IDS console messaging and SNMP alerts are additional mitigation features. WLAs are configured to actively scan for threats (i.e. Active Scan) by default.
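Several of the mitigations in Table 1 are simple checks on 802.11 management frames: broadcast de-authenticate frames, bursts of de-authenticate or disassociation frames, probe responses carrying a null SSID, excessive beacons from many BSSIDs, and a foreign BSSID beaconing the company SSID. The block below, an added example and not Juniper's WLA implementation, runs those checks over a constructed stream of frame summaries so the detection logic can be read in one place. The Frame model, the window and threshold values, and every MAC address and SSID are assumptions made for the example.

```python
"""Frame-level checks for the threats in Table 1 over a constructed capture.

Added example, not Juniper code: it shows the kind of checks the table
attributes to the WLA. Frame records, window/threshold values and all
MAC/SSID values are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
OUR_SSIDS = {"BIZ_SSID"}                 # SSIDs our WLAs advertise (constructed)
OUR_BSSIDS = {"a8:00:00:00:00:01"}       # our WLA radio MACs (constructed)
FLOOD_THRESHOLD = 20                     # deauth/disassoc frames per window (assumption)
FAKE_AP_THRESHOLD = 50                   # distinct beaconing BSSIDs per window (assumption)


@dataclass
class Frame:
    """Summary of one captured 802.11 management frame (constructed model)."""
    ts: float            # capture time in seconds
    subtype: str         # "beacon", "probe_resp", "deauth", "disassoc", ...
    src: str
    dst: str
    bssid: str
    ssid: Optional[str] = None


def check_frames(frames: List[Frame], window: float = 10.0) -> List[Dict]:
    """Return one alert dict per rule hit; flood rules fire once per window."""
    alerts: List[Dict] = []
    flood: Counter = Counter()           # (bssid, subtype) -> frames in window
    beacon_bssids: set = set()           # distinct BSSIDs beaconing in window
    window_start = frames[0].ts if frames else 0.0
    for f in frames:
        if f.ts - window_start > window:  # roll the window over
            flood.clear()
            beacon_bssids.clear()
            window_start = f.ts
        if f.subtype in ("deauth", "disassoc"):
            # Broadcast de-authenticate frames knock every client off an AP.
            if f.subtype == "deauth" and f.dst == BROADCAST:
                alerts.append({"rule": "broadcast_deauth", "src": f.src, "bssid": f.bssid})
            flood[(f.bssid, f.subtype)] += 1
            if flood[(f.bssid, f.subtype)] == FLOOD_THRESHOLD:
                alerts.append({"rule": f"{f.subtype}_flood", "bssid": f.bssid})
        elif f.subtype == "probe_resp" and not f.ssid:
            # Null probe responses can lock up some client NICs.
            alerts.append({"rule": "null_probe_response", "src": f.src})
        elif f.subtype == "beacon":
            # A BSSID we do not own advertising our SSID is a fake SSID.
            if f.ssid in OUR_SSIDS and f.bssid not in OUR_BSSIDS:
                alerts.append({"rule": "ssid_masquerade", "bssid": f.bssid, "ssid": f.ssid})
            beacon_bssids.add(f.bssid)
            if len(beacon_bssids) == FAKE_AP_THRESHOLD:
                alerts.append({"rule": "fake_ap_flood", "count": len(beacon_bssids)})
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: normal traffic, one spoofed broadcast deauth, a null
    probe response, a foreign BSSID beaconing our SSID, and a disassoc flood."""
    ours = "a8:00:00:00:00:01"
    client = "88:aa:bb:cc:dd:ee"
    frames = [
        Frame(0.0, "beacon", ours, BROADCAST, ours, "BIZ_SSID"),
        Frame(0.1, "probe_resp", ours, client, ours, "BIZ_SSID"),
        Frame(0.5, "deauth", ours, BROADCAST, ours),                      # spoofed
        Frame(0.6, "probe_resp", "c0:ff:ee:00:00:02", client, "c0:ff:ee:00:00:02", ""),
        Frame(0.7, "beacon", "c0:ff:ee:00:00:03", BROADCAST, "c0:ff:ee:00:00:03", "BIZ_SSID"),
    ]
    frames += [Frame(1.0 + i * 0.01, "disassoc", ours, client, ours)
               for i in range(FLOOD_THRESHOLD)]
    return frames


def fake_ap_burst(n: int) -> List[Frame]:
    """Constructed burst of beacons from n distinct BSSIDs (the Fake APs row)."""
    return [Frame(i * 0.001, "beacon", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",
                  BROADCAST, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", f"free-wifi-{i}")
            for i in range(n)]


if __name__ == "__main__":
    for alert in check_frames(sample_frames()):
        print(alert)
```

On the sample capture the checks raise four alerts (broadcast deauth, null probe response, SSID masquerade, disassociation flood) and nothing for the legitimate frames; the flood rules fire once when the count reaches the threshold rather than on every frame, which keeps the alert volume manageable when a real flood is under way.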
Table 2. Rogue Determination.
Wireless AP, bridge, or ad-hoc network | Yes | No
--- | --- | ---
Does the device have a known MAC address from the wired network? | Rogue | Suspect
Does the destination header contain a known MAC from the wired network? | Rogue | Suspect
Does the SSID belong to the SSID list? | Member | Rogue
Does the device use a Juniper transmitter? | Suspect | Rogue
Is the client or AP MAC address on the blacklist? | Rogue | Suspect
Does the client or AP MAC address belong to the Rogue list? | Rogue | Suspect
Does the client or AP MAC address belong to the Neighbor list? | Neighbor | Suspect
References: Juniper Mobility System Software Configuration Guide