Download All You Wanted to Know About WiFi Rogue Access

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
Document related concepts

Peering wikipedia , lookup

Computer network wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Policies promoting wireless broadband in the United States wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Network tap wikipedia , lookup

Airborne Networking wikipedia , lookup

Distributed firewall wikipedia , lookup

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
All You Wanted to Know About
WiFi Rogue Access Points
A quick reference to Rogue AP security
threat, Rogue AP detection and mitigation
Gopinath K. N.
Hemant Chaskar
AirTight Networks
www.AirTightNetworks.com
What is Rogue AP
Š Unmanaged
(unauthorized) AP attached to enterprise
wired network
© 2009, AirTight Networks Inc. All Rights Reserved.
How does Rogue AP pop up on enterprise network
Š Malicious
intent or simply unwitting, impatient employee
Š Commoditization
of WiFi APs raises the risk of someone
putting up personal AP on the enterprise network
Wall Jack AP
Pocket AP
Wireless Router
PCMCIA and USB APs
Š It
has been estimated that almost 20% of corporations
have Rogue APs in their networks at some time
© 2009, AirTight Networks Inc. All Rights Reserved.
Why is Rogue AP such a bad thing
ŠRogue
AP on network =
(logically) LAN jack of
your network hanging
out of the premises
ŠRF
signal spillage of
Rogue AP provides
access to wired
enterprise network from
outside of the premises
© 2009, AirTight Networks Inc. All Rights Reserved.
What are some specific attacks which can be
launched through Rogue AP
Š Attacks
on wired network infrastructure
• ARP poisoning, DHCP attacks, STP attacks, DoS attacks etc.
Š Mapping
the network for targeted attacks
Š Scanning
Š MIM
hosts on network for targeted attacks
(Man-In-Middle) and data sniffing on wired network
Š See
this blog article for details on attacks through Rogue
AP http://blog.airtightnetworks.com/wifi-rogue-ap-5-waysto-%e2%80%9cuse%e2%80%9d-it/
So, how can you protect enterprise
network from Rogue APs?
© 2009, AirTight Networks Inc. All Rights Reserved.
Can the firewall protect from Rogue AP
Š No!
Š Firewall
works at traffic transfer point between LAN & Internet
Š Firewall
does not detect Rogue AP
Š Firewall
does not see traffic through Rogue AP
Rogue AP
Office Premises
and LAN
Internet
Firewall
© 2009, AirTight Networks Inc. All Rights Reserved.
Attacker
Can WPA2 protect from Rogue APs
Š No!
Š You
can enforce security controls such as WPA2 only on
APs which you manage, i.e., your Authorized APs
Š Rogue
AP is not your managed AP
Š In
fact, most Rogue APs found in the field installed by
naïve users either have
• OPEN wireless link (out of box default) or
• WEP wireless link (deterministically crackable)
© 2009, AirTight Networks Inc. All Rights Reserved.
Is 802.1X port control sufficient to protect
from Rogue AP
Š As
a matter of fact, most networks do not have 802.1x
port control today
Š If
even if 802.1x is deployed, it cannot protect from all
Rogue AP configurations, some examples below:
802.1X
Rogue AP
Legitimate
user
Rogue APs over bridging laptops
MAC spoofer
© 2009, AirTight Networks Inc. All Rights Reserved.
Can antivirus, wired IDS protect from Rogue AP
Š No!
Š Rogue
AP threats operates at a layer below antivirus and
wired IDS protection
© 2009, AirTight Networks Inc. All Rights Reserved.
Is NAC sufficient to protect from Rogue AP
Š As
a matter of fact, most networks do not have NAC
deployed today
Š If
even if NAC is deployed, it cannot protect from all
Rogue AP configurations, some examples below:
NAC
Rogue AP
Legitimate
user
Rogue APs over bridging laptops
MAC spoofer
© 2009, AirTight Networks Inc. All Rights Reserved.
So what protects network from Rogue APs
Š Sensor
based wireless intrusion
prevention system (WIPS) which
• Watches for Rogue APs 24x7
• Performs wired/wireless correlation
for AP network connectivity testing
to detect Rogue AP
• Provides for automatic blocking of
Rogue AP
• Locates Rogue AP for easy
searching and removal from the
network
© 2009, AirTight Networks Inc. All Rights Reserved.
WIPS in action - Rogue AP protection
Š See
demonstration video at
http://www.airtightnetworks.com/fileadmin/content_images/
demos/RogueAP-Demo/RogueAP-Demo.html
© 2009, AirTight Networks Inc. All Rights Reserved.
What are different types of Rogue APs
Š Various
permutations and combinations of
• Bridging APs (on subnets coinciding with or different
from wired interface address)
• Router (NAT) APs (with and without MAC cloning)
• APs with encrypted wireless links
• APs with open wireless links
• Soft APs (natively configured on wireless client or which
use external devices such as USB sticks)
• APs on different VLANs in the LAN including no-WiFi
subnets
© 2009, AirTight Networks Inc. All Rights Reserved.
Can wire side only scanning protect from all Rogue AP
Š No!
Š Several
Rogue AP types are undetectable by wire side only
scanning, examples:
• Bridging APs on a subnet inconsistent with their wired IP
address (default configuration)
• Soft APs
• Router (NAT) APs with cloned wire side MAC address
Š See
http://blog.airtightnetworks.com/rogue-ap-detectionpci-compliance/ for more details
© 2009, AirTight Networks Inc. All Rights Reserved.
What does AP auto-classification mean in the context
of Rogue AP
Š Automatically
classifying APs visible in airspace into three
categories: Authorized, External and Rogue
Managed APs
(Static Part)
Authorized
AP
External
AP
Rogue
AP
All APs visible in air
Unmanaged APs
(Dynamic Part)
Not connected
to my network
Connected to
my network
© 2009, AirTight Networks Inc. All Rights Reserved.
What is key technology enabler for accurate autoclassification
Š Robust
testing of AP’s connectivity to monitored enterprise
network is the key technology enabler
Š If
AP is not detected as connected, when it is indeed
connected to the monitored enterprise network, it results in
security hole (false negative)
Š If
AP is detected as connected, when it is indeed not
connected to the monitored enterprise network, it results in
false alarm (false positive)
© 2009, AirTight Networks Inc. All Rights Reserved.
What are prevalent AP connectivity testing methods
MAC Correlation (CAM
table lookup)
• Collect all MAC addresses
seen on wired network
(CAM table lookup)
• Detect all MAC addresses
seen on wireless network
• Presume network
connectivity of APs based
on match between wired
and wireless MAC
addresses
Signature Packet Injection
• Inject signatures packets
in the wired and wireless
network
• Detect which APs forward
signature packets
between wired and
wireless interfaces
• Confirm network
connectivity of APs based
on signature packet
forwarding
© 2009, AirTight Networks Inc. All Rights Reserved.
How do these connectivity testing methods compare
Š Packet
injection method is superior to CAM table lookup as
it is fast, accurate, gracefully scalable to large networks
and capable of detecting all types of Rogue APs
Š For
more details on this comparison and auto-classification
methods used in various WIPS in the market, see
http://blog.airtightnetworks.com/ugly-bad-and-good-ofwireless-rogue-access-point-detection/
http://blog.airtightnetworks.com/making-the-right-choicefor-rogue-access-point-detection-technology/
© 2009, AirTight Networks Inc. All Rights Reserved.
How does WIPS block Rogue AP
Š Over
the air quarantine
• WIPS sensor blocks client’s
connection to Rogue AP by
transmitting spoofed
disconnection frames
• Deauthentication is popularly
Š Switch
port disable
• WIPS attempts to locate switch
port into which Rogue AP is
connected
• If found, disables the switch
port using SNMP
used disconnection frame
WIPS Sensor
Rogue AP
© 2009, AirTight Networks Inc. All Rights Reserved.
How do the two Rogue AP blocking methods
compare
Š Over
the air quarantine
• Works independent of
Š Switch
port disable
• Only works for those Rogue
correlation between wired
and wireless addresses of
Rogue AP
APs which have correlation
between wired and wireless
addresses
• Non-intrusive with network
• Highly intrusive. WIPS needs
infrastructure
• No interoperability problems
with different switch vendors
• Deauthentication based over
the air quarantine will not
work with .11w Rogue APs
need to know “set” password
on switches. Error in tracing
leaf switch may turn off entire
switch branch
• Suffers from switch vendor
interoperability problems
© 2009, AirTight Networks Inc. All Rights Reserved.
Conclusion
Š Rogue
AP is unmanaged AP plugged into wired enterprise
network by unwilling or malicious employees or visitors
Š Rogue
AP can expose wired enterprise network to
outsiders over its RF signal spillage
Š Rogue
AP threat is not mitigated by firewalls, WPA2,
802.1x, NAC, anti-virus or wire side scanners
Š Sensor
based wireless intrusion prevention system (WIPS)
detects, blocks and locates Rogue APs
Š Testing
of AP’s connectivity to monitored enterprise
network is key technology enabler for reliable protection
from Rogue APs
© 2009, AirTight Networks Inc. All Rights Reserved.
Related documents
Rogue River Blue
Rogue River Blue
Enterprise Wireless LAN (WLAN) Management
Enterprise Wireless LAN (WLAN) Management
Lecture 26
Lecture 26
4As.ANA-Piracy-Statement
4As.ANA-Piracy-Statement
Enterprise Wireless LAN (WLAN) Management and Services
Enterprise Wireless LAN (WLAN) Management and Services
Inside Cancer: How genes influence cancer
Inside Cancer: How genes influence cancer
Document 8938497
Document 8938497
PPT Version
PPT Version
Information for advertisers - Australian Psychological Society
Information for advertisers - Australian Psychological Society
extreme nonlinear structures in optics
extreme nonlinear structures in optics