To block or not to block: Rogue containment methods

Wireless network monitoring systems are quickly moving from detection alone to detection and prevention. In particular, many now provide options to "block" rogue devices, preventing wireless or wired network access. This tip explores how these containment features work, their potential side-effects, and what network administrators should consider before activating them.

Wireless Security
Lunchtime Learning
   By Lisa Phifer

Wireless Security Lunchtime Learning

Return to Lesson 4: How to use wireless IDS/IPS
Read the next tip: Overlay vs. embedded WIDS sensors
Return to Wireless Security Lunchtime Learning
Wireless network monitoring systems are quickly moving from detection alone to detection and prevention. In particular, many now provide options to "contain" unauthorized rogue devices by preventing wireless or wired LAN access. This tip explores how rogue containment methods work, their potential side effects and what network administrators should consider before using them.

Wired containment
A rogue may be an unauthorized access point (AP) installed by an employee for convenience, an AP planted in your office to create a wireless backdoor, or a SoftAP bridging attack traffic into your wired LAN. In each of these cases, the rogue is physically connected to your corporate network. Disabling an upstream Ethernet switch port can immediately break that connection.

First, identify the target switch port by scanning the wired LAN to find a device with the rogue's MAC address. Or associate with the rogue AP, then use traceroute to establish the rogue's path back into your network. Your Wireless IDS (WIDS) may support one or both "connectivity check" methods, launched from a sensor near the rogue.

If the switch port used by the rogue can be identified, your WIDS may be able to send that switch an SNMP request to disable that port. Alternatively, it may be able to send such a request to a Network Management System -- for example, AirDefense can send wired block requests to Cisco WLSE.

Wired containment may require some pre-configuration, like adding managed subnets and SNMP community strings to your WIDS so that it can discover switches, or adding specific switches to a search list. In some cases, switches may not be SNMP-managed, or may be located in subnets that cannot be reached from a WIDS sensor or server. Also, even when wired containment is technically possible, it may not be permissible due to organizational policies.

Wireless containment
Where wired containment is not possible, practical, or appropriate, consider wireless containment. Wireless containment applies not only to rogue APs, but also to rogue stations connected to your own APs, and to Ad Hoc clients. Wireless containment methods vary quite a bit; for example:

  • The coarsest method is jamming -- generating RF noise at a designated frequency to prevent the rogue (and everyone else) from communicating very effectively. Jamming is highly disruptive and may violate spectrum use regulations, so should be considered a last resort.

  • The most common method is sending a steady stream of deauthenticate packets to the rogue's MAC address, or the AP's broadcast address. For example, a WIDS may deauthenticate everyone using a rogue AP, or it may selectively deauthenticate only rogue stations using a legitimate AP. Broadcast deauthenticates should be used with care to avoid accidentally attacking a neighbor's new AP. Selective deauthenticates are less disruptive, but may be circumvented by rogues that use MAC spoofing or roam to another legitimate AP/channel.

  • Network Chemistry's UltraShield method uses honeypots and tar-paper algorithms to keep a rogue busy so that it won't try to communicate with anyone else. For example, a rogue Ad Hoc may be drawn to a WIDS sensor that pretends to be a peer Ad Hoc. Or the sensor may pretend to be an AP, keeping rogue clients associated with it so that they do not roam to real APs.
Unlike wired methods, wireless containment does not usually require coordination with other network devices or servers. But wireless containment consumes bandwidth and WIDS sensor resources. Some sensors can be time-shared, so that monitoring intervals are merely shortened, while other sensors cannot scan channels while being used for containment. Some sensors can block several rogues at once, but the more that one sensor tries to do, the less effective containment (and WIDS monitoring) may become.

Containment is a double-edged sword. It can be very important to stem damage while a rogue is investigated and eliminated. Dispatching staff to a remote site can take days; rogues can do damage in just minutes, then move on. But improper containment actions can also impede your own business productivity, do financial harm to your neighbors or incur legal liability.

It is therefore essential to understand what containment features do before invoking them. Experiment with containment features in isolated test WLANs until you understand intended impacts and unintended consequences. When you move to a production WLAN, apply containment sparingly at first. Automate containment only after careful analysis and management approval.

Develop a policy for when to use containment, and who is authorized to make containment decisions. For example, you may require human investigation for all but the highest-priority rogue incidents, such as those involving mission-critical systems or restricted areas. Or you may decide to automate conservative containment scenarios, while reserving more aggressive methods for escalation. For example, disabling your own switch ports or selectively deauthenticating rogues from your own APs may be considered well within your jurisdiction, and unlikely to accidentally impact your neighbors.

Also, define when containment measures should be removed or made permanent. For example, wireless containment is frequently a stop-loss tactic, imposed for a short period, or until the rogue gets discouraged and moves on. But Wireless Intrusion Prevention Systems can also use containment to persistently enforce authorized usage policies -- for example, by preventing legitimate stations from ever maintaining associations with unauthorized APs.

Remember, a double-edged sword in skilled hands can be a powerful tool. Containment can be extremely valuable in the war against rogues, so long as you treat these "strike back" capabilities with the respect and care they deserve.

>> Read the next tip: Overlay vs. embedded WIDS sensors

This was last published in April 2006

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center