Rogue AP containment methods

Wireless network monitoring systems are quickly moving from detection alone to detection and prevention. In particular, many now provide options to "block" rogue devices, preventing wireless or wired network access. This tip explores how these containment features work, their potential side-effects, and what network administrators should consider before activating them.

Wireless Security Lunchtime Learning

Wireless network monitoring systems have evolved over the years, moving from detection alone to full-blown prevention. Today, many Wireless Intrusion Prevention Systems (WIPS) can be configured to "contain" unauthorized rogue devices by preventing wireless or wired LAN access. This tip explores how rogue containment methods work, their potential side effects and what network administrators should consider before using them.

Wired containment

A rogue may be an unauthorized access point (AP) installed by an employee for convenience, an AP planted in your office to create a wireless backdoor, or a software AP bridging attack traffic into your wired LAN. In each of these cases, the rogue is physically connected to your corporate network. Disabling an upstream Ethernet switch port can immediately break that connection.

First, identify the target switch port by scanning the wired LAN to find a device with the rogue's MAC address. Or associate with the rogue AP, then use traceroute to establish the rogue's path back into your network. Your WIPS may support one or both "connectivity check" methods, launched from an AP or dedicated sensor near the rogue.

If the switch port used by the rogue can be identified, your WIPS may be able to send that switch an SNMP request to disable that port. Alternatively, it may be able to send such a request to a Network Management System -- for example, Cisco's Adaptive WIPS can remotely disable the Cisco Catalyst Ethernet port to which a rogue appears to be connected.

Wired containment may require some pre-configuration, like adding managed subnets and SNMP community strings to your WIPS so that it can discover switches, or adding specific switches to a search list. In some cases, switches may not be SNMP-managed, or may be located in subnets that cannot be reached from a WIPS sensor or server. Also, even when wired containment is technically possible, it may not be permissible due to organizational policies.

Wireless containment

Where wired containment is not possible, practical, or appropriate, consider wireless containment. Wireless containment applies not only to rogue APs, but also to rogue stations connected to your own APs, and to Ad Hoc clients. Wireless containment methods vary quite a bit; for example:

  • A common but coarse method is sending a steady stream of deauthenticate packets to the rogue's MAC address, or the AP's broadcast address. For example, a WIPS may deauthenticate everyone using a rogue AP, or it may selectively deauthenticate only rogue stations using a legitimate AP. Broadcast deauthenticates should be used with care to avoid accidentally attacking a neighbor's new AP. Selective deauthenticates are less disruptive, but may be circumvented by rogues that use MAC spoofing or roam to another legitimate AP/channel.
  • Some WIPS use more selective honeypot and tar-paper algorithms to keep a rogue busy so that it won't try to communicate with anyone else. For example, a rogue Ad Hoc may be drawn to a WIPS sensor that pretends to be a peer Ad Hoc. Or the sensor may pretend to be an AP, keeping rogue clients associated with it so that they do not roam to real APs.

Unlike wired methods, wireless containment does not usually require coordination with other network devices or servers. But wireless containment consumes bandwidth and WIPS sensor resources. Some sensors can be time-shared, so that monitoring intervals are merely shortened, while other sensors cannot scan channels while being used for containment. Some sensors can block several rogues at once, but the more that one sensor tries to do, the less effective containment (and WIPS monitoring) may become.

Considerations

Containment is a double-edged sword. It can be very important to stem damage while a rogue is investigated and eliminated. Dispatching staff to a remote site can take days; rogues can do damage in just minutes, then move on. But improper containment actions can also impede your own business productivity, do financial harm to your neighbors or incur legal liability.

It is therefore essential to understand what containment features do before invoking them. Experiment with containment features in isolated test WLANs until you understand rogue classification accuracy, intended containment method impacts, and unintended consequences. When you move to a production WLAN, apply containment sparingly at first. Automate containment only after careful analysis and management approval.

Develop a policy for when to use containment, and who is authorized to make containment decisions. For example, you may require human investigation for all but the highest-priority rogue incidents, such as those involving mission-critical systems or restricted areas. Or you may decide to automate conservative containment scenarios, while reserving more aggressive methods for escalation. For example, disabling your own Ethernet switch ports or selectively deauthenticating rogue clients from your own APs may be considered well within your jurisdiction, and unlikely to accidentally impact your neighbors.

Also, define when containment measures should be removed or made permanent. For example, wireless containment is frequently a stop-loss tactic, imposed for a short period, or until the rogue gets discouraged and moves on. But Wireless Intrusion Prevention Systems can also use containment to persistently enforce authorized usage policies by preventing legitimate stations from ever maintaining associations with unauthorized APs, no matter who owns those APs.

Remember, a double-edged sword in skilled hands can be a powerful tool. Containment can be extremely valuable in the war against rogues, so long as you treat these "strike back" capabilities with the respect and care they deserve.

>> Read the next tip: Wireless intrusion prevention systems: Overlay vs. embedded sensors

Dig Deeper on Threat detection and response