Wi-Fi is a Passion


Rogue detection and mitigation

A WIDS/WIPS can do device classification and recognize devices such as access points, client stations, and ad hoc clients, as long as those devices are within range of the sensors. When the devices are scanned and recognized the devices will be classified in four categories:
Authorized devices: Devices that are owned by the company or allowed to be on the network.
Unauthorized devices: This is the classification of all new devices that are scanned for the first time. These devices can later be reclassified as neighbour device.
Neighbour device: known devices that are not part of the company. These devices are first recognized as unauthorized devices and manually assigned to neighbour. These devices are mostly devices from companies around your company.
Rogue devices: These are the devices that are considered as threat devices. These devices are not known from neighbours and are interfering the network.

Rogue devices are most of the time plugged in the wired network. In this case rogue detection can be done in different ways. An approach is using SNMP to get a table with all the MAC addresses that are connected to the access layer switches. When you compare those MAC addresses with the MAC addresses on the wireless side (BSSIDs) you have a database with all authorized devices. All the devices that are found both by SNMP on the wired site and a sensor on the wireless side are classified as a rogue.
- A rogue AP is plugged in the wired network with MAC address 11:11:11:11:11:11
- A sensor detects a new device and classify
- ies this as an unauthorized device, at this point it is not a rogue yet.
- The gateway sends out an ARP request. ARP is a broadcast request, so the unauthorized device also receives this request. The unauthorized access point sends this request out of the wireless interface as well.
- Sensors picks up the ARP request that has a transmitter address (BSSID) that is not in the wired and wireless MAC address table. The devices will be classified as rogue devices.
This is a method that can be very effective, but it works only when the sensor and the rogue access point are in the same broadcast domain and the rogue access point is plugged-in the wired network. You can solve this to configure the port from the sensor to a trunk port with all the VLANs within your environment.

Another problem with this tactic is that most of the time the rogue device is not a layer 2 bridge (simple access point), but it has a separate layer 3 NIC and uses NAT. To mitigate this attack, the sensor associates itself with the rogue device and transmits data to the WIDS/WIPS server. Then the WIDS/WIPS server can classify the rogue access point as a rogue device. This action will not work when there is some security on the rogue device, like WPA2 PSK. For those cases, the WIDS/WIPS server can detect the devices with the known factor that the Ethernet MAC address is slightly different than the BSSID (wireless MAC address). For example if the Ethernet MAC address is 11:11:11:11:11:11 the BSSID is 11:11:11:11:11:12.

Other possibilities are, examine the TTL (time to live) on the wired network, Wi-Fi routers lower their TTL value. There are vendor proprietary methods as well, for example, the marker packet solution. The WIDS/WIPS server sends out a marker packet, and when the marker packet is transmitted by an unauthorized BSSID, this device will be classified as rogue device. Rogue mitigation solutions are like the detection solutions. There are many ways to do this and some of them are vendor proprietary solutions. The sensor can send spoofed de-authentication frames that use the MAC address of the rogue access point. All the clients connected to the rogue will be de-authenticated. This method is called rogue containment, or a layer 2 denial-of-services attack. Sadly, hackers get smarter and smarter every day so the firmware of the rogue access point will ignore de-authentication frames. In this case, the sensor needs to send de-authentication frames to the client with the transmit address of the rogue AP. When you use this method, you need to be sure that the device is a rogue device. What if the device was an authorized device? Then you will have just de-authenticated clients from your own network, or maybe worse from your neighbour’s network. In the last case, this can have legal problems with the neighbour company.

To mitigate independent basic service set (IBSS) is easy. In the beacon frames, the WIDS/WIPS can detect the frames and analyse this and recognize the IBSS network. After that, sending out the de-authentication frames has no impact. Since this exam is based on wireless, the solutions that are discussed here are wireless solutions, but with SNMP it is possible to disable the switch port where the rogue access point is connected.

When the rogue device is categorized, you want to mitigate it by tracking it down so you can remove it from your network. In this section, we look into device tracking within your company. The easiest way to pinpoint a device is using the RSSI. When the signal strength is stronger, you are closer to the particular device. With historical tracking, it is possible to monitor the device over a certain time on the map. This is not per se handy for rogue devices, but also for small devices that can be missing in your environment. A method called RF triangulation is making use of three access points. With the three access points, you measure three different values of signal strength and this gives you a good idea where the device is. The estimate location is within 10 meters. This method doesn’t take into account the noise in the area or multipath, reflection, absorption, and so on.

Another way is fingerprinting. With fingerprinting, you need to do first an RF calibration. With calibration, you walk with a device throughout the building and measure at different places the RSSI. This is saved in the RF fingerprinting engine. When something changes, this method will be inaccurate. This is directly a disadvantage of this method. Fingerprinting uses, like triangulation, the RSSI values. In this case, it compares the values with the known values from the calibration. The 10 meters accuracy with triangulation will be with fingerprinting 2 meters (maybe 1).

With time difference of arrival (TDoA), you have a method that uses the arrival time on three or more sensors. The speed is a known factor and, in combination with the arrival time and the angle of arrival (AoA), it is possible to locate a device.