Written and provided by
Expert Reference Series of White Papers

The Life and Death of a Rogue AP
Using Cisco's WCS To Manage Potential Rogue APs

1-800-COURSES www.globalknowledge.com
GigaWave Technologies® White Paper

The Life and Death of a Rogue AP
Using Cisco's WCS to Manage Potential Rogue APs

Author: Bill Daniel, Wireless Training Specialist, CCSI, CCNA, MCSE+I (Windows NT), MCSE (Windows 2000)

All content is the property of GigaWave Technologies, a division of TESSCO Technologies. ©2007 All rights reserved.
Introduction

Today, wireless networking is a reality from which IT managers cannot escape. Regardless of the size of an organization, where it is located, or what vertical market it serves, network users want it. No longer is wireless networking a fringe technology; it is mainstream, and it continues to expand at stellar growth rates within the enterprise marketplace.

As with most progressive organizations and corporations, network users understand the value of wireless networking. Maybe they've surfed the Internet wearing PJs on their bed, downloaded files on their back porch, or played games with wireless remotes. Obviously, a large percentage enjoy sitting in a local coffee shop sipping java and responding to email. Regardless, most have heard wireless networking's siren song offering them the freedom and flexibility they crave. Why? Wireless can make them more productive. It might even make them more comfortable. Whatever the reason, they want it, and as Meat Loaf sang in a recent song, "If it's something I want, then it's something I need!"

Basic end-user wireless can be very inexpensive and easy to set up. In fact, chances are that if users have not been given access to an authorized wireless solution, they have already set up an unauthorized network of their own. If they haven't done that, it's only a matter of time. This grassroots effort to set up personal wireless networks would be a great cost saver for the enterprise if it weren't for two little things called support and security. The most significant of these, for any and all network administrators, is the wide-open lack of security that most users will inadvertently create when they install their own rogue wireless network.

Basic rogue management methodology includes these steps:
• Identify potential rogues
• Locate the potential rogue
• Determine the status of the potential rogue and your course of action

This paper discusses how you can use Cisco's Wireless Control System (WCS) software to manage potential rogue APs and eliminate the threat they pose to the unified network.

It's Good Policy to Have a Written Policy

First and foremost, have a written policy regarding the deployment and use of rogue access points (APs) on the corporate network. Draft a policy that defines what a rogue AP is (an AP not managed or authorized by the company's IT department) and why it is detrimental to have on the network (it poses a threat to network security). Discuss with company management what punishments the company is willing to impose on any violators, even members of its own ranks. As Sun Tzu pointed out, a policy that goes unenforced once becomes an unenforceable policy.

If at all possible, it's recommended that you give supported users a short class on the dangers of rogue APs to help them understand why rogues are so dangerous. Explaining why such a hard stance is being taken on personal wireless networks will make the execution of the policy easier for the IT department. Of course, that's a perfect-world scenario. Even the best-laid plans and efforts to openly communicate network policy will not stop individuals who, for one reason or another, feel they are above the law. At the very least, have all of your users sign a statement acknowledging that they understand the reasons why rogue APs cannot be tolerated on the corporate network and that disciplinary measures will be taken if rogue APs are discovered.
Once users know that deploying rogues is bad, both for the company and for them personally, wireless network administrators can turn their attention to how WCS helps find and eliminate evil rogues.

Discovering Potential Rogues via the Network Summary Page

When WCS is opened, the first screen that appears is the Network Summary page. This page shows a list of the most recent rogue APs found on your network, including the MAC address, SSID, type, and state of the potential rogue, as well as the date and time the potential rogue was discovered. It's worthwhile to point out that this list provides only the "Most Recent Rogue APs" and not a list of all rogue APs. Potential rogues that have been within hearing range of the network for any length of time may not be listed here, as there might be a lot of them. Remember that the Network Summary page is just that: a summary page. For all the details you need to dig a little deeper. Figure 1 shows a sample Network Summary page.

Figure 1
Discovering Potential Rogues via the Alarm Dashboard

The gritty truth is, network administrators must know exactly how many potential rogues WCS has heard from and identified. No matter how bad it is, keep in mind that the Alarm Dashboard is just the tool. When looking at this screen, IT staffers must brace themselves and look down at the lower left corner of the screen. The Alarm Dashboard is always there, following network administrators around as faithfully as man's best friend. For those unfamiliar with the name of this handy tool, just look for the small grid-like square in the lower left corner of any page in WCS.

The dashboard is a summary of all the errors that WCS knows how to identify, broken down by category and severity. The dashboard has rows for rogues, coverage, security, controllers, access points and location. The error count is listed with minor errors in yellow squares, major errors in orange squares, and critical errors in red squares. Potential rogues are typically listed as a minor error in the Rogues category. Click on the yellow number in that row and WCS will take you to a dynamically created web page showing the 20 most recent rogues. Of course, if there are more than 20 recent rogues, which is probable, WCS will display links to further pages too. Figure 2 shows a sample Alarm Dashboard.

Figure 2
Discovering Potential Rogues via the Network Security Summary

Click on Monitor > Security and view the Security Summary web page. The upper left corner has a list entitled Rogue AP Details, which will include entries for Alert, Contained, Contained Pending, and (toward the bottom of the list) Adhoc. The Security Summary page also displays entries broken down by category and time (Last Hour, 24 Hours, and Total Active). Click on any of the numbers in these lists and WCS takes you to a separate web page that lists the potential rogues belonging to that category. Figure 3 shows a sample Network Security Summary.

Figure 3

Is a Rogue AP Always a Rogue AP?

Ultimately, IT administrators who take security seriously will find themselves staring at a web page that displays a list of all the potential rogues on the network. It's important to understand the difference between rogues and potential rogues. Wireless networking experts and instructors use the term "potential rogues" because an AP in the Security Summary list might not actually be a rogue AP. For instance, it could be an AP belonging to a neighbor (assuming any mortal dared to set up an adjacent rival wireless network; this happens all the time). It could also be an AP set up by internal IT staff that is not managed by the controller-based network (e.g., an autonomous 1130 set up for guest Internet access in the lobby). Long story short, network administrators must determine if the potential rogue really is a rogue after all.

Is the Potential Rogue On My Physical Network?

One of the best ways to determine if a potential rogue is a rogue is to see where it lives. To do this, open the properties of any potential rogue; four lines down from the top is an entry that reads "On Network" followed by a yes or a no. If the answer is "no", then the potential rogue is not physically plugged into the routed/switched network. If the answer is "yes", then the potential rogue is plugged in and talking to other hosts on the wired network.

This brings up the question of how the potential rogue was discovered in the first place. In accordance with the 802.11 standard, all APs must send out beacon announcements every 100 milliseconds (or so). These beacon announcements advertise the AP's radio MAC address, the SSIDs being used, the supported data rates, and the authentication and encryption methods used at that AP. In other words, the AP announces all the data a potential client would need in order to determine whether or not it should try connecting to the AP. Access points running in Local Mode or Monitor Mode can listen for these beacons, which they then forward to their supporting controller. They will also forward information on which client devices have associated to the potential rogue APs, giving us a very complete picture of rogue activity on our network. If the controller has been added to our install of WCS, then WCS uses SNMP to discover what the controller knows about potential rogues.
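Added example, not code from the white paper or from Cisco: a small Python parser that pulls out of one beacon frame the fields the paragraph above says an AP advertises (radio MAC, SSID, data rates, and the security method), run over a constructed beacon from a hypothetical consumer AP. The BSSID, SSID and RSN contents are made-up sample values; the information-element IDs and the Privacy capability bit are the ones defined by 802.11.

```python
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class BeaconInfo:
    bssid: str              # radio MAC the AP advertises (Address 3 of the header)
    ssid: str
    interval_tu: int        # beacon interval in time units (1 TU = 1024 microseconds)
    rates_mbps: List[float]
    security: str           # "open", "wep", "wpa" or "wpa2"


def parse_beacon(frame: bytes) -> BeaconInfo:
    """Extract what a listening Local/Monitor Mode AP would report about one beacon."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    # Frame Control byte 0: subtype 8 (high nibble) + type 0 = management/beacon.
    if (frame[0] & 0xFC) != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    # Fixed fields after the 24-byte MAC header: timestamp, interval, capabilities.
    _timestamp, interval, caps = struct.unpack_from("<QHH", frame, 24)
    privacy = bool(caps & 0x0010)           # Privacy bit: some encryption is in use
    ssid, rates, has_rsn, has_wpa = "", [], False, False
    pos = 36
    while pos + 2 <= len(frame):            # tagged parameters: ID, length, value
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated information element")
        if eid == 0:                        # SSID
            ssid = body.decode("utf-8", errors="replace")
        elif eid in (1, 50):                # supported / extended supported rates
            rates.extend((r & 0x7F) / 2 for r in body)   # units of 500 kbps
        elif eid == 48:                     # RSN IE: WPA2
            has_rsn = True
        elif eid == 221 and body[:4] == b"\x00\x50\xf2\x01":   # Microsoft WPA IE
            has_wpa = True
        pos += 2 + elen
    security = "wpa2" if has_rsn else "wpa" if has_wpa else "wep" if privacy else "open"
    return BeaconInfo(bssid, ssid, interval, rates, security)


def build_sample_beacon() -> bytes:
    """Constructed beacon from a hypothetical consumer AP using WPA2-PSK (sample values)."""
    bssid = bytes.fromhex("001122aabbcc")
    header = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # 100 TU interval, ESS + Privacy
    ies = (b"\x00\x07linksys"                            # SSID
           + b"\x01\x04\x82\x84\x8b\x96"                 # rates 1, 2, 5.5, 11 Mbps
           + b"\x30\x14\x01\x00" + b"\x00\x0f\xac\x04"   # RSN v1, group cipher CCMP
           + b"\x01\x00\x00\x0f\xac\x04"                 # one pairwise cipher: CCMP
           + b"\x01\x00\x00\x0f\xac\x02" + b"\x00\x00")  # one AKM: PSK; RSN capabilities
    return header + fixed + ies
```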
Each subnet should have an AP set up in Rogue Detector mode. The Rogue Detector uses a protocol called Rogue Location Discovery Protocol (RLDP) to determine if the potential rogue is on the wired network. At the direction of the controller, the Rogue Detector acts as if it were a client: it attempts to authenticate and associate to the potential rogue, requests a DHCP-assigned address, and, once all of that is done, tries to send an ARP message back to the controller. If this ARP request reaches the controller, then we know the potential rogue is physically on the network. Now it's time to see where the potential rogue really is.

Skull-and-Crossbones: Finding Where Potential Rogues Are Hiding

From the command menu (upper right corner of the potential rogue's properties), select the command Map (High Resolution) and then click GO. A web page will appear displaying a copy of the map for the floor on which the potential rogue is located. The map depicts the floor plan, the location of APs (indicated by icons labeled with the APs' names), and a skull-and-crossbones icon that shows the most likely location of the rogue. Normally, a heat-map-style cloud appears immediately around the potential rogue, changing from black to dark grey, then red, orange, yellow and eventually white. The colors get darker where the potential rogue has a greater likelihood of being found. Wireless network administrators who are unaware of these facts need not lose too much sleep. However, taking a class on wireless network management or security would be a good way to atone for this boo-boo. Nevertheless, based on the beacons received by other APs on the network, wireless administrators should now be able to discover whether the AP is inside the building (whether it's on the wired network or not). Figure 4 shows what a rogue AP looks like on a WCS map.
Figure 4

Rogue AP Located and Identified: Now What?

If the unauthorized AP is physically attached to your wired network, then it's no longer a potential rogue; it's a confirmed bad guy. If it's not attached to the wired network but is clearly inside the building, then it's definitely a rogue AP. CAVEAT: be absolutely sure if there's any chance you have neighbors who have legitimate wireless networks.

Now it's time to "contain" the rogue AP. This is a fancy way of saying: pick between one and four local mode APs on the network and tell them to spoof the MAC address and SSID of the rogue, then send out a de-authentication flood to all the rogue AP's clients. How effective is this? Extremely! In fact, there is nothing quite like the hopelessness a victim of forced de-authentication feels as the supplicant shows very strong signal strength, associates with the rogue, tries to authenticate, fails, and rolls back to associating again; it's maddening. It's kind of like driving on black ice: once the truck starts traveling sideways, you're just along for the ride.
After initiating containment, go out and physically locate that nasty, evil rogue. Pick it up, unplug it, and carry it back to the company's stash of confiscated items. Then do with it whatever the legal folks recommend.

BE CAREFUL!

While this technical white paper gives wireless administrators the ultimate weapon for destroying rogues, a little cold water must be tossed. Again, a caveat for those poised and ready to go on a rogue hunting trip: DO NOT go around indiscriminately containing potential rogues. It's a temptation, but IT staffers must be stronger than that. There was a time when containment of rogues was automatic, and it was a big selling point for this product line. Nevertheless, the product was later made more "intelligent", with containment turned into a manual step, to ensure that no neighboring wireless network was contained automatically. Indiscriminate containment is a dangerous thing and can lead to potential lawsuits. For instance, what if the neighbor is a hospital and wireless communications are truly critical, in the literal sense of the word? Hence, Cisco now requires human intervention prior to any and all AP containment.

Be sure the potential rogue really is a rogue before initiating containment procedures. If there are doubts, leave the potential rogue's status at "alert" and use some other tool (AirMagnet is a favorite) to hunt down the rogue. While the potential danger of the rogue remains a bit longer, it is a prudent step toward avoiding any potential legal issues. Finally, if you find the potential rogue does belong to a legitimate neighboring network, use the properties of that AP (as discovered by WCS) to mark the AP as "Known – External". Then move on to the next potential rogue.

Summary/Conclusion

So there it is, the life and death of the rogue AP as seen from the perspective of Cisco's WCS. Remember the steps in this process:
• Have a written policy stating why rogues are dangerous and that deploying rogues will be punished. Have employees sign their understanding of the policy.
• Deploy local and monitor mode APs. These APs will quickly detect beacons sent out by potential rogue APs, as well as the identity of clients that associate to them.
• Deploy rogue detector APs and enable RLDP. This will allow wireless administrators to determine whether or not a potential rogue is physically attached to the wired network.
• Install and configure WCS. This gives the ability to:
  • Aggregate all rogue AP reporting.
  • Locate potential rogues on a map.
  • Initiate containment procedures.
• Investigate all potential rogues. Contain only confirmed rogues; mark all others as "Known – Internal" or "Known – External", as appropriate. Remember, there can be severe legal liabilities for containing rogues indiscriminately.

And now, in the words of Fred Bear, I wish you happy hunting.
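Added example, not part of the white paper and not Cisco code: the triage rules the paper lays out (the "On Network" answer, a skull-and-crossbones placed on one of your own floor maps, known internal and known external lists, one to four containing APs, and mandatory human approval before containment) written as a small Python decision helper. The MAC addresses and AP names are constructed placeholders; the inventories are assumed to come from your own records.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CONTAIN = "confirmed rogue: contain, then go and physically remove it"
    KNOWN_INTERNAL = "mark Known - Internal"
    KNOWN_EXTERNAL = "mark Known - External"
    ALERT = "leave at Alert; hunt it down with a handheld analyzer first"


@dataclass(frozen=True)
class PotentialRogue:
    mac: str              # radio MAC from the rogue's beacons
    ssid: str
    on_network: bool      # the "On Network" line of the rogue's WCS properties (RLDP result)
    located_inside: bool  # Map (High Resolution) places it on one of our own floor plans


# Constructed inventories (placeholders); real ones come from your own asset records.
KNOWN_INTERNAL = {"00:1a:2b:3c:4d:5e"}   # e.g. an autonomous AP for lobby guest access
KNOWN_NEIGHBORS = {"00:0c:41:aa:bb:cc"}  # a neighbouring company's legitimate AP


def triage(rogue: PotentialRogue) -> Action:
    """Apply the paper's rules in order; returns a recommendation, never acts on it."""
    mac = rogue.mac.lower()
    if mac in KNOWN_INTERNAL:
        return Action.KNOWN_INTERNAL
    if rogue.on_network:          # plugged into our wired network: a rogue whoever owns it
        return Action.CONTAIN
    if mac in KNOWN_NEIGHBORS:
        return Action.KNOWN_EXTERNAL
    if rogue.located_inside:      # not wired in, but clearly inside the building
        return Action.CONTAIN
    return Action.ALERT           # heard but unplaced: could be a neighbour, so no containment


def containment_plan(rogue: PotentialRogue, operator_confirmed: bool, containing_aps) -> dict:
    """Sanity-check a containment request before anyone clicks the button in WCS."""
    if triage(rogue) is not Action.CONTAIN:
        raise ValueError("only confirmed rogues may be contained")
    if not operator_confirmed:    # WCS requires human intervention; so does this helper
        raise PermissionError("containment requires explicit operator approval")
    aps = list(containing_aps)
    if not 1 <= len(aps) <= 4:
        raise ValueError("containment uses between one and four local mode APs")
    return {"rogue_mac": rogue.mac.lower(), "containing_aps": aps}
```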
About the Author

Bill Daniel is a former intelligence professional in the U.S. Army who spent thirteen years working with and managing the security of classified documents, and as he puts it, "InfoSec (information security) is in my blood". He is a former Microsoft Certified Trainer who spent five years teaching management, architecture and security of Windows-based networks before moving over to Cisco wireless training for GigaWave Technologies, the premier originator of Cisco's wireless training. When he's not busy teaching or writing he can often be found researching or playing with what he refers to as his "security tool chest" because, as he says, "You have to know how to break it if you want to know how to fix it."

Suggested Cisco Unified Wireless Courses and Technical Training

Cisco Wireless LAN Security (CWLS)
The Cisco Wireless LAN Security class is an advanced interactive seminar on how to secure a Cisco Wireless LAN. This is the most comprehensive seminar on Cisco Aironet wireless security advantages in the industry! Topics include: WLAN security standards, how to mitigate WLAN attacks, WLAN EAP types, and security configuration on both autonomous and lightweight access point architectures. Hands-on labs feature how to configure network and client equipment to provide maximum security, including how to "harden the access point" and build VLANs with different forms of authentication and encryption. Attendees will receive an introduction to Cisco ACS RADIUS attributes and actually configure Cisco ADU for PEAP, EAP-FAST, and TLS.

About GigaWave Technologies

GigaWave Technologies offers innovative wireless networking workshops for IT professionals who want to know how to design, install, secure or sell high performance Wireless Local Area Network (WLAN) and bridging technologies. As a leading provider of WLAN training, curriculum development and wireless services, GigaWave provides its trademark high-caliber, hands-on training techniques to progressive organizations across the globe. GigaWave specializes in wireless networking and has attained an unrivaled level of WLAN expertise. As an authorized Cisco Learning Partner, GigaWave Technologies develops and delivers the Cisco wireless networking classes. For the most current training schedule and to view full course descriptions, go to www.giga-wave.com, or call 210-375-0085. GigaWave is a division of TESSCO Technologies.

10521 Gulfdale
San Antonio, Texas 78216
210-375-0085 Phone
210-375-8382 Fax
info@giga-wave.com
www.giga-wave.com