ARUBA INSTANT ROGUE AP TROUBLESHOOTING


1 ARUBA INSTANT ROGUE AP TROUBLESHOOTING. Technical Climb Webinar, 10:00 GMT | 11:00 CET | 13:00 GST, Feb 28th, 2016. Presenter: Anshul Bharthan

2 INTRODUCTION TO WIDS/WIPS

3 Classification of APs
The Aruba system classifies APs on a number of factors. Classification is handled automatically, but it can be overridden by the administrator. The types are:
Valid AP: An Aruba IAP that is part of the cluster is marked as valid.
Rogue: An AP that is detected wirelessly and on the wired network.
Suspected rogue: An AP that has been detected wirelessly and has some indicators that lead the Instant APs to believe it may be attached to the network, but which, to avoid false positives, has not yet been marked as a rogue.
Interfering: An AP that has been detected wirelessly but has not been seen on the wired network. All APs begin with this setting.
Neighbor: An AP that an administrator has manually marked as belonging to a neighbor.

4 Different Modes of Access Points
The three main wireless security areas to keep in mind when evaluating a WIDS system are rogue detection, rogue containment and wireless intrusion detection needs. Wireless detection happens at the radio level and is then fed upstream. Aruba radios can be deployed in three different modes: AP mode, Air Monitor (AM) mode and Spectrum Monitor (SM) mode.

5 Different Modes of Access Points: AP MODE
AP mode radios focus on serving clients and pushing wireless traffic, but they also perform IDS detection, rogue detection and spectrum analysis. The AP performs off-channel scanning every 10 seconds for slightly less than 100 milliseconds. The AP uses a bucket-based algorithm for channel scanning. When the AP boots, all channels are divided into two buckets: regulatory channels and non-regulatory channels. A third bucket, active channels, is populated as the AP scans and detects channels with wireless traffic. APs can perform wireless containment, but they prioritize pushing client traffic over containment. This is a very important distinction and the reason why AMs are recommended if wireless containment is enabled. APs can also perform spectrum analysis on the channel where they are serving clients.

6 Different Modes of Access Points: AM MODE
AMs don't serve clients and are dedicated to wireless security. AMs typically do not need to be deployed at the same density as APs, since they do not serve clients. AMs use a channel scanning algorithm that is similar to an AP's but has an extra bucket for rare channels.
Rare channels: Channels that do not belong to any country's regulatory domain and fall into a frequency range outside of the regulatory domain; 2484 MHz and 4900MHz-4995MHz (J-channels), and Mhz. Rare channel scanning is done only in AM mode.
The AM will spend ~500 milliseconds on active channels, ~250 ms on channels in the AP's regulatory domain, ~200 ms on channels in any regulatory domain and ~100 ms on rare channels.
SPECTRUM MODE
SMs are designed for spectrum classification; an SM scans every channel within 1 second. It doesn't follow the bucketing system used by APs and AMs. SMs will not perform any wireless containment, since the time spent containing a rogue would impact the accuracy of the spectrum classifications.

7 ROGUE AP DETECTION

8 Rogue Detection Basics
In order to detect a rogue AP, the IAP cluster has to find all the foreign APs via the scanning algorithm. The list of all foreign APs seen by the cluster is shown by "show ap monitor ap-list". NOTE: This is an AP-specific command; it only shows the data of the single AP on which the command is run. Make sure that the radio is up and one SSID is configured so that the IAP starts scanning.
A foreign interfering AP becomes a rogue when it is diagnosed to be on the same wired network as the IAP. The IAP determines this by looking at its show ap monitor arp-cache and/or show ap monitor enet-wired-mac <IAP wired MAC>. This cache is built from ARP messages seen on the VLANs trunked to the IAP.
To successfully detect and contain rogues, it is recommended to extend the VLAN and add the required VLANs to the trunk to the IAP. Otherwise the IAP will not have visibility into the network where you want rogue detection to occur. If only one IAP is trunked to the VLAN, then only that IAP can detect a rogue on that VLAN, and the rogue AP must also be near that IAP for its BSSID to be detected. From a cluster design standpoint, the VLAN where rogue detection is needed must be trunked to all the IAPs in the cluster.

9 Rogue Detection Basics and Types
What does the IAP do in the background to detect a rogue? The IAP constantly builds and updates an internal table of MAC addresses by collecting all MAC addresses seen on its Ethernet interface. This table is called the Ethernet wired MAC table. The command to view this table is:
show ap monitor enet-wired-mac <Wired MAC of the IAP>
While the IAP is up, it also constantly monitors wireless frames sent by other APs. As soon as a new AP is detected (regardless of whether this AP is classified as Rogue / Valid / Interfering), the IAP internally creates a separate table for it. The command to view this table is:
show ap monitor ap-wired-mac <BssID of the Rogue AP>
There are a few match types on the basis of which the IAP detects a rogue: a) Eth-Wired-MAC, b) Eth-GW-Wired-Mac, c) System-Wired-Mac, d) System-Gateway-Mac.

10 Rogue AP Detection Sample Diagram

11 Rogue Detection Type
Here is an example explaining match type Eth-Wired-Mac. Two scenarios trigger a rogue detection based on Eth-Wired-Mac:
a) An Instant AP/AM detects that the same device MAC is contained both in its Ethernet wired MAC table and in one of its non-valid AP wired MAC tables.
b) When a non-valid AP is acting as a Layer 3 device (potentially with NAT service enabled), it sends frames that have srcmac=bssid but, more importantly, that have BSSID = Ethernet MAC of the AP +/- 1. In this case, the Aruba AP checks whether a source MAC that equals the BSSID +/- 1 can also be found in its Ethernet wired MAC table. If there is a match, rogue detection is triggered.
Aruba AP : IP address : , DG Eth MAC : 18:64:72:cd:76:96
MAS Switch: IP Address: VLAN /24, VLAN /24 VLAN Mac for 10,170-00:0b:86:95:81:37
Cisco AP: IP Address : , DG Eth MAC : a8:9d:21:e1:aa:e4 BSSID 1) 84:b8:02:c9:56:60 -G 2) 84:b8:02:c8:8e:a0 -A

12 Rogue Detection Type
This slide checks the case from the previous slide. When the IAP detected the foreign (interfering) AP, this is what it looked like:

13 Rogue Detection Type
As soon as a client connects (to the g radio in this case), the radio is marked as rogue. Similarly, the other radio is detected as rogue once a client connected to it starts passing traffic.

14 Rogue Detection Type
Earlier, we saw that the Match MAC is 84:b8:02:c9:56:60, the BSSID of the Cisco AP. The Cisco BSS MAC reaches the IAP as a source MAC from the wired side; the packet dump on the next slide shows this. The IAP also sees the same address as the source MAC of the wireless traffic, hence a table was created for that BSSID as well.

15 Rogue Detection Type
While the IAP is detecting an AP as rogue, the Cisco BSSID can be seen on the wired side of the IAP. To check whether the client data traffic is reaching the IAP, so that it can learn the MAC information, check whether the data pkt/bytes counters are incrementing.
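The two Eth-Wired-Mac scenarios from slide 11, written out as table correlation. This is an added example, not Aruba's code: the function and class names are hypothetical, offset 0 is treated as a match alongside +/- 1 because the lab above shows the BSSID itself arriving as a wired source MAC, and every MAC marked CONSTRUCTED is made up for the illustration.

```python
"""Eth-Wired-Mac correlation as described on slide 11 (added example)."""
from dataclasses import dataclass, field

MAC_MASK = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into a 48-bit integer."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    raw = f"{value & MAC_MASK:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


@dataclass
class ForeignAP:
    """One non-valid AP heard over the air, keyed by BSSID (hypothetical type)."""
    bssid: str
    # Wired-side MACs learned from this AP's wireless frames
    # (the per-BSSID table behind 'show ap monitor ap-wired-mac').
    ap_wired_macs: set = field(default_factory=set)
    classification: str = "interfering"  # every foreign AP starts here
    match_mac: str = ""


def eth_wired_mac_match(ap: ForeignAP, enet_wired_macs):
    """Return (scenario, matched MAC) for an Eth-Wired-Mac hit, else None.

    enet_wired_macs: MACs the monitoring AP collected on its own Ethernet
    port (the table behind 'show ap monitor enet-wired-mac').
    """
    wired = {mac_to_int(m) for m in enet_wired_macs}

    # Scenario (a): the same device MAC is in both tables.
    shared = wired & {mac_to_int(m) for m in ap.ap_wired_macs}
    if shared:
        return "a", int_to_mac(min(shared))

    # Scenario (b): layer-3/NAT AP. Its frames carry srcmac = BSSID and its
    # Ethernet MAC is BSSID +/- 1, so look for any of the three on the wire.
    bssid = mac_to_int(ap.bssid)
    for delta in (0, -1, 1):
        candidate = (bssid + delta) & MAC_MASK
        if candidate in wired:
            return "b", int_to_mac(candidate)
    return None


def classify(aps, enet_wired_macs):
    """Promote matching APs from interfering to rogue; return {bssid: class}."""
    for ap in aps:
        hit = eth_wired_mac_match(ap, enet_wired_macs)
        if hit:
            ap.classification, ap.match_mac = "rogue", hit[1]
    return {ap.bssid: ap.classification for ap in aps}


def demo():
    # Wired table: the switch VLAN MAC from the slide, plus the Cisco g-radio
    # BSSID, which reaches the wire as a source MAC once a client passes
    # traffic (slides 13-14). The last two entries are CONSTRUCTED.
    enet_wired = ["00:0b:86:95:81:37", "84:b8:02:c9:56:60",
                  "02:00:5e:10:20:2f", "02:00:5e:00:00:99"]
    aps = [
        ForeignAP("84:b8:02:c9:56:60"),   # Cisco g radio, client active
        ForeignAP("84:b8:02:c8:8e:a0"),   # Cisco a radio, no client yet
        ForeignAP("02:00:5e:10:20:30"),   # CONSTRUCTED NAT router, wired MAC = BSSID - 1
        ForeignAP("02:00:5e:aa:bb:01",    # CONSTRUCTED bridge-mode AP
                  ap_wired_macs={"02:00:5e:00:00:99"}),
    ]
    return classify(aps, enet_wired), {ap.bssid: ap.match_mac for ap in aps}


if __name__ == "__main__":
    print(demo())
```

The a radio stays interfering until its BSSID or a neighbouring address shows up in the wired table, which is the behaviour the slides describe before a client starts passing traffic.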

16 Rogue Detection Type
Here is another example, explaining match type Eth-GW-Wired-Mac. In this case the IAP detects the rogue by capturing the gateway MAC (of the rogue client) on both the wired and the wireless side. To check the wireless side, I did an over-the-air packet capture using a MacBook. On the wired side we can check either the ARP cache or the Ethernet wired MAC table to see the gateway MAC entry.

17 Rogue Detection Type

18 ROGUE CONTAINMENT

19 Types of Rogue Containment
There are two ways of containing a rogue:
Wired containment: When enabled, IAPs generate ARP packets on the wired network to contain wireless attacks using ARP poisoning of rogues.
Wireless containment: When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified access point. There are two containment mechanisms:
A) Deauthentication containment: The access point or client is contained by disrupting the client association on the wireless interface.
B) Tarpit containment: The access point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as the access point being contained or on a different channel.
Note: Containment does not require a dedicated AM; even an IAP in access mode can contain rogues (results can be delayed, so an AM is recommended for containment). For wireless containment using an access-mode IAP, the preferred method is tarpitting. Deauth works more effectively for AMs. Wired containment is also effective for wireless clients using ARP poisoning and works for both AMs and access-mode IAPs.

20 Wired Containment
When enabled, IAPs generate ARP packets on the wired network to contain wireless attacks using ARP poisoning of rogues. Here we can see that, since wired containment is enabled, the IAP keeps sending fake ARP requests and responses so that the device (a mobile in this case) cannot connect to the rogue AP. The IAP generates a fake BSSID (mostly starting with 02:xx) and sends ARP requests/responses on behalf of the device ( ). We can see lots of duplicate ARP packets in the capture shown on the next slide. arp -a on the Windows test client will show an incorrect MAC for the default gateway.

21 Wired Containment pcap

22 Wired Containment Types
CLI knobs:
(Aruba)# ids
(Aruba)# wired-containment
There are two additional knobs, present only in the CLI:
wired-containment-ap-adj-mac: The IAP can detect SOHO rogues, but it cannot start containing them with the wired-containment knob. To contain them it needs the CLI knob wired-containment-ap-adj-mac.
wired-containment-susp-l3-rogue: Wired containment works fine for a bridge-mode rogue AP. For a NAT router AP, however, the IAP cannot judge the relation between the Ethernet MAC and the wireless BSSID. If the gateway MAC of a wireless client is offset by one character from a rogue AP's wired MAC address, the rogue can be contained using the knob wired-containment-susp-l3-rogue.

23 Wireless Containment
When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified access point. There are two containment mechanisms:
a) Deauthentication: With deauthentication containment, the access point or client is contained by disrupting the client association on the wireless interface. The Aruba AP sends deauthentication packets to the AP and the client device. If the client tries to reconnect, the deauth is sent again, and this keeps repeating.
b) Tarpitting: With tarpit containment, the access point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as the access point being contained or on a different channel. When the client device attempts to reconnect to the network, the Aruba AP responds with a probe response that has some fake data in it, to induce the client device to connect to the Aruba AP rather than the rogue device.

24 Wireless Containment Types
When the deauthentication-only knob is enabled, spoofed deauth frames are sent by the AP/AM to the client with the rogue AP as the source. Similarly, spoofed deauth frames are sent by the AP/AM to the rogue AP with the client as the source.
CLI Commands:

25 Wireless Containment Types: Deauthentication-Only GUI:

26 Wireless Containment Types
TARPITTING: Detect the rogue and contain it using the tarpit. The client should first be deauthenticated, and the AP/AM should impersonate the rogue on a fake channel so that the client tries to connect back to the AP/AM. There are two options available:
a) tarpit-non-valid-sta: In this method, only non-authorized clients that attempt to associate with an AP are sent to the tarpit.
b) tarpit-all-sta: In this method, only non-authorized clients that attempt to associate with an AP are sent to the tarpit.

27 Wireless Containment Types

28 Manually Override IDS Classification
There may be instances where we need to manually override the IDS classification done by Aruba Instant. IDS reclassification is done using the ids-reclassify command. To use the command, we need to input values for phy-type and classification-type.
18:64:72:cd:76:96# ids-reclassify ap 84:b8:02:c9:56: >>>>>>>> 0 Valid, 2 g

29 Other CLI outputs
To check the status of clients connecting to the interfering/rogue APs:
To check the signal of a particular client:

30 Other CLI outputs
show ap monitor scan-info (to check the scanning status of the AP)

31 DETECTION AND PROTECTION

32 Detection and protection option
Infrastructure Intrusion Detection
Detect 802.11n 40MHz Intolerance Setting: When a client sets the HT capability intolerant bit to indicate that it is unable to participate in a 40MHz BSS, the AP must use lower data rates with all of its clients. Network administrators often want to know if there are devices that are advertising 40MHz intolerance, as this can impact the performance of the network.
Detect Active 802.11n Greenfield Mode: When devices use the HT operating mode, they cannot share the same channel as 802.11a/b/g stations. Not only can they not communicate with legacy devices, the way they use the transmission medium is different, which would cause collisions, errors, and retransmissions.
Detect AdHoc Networks: An ad-hoc network is a collection of wireless clients that form a network amongst themselves without the use of an AP. As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad-hoc networks.
Detect AdHoc Network Using Valid SSID: If an unauthorized ad-hoc network is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious ad-hoc network, security breaches or attacks can occur.
Detect AP Flood Attack: Fake AP is a tool that was originally created to thwart wardrivers by flooding beacon frames containing hundreds of different addresses. This would appear to a wardriver as though there were hundreds of APs in the area, thus concealing the real AP. An attacker can use this tool to flood an enterprise or public hotspots with fake AP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems.

33 Detection and protection option
Infrastructure Intrusion Detection
Detect AP Impersonation: In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack.
Detect AP Spoofing: An AP spoofing attack involves an intruder sending forged frames that are made to look like they are from a legitimate AP. It is trivial for an attacker to do this, since tools are readily available to inject wireless frames with any MAC address that the user desires. Spoofing frames from a legitimate AP is the foundation of many wireless attacks.
Detect Bad WEP: This is the detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP keys is to capture frames over an extended period of time and search for such weak implementations that are still used by many legacy devices.
Detect Beacon Wrong Channel: In this type of attack, an intruder spoofs a beacon packet on a channel that is different from that advertised in the beacon frame of the AP.
Detect Client Flood: There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large number of fake clients that fill internal tables with fake information. If successful, it overwhelms the wireless intrusion system, resulting in a DoS.

34 Detection and protection option
Infrastructure Intrusion Detection
Detect CTS Rate Anomaly: The RF medium can be reserved via Virtual Carrier Sensing using a Clear To Send (CTS) transaction. The transmitter station sends a Ready To Send (RTS) frame to the receiver station. The receiver station responds with a CTS frame. All other stations that receive these CTS frames will refrain from transmitting over the wireless medium for an amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.
Detect RTS Rate Anomaly: The RF medium can be reserved via Virtual Carrier Sensing using an RTS transaction. The transmitter station sends an RTS frame to the receiver station. The receiver station responds with a CTS frame. All other stations that receive these RTS frames will refrain from transmitting over the wireless medium for an amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.
Detect Device with a Bad MAC OUI: The first three bytes of a MAC address, known as the MAC organizationally unique identifier (OUI), are assigned by the IEEE to known manufacturers. Often, clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address.
Detect Invalid Address Combination: In this attack, an intruder can cause an AP to transmit deauthentication and disassociation frames to all of its clients. Triggers that can cause this condition include the use of a broadcast or multicast MAC address in the source address field.

35 Detection and protection option
Infrastructure Intrusion Detection
Detect Overflow EAPOL Key: Some wireless drivers used in access points do not correctly validate the EAPOL key fields. A malicious EAPOL Key packet with an invalid advertised length can trigger a DoS or possible code execution. This can only be achieved after a successful association exchange.
Detect Overflow IE: Some wireless drivers used in access points do not correctly parse the vendor-specific IE tags. A malicious association request sent to the AP containing an IE with an inappropriate length (too long) can cause a DoS and potentially lead to code execution. The association request must be sent after a successful authentication exchange.
Detect Malformed Frame Association Request: Some wireless drivers used in access points do not correctly parse the SSID information element tag contained in association request frames. A malicious association request with a null SSID (that is, zero length SSID) can trigger a DoS or potential code execution condition on the targeted device.
Detect Malformed Frame Auth: Malformed authentication frames that do not conform to the specification can expose vulnerabilities in some drivers that have not implemented proper error checking. This feature checks for unexpected values in an Authentication frame.
Detect Malformed Frame-HT IE: The IEEE 802.11n HT (High Throughput) IE is used to convey information about the 802.11n network. A management frame containing a malformed HT IE can crash some client implementations, potentially representing an exploitable condition when transmitted by a malicious attacker.

36 Detection and protection option
Infrastructure Intrusion Detection
Detect Malformed Frame Large Duration: The virtual carrier-sense attack is implemented by modifying the MAC layer implementation to allow random duration values to be sent periodically. This attack can be carried out on the ACK, data, RTS, and CTS frame types by using large duration values. This attack can prevent channel access to legitimate users.
Detect Misconfigured AP: A list of parameters can be configured to define the characteristics of a valid AP. This feature is primarily used when non-Aruba APs are used in the network, since the Aruba controller cannot configure the third-party APs. These parameters include WEP, WPA, OUI of valid MAC addresses, valid channels, and valid SSIDs.
Detect Windows Bridge: A Windows Bridge occurs when a client that is associated to an AP is also connected to the wired network, and has enabled bridging between these two interfaces.
Detect Wireless Bridge: Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs, in that they do not use beacons and have no concept of association. Most networks do not use bridges; in these networks, the presence of a bridge is a signal that a security problem exists.
Detect Broadcast Deauthentication: A deauthentication broadcast attempts to disconnect all stations in range. Rather than sending a spoofed deauth to a specific MAC address, this attack sends the frame to a broadcast address.

37 Detection and protection option
Infrastructure Intrusion Detection
Detect Broadcast Disassociation: By sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS.
Detect NetStumbler: NetStumbler is a popular wardriving application used to locate networks. When used with certain NICs, NetStumbler generates a characteristic frame that can be detected. Version of NetStumbler changed the characteristic frame slightly.
Detect Valid SSID Misuse: If an unauthorized AP (neighbor or interfering) is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious network, security breaches or attacks can occur.
Detect Wellenreiter: Wellenreiter is a passive wireless network discovery tool used to compile a list of APs in the vicinity along with their MAC address, SSID, channel, and security setting. It passively sniffs wireless traffic and, with certain versions (1.4, 1.5, and 1.6), sends active probes that target known default SSIDs.

38 Detection and protection option
Client Intrusion Detection
Detect Block ACK DoS: The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11nD3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame, causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.
Detect ChopChop Attack: ChopChop is a plaintext recovery attack against WEP encrypted networks. It works by forcing the plaintext, one byte at a time, by truncating a captured frame and then trying all 256 possible values for the last byte with a corrected CRC. The correct guess causes the AP to retransmit the frame. When that happens, the frame is truncated again.
Detect Disconnect Station Attack: A disconnect attack can be launched in many ways; the end result is that the client is effectively and repeatedly disconnected from the AP.
Detect EAP Rate Anomaly: To authenticate wireless clients, WLANs may use 802.1X, which is based on a framework called Extensible Authentication Protocol (EAP). After an EAP packet exchange in which the user is successfully authenticated, an EAP-Success is sent from the AP to the client. If the user fails to authenticate, an EAP-Failure is sent. In this attack, EAP-Failure or EAP-Success frames are spoofed from the access point to the client to disrupt the authentication state on the client. This confuses the client's state, causing it to drop the AP connection. By continuously sending EAP Success or Failure messages, an attacker can effectively prevent the client from authenticating with the APs in the WLAN.

39 Detection and protection option
Client Intrusion Detection
Detect FATA-Jack Attack structure: FATA-Jack is a client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number.
Detect Hotspotter Attack: The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise employees use their laptops in Wi-Fi hotspots at airports, cafes, malls etc. They have the SSIDs of their hotspot service providers configured on their laptops. The SSIDs used by different hotspot service providers are well known. This enables attackers to set up APs with hotspot SSIDs in close proximity to the enterprise premises. When the enterprise laptop client probes for hotspot SSIDs, these malicious APs respond and invite the client to connect to them. When the client connects to a malicious AP, a number of security attacks can be launched on the client. Airsnarf is a popular hacking tool used to launch these attacks.
Detect a Meiners Power Save DoS Attack: To save on power, wireless clients will "sleep" periodically, during which they cannot transmit or receive. A client indicates its intention to sleep by sending frames to the AP with the Power Management bit ON. The AP then begins buffering traffic bound for that client until it indicates that it is awake. An intruder could exploit this mechanism by sending (spoofed) frames to the AP on behalf of the client to trick the AP into believing the client is asleep. This will cause the AP to buffer most, if not all, frames destined for the client.
Detect Omerta Attack: Omerta is a DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01. This reason code is unspecified and is not used under normal circumstances.
Detect Rate Anomalies: Many DoS attacks flood an AP or multiple APs with management frames. These can include authenticate/associate frames, which are designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP.

40 Detection and protection option
Infrastructure Intrusion Detection
Detect TKIP Replay Attack: TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all WPA-TKIP usage. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and checksum to derive the plaintext at a rate of one byte per minute. By targeting an ARP frame and guessing the known payload, an attacker can extract the complete plaintext and MIC checksum. With the extracted MIC checksum, an attacker can reverse the MIC AP to Station key and sign future messages as MIC compliant, opening the door for more advanced attacks.
Detect Unencrypted Valid Clients: An authorized (valid) client that is passing traffic in unencrypted mode is a security risk. An intruder can sniff unencrypted traffic (also known as packet capture) with software tools known as sniffers. These packets are then reassembled to produce the original message.
Detect Valid Client Misassociation: This feature does not detect attacks, but rather it monitors authorized (valid) wireless clients and their association within the network. Valid client misassociation is potentially dangerous to network security. The four types of misassociation that we monitor are:
1) Authorized Client associated to Rogue: A valid client that is associated to a rogue AP.
2) Authorized Client associated to External AP: An external AP, in this context, is any AP that is not valid and not a rogue.
3) Authorized Client associated to Honeypot AP: A honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected.
4) Authorized Client in ad hoc connection mode: A valid client that has joined an ad hoc network.
Detect AirJack: AirJack is a suite of device drivers for 802.11 (a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all applications that need to access the raw protocol. However, one of the tools included allows users to force all users off an AP.
Detect ASLEAP: ASLEAP is a tool created for Linux systems used to attack the Cisco LEAP authentication protocol.
Detect Null Probe Response: A null probe response attack has the potential to crash or lock up the firmware of many NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. A number of popular NIC cards will lock up upon receiving such a probe response.
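Several of the detections on slides 34 to 40 are defined by a single field of an 802.11 management frame, so they can be checked directly against captured frames. The following is an added example, not Aruba's detection code: the signature labels and function names are hypothetical, the input is assumed to start at the 802.11 MAC header (no radiotap header, no FCS), and every sample frame and address is constructed.

```python
"""Frame-level checks for signatures the slides describe (added example)."""
import struct

BROADCAST = b"\xff" * 6
MGMT = 0                                   # 802.11 frame type: management
ASSOC_REQ, PROBE_RESP, DISASSOC, DEAUTH = 0, 5, 10, 12   # management subtypes
# Fixed body fields that precede the information elements (IEs), in bytes:
# association request = capability + listen interval;
# probe response = timestamp + beacon interval + capability.
FIXED_LEN = {ASSOC_REQ: 4, PROBE_RESP: 12}


def find_ssid(ies: bytes):
    """Walk the IE list (id, length, value); return the SSID bytes or None."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        value = ies[pos + 2:pos + 2 + length]
        if len(value) < length:            # IE runs past the end of the frame
            return None
        if eid == 0:                       # element ID 0 = SSID
            return value
        pos += 2 + length
    return None


def inspect(frame: bytes) -> list:
    """Return the labels of the slide signatures that a raw frame matches."""
    if len(frame) < 24:                    # shorter than a management header
        return []
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT:
        return []
    dst, src, body = frame[4:10], frame[10:16], frame[24:]
    alerts = []

    # Invalid address combination: broadcast/multicast (group bit set)
    # address in the source address field.
    if src[0] & 0x01:
        alerts.append("invalid-address-combination")

    if subtype in (DEAUTH, DISASSOC):
        if dst == BROADCAST:
            alerts.append("broadcast-deauthentication" if subtype == DEAUTH
                          else "broadcast-disassociation")
        # Omerta: disassociation frames carrying reason code 0x01.
        if subtype == DISASSOC and len(body) >= 2:
            (reason,) = struct.unpack_from("<H", body, 0)
            if reason == 0x01:
                alerts.append("omerta")
    elif subtype in FIXED_LEN:
        # Zero-length SSID: null probe response / malformed association request.
        if find_ssid(body[FIXED_LEN[subtype]:]) == b"":
            alerts.append("null-probe-response" if subtype == PROBE_RESP
                          else "malformed-association-request")
    return alerts


def build(subtype, dst, src, bssid, body=b""):
    """Assemble a management frame (header + body) for the samples below."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    header = struct.pack("<HH", (subtype << 4) | (MGMT << 2), 0)
    return header + mac(dst) + mac(src) + mac(bssid) + struct.pack("<H", 0) + body


def run_samples():
    # All addresses and frames here are CONSTRUCTED for the example.
    ap, sta, bc = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"

    def reason(code):
        return struct.pack("<H", code)

    rates = b"\x01\x04\x82\x84\x8b\x96"    # supported-rates IE after the SSID
    samples = {
        "broadcast_deauth": build(DEAUTH, bc, ap, ap, reason(7)),
        "unicast_deauth": build(DEAUTH, sta, ap, ap, reason(3)),
        "omerta": build(DISASSOC, sta, ap, ap, reason(1)),
        "broadcast_disassoc": build(DISASSOC, bc, ap, ap, reason(8)),
        "null_probe_resp": build(PROBE_RESP, sta, ap, ap, bytes(12) + b"\x00\x00" + rates),
        "normal_probe_resp": build(PROBE_RESP, sta, ap, ap, bytes(12) + b"\x00\x04corp" + rates),
        "null_ssid_assoc": build(ASSOC_REQ, ap, sta, ap, bytes(4) + b"\x00\x00" + rates),
        "bcast_source": build(DEAUTH, sta, bc, ap, reason(7)),
    }
    return {name: inspect(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(f"{name:20} {alerts}")
```

The rate-based detections on these slides (RTS/CTS, EAP and management-frame floods) need per-source counters over time and are not modelled here.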

41 Infrastructure Protection
Protecting 40MHz 802.11 High Throughput Devices: Protection from AP(s) that support 40MHz HT involves containing the AP such that clients cannot connect.
Protecting 802.11n High Throughput Devices: Protection from AP(s) that support HT involves containing the AP such that clients cannot connect.
Protecting Against AdHoc Networks: Protection from an ad-hoc network involves containing the ad-hoc network so that clients cannot connect to it. The basic ad-hoc protection feature protects against ad-hoc networks using WPA/WPA2 security. The enhanced ad-hoc network protection feature protects against open/WEP ad-hoc networks. Both features can be used together for maximum protection, or enabled or disabled separately.
Protection Against AP Impersonation: Protection from AP impersonation involves containing both the legitimate and the impersonating AP so that clients cannot connect to either AP.
Protection Against Misconfigured APs: Protect Misconfigured AP enforces that valid APs are configured properly. An offending AP is contained by preventing clients from associating to it.

42 Infrastructure Protection
Protection Against Wireless Hosted Networks: Clients using the Windows wireless hosted network feature can act as an access point to which other wireless clients can connect, effectively becoming a Wi-Fi hotspot. This creates a security issue for enterprises, because unauthorized users can use a hosted network to gain access to the corporate network, and valid users that connect to a hosted network are vulnerable to attacks or security breaches. This feature detects a wireless hosted network and contains the client hosting this network.
Protecting SSIDs: Protect SSID enforces that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it.
Protection Against Rogue Containment: By default, rogue APs are not automatically disabled. Rogue containment automatically disables a rogue AP by preventing clients from associating to it.
Protecting Against Suspected Rogue Containment: By default, suspected rogue APs are not automatically contained. In combination with the suspected rogue containment confidence level, suspected rogue containment automatically disables a suspected rogue by preventing clients from associating to it.
Protection Against Wired Rogue APs: This feature enables containment from the wired side of the network. The basic wired containment feature in the IDS general profile isolates layer-3 APs whose wired interface MAC addresses are the same as (or one character off from) their BSSIDs. The enhanced wired containment feature can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID. In many non-Aruba APs, the MAC address the AP provides to wireless clients as a gateway MAC is offset by one character from its wired MAC address. This enhanced feature checks whether a suspected Layer-3 rogue AP's MAC address follows this common pattern.

43 Client Intrusion Protection

Protecting Valid Stations: Protecting a valid client involves disconnecting that client if it is associated to a non-valid AP.

Protecting Windows Bridge: Protecting from a Windows Bridge involves containing the client that is forming the bridge so that it can not connect to the AP.

44 THANK YOU!

45 EMEA Atmosphere 2017

Date: May 8-11, 2017
Location: Disneyland, Paris, France

WHAT'S NEW IN 2017

Vertical Demos: Retail, Healthcare, Hospitality, Education, Large Public Venue
Hands on Labs: Airheads will get the chance to work on live lab use cases with our technical teams.
Intelligent Spaces Room: The latest in connected digital workplace solutions.
Appreciation Party: It's a secret!!
Technical Training: Mobility Fundamentals 8.0, Instant AP + Central, ClearPass Level 1, Meridian Fundamentals, AirWave Fundamentals, Aruba Switching Fundamentals for Mobility
Atmosphere: ACDX/MX/CX Exam


Configuring OfficeExtend Access Points

Configuring OfficeExtend Access Points Information About OfficeExtend Access Points, page 1 OEAP 600 Series Access Points, page 2 OEAP in Local Mode, page 3 Supported WLAN Settings for 600 Series OfficeExtend Access Point, page 3 WLAN Security

More information

Security Setup CHAPTER

Security Setup CHAPTER CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP

More information