ManageEngine™ WiFi Manager 5


Chapter 4.2 - Security Management

 

Security Management



Overview

 

While a wireless LAN is a sure way to improve data connectivity in existing premises without footing the bill for structured cabling to every desk, it raises certain issues. The first and foremost issue administrators face in a WLAN is security. The degree of susceptibility to risk is greater in wireless network deployments because the medium of transmission is air. The very airborne nature of WLANs opens them to intruders and hackers. So, continuous monitoring of the wireless LAN and enforcement of wireless LAN security policies are of prime importance. WiFi Manager, with dedicated RF Sensors and a web-based GUI, makes the entire process of wireless LAN monitoring and security a lot simpler.

 

Rogue Access Point Detection


Rogue Access Point detection is a two-step process: first discovering the presence of an Access Point in the network, then identifying whether it is a rogue or not.


Step 1: Discovering the AP

WiFi Manager uses the following techniques for AP discovery:

  • RF scanning: WiFi Manager uses the RF Sensors and scans the RF spectrum for 802.11 packets. These Sensors quickly detect any wireless device operating in the area and can help WiFi Manager alert the WLAN administrator about that device.

  • AP Scanning: A few Access Point vendors provide the functionality of detecting neighboring Access Points. If such Access Points are deployed in the WLAN, they automatically discover APs operating in the nearby area and expose the data through their management interface. WiFi Manager makes use of this functionality to discover the wireless devices.

  • Wired Side Inputs: WiFi Manager uses multiple protocols to detect devices connected in the LAN, including SNMP, Telnet, CDP (Cisco Discovery Protocol – specific to Cisco devices) etc. Using this wired-side scanning, WiFi Manager can detect an AP anywhere in the LAN irrespective of its physical location.

 

Step 2: Identifying whether the discovered AP is a rogue access point or not

Once an AP is discovered, the next step is to identify whether it is a rogue access point or not. One way to do this is to use a pre-configured authorized list of APs. Any newly detected AP that falls outside the authorized list is tagged as rogue. Some of the ways in which IT managers can populate the authorized list are:


  • Authorized MAC: IT administrators can import ACL settings to WiFi Manager or type in the MAC addresses of authorized Access Points in the network. This enables WiFi Manager to alert WLAN administrators whenever an AP with a different MAC is detected.

  • Authorized SSIDs: Enterprises would in most cases standardize on the authorized SSIDs that need to be used. These SSIDs can be fed to WiFi Manager so that it alerts WLAN administrators whenever an AP with a different SSID is detected.

  • Authorized Vendor: Many enterprises standardize their WLAN gear and prefer to add only those vendors' devices as they grow. This enables WiFi Manager to alert WLAN administrators whenever an AP from a vendor other than the one standardized is detected.

  • Authorized Radio Media Type: Enterprises sometimes standardize on 802.11 a, b, g, or bg Access Points. This enables WiFi Manager to alert WLAN administrators whenever an AP with a different radio media type is detected.

  • Authorized Channel: Sometimes enterprises may want their APs to operate on select channels. This enables WiFi Manager to alert WLAN administrators whenever an AP operating on a different channel is detected.

All the above specified "Rogue Detection" criteria can be configured from the Admin tab in WiFi Manager Client.
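The Step 2 check can be sketched as a small classifier that evaluates each discovered AP against the five authorized-list criteria and reports which ones it fails. This is an added example, not WiFi Manager's own code; the `AP` record, the `POLICY` layout, the function names and all sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AP:
    mac: str      # BSSID reported by RF, AP or wired-side discovery
    ssid: str
    vendor: str
    media: str    # 802.11 type: "a", "b", "g" or "bg"
    channel: int

# Hypothetical authorized list; an empty set disables that criterion.
POLICY = {
    "mac": {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"},
    "ssid": {"corp-wlan"},
    "vendor": {"ExampleVendor"},
    "media": {"g", "bg"},
    "channel": {1, 6, 11},
}

def normalize_mac(mac: str) -> str:
    """Canonicalize separators and case so 00-11-22-aa-bb-01 matches the list."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def violations(ap: AP, policy: dict) -> list:
    """Return the criteria the AP fails, in policy order; empty means authorized."""
    observed = {
        "mac": normalize_mac(ap.mac),
        "ssid": ap.ssid,              # SSIDs are case-sensitive: exact match
        "vendor": ap.vendor,
        "media": ap.media.lower(),
        "channel": ap.channel,
    }
    return [n for n, ok in policy.items() if ok and observed[n] not in ok]

def classify(aps, policy: dict) -> dict:
    """Map each rogue AP's normalized MAC to the criteria it violated."""
    checked = ((normalize_mac(ap.mac), violations(ap, policy)) for ap in aps)
    return {mac: failed for mac, failed in checked if failed}

# Constructed discovery results, not output from WiFi Manager.
DISCOVERED = [
    AP("00-11-22-aa-bb-01", "corp-wlan", "ExampleVendor", "g", 6),
    AP("00:11:22:AA:BB:02", "linksys", "ExampleVendor", "bg", 3),
    AP("DE:AD:BE:EF:00:01", "corp-wlan", "OtherVendor", "a", 36),
]
```

In the constructed sample, the third AP advertises the authorized SSID and would pass an SSID-only list; it is flagged only because the MAC, vendor, media type and channel criteria are also enforced.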

 

Rogue Access Point Blocking


Once a rogue AP is discovered, the next immediate step is to block the AP from the network so that authorized clients do not associate with it. WiFi Manager helps identify and block the switch and port to which the rogue Access Point is connected, thereby knocking the Access Point out of the WLAN. The option to block the Access Point is available in the details page of the discovered rogue device.

 

 

User Monitoring and Blacklisting

 

Network administrators should have complete visibility and control over the users of their wireless network. They should be able to monitor bandwidth usage, association patterns, roaming history and other important details of the users. They should also be able to identify unauthorized usage, blacklist those users, and deny them access to the WLAN with ease. WiFi Manager helps WLAN administrators achieve this. It identifies the users of the WLAN, exposes all the important information about these users, identifies the rogue users and helps block WLAN access for those users by updating the access control list on the Access Points.

 

 

 

Identifying the vulnerabilities in WLAN


WiFi Manager uses RF sensors to detect almost all known wireless LAN vulnerabilities before they become pathways for attacks. The following is the list of vulnerabilities that WiFi Manager can detect.


  • Default SSID in use
  • AP Broadcasting SSID
  • AP with WEP disabled
  • Weak WEP IV used
  • Adhoc network operating
  • Authorized Client Connected to Rogue AP
  • AP using hotspot SSID
  • NetBIOS Traffic Detected
  • EAP disabled

Identify adhoc networks, misconfigured APs and enforce security policies


Over and above the problem of rogue APs, wireless also introduces enterprises to a host of other challenges: adhoc networks, misconfigured APs, accidental associations with neighboring APs, and so on. WiFi Manager helps identify such issues and address them. It helps enforce uniform security and configuration policies across the enterprise WLAN.

  • Adhoc Networks: Using WiFi, two or more mobile clients can establish a network among themselves and start sharing data. It is very easy to establish such networks and no special infrastructure is required. These adhoc networks generally don't mandate any authentication or encryption and as such are very insecure. Hackers can easily exploit this vulnerability and take away the data they want. WiFi Manager can identify such adhoc networks operating in the LAN and can warn the WLAN administrators of the same by raising alarms of various severities.
  • Misconfigured APs: Another serious problem for enterprises is that of misconfigured APs. Access Points, if not configured properly, can make the wireless LAN vulnerable to attacks and can expose vital information. WiFi Manager can help WLAN administrators identify such misconfigured APs by raising alarms and can also help configure them.
  • Neighbouring Access Points: It is also important to identify the APs that are not part of the enterprise WLAN but are beaming signals into the campus. Such neighbouring APs have to be tracked continuously, and accidental associations of enterprise users with such APs have to be prevented. WiFi Manager helps keep track of such neighbouring APs and can warn the WLAN administrators, by raising appropriate alarms, if enterprise users associate with such APs.

 

WLAN Attack Detection and Mitigation


Wireless LANs are easy targets for a host of attacks. With a WiFi-enabled laptop and a handful of open source tools, it is easy to launch a long list of attacks on any WLAN. WiFi Manager uses RF sensors to detect almost all known wireless LAN attacks and alerts you before the attack takes effect. The following is the list of attacks that WiFi Manager can detect.

  • Duration Attack
  • Association Flood Attack
  • Disassociation Flood Attack
  • Authentication Failure Attack
  • Authentication Flood Attack
  • Deauthentication Flood Attack
  • RF Jamming Attack
  • EAPOL-Start Attack
  • EAPOL-Logoff Attack
  • Disassociation Broadcast Attack
  • Deauthentication Broadcast Attack
  • Access Point Overloaded
  • Improper Broadcast Packet Attack

 

Configure VLANs and access policies

 

Ensuring that the users of the enterprise LAN get access only to what they are supposed to access is very important. Defining appropriate SSIDs, mapping them to the existing VLANs and defining different authentication and encryption policies for those SSIDs, based on the importance of the data that will be accessed through them, is critical to the successful implementation of WLANs. WiFi Manager helps define such security configurations and also helps enforce them across hundreds or thousands of Access Points deployed across the enterprise WLAN.

 

 
