AirWave 8.0 and RAPIDS User Guide

Aruba Networks

Copyright
Copyright 2014 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow., RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source

Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty
This hardware product is protected by an Aruba warranty. For details, see the Aruba Networks standard warranty terms and conditions.

May 2014 | 0511175-05

Contents
Chapter 1 Overview ... 5
Chapter 2 Determining Your Security Needs ... 7
  Common Security Threat Red Flags ... 7
    Wired and Wireless ... 7
    Wireless Above > -75 Signal ... 7
    Wireless With a Managed SSID ... 7
    Wireless With More Than Three Detecting APs ... 7
Chapter 3 Recommended Setup Options for RAPIDS ... 9
  Wired to Wireless MAC Address Correlation (0-8 bits) ... 9
  Wireless to Wireless BSSID Correlation (0-8 bits) ... 9
  Delete Rogues not Detected for (0-14) Days ... 9
  Automatically Perform an OS Scan (Rogue Devices) ... 9
  Filter Rogues Discovered by Remote APs ... 9
  Wired to Wireless Time Correlation Window ... 10
  Triggers ... 10
Chapter 4 Configuring Rogue Scans ... 13
  Wireless Scans ... 13
    Enterprise AP Scans ... 13
    AMC Scans ... 13
  Wired Scans ... 13
    Fingerprint Scans ... 13
    Polling Routers and Switches ... 13
Chapter 5 Rules Recommendations ... 15
  Rule Guidelines ... 15
    Order is Important ... 15
    Name the Rules Intuitively ... 15
    Configuring Neighbor and Valid Rules ... 15
    Protect Your SSID ... 16
Chapter 6 Recommended Rogue Response Workflow ... 17
  Common Rogue Response Scenarios ... 17
    Rogue Connected to Wire ... 17
    Rogues Detected Wirelessly ... 17
    Using VisualRF to Detect a Wireless Rogue ... 17
    Ad Hoc Rogues ... 18

Chapter 1 Overview

This document provides best practices for leveraging the Rogue Access Point Detection (RAPIDS) module of the AirWave Wireless Management Suite (AWMS) to secure your network. RAPIDS is designed to identify and locate wireless threats by leveraging all of the information available from the infrastructure (see Figure 1). RAPIDS takes the information it collects and feeds it through a customizable set of classification rules, isolating the threat devices based on your security concerns. RAPIDS can be configured to alert administrators via email, SNMP traps, or syslog messages after a threat is identified.

Figure 1: RAPIDS Overview
1. Leverage existing infrastructure (Data Sources): Router/Switch Polling; SNMP/HTTP Fingerprint Scans; Enterprise APs; Enterprise Controllers; Laptop Client Utility (XML)
2. Classify devices based on your policies (Customizable Rules): Correlate Wired/Wireless; Reduce false positives; Protect your SSID; Programmatically filter neighbors
3. Alerts & Reports: Alerts (Email, SNMP, Syslog); Reports (By Network, By Region, Schedulable, Email)

Chapter 2 Determining Your Security Needs

The first step to securing your network is determining what constitutes a security threat worth investigating. Every company and organization has a different set of security needs. There are a number of factors to consider when determining a security risk. Some of the most common factors are:

- Compliance requirements (PCI, HIPAA, SOX, etc.)
- Deployed environments
- Cost of removing threats

The next step is to determine what the appropriate response to detected threats is:

- How quickly should the rogue device be removed from the network?
- Should the user who placed the rogue be educated about the dangers of rogue devices?
- Should the device be confiscated?
- How does your organization feel about wireless containment?
- How long should rogue discovery information be stored?

Many organizations believe wireless containment constitutes a breach of FCC regulations and is illegal, while others feel that it is within their rights to contain any wireless network within their facility. Please consult with your legal department to determine your enterprise's guidelines.

Common Security Threat Red Flags

Wired and Wireless
Any unmanaged device plugged into the wired network and broadcasting a signal is worth investigating. Investigating such a device is a good solution for dense environments like cities or large office buildings.

Wireless Above > -75 Signal
Any device broadcasting with a signal quality that is sufficiently strong will be investigated. A strong signal often indicates that a device is inside your organization's walls. Investigating devices that are broadcasting at a signal strength of > -80 signal can be beneficial for campuses that are fairly remote and will not see a lot of legitimate neighbor devices.

Wireless With a Managed SSID
Enterprise SSIDs are typically managed by your IT department. No unauthorized access points should be using those SSIDs. AirWave strongly recommends that any device using enterprise SSIDs should be classified as a rogue and investigated immediately. Attackers will often deploy Honey Pot APs using managed SSIDs in an attempt to lure valid clients to associate with them and attempt to login. It is very easy for well-meaning users to accidentally attempt to login to the foreign system using their corporate credentials. Once the attacker has those credentials, they can easily access the wireless network.

Wireless With More Than Three Detecting APs
The number of detecting APs is another method for determining if a rogue is inside your premises. If only a few APs detect the device, it is very likely outside of the network and is a neighboring AP. If it is heard by a large number of APs, there is a much higher chance that the device is inside the building. Counting the detecting APs is a good method to use for campuses with single tenants. Shared office buildings might have neighbor APs on the floors above or below them that will be detected by a number of core APs.

Chapter 3 Recommended Setup Options for RAPIDS

RAPIDS has a number of configurable options. The sections below outline a number of the recommended settings that will help you get the most out of RAPIDS. The recommended settings are general and might not apply to all customers.

- Wired to Wireless MAC Address Correlation (0-8 bits) on page 9
- Wireless to Wireless BSSID Correlation (0-8 bits) on page 9
- Delete Rogues not Detected for (0-14) Days on page 9
- Automatically Perform an OS Scan (Rogue Devices) on page 9
- Filter Rogues Discovered by Remote APs on page 9
- Wired to Wireless Time Correlation Window on page 10
- Triggers on page 10

Wired to Wireless MAC Address Correlation (0-8 bits)
The Rogue MAC Address Correlation setting is used to correlate wireless discovery events with wired MAC addresses. The recommended setting is eight bits. If the two addresses are within the bit mask, they will be combined into one device record in RAPIDS. A setting of eight bits will match addresses that have the same first eight characters (00:11:22:33:44:XX). Four bits will match addresses that have the same first nine characters. Newer SOHO device LAN MAC addresses tend to be fairly far from the radio addresses; a setting of eight will combine more devices. The higher you set this value, the more likely you will see an incorrect correlation.

Wireless to Wireless BSSID Correlation (0-8 bits)
The wireless BSSID correlation setting is used to correlate BSSIDs from a single physical radio into one record. The recommended setting is four bits. Generally, BSSIDs increment by one on a radio and will be very close together. Because of this, we recommend four instead of eight as the setting for wireless to wireless correlation.

Delete Rogues not Detected for (0-14) Days
If a rogue device has not been detected for the specified number of days, it is likely that the device is gone. The recommended setting is 14 days. Removing it from RAPIDS automatically will decrease the number of devices requiring investigation and tracking. If a device is detected again, it will be recreated and any alerts that have been defined will fire again.

Automatically Perform an OS Scan (Rogue Devices)
The recommended setting is Yes. When enabled, RAPIDS will automatically perform an OS scan of devices with an IP address. The scans take approximately one minute per IP address. Do not enable this option if your wired security team has concerns about running port scans on clients.

Filter Rogues Discovered by Remote APs
This is an Aruba-specific feature designed to ignore devices heard by Remote APs. Remote APs are often installed at the home of an employee. The recommended setting is Yes. The corporate security team has no ability to make any changes to neighboring devices, and there are no corporate wired ports that need to be monitored.

Wired to Wireless Time Correlation Window
Use this option to specify a time frame for wired and wireless correlation. The recommended setting is 240 minutes. RAPIDS discovery events detected wirelessly and on a LAN will only match if the wireless and LAN discovery events occur during this time frame. We recommend that this value match the polling period for bridge forwarding, which is four hours by default. With this configuration, any rogues seen on the wired and wireless network will be classified as such if the discovery event is within four hours. Users who are concerned about events where a rogue is on both the wired and wireless network might consider increasing this value. Increasing this value might yield more classifications of wired/wireless correlation than expected. Similarly, some users might consider setting this value to match the Rogue AP Polling interval, which is 30 minutes by default.

Triggers
Triggers are an important and often overlooked part of RAPIDS. Detecting rogue devices does not mean much if the security team is not notified about them. Triggers are defined on the System > Triggers page (see Figure 2). Add a Rogue Device Classified trigger type to ensure that you are notified of any rogues detected by the system. Multiple Rogue Device Classified types can be defined on one server based on the configuration of classification and threat level options. The trigger will only send an alert after a rogue device meets the conditions. The alert will not continuously sound every time the rogue device is detected. AirWave recommends emailing the appropriate individuals when any rogue devices are classified so that the appropriate action can be taken. Triggers must be enabled to meet PCI compliance requirements.

Figure 2: System > Triggers > Add page (form fields recovered from the screenshot)
Trigger Type: Rogue Device Classified
Severity: Normal
Conditions: Matching conditions: All (available conditions: Classification, Device Confidence, Threat Level, Type); Condition: Classification is Rogue; Threat Level: >
Trigger Restrictions: Folder: Office; Include Subfolders: Yes; Group: All Groups
Alert Notifications: Notes
Additional Notification Options: Email, NMS
Sender Address: RAPIDS@company.com
Recipient Email Addresses: security@company.com (enter multiple email addresses of the form user@domain, separated by spaces, commas, or semicolons)
Logged Alert Visibility: By Role

Chapter 4 Configuring Rogue Scans

RAPIDS has four main detection mechanisms:

- Wireless: Enterprise AP scans; AMC scans
- Wired: HTTP/SNMP fingerprint scans; Router/switch scans

Wireless Scans

Enterprise AP Scans
The first step to getting wireless discovery information is adding your supported controllers and APs into AWMS. AWMS will automatically start polling the controllers and APs via SNMP for rogue discovery information once they are monitored. The rogue data polling interval is configured on the Groups > Basic page under the SNMP Polling Periods. Most enterprise APs support wireless scanning, but IOS APs are one notable exception. IOS APs use a proprietary protocol to transfer the rogue discovery information. AWMS can be configured to poll Wireless LAN Solution Engine (WLSE) servers for rogue discovery. See the AirWave User Guide for WLSE polling setup instructions.

AMC Scans
The AirWave Management Client (AMC) provides another option for customers with APs that do not report wireless discovery data or do not have full AP coverage. The AMC is a client application that runs in Windows XP. It passively listens for beaconing APs and reports them back to the RAPIDS engine via an XML interface.

Wired Scans

Fingerprint Scans
This section explains HTTP scans, SNMP scans, and HTTP/SNMP fingerprint scans. The Device Setup > Discover page defines the network scans that are run. AirWave recommends running daily device discovery scans on any networks likely to have APs or rogues. The scans look at the credential challenges and rejections from the device to determine the model. The HTTP rogue scans should not have the correct rogue credentials. The HTTP scan requires that the rogue have an HTTP interface available on the scanned IP address. Similarly, the SNMP scan requires an SNMP interface on the scanned IP address. HTTP/SNMP fingerprint scans provide another valuable data point to RAPIDS. There are a number of ways a hacker can circumvent these scans, but what is found is certainly a rogue worth investigating.

Polling Routers and Switches
Configuring router/switch polling is achieved by adding routers and switches to groups as monitored devices. The group has configurable wired polling periods on the Groups > Basic page (see Figure 3).

Figure 3: Routers and Switches (polling settings recovered from the screenshot)
Read ARP Table: 4 hours
Read CDP Table for Device Discovery: 4 hours
Read Bridge Forwarding Table: 4 hours
Interface Up/Down Polling Period: 5 minutes
Interface Bandwidth Polling Period: 15 minutes
Interface Error Counter Polling Period: 30 minutes
Poll 802.3 error counters: Yes/No
Poll Cisco interface error counters: Yes/No
Use Q-Bridge Forwarding Table For Generic Switches: Yes/No

RAPIDS uses the Read ARP Table and the Read Bridge Forwarding Table. Depending on the data returned by the routers or switch, RAPIDS can gather IP addresses, LAN MAC addresses, OUI scores, LAN vendor, and switch ports. After RAPIDS has an IP address for a device, it can perform an operating system scan and discover the likeliest operating system of a device. Operating system scans can be run on demand from the RAPIDS > Rogue APs page using Modify Devices, or on the Rogue detail page.

Chapter 5 Rules Recommendations

The specific rules that will work best in your environment will be heavily based on your security requirements, but there are some general best practices to keep in mind.

Figure 4: RAPIDS > Rules (rule list recovered from the screenshot)
Rule name | Classification | Threat Level | Enabled
fw wire | Neighbor | 5 | Yes
Aruba Lab APs running encryption | Valid | 5 | Yes
Detected Wirelessly and on LAN | Rogue | 7 | Yes
Rogue Classified by AOS | Rogue | 8 | Yes
Signal Strength > -80dBm | Suspected Neighbor | 5 | Yes
Operating System Matches | Suspected Valid | 5 | Yes
Signal strength > -35dBm and heard by more than 8 AP | Suspected Rogue | 5 | Yes
MeshOS APs with Encryption are valid | Valid | 5 | Yes
Fingerprint scan | Rogue | 5 | Yes
EBCAPs | Valid | 5 | Yes
detected wirelessly | Suspected Neighbor | 5 | Yes
TestMAC | Rogue | 3 | Yes
EricTest | Suspected Rogue | 5 | Yes

Rule Guidelines

This section contains the following topics:

- Order is Important on page 15
- Name the Rules Intuitively on page 15
- Configuring Neighbor and Valid Rules on page 15
- Protect Your SSID on page 16

Order is Important
Adding rules in the correct sequence is important because rules are implemented from the top of the list to the bottom of the list. The first rule in the list that matches will determine the classification of a device. Make sure that the most detailed rules are at the top of the list. If new information comes in and updates the device, the rule will be classified up the list of rules but not down.

Name the Rules Intuitively
Using detailed names that outline the criteria of a rule can be very helpful for locating information on the rogue list and rogue detail pages. There are a number of places where you can see the name of a classifying rule but cannot see the detailed criteria.

Configuring Neighbor and Valid Rules
Configuring valid rules is equal in importance to configuring rogue detection rules. Configuring valid rules can help filter out a large number of devices that are not threats. Review the list of detected devices. Create suspect neighbor or neighbor rules based on the neighboring SSID, manufacturer, and the fact that it is not connected to the wired network.

AirWave allows you to specify VLANs and interfaces that can be ignored in wired Rogue Discovery events and in upstream device determination. These settings, configured on the RAPIDS > Setup page, are particularly useful to customers who have switches in AMP. The ports on those switches contain either special interface labels or multiple VLANs. In the case of multiple VLANs, imagine that the user has two VLANs, one acting as the corporate VLAN and the other acting as a guest VLAN. Use the Ignore Events from VLAN(s) setting so that the guest VLAN wired Rogue Discovery Events can be ignored, because they are not critical (see Figure 5).

Figure 5: Ignore Events (filtering options recovered from the screenshot)
Ignore Ad-hoc Rogues: Yes/No
Ignore Rogues by Signal Strength: Yes/No
Minimum Signal Strength (less than or equal to 0): -80 (enter minimum signal strength in dBm; rogues will not be recorded until they exceed this signal strength)
Ignore Rogues Discovered by Remote APs: Yes/No (discovery events from WMS Offload will always be processed regardless of this setting)
Ignore IDS Events from Remote APs: Yes/No
Ignore Events from VLAN(s): MAC addresses seen on these VLANs will not be used for Rogue detection or Upstream Device determination
Ignore Events from Interface Label(s): MAC addresses seen on interfaces with these labels will not be used for Rogue detection or Upstream Device determination

Protect Your SSID
Only your managed devices should be broadcasting your enterprise's SSID. Unauthorized devices broadcasting your SSID pose a significant security risk. Hackers will frequently put up rogue APs broadcasting an official SSID in an attempt to trick an unsuspecting user into associating to it. Once associated, the hacker will attempt to obtain the user's valid network credentials.

Chapter 6 Recommended Rogue Response Workflow

After RAPIDS identifies a rogue device, the next step is to investigate it and remove it from the network. The exact steps and workflow will depend on your organization's security standards. Some common workflows are listed below. The last step in the workflow examples below is to delete the rogue from RAPIDS. If the rogue is rediscovered, then it will be recreated and reclassified in RAPIDS. Occasionally the rogue device turns out to be an approved AP that is not managed by the IT team. If that happens, update the Notes field with appropriate information about the rogue and reclassify it as a valid device.

Common Rogue Response Scenarios

This section contains the following topics:

- Rogue Connected to Wire on page 17
- Rogues Detected Wirelessly on page 17
- Using VisualRF to Detect a Wireless Rogue on page 17
- Ad Hoc Rogues on page 18

Rogue Connected to Wire
RAPIDS will report the switch and port number for devices that are discovered on the wire.

1. Review the list of switches and determine the edge switch.
2. Login to the switch and disable the port.
3. Physically trace the cable and remove the rogue device.
4. If the rogue device can be related to an employee, educate them on the dangers of rogue devices.
5. Delete the rogue from RAPIDS.

Rogues Detected Wirelessly
Wireless devices that are detected as rogues can be more difficult to track down than rogues that are detected on wired networks. If your organization permits wireless containment and you have devices capable of performing wireless containment, the first step is to configure the wireless containment device.

Using VisualRF to Detect a Wireless Rogue
If VisualRF is installed, locate the rogue in VisualRF. If you are not running VisualRF or it is not up to date, navigate to the rogue detail page and investigate the list of discovering devices. Using that list of devices and discovered signal strengths, you should be able to determine the general location of the rogue device. Physically inspect the area where VisualRF has placed the rogues, or where you estimate it to be.

Figure 6: Rogues in VisualRF (floor plan Network > Sunnyvale > Building 1 > Floor 2 with rogue devices plotted among the APs; the map itself is not reproducible in text)

If the rogue device can be related to an employee, educate them on the dangers of rogue devices and then delete the rogue from RAPIDS. If the rogue turns out to be a valid neighboring device, update the classification to Neighbor, acknowledge the device, and then update the Notes field with investigation information, including who located the device, when it was located, and the neighboring company that the device belongs to.

Ad Hoc Rogues
Ad hoc rogues can be difficult to locate. Such rogues are highly mobile, temporary devices that are often the result of non-malicious but misconfigured laptops. Some wireless drivers will use the radio MAC address when in ad hoc mode. It is recommended to search historical clients on AMP for the ad hoc MAC address. If the ad hoc rogue is found as a client, you will know the historical users of the laptop and can contact them to properly configure the laptop. Follow the process in Rogues Detected Wirelessly on page 17 above if the MAC address is not found as a user.
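The correlation settings from Chapter 3 (Wired to Wireless MAC Address Correlation, Wireless to Wireless BSSID Correlation, Wired to Wireless Time Correlation Window) and the Ignore Events from VLAN(s) filter from Chapter 5, worked through in Python as an added example that is not AirWave or RAPIDS code. It assumes that "within the bit mask" means the two 48-bit addresses agree on every bit except the low N bits (so 8 bits keeps the 00:11:22:33:44:XX pattern the guide shows); the Event, Settings and Device records and the sample sightings are constructed for this example.

```python
"""Discovery-event correlation modelled on the RAPIDS settings in Chapter 3
and the "Ignore Events from VLAN(s)" filter in Chapter 5. Added example; not
AirWave or RAPIDS code. Assumption: "within the bit mask" means the two 48-bit
addresses agree on every bit except the low N bits.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (colons, dashes or no separators) into a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def within_mask(a: str, b: str, bits: int) -> bool:
    """True when a and b are identical once the low `bits` bits are ignored.

    bits=8 matches 00:11:22:33:44:XX, bits=4 ignores only the last hex digit,
    bits=0 requires an exact match. Each extra bit doubles the set of addresses
    one address can be merged with (2**bits), which is why a higher value makes
    an incorrect correlation more likely.
    """
    if not 0 <= bits <= 8:
        raise ValueError("the RAPIDS setting ranges from 0 to 8 bits")
    mask = 0xFFFFFFFFFFFF & ~((1 << bits) - 1)
    return (mac_to_int(a) & mask) == (mac_to_int(b) & mask)


@dataclass
class Event:
    kind: str                   # "wired" or "wireless"
    mac: str                    # LAN MAC (wired) or BSSID (wireless)
    seen: datetime
    vlan: Optional[int] = None  # wired events only


@dataclass
class Settings:
    wired_to_wireless_bits: int = 8             # guide recommends 8
    bssid_bits: int = 4                         # guide recommends 4
    window: timedelta = timedelta(minutes=240)  # guide recommends 240 minutes
    ignored_vlans: frozenset = frozenset()      # Ignore Events from VLAN(s)


@dataclass
class Device:
    bssids: list = field(default_factory=list)
    lan_macs: list = field(default_factory=list)
    last_wireless: Optional[datetime] = None
    last_wired: Optional[datetime] = None


def _matching_device(ev: Event, devices: list, s: Settings) -> Optional[Device]:
    """Return the existing record ev belongs to, or None if it starts a new one."""
    for d in devices:
        if ev.kind == "wireless":
            # same physical radio: BSSIDs differ only in the low bssid_bits
            if any(within_mask(ev.mac, b, s.bssid_bits) for b in d.bssids):
                return d
            # wired-to-wireless: MAC within the mask AND inside the time window
            if (d.last_wired is not None and abs(ev.seen - d.last_wired) <= s.window
                    and any(within_mask(ev.mac, m, s.wired_to_wireless_bits) for m in d.lan_macs)):
                return d
        else:
            if any(mac_to_int(ev.mac) == mac_to_int(m) for m in d.lan_macs):
                return d
            if (d.last_wireless is not None and abs(ev.seen - d.last_wireless) <= s.window
                    and any(within_mask(ev.mac, b, s.wired_to_wireless_bits) for b in d.bssids)):
                return d
    return None


def correlate(events: list, s: Settings) -> list:
    """Fold discovery events, oldest first, into device records."""
    devices: list = []
    for ev in sorted(events, key=lambda e: e.seen):
        if ev.kind == "wired" and ev.vlan in s.ignored_vlans:
            continue  # e.g. guest VLAN: not used for rogue detection
        d = _matching_device(ev, devices, s)
        if d is None:
            d = Device()
            devices.append(d)
        if ev.kind == "wireless":
            if ev.mac not in d.bssids:
                d.bssids.append(ev.mac)
            d.last_wireless = ev.seen
        else:
            if ev.mac not in d.lan_macs:
                d.lan_macs.append(ev.mac)
            d.last_wired = ev.seen
    return devices


def demo() -> list:
    """Constructed sightings: one radio with two BSSIDs and its LAN port, an
    event on an ignored guest VLAN, an unrelated switch port, and a LAN
    sighting that falls outside the 240-minute window."""
    t0 = datetime(2014, 5, 1, 9, 0)
    events = [
        Event("wireless", "00:11:22:33:44:50", t0),
        Event("wireless", "00:11:22:33:44:51", t0 + timedelta(minutes=5)),
        Event("wired", "00:11:22:33:44:4e", t0 + timedelta(minutes=60), vlan=10),
        Event("wired", "aa:bb:cc:dd:ee:01", t0 + timedelta(minutes=61), vlan=99),
        Event("wired", "66:77:88:99:aa:bb", t0 + timedelta(minutes=70), vlan=10),
        Event("wired", "00:11:22:33:44:4f", t0 + timedelta(minutes=600), vlan=10),
    ]
    return correlate(events, Settings(ignored_vlans=frozenset({99})))


if __name__ == "__main__":
    for i, dev in enumerate(demo(), 1):
        print(i, "BSSIDs", dev.bssids, "LAN", dev.lan_macs)
```

With the recommended settings the two BSSIDs and the LAN MAC collapse into a single record (a device detected wirelessly and on the LAN), the guest-VLAN event is dropped before it can create a record, and the 4f address seen ten hours later becomes a separate wired-only device because it is outside the window even though it is inside the 8-bit mask.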
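The first-match, top-to-bottom rule evaluation from Chapter 5 (Order is Important, including the "up the list but not down" reclassification), the managed-SSID rule from Protect Your SSID, and the once-only behaviour of the Rogue Device Classified trigger from Chapter 3, in Python as an added example that is not AirWave or RAPIDS code. The DeviceRecord fields, the rule predicates, the threat level of the made-up managed-SSID rule and the trigger bookkeeping are assumptions based on the guide's descriptions; the other rule names mirror Figure 4.

```python
"""First-match rule engine modelled on the RAPIDS > Rules page and the Rogue
Device Classified trigger. Added example; not AirWave or RAPIDS code. Device
fields, predicates and the "up but not down" handling are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class DeviceRecord:
    name: str
    seen_wireless: bool = False
    seen_on_lan: bool = False
    signal_dbm: Optional[int] = None      # strongest signal reported by a detecting AP
    detecting_aps: int = 0
    ssid: Optional[str] = None
    classification: Optional[str] = None  # filled in by classify()
    threat_level: Optional[int] = None
    rule_name: Optional[str] = None


@dataclass
class Rule:
    name: str                             # descriptive, so the rogue list explains itself
    classification: str
    threat_level: int
    matches: Callable[[DeviceRecord], bool]
    enabled: bool = True


MANAGED_SSIDS = {"corp-wifi"}             # constructed sample enterprise SSID

# Most detailed rules first: rules run top to bottom and the first match wins.
RULES = [
    Rule("Broadcasting a managed SSID", "Rogue", 9,
         lambda d: d.seen_wireless and d.ssid in MANAGED_SSIDS),
    Rule("Detected Wirelessly and on LAN", "Rogue", 7,
         lambda d: d.seen_wireless and d.seen_on_lan),
    Rule("Signal strength > -35 dBm and heard by more than 8 APs", "Suspected Rogue", 5,
         lambda d: d.signal_dbm is not None and d.signal_dbm > -35 and d.detecting_aps > 8),
    Rule("Signal Strength > -80 dBm", "Suspected Neighbor", 5,
         lambda d: d.signal_dbm is not None and d.signal_dbm > -80),
    Rule("Detected wirelessly", "Suspected Neighbor", 5,
         lambda d: d.seen_wireless),
]


def _position(rule_name: Optional[str], rules: list) -> Optional[int]:
    for i, r in enumerate(rules):
        if r.name == rule_name:
            return i
    return None


def classify(device: DeviceRecord, rules: list = RULES) -> DeviceRecord:
    """Apply the first enabled rule that matches. On re-evaluation a device may
    move up to a rule higher in the list but is never moved down."""
    for pos, rule in enumerate(rules):
        if not rule.enabled or not rule.matches(device):
            continue
        current = _position(device.rule_name, rules)
        if current is not None and pos > current:
            return device  # only a lower rule matches now: keep the old classification
        device.classification = rule.classification
        device.threat_level = rule.threat_level
        device.rule_name = rule.name
        return device
    return device  # nothing matched: left unclassified


@dataclass
class RogueClassifiedTrigger:
    """Fires once when a device meets the conditions, not on every re-detection.
    Deleting the device from RAPIDS (forget) lets it fire again if rediscovered."""
    classification: str
    min_threat_level: int
    fired: set = field(default_factory=set)

    def check(self, device: DeviceRecord) -> bool:
        meets = (device.classification == self.classification
                 and (device.threat_level or 0) >= self.min_threat_level)
        if meets and device.name not in self.fired:
            self.fired.add(device.name)
            return True
        return False

    def forget(self, device_name: str) -> None:
        self.fired.discard(device_name)


def walkthrough() -> list:
    """Constructed device lifecycle; returns (classification, alert fired) per step."""
    laptop = DeviceRecord("laptop-ap", seen_wireless=True, signal_dbm=-70, detecting_aps=2)
    trigger = RogueClassifiedTrigger("Rogue", min_threat_level=7)
    steps = []

    def step():
        classify(laptop)
        steps.append((laptop.classification, trigger.check(laptop)))

    step()                        # 1. heard at -70 dBm: Suspected Neighbor, no alert
    laptop.seen_on_lan = True
    step()                        # 2. MAC found on the LAN: moves up to Rogue, alert fires
    step()                        # 3. detected again, nothing new: no second alert
    laptop.seen_on_lan = False
    step()                        # 4. only a lower rule matches now: stays Rogue
    return steps
```

Step 4 is the case the guide calls out: once the device has been classified by the "Detected Wirelessly and on LAN" rule, a later evaluation that only matches the signal-strength rule further down the list leaves the classification alone, so a rogue does not quietly turn back into a suspected neighbor when its wired sighting ages out.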
