Enhance WIPS to detect rogue APs that spoof the SSIDs broadcast

  • 2
  • Idea
  • Updated 4 years ago
Nick Lowe, Official Rep


Posted 5 years ago

Mike Kouri, Official Rep

Nick,
I *think* I know what you are asking, but could you please elaborate a bit more?
Sjoerd de Jong, Employee

Isn't this already possible? A WIPS policy already has the 'enable-ssid detection' checkbox, right?
Nick Lowe, Official Rep

Nope, as far as I know, that just specifies which SSIDs are allowed in your WLAN allowing no others to be seen.

It has nothing to do with specifically/surgically targeting a rogue AP spoofing one of your SSIDs on a different BSSID.

It would be an inappropriate trigger where there are other genuine SSIDs intermixing in your environment - you just wish to protect your own from being spoofed.
Nick Lowe, Official Rep

At the moment, I believe that another AP broadcasting one or more of the SSIDs that you do cannot be used as a condition to trigger the WIPS, ignoring any other SSIDs that may be being broadcast by other APs. In my opinion, it really should.

This could then be used for alerting or auto-remediation.

Also, when auto-remediation is enabled - why can't manual toggling of remediation be possible 'on top' too?
Paul Levasseur

Hello Nick, in our WIPS policy, we do have a checkbox called "short beacon interval check", which is used to detect spoofed BSSIDs. I believe this is what you are asking for, but if not, as Mike asked, more info would be great.

Here's the HiveManager help file on that:

This option can help detect the presence of rogue APs spoofing the MAC addresses of legitimate APs. For example, if the beacon frame from an access point states its beacon interval is 100 TU (time units), the arrival of beacons from that MAC address at consistently shorter intervals might indicate that a second AP is spoofing the MAC address of the legitimate AP and is also sending beacons from the spoofed MAC address. When you enable this detection technique, APs can detect that the interval between beacons is suspiciously shorter than it should be.

Although beacons are transmitted at regularly defined intervals, they do not always arrive with the same regularity. Due to heavy traffic congestion or RF interference, they might be delayed or never arrive at all. To avoid generating false alarms, the intervals for at least 40 beacons must be shorter than expected before triggering an alarm. If the APs then receive 200 consecutive beacons at expected intervals, they clear the alarm.
Nick Lowe, Official Rep

Not quite, sorry - what about an AP that spoofs one of your SSIDs with a completely different BSSID?

I think a possible issue with the WIPS configuration is that it is not flexible enough...
In my opinion, it needs rules so that you are able to specify complex conditions with AND and OR semantics, and then what it triggers.
The triggered action should be an alert with various severities and if auto-remediation is carried out.
Nick Lowe, Official Rep

Ultimately, what I want to achieve in my environment is that:

1) If an AP broadcasts any of my SSIDs and it is not authorised to do so, treat it as being rogue and auto-mitigate against it.
This MUST however ignore other APs that broadcast other SSIDs, so the current system of simply specifying approved SSIDs and then auto-mitigating all others seen is far too blunt and inappropriate.

Actually, a quick fix to my specific problem would be to change the "Automatically mitigate rogue APs only if they are connected to your network" option to "Automatically mitigate rogue APs only if they are connected to your network or spoof one of your SSIDs". This would allow other conditions to be used informationally.

2) If an unapproved AP is in my network, treat it as being rogue and mitigate against it. (This is possible today.)

3) Where the short beacon interval check is triggered, alert this as a critical intrusion condition.

4) Short preamble checking, WMM checking, BSSID checking and SSID checking etc. should be used informationally for administrative purposes, but should definitely not be (and should never be!) a trigger for auto-mitigation.
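As an added illustration of the two detections discussed in this thread (the SSID-spoof-on-foreign-BSSID rule Nick asks for, and the short beacon interval check quoted from the HiveManager help text), here is an offline Python sketch over a constructed beacon capture. It is not HiveManager's or Aerohive's code; the 40/200 thresholds come from the help text, while the "75% of the stated interval" cut-off and the consecutive counting are my assumptions, as the help text does not define them.

```python
from dataclasses import dataclass

TU_US = 1024                   # one 802.11 time unit is 1024 microseconds
SHORT_BEACONS_TO_ALARM = 40    # thresholds quoted in the HiveManager help text above
NORMAL_BEACONS_TO_CLEAR = 200
SHORT_RATIO = 0.75             # assumption: a gap under 75% of the stated interval is "short"

def ssid_spoof_check(beacons, authorised):
    """Rule 1: flag (bssid, ssid) pairs that beacon one of our SSIDs from a BSSID
    not authorised for it. Beacons for SSIDs we do not own are ignored."""
    rogues = {(b, s) for b, s, _i, _t in beacons if s in authorised and b not in authorised[s]}
    return sorted(rogues)

@dataclass
class BssidState:
    last_arrival: int = -1    # arrival time (us) of the previous beacon, -1 if none
    short: int = 0            # consecutive too-short gaps seen
    normal: int = 0           # consecutive gaps at the stated interval
    alarm: bool = False

def short_beacon_interval_check(beacons):
    """Per BSSID, raise after 40 consecutive too-short beacon gaps and clear after
    200 consecutive normal ones. Returns (event, bssid, arrival_us) in order."""
    state, events = {}, []
    for bssid, _ssid, interval_tu, arrival_us in beacons:
        st = state.setdefault(bssid, BssidState())
        if st.last_arrival >= 0:
            if arrival_us - st.last_arrival < SHORT_RATIO * interval_tu * TU_US:
                st.short, st.normal = st.short + 1, 0
                if not st.alarm and st.short >= SHORT_BEACONS_TO_ALARM:
                    st.alarm = True
                    events.append(("alarm", bssid, arrival_us))
            else:
                st.short, st.normal = 0, st.normal + 1
                if st.alarm and st.normal >= NORMAL_BEACONS_TO_CLEAR:
                    st.alarm = False
                    events.append(("clear", bssid, arrival_us))
        st.last_arrival = arrival_us
    return events

def constructed_capture():
    """Constructed sample (bssid, ssid, beacon_interval_tu, arrival_us): our AP 'aa'
    beacons 'corp' at 100 TU and a second radio spoofs its BSSID halfway between
    beacons 50..149; 'bb' spoofs 'corp' on its own BSSID; 'cc' is a neighbour."""
    beacons = [("bb", "corp", 100, 0), ("cc", "neighbour", 100, 0)]
    for n in range(400):
        beacons.append(("aa", "corp", 100, n * 100 * TU_US))
        if 50 <= n < 150:
            beacons.append(("aa", "corp", 100, n * 100 * TU_US + 50 * TU_US))
    return sorted(beacons, key=lambda b: b[3])
```

On the constructed capture, `ssid_spoof_check(cap, {"corp": {"aa"}})` reports only `bb` (the neighbour `cc` is ignored), and the interval check raises on `aa` after the 40th doubled beacon and clears 200 regular beacons after the spoofing stops.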
wombat

Nick, any update on this particular functionality?