For those who regularly read our blog often and listen to our podcast, you already know I spent a little more than a week in lovely Regina, Saskatchewan to teach SANS 617: Wireless Ethical Hacking, Penetration Testing, and Defenses. While we were there we noticed some very interesting wireless traffic during several of the course exercises.
The wireless traffic was traced to a local business (in close proximity to the training site), that apparently implemented a WIDS with Rogue AP Containment. As the week progressed, we got more info on the story: the wireless had been installed for nearly a year but only turned up since the Friday before class. There was apparently great confusion about the WIDS configuration and results were being misinterpreted. Regardless of the situation the students got some great real world examples and traffic captures. The local company was also very responsive to our concerns and we all worked together to attempt to resolve the issues.
What did this mean to the class? Well, the class uses 3 different APs configured by the instructor for use with some of the labs. When I set mine up, I did the right thing; I set them on the 3 non-overlapping channels of 1, 6 and 11. When fired up, the WIDS with Rogue-AP Containment started firing off De-authentication and Disassociation floods to all of the clients, spoofing the BSSIDs of the class APs. Certainly this is an effective containment method in order to keep clients in your organization from connecting to unknown APs introduced into the environment. This also made it difficult for the students and instructor to remain connected to, or generate traffic on, the class APs.
As the week went on, the students were able to make several observations ad assumptions about the situation. We also had a discussion about the appropriate deployment of Rogue-AP containment methods: If you don't do it right, you can essential create denial of service attacks against legitimate, third party networks. In many jurisdictions, denying service to a legitimate service that is not your own is considered a crime. So, here are a few of the lessons that the class was able to make over the week:
1.) De-authentication and Disassociation floods to all of the clients can be effective. Not perfectly so, but just enough to be annoying to have folks call your Help Desk to report that their network isn't working or is slow. Our class network wasn't working, but the regional municipal wireless provider worked at a snail's pace. A block away outside of the range of the WIDS, the municipal wireless worked like a champ.
2.) Properly test and configure Rogue-AP containment if you wish to use it in your environment. Turning it on before a weekend and not monitoring the wireless traffic afterwards is probably not in your best interest, especially if means you are breaking the law as a result.
3.) Consider all of your options when deploying a WIDS. Based on cost, know the risks and rewards for both. Do you go with an integrated solution using the existing infrastructure to do WIDS and serve clients at the same time, or an overlay deployment adding a separate infrastructure on top of the client serving network, or a hybrid approach?
4.) If implementing an integrated solution be careful about your deployment or consider a hybrid approach. In an integrated solution, the radios in the APs when serving client become locked on those predefined channels and no longer hop, looking for Rogues on other channels. If you have deployed your APs with WIDS on channels 1, 6 and 11, the APs will only have insight to (and launch containment against) rogues on those channels when serving clients. In a hybridized approach, depending on individual solutions, APs containing two separate radios may be segregated to different tasks; one radio for serving clients and the other channel hopping and performing containment.
5.) When WIDS with Rogue AP Containment is deployed in an integrated fashion (without a hybridized approach) while serving clients, it is possible to install "Rogue APs" in the environment on different channels. For example, APs with WIDS serving clients are installed at channels 1, 6 and 11, they will be unable to detect or perform containment against Rogue APs on other channels, such as 3, 7 and 10. Ultimately this was how we were able to use the 3 class APs, as the WIDS had no way to see our APs on channels other than 1, 6 and 11. This is something to take into consideration during deployment and is certainly something that want to test in your environment, or while performing a wireless assessment. This is certainly a "feature" that can be leveraged by the bad guys with minimal effort.
After all was said and done the students had a great, albeit frustrating, time figuring out what was going on with the classroom wireless network. This was an educational exercise dealing with real world deployments and associated problems. Learning from someone else's "mistakes" has it's benefits. Go forth and deploy secure wireless networks. Be careful with your Rogue AP Containment!