Rogue Access Point

Don’t leave WIPS to the will of the force…

By Steve Harrison


Introduction

This is the second in a series of blog posts that focus on wireless security and technology at Cisco Meraki.

Wireless LANs are critical to the way companies work and are used to carry sensitive data (e.g. point of sale). A Wireless Intrusion Prevention System (WIPS), such as Cisco Meraki Air Marshal, gives companies the ability to ensure they are protected against threats to these WLANs. This blog post shows how Air Marshal protects against one such threat, namely a rogue access point.

What is a Rogue Access Point?

A rogue access point is an AP that is connected to a company’s physical network infrastructure but is not under that company’s administrative control. This could arise if an employee or student naively brought in a home WiFi-enabled router and connected it to the company’s infrastructure to provide wireless network access. This act introduces multiple threat vectors to the company, such as:

  1. Insecure wireless standards – the rogue AP might only support a deprecated and insecure encryption standard, such as WEP. Or even worse, be purposefully configured with open association and authentication.
  2. Inappropriate attachment – the user could also physically attach the AP to a network port in a secure area of the network, or in an area without appropriate firewalling between it and sensitive information.
  3. Inappropriate location – the AP could be placed close to the perimeter of a building, meaning that someone could listen in on the company’s network.

This is by no means an extensive list of threat vectors introduced by this potentially innocuous action. So, it’s very clear that rogue access points are something we need to protect our business critical WLAN and networks from!

What makes a rogue access point rogue?

Cisco Meraki defines a rogue access point as an AP that is both “seen” on the LAN and is broadcasting SSIDs that are visible to the APs that make up the corporate wireless infrastructure.

In order to identify a rogue AP, all currently available Meraki access points leverage their dedicated “listening” radio to continuously monitor the RF. However, older APs without a dedicated listening radio can also be configured to utilize their access radios at specific times to scan for rogue access points, as shown below:

[Screenshot: Air Marshal scanning settings in the Meraki dashboard]

Air Marshal listens for 802.11 beacon frames sent out by APs that are “visible” to the corporate APs. Every BSSID (the MAC address an SSID is advertised under) that an access point sees is then categorized as either “Rogue SSID” or “Other SSID”.

[Screenshot: BSSIDs categorized as Rogue SSID or Other SSID]

In order to classify an SSID as rogue, we also need to look at the MAC addresses of frames on the wired side of the corporate APs. This is done by simply listening to the broadcast frames that the access point already receives. If the wired MAC and the broadcast BSSID MAC match on the 3rd and 4th bytes of the MAC address (typically wired and wireless MAC addresses are contiguous), and the rest of the bytes differ by 5 bits or less, then the AP is classified as rogue. This comparison is achieved by applying an XOR to the MAC addresses in binary form, as shown below for a rogue access point:

[Screenshot: XOR comparison of a wired MAC and a beaconed BSSID for a rogue access point]

With this information in hand, we can safely say that this access point is connected to the same wired infrastructure as the Meraki access points and that it is actively advertising at least one SSID. So, we can assume that this is a threat to the corporate infrastructure that needs to be mitigated!
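To make the two-step rule concrete (beacons give us BSSIDs, wired broadcast frames give us MACs, and the XOR comparison ties them together), here is an added example that implements the classification described above. It is illustrative code written for this post, not Meraki's own implementation, and the MAC addresses and SSID names in it are constructed. One detail the post leaves open is whether the "5 bits or less" limit applies per byte or in total; the example assumes the total Hamming distance over the four remaining bytes, and the `whitelist` parameter is an assumed way of modelling the whitelisting behaviour mentioned later in the post.

```python
import re

# Constructed sample data (not taken from the post): MACs observed in broadcast
# frames on the wired side of the corporate APs, and BSSIDs heard in beacons.
WIRED_MACS = ["00:18:0a:12:34:50", "ac:de:48:00:11:22"]
HEARD_BSSIDS = {
    "00:18:0a:12:34:51": "HomeRouter-2G",  # contiguous with a wired MAC
    "00:18:0a:12:34:af": "HomeRouter-5G",  # bytes 3-4 match, but 8 bits differ
    "ac:de:48:00:11:2a": "Corp-Legacy",    # contiguous with a wired MAC
    "3c:5a:b4:77:88:99": "CoffeeShop",     # no wired counterpart at all
}

MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}")


def parse_mac(mac):
    """Return the six bytes of a colon- or dash-separated MAC address."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", mac))


def xor_bytes(wired, bssid):
    """Per-byte XOR of the two addresses; a zero byte means the bytes match."""
    return [w ^ b for w, b in zip(parse_mac(wired), parse_mac(bssid))]


def looks_related(wired, bssid, max_bit_diff=5):
    """Apply the two-part rule from the post to one wired MAC / BSSID pair."""
    x = xor_bytes(wired, bssid)
    # Part 1: the 3rd and 4th bytes must be identical.
    if x[2] != 0 or x[3] != 0:
        return False
    # Part 2: the remaining bytes may differ by at most max_bit_diff bits.
    # Assumption: the limit is the total Hamming distance over bytes 1, 2, 5 and 6;
    # the post does not say whether it is per byte or in total.
    other_bits = sum(bin(v).count("1") for i, v in enumerate(x) if i not in (2, 3))
    return other_bits <= max_bit_diff


def classify_bssids(wired_macs, heard_bssids, whitelist=()):
    """Map each heard BSSID to (category, ssid, matching wired MAC or None)."""
    allowed = {w.lower() for w in whitelist}   # assumed model of the whitelist
    result = {}
    for bssid, ssid in heard_bssids.items():
        if bssid.lower() in allowed:
            result[bssid] = ("Whitelisted", ssid, None)
            continue
        match = next((w for w in wired_macs if looks_related(w, bssid)), None)
        category = "Rogue SSID" if match else "Other SSID"
        result[bssid] = (category, ssid, match)
    return result


if __name__ == "__main__":
    for bssid, (category, ssid, wired) in classify_bssids(WIRED_MACS, HEARD_BSSIDS).items():
        suffix = f" (wired MAC {wired})" if wired else ""
        print(f"{bssid}  {ssid:14s} -> {category}{suffix}")
```

Note the second HomeRouter entry: its 3rd and 4th bytes match a wired MAC, but the last byte differs in all eight bits, so it falls outside the 5-bit tolerance and is reported as "Other SSID". That is the case a practitioner should keep in mind when tuning such a rule, since a too-loose bit tolerance would start flagging unrelated neighbours whose OUI happens to be similar.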

Note: If you have wireless APs that advertise SSIDs and form part of your legitimate corporate infrastructure, then you can prevent Air Marshal from containing them by whitelisting them:

[Screenshot: Air Marshal whitelist configuration]

How can Air Marshal protect against rogue access points?

In order to protect your corporate infrastructure from rogue access points, Air Marshal uses a technique called “containment”.  When a Meraki AP is containing a rogue SSID, it uses three frame types:

  1. Broadcast 802.11 deauthentication frame – this entails the Meraki AP spoofing the MAC address/BSSID of the rogue SSID and transmitting an 802.11 deauthentication frame to the broadcast MAC address (FF:FF:FF:FF:FF:FF). This is, in essence, the AP masquerading as the rogue AP and telling all the clients that were connected to the rogue AP and in range of the Meraki AP to disconnect from the BSSID.
  2. Targeted 802.11 deauthentication frame – this entails the Meraki AP again spoofing the MAC of the BSSID of the rogue SSID and transmitting an 802.11 deauthentication frame to the MAC address of each client that is associated with it. Again this is, in essence, the Meraki AP masquerading as the rogue access point and specifically telling the clients that are connected to the rogue AP to disconnect from the SSID. It is assumed that since the Cisco Meraki AP can “see” the association and authentication frames of the rogue SSID-client relationship, the client will also receive this deauthentication frame from the Meraki AP.
  3. Reciprocal targeted 802.11 deauthentication and disassociation frames – this entails the Meraki AP spoofing the MAC address of each client that was connected to the rogue SSID and, masquerading as that client, transmitting deauthentication and disassociation frames to the BSSID of the rogue access point. This ensures that more modern 802.11 clients with battery-saving capabilities are also disconnected from the rogue SSID, as they might have ignored the deauthentication messages “from” the rogue SSID if they were “sleeping” to save battery life.

[Screenshot: Air Marshal containment settings]

This behavior is shown in the below packet capture:

[Screenshot: packet capture of the containment frames]

Note: As containment renders any standard 802.11 network completely ineffective, extreme caution should be taken to ensure that containment is not being performed on legitimate networks nearby. This action should only be taken as a last resort. Please also see the Cisco guidance note on de-authentication technology (linked in the references) for more information.
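The three frame patterns listed above are exactly what an administrator should be able to recognise in a capture, both to confirm that containment is working against the rogue BSSID and, following the note above, to confirm that no legitimate network is being contained by mistake. The following added example (written for this post, not Meraki's code) runs that recognition over a constructed capture in which each management frame has already been reduced to a `(subtype, transmitter, receiver)` tuple; the BSSID and client addresses are made up, and the `legitimate_bssids` list stands in for whatever inventory of your own APs you keep.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture (not from the post): 802.11 management frames reduced to
# (subtype, transmitter address, receiver address). 00:18:0a:12:34:51 plays the
# rogue BSSID; aa:bb:cc:00:00:01 and :02 are clients seen associating with it.
ROGUE_BSSID = "00:18:0a:12:34:51"
CLIENT_A, CLIENT_B = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
CAPTURE = [
    ("beacon",   ROGUE_BSSID, BROADCAST),
    ("deauth",   ROGUE_BSSID, BROADCAST),    # type 1: broadcast deauth "from" the rogue
    ("deauth",   ROGUE_BSSID, CLIENT_A),     # type 2: targeted deauth to each client
    ("deauth",   ROGUE_BSSID, CLIENT_B),
    ("deauth",   CLIENT_A,    ROGUE_BSSID),  # type 3: reciprocal frames "from" each client
    ("disassoc", CLIENT_A,    ROGUE_BSSID),
    ("deauth",   CLIENT_B,    ROGUE_BSSID),
    ("disassoc", CLIENT_B,    ROGUE_BSSID),
    ("deauth",   "3c:5a:b4:77:88:99", BROADCAST),  # one ordinary deauth from another network
]


def containment_summary(frames, bssid):
    """Tally the three containment frame patterns seen against one BSSID."""
    broadcast_deauth = 0
    targeted = set()    # clients that received a deauth "from" the BSSID
    reciprocal = {}     # client -> subtypes sent "by" that client to the BSSID
    for subtype, src, dst in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        if src == bssid and subtype == "deauth":
            if dst == BROADCAST:
                broadcast_deauth += 1
            else:
                targeted.add(dst)
        elif dst == bssid:
            reciprocal.setdefault(src, set()).add(subtype)
    return {"broadcast_deauth": broadcast_deauth,
            "targeted": targeted,
            "reciprocal": reciprocal}


def is_being_contained(frames, bssid):
    """True when all three patterns from the post are present for this BSSID.

    A lone broadcast deauth (a normal AP reboot, for instance) is not enough;
    the reciprocal deauth + disassoc pair from at least one client must be there too.
    """
    s = containment_summary(frames, bssid)
    reciprocal_complete = any({"deauth", "disassoc"} <= kinds
                              for kinds in s["reciprocal"].values())
    return s["broadcast_deauth"] > 0 and bool(s["targeted"]) and reciprocal_complete


def contained_legitimate_networks(frames, legitimate_bssids):
    """The check behind the note above: your own BSSIDs that look contained."""
    return sorted(b for b in legitimate_bssids if is_being_contained(frames, b))


if __name__ == "__main__":
    print("rogue contained:", is_being_contained(CAPTURE, ROGUE_BSSID))
    print("legitimate networks contained:",
          contained_legitimate_networks(CAPTURE, ["3c:5a:b4:77:88:99"]))
```

Run against a real capture, the tuples would come from a decoder such as a pcap reader's management-frame fields; the logic itself does not change. Requiring all three patterns before reporting containment keeps the check from firing on the single deauth frames that legitimate APs send during normal operation.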

Conclusion

The Meraki Air Marshal system is a best-in-class WIPS solution that includes real-time detection, remediation, and alerting capabilities (please see the references section for more information on the elements we haven’t discussed). This also includes the ability to define pre-emptive policies that will take action to contain rogue APs using the containment mechanisms discussed above.

The entire Meraki wireless portfolio contains APs with dedicated listening radios that act as full-time sensors, running as Air Marshal scanners. By utilizing Meraki APs and the Meraki dashboard, network administrators can create a robust WIPS policy, and easily deploy a powerful network to deliver enterprise-grade security in a WLAN environment.

References

For more information on Air Marshal, please see the following additional references:
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf
https://meraki.cisco.com/lib/pdf/meraki_datasheet_airmarshal.pdf
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal_Containment
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Mitigating_a_Spoof