Meraki Solution Guide: Air Marshal
Version 1.0, July 2012
Copyright © 2012, Meraki, Inc.

This document describes the importance of securing your network from wireless attacks and outlines how you can use Meraki’s Air Marshal capabilities to protect your network and alert your administrator in the event of any intrusions.


Copyright

© 2012 Meraki, Inc. All rights reserved.

Trademarks

Meraki® is a registered trademark of Meraki, Inc.

www.meraki.com
660 Alabama St., San Francisco, California 94110
Phone: +1 415 632 5800  Fax: +1 415 632 5899


Table of Contents

1 Securing Your Airspace (p. 4)
2 Configuring Wireless Scanning (p. 5)
3 Monitoring Wireless Threats (p. 6)
4 Wireless Threat Classification (p. 8)
5 Threat Remediation Policies (p. 10)
6 Configuring Threat Alerts (p. 12)
7 Dedicated WIPS vs. Hybrid Scanners (p. 13)

 


1 Securing Your Airspace

WLAN networking is increasingly becoming a critical component of enterprise networking. Secure and reliable Internet access is heavily relied upon for corporate communication in a variety of verticals, including financial services, retail, distributed enterprise, and service-provider hotspots. Due to the widespread use of Wi-Fi and the variety of use cases (e.g. POS, corporate communications, warehouse inventory, asset tracking, Wi-Fi services for targeted advertising), the amount of information transmitted across the wireless medium has skyrocketed, and it increasingly contains sensitive personal and financial data. Unfortunately, the tremendous growth in wireless has been accompanied by increasingly easy access to open-source hacking tools that can compromise your WLAN through a range of methods, including snooping wireless packets, impersonating client devices and access points, and denial-of-service attacks on your infrastructure.

Meraki APs provide powerful wireless intrusion scanning capabilities, enabling detection and classification of different types of wireless threats, including rogue access points and wireless hackers. Built-in capabilities include part-time opportunistic scanning as well as real-time intrusion detection using access points that have been designated to run in 'Air Marshal' mode. Air Marshal mode puts the AP into a dedicated scanning mode, allowing it to be deployed as an overlay WIPS sensor. Air Marshal APs come pre-configured with highly optimized scanning algorithms that monitor the surrounding airspace in real time for wireless attacks. Users can define intuitive auto-containment policies to facilitate pre-emptive action against rogue devices. Once a threat has been detected, the access point's threat remediation engine drives Air Marshal to enact a number of powerful policies, including manually disabling specific rogue APs, intelligent auto-disablement of APs matching pre-defined criteria, and different tiers of e-mail alarms based on the type of threat in your airspace.

Using Meraki’s APs in Air Marshal mode, it is possible to design an airtight network architecture that is completely protected from wireless attacks. The remainder of this document describes the setup and configuration process for Air Marshal, along with a threat classification index that describes some of the attacks that are frequently seen in WLAN environments.


2 Configuring Wireless Scanning

A Meraki AP will run wireless scans opportunistically when it is not serving clients. You can also schedule 'mandatory' scans to be run at pre-specified time intervals that can be set as frequently as once a day.

For users requiring more accurate and real-time wireless threat assessments, it is possible to place an AP in Air Marshal mode. While acting as an Air Marshal, an AP uses its radios as dedicated scanners to monitor its surrounding environment in real time. For dual-radio APs, this includes both the 2.4 GHz and 5 GHz bands.

Air Marshal mode can be switched on by selecting the relevant APs on the Access Points page.

By selecting the relevant AP and tagging it with the keyword 'airmarshal', it is possible to designate this AP as a dedicated WIPS scanner. This Air Marshal AP will now be a dedicated sensor performing scans of the surrounding environments for threats, the results of which will be displayed on the WIPS page in real-time. The Air Marshal AP will not be able to serve clients unless this mode is switched off. To switch an Air Marshal AP into regular AP mode, simply remove the ‘airmarshal’ tag.

Figure 1 – Configuring Air Marshal (screenshot; callouts: select an AP and tag it ‘airmarshal’; shield icon indicates Air Marshal status; health status of Air Marshal AP)


3 Monitoring Wireless Threats

The Air Marshal page will display an overview of the threat remediation policies and alerts you have set in place, as well as a list of the most current wireless threats.

The location of a wireless rogue AP can be triangulated and displayed on a map if it has been seen by multiple APs in your network. It is also possible to display the rogues on a custom floor plan if you have uploaded one. It is recommended that you have at least 3 APs for accurate rogue detection and triangulation (with at least one of these APs running in Air Marshal mode).

On the second half of the WIPS page, you can navigate through a list of wireless threats to identify which APs may be an actual threat vs. false positives. After an analysis, you can choose to whitelist known rogues and disable any malicious rogues that may be causing interference to your network. Each wireless rogue classification includes details such as the broadcast MAC address, which AP it was seen by, the manufacturer of the rogue AP, and other information such as its VLAN domain. You can use this information to decide which threat may be serious and either disable the rogue or set specific threat remediation policies (more details are available in the 'Threat Remediation Policies' section).

Figure 2 – Monitoring Threats (screenshot; callouts: rogue AP triangulation; number of Air Marshal APs; threat list; additional info on each threat; threat analysis)


4 Wireless Threat Classification

The WIPS page identifies wireless threats on the network and classifies them into different categories:

1. Rogue SSIDs. These critical-level wireless threats can originate from three sources:

a. Wired LAN intrusions. These are rogue APs located on the same wired LAN as any of the APs on your network. This indicates that someone has physical access to your wired network and is using it to broadcast a wireless signal. Not only is this AP using your wired infrastructure and therefore your WAN resources, but the attacker who set up this AP could also have access to wired resources on your LAN. It may be a false threat resulting from an AP mistakenly plugged into your network by someone with innocent intent. If you decide that the device is a threat, it should be contained and also physically located and removed from your network.

b. Keyword Matches. These are APs seen broadcasting SSIDs that either contain or exactly match a keyword you have specified on the Air Marshal page.

c. Ad-Hoc networks. These are smartphones or mobile devices that are accessing your network and allowing ad-hoc access to it via peer-to-peer linking. An ad-hoc network opens up a back door into your own network, allowing unauthorized clients to reach it via an authorized client (with no means of tracking who these users are).

2. Other SSIDs. These are SSIDs seen being broadcast by other APs in the area. The source may be APs located in surrounding neighborhoods or offices, so the intent is most likely not malicious.

3. AP Spoof. An AP spoof is an AP copying your MAC address as well as your SSID. It means that someone is deliberately impersonating your network and should be treated with the highest level of severity.

4. Malicious Broadcasts. Denial-of-Service (DoS) attack messages that are sent continuously to your clients beyond a certain acceptable threshold. DoS attacks attempt to prevent clients from associating with your AP by sending an excessive number of broadcast reauthorization messages to clients. This should be considered a high-level threat, and the source devices in the vicinity should be physically located and removed from your network.

5. Packet Floods. Packet floods are wireless client or AP floods that send an excessive number of packets to your AP. Packets are monitored and classified based on multiple categories, including beacon, authentication and association frames. An excessive number of any category of packets seen within a short time interval will be flagged as a packet flood. Filters are automatically applied for intelligent detection and to eliminate false positives from commonly seen device behavior.

Figure 3 – Detecting Intrusions (diagram). Callouts: devices in ad-hoc mode can connect to a client AP and create a gateway for wireless hackers; rogue APs on the wired LAN can compromise your entire wired and wireless network; a rogue AP in the vicinity can spoof your SSID and trick clients into a false association, and can also launch Denial of Service (DoS) attacks against your infrastructure; unauthorized hackers can connect through rogue devices and steal information; configure Air Marshal to detect, notify and remediate rogue APs, ad-hoc devices, and wired rogues across multiple sites.
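The classification rules above, as an added Python illustration that is not Meraki's code: it maps constructed scan observations to the guide's threat categories and severities. The thresholds, the field names on `Observation`, the assumption that our own managed APs are excluded from the scan list, and the sample observations are all assumptions; Air Marshal's real detection logic and false-positive filters are not published here.

```python
from dataclasses import dataclass, field

# Constructed thresholds: the guide only says floods and malicious broadcasts
# are flagged "beyond a certain acceptable threshold" and publishes no values.
WINDOW_SECONDS = 10
DEAUTH_THRESHOLD = 50     # broadcast deauth frames aimed at our clients per window
FLOOD_THRESHOLD = 500     # frames of one category (beacon/auth/assoc) per window

@dataclass
class Observation:
    """One device heard by a scanning AP (our own managed APs are excluded)."""
    bssid: str
    ssid: str
    on_wired_lan: bool = False                        # also seen on our wired LAN
    adhoc: bool = False                               # IBSS / peer-to-peer network
    deauth_count: int = 0                             # broadcast deauths in the window
    frame_counts: dict = field(default_factory=dict)  # e.g. {"auth": 2000}

@dataclass
class OurNetwork:
    ssids: set
    bssids: set        # lower-case MACs of our own APs
    keywords: list     # (keyword, exact_match) pairs from the Air Marshal page

def keyword_match(ssid, keywords):
    """Return the first keyword the SSID exactly matches or contains, else None."""
    for kw, exact in keywords:
        if (ssid == kw) if exact else (kw.lower() in ssid.lower()):
            return kw
    return None

def classify(obs, net):
    """Map one observation to (category, severity, detail) as in the guide."""
    if obs.bssid.lower() in net.bssids and obs.ssid in net.ssids:
        return ("AP Spoof", "highest", "copies our BSSID and SSID")
    if obs.deauth_count > DEAUTH_THRESHOLD:
        return ("Malicious Broadcast", "high",
                f"{obs.deauth_count} broadcast deauths in {WINDOW_SECONDS}s")
    for kind, count in obs.frame_counts.items():
        if count > FLOOD_THRESHOLD:   # flood severity is assumed, not from the guide
            return ("Packet Flood", "high", f"{count} {kind} frames in {WINDOW_SECONDS}s")
    if obs.on_wired_lan:
        return ("Rogue SSID", "critical", "wired LAN intrusion")
    kw = keyword_match(obs.ssid, net.keywords)
    if kw is not None:
        return ("Rogue SSID", "critical", f"SSID matches keyword '{kw}'")
    if obs.adhoc:
        return ("Rogue SSID", "critical", "ad-hoc network bridging our clients")
    return ("Other SSID", "info", "neighbouring network, most likely not malicious")

# Constructed sample scan, roughly what the WIPS threat list would show.
NET = OurNetwork(ssids={"AcmeCorp"}, bssids={"00:18:0a:11:22:33"},
                 keywords=[("Acme", False)])
SAMPLE = [
    Observation("00:18:0a:11:22:33", "AcmeCorp"),                         # impostor AP
    Observation("0c:8d:db:aa:bb:01", "Printer-Setup", on_wired_lan=True),
    Observation("0c:8d:db:aa:bb:02", "Acme-Guest-Free"),
    Observation("a4:5e:60:cc:dd:03", "Johns iPhone", adhoc=True),
    Observation("0c:8d:db:aa:bb:04", "Coffee-Shop"),
    Observation("0c:8d:db:aa:bb:05", "AcmeCorp", deauth_count=400),
    Observation("0c:8d:db:aa:bb:06", "Coffee-Shop", frame_counts={"auth": 2000}),
]
```

The check order matters: a spoof or an active attack is reported before the quieter rogue categories, so one device never drops to "Other SSID" while it is flooding the channel.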


5 Threat Remediation Policies

There are a number of manual actions or automated policies that can be set as a response to the detection of certain types of wireless threats based on their severity. When you choose to 'contain' a rogue SSID, the Meraki AP will spoof the broadcast SSID MAC address of the wireless rogue AP and constantly send deauthentication frames to all devices attempting to authenticate to the rogue, rendering it unusable by any third party clients.

LAN Containment

When the option for 'auto-containment when on LAN' is selected, your Air Marshal AP will automatically send broadcast deauthorization messages to any client trying to associate with a wired rogue SSID, essentially disabling access to this rogue. This action is taken in real time, as soon as any rogue AP is seen on the same wired network as your own AP. This policy should only be used when you are certain that you want to stop any other APs connected to your wired network from broadcasting, as you may disable employees’ or students' APs in your environment.

Figure 4 – Setting Remediation Policies (screenshot; callouts: specify exact or keyword matches; configure LAN containment; manual containment/whitelist)


SSID Keyword Containment

By specifying a keyword, any nearby rogue AP broadcasting an SSID that contains this keyword will be automatically contained, and clients will no longer be able to associate with it. For example, if “Acme” is specified as a keyword and a rogue AP begins broadcasting an SSID named “AcmeCorp”, it will automatically be contained and clients will not be able to associate with it. This can be helpful in detecting people who are trying to copy your network with similar names and ‘trick’ clients into associating with their own AP.

You can choose to specify the ‘exact match’ box if you wish for only exact SSID spoofs to be auto-contained upon detection. For example, if “Acme123456” is specified and the ‘exact match’ box is selected, only a Rogue SSID with the name “Acme123456” will be contained. This should be used if you only want to restrict rogue APs with exactly the same name as your own.

Manual Containment from Threats List

It is possible to navigate through a list of wireless threats and monitor rogue APs, malicious broadcasts and packet floods in real-time. Each wireless threat includes details such as the broadcast MAC address of the rogue AP, which AP it was seen by, the manufacturer of the rogue AP, and other information such as its VLAN domain. You can use this information to decide which threat may be serious and either disable the rogue, whitelist it, or set specific threat remediation policies for future containment.

You can also ‘uncontain’ or unblock rogue APs you may have chosen to block in the past.


Note: There may be legal implications of your containment actions depending on where your network is located. Containment should not be used unless the offending SSID is within your jurisdiction.


6 Configuring Threat Alerts

It is possible to configure real-time alarms on intrusions detected on your wired and wireless infrastructure in Meraki’s Dashboard. On the Configure → Network Settings page, checking the ‘An access point detects rogue APs’ box enables real-time alarms on your system.

The following will trigger an alarm:

• A rogue AP seen on the wired LAN

• A rogue AP seen with an SSID containing a configured keyword

• A rogue AP seen with an SSID exactly matching a configured keyword

You can therefore configure your network to monitor and inform you of wireless threats in real time, even if you are not physically monitoring the Meraki dashboard. Having received an alert, you can now view the threat in dashboard and obtain the relevant details about the Rogue AP, including taking further policy actions to contain or whitelist the rogue (if you had an auto-containment policy in place) and/or create new auto-containment policies for future breaches.
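The containment, whitelist and alert rules from this section and the previous one, as an added Python illustration that is not Meraki's code. The `Policy` fields mirror the Dashboard options named in the text; the precedence of the whitelist over every other rule, the behaviour when the alert checkbox is off, and the sample threat list are assumptions. Only the decision is modelled, not the containment mechanism itself.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Settings from the Air Marshal page plus the Network Settings alert box."""
    auto_contain_on_lan: bool = False               # 'auto-containment when on LAN'
    keywords: list = field(default_factory=list)    # (keyword, exact_match) pairs
    whitelist: set = field(default_factory=set)     # BSSIDs whitelisted as known rogues
    contained: set = field(default_factory=set)     # BSSIDs contained from the threat list
    alert_on_rogue_aps: bool = False                # 'An access point detects rogue APs'

@dataclass
class Rogue:
    bssid: str
    ssid: str
    on_wired_lan: bool = False

def match_keyword(ssid, keywords):
    """Return (keyword, exact) for the SSID; exact-match keywords are tried first."""
    for kw, exact in sorted(keywords, key=lambda k: not k[1]):
        if (ssid == kw) if exact else (kw.lower() in ssid.lower()):
            return kw, exact
    return None

def decide(rogue, policy):
    """Return (action, reasons, alerts); action is 'ignore', 'contain' or 'monitor'."""
    if rogue.bssid in policy.whitelist:   # assumed: whitelist overrides all other rules
        return "ignore", ["whitelisted by the administrator"], []
    contain = rogue.bssid in policy.contained
    reasons = ["contained manually from the threat list"] if contain else []
    alerts = []
    if rogue.on_wired_lan:
        alerts.append("rogue AP seen on the wired LAN")
        if policy.auto_contain_on_lan:
            contain = True
            reasons.append("auto-containment when on LAN")
    hit = match_keyword(rogue.ssid, policy.keywords)
    if hit is not None:
        kw, exact = hit
        contain = True
        reasons.append(f"SSID {'exactly matches' if exact else 'contains'} keyword '{kw}'")
        alerts.append("rogue AP SSID exact match" if exact else "rogue AP SSID keyword match")
    if not policy.alert_on_rogue_aps:   # alarms only fire when the checkbox is ticked
        alerts = []
    return ("contain" if contain else "monitor"), reasons, alerts

def uncontain(policy, bssid):
    """Unblock a rogue that was contained earlier; returns the updated policy."""
    policy.contained.discard(bssid)
    return policy

# Constructed policy and threat list for the example.
POLICY = Policy(auto_contain_on_lan=True,
                keywords=[("Acme", False), ("Acme123456", True)],
                whitelist={"0c:8d:db:aa:bb:04"},
                contained={"0c:8d:db:aa:bb:06"},
                alert_on_rogue_aps=True)
ROGUES = [
    Rogue("0c:8d:db:aa:bb:01", "Printer-Setup", on_wired_lan=True),  # wired rogue
    Rogue("0c:8d:db:aa:bb:02", "AcmeCorp"),                          # contains 'Acme'
    Rogue("0c:8d:db:aa:bb:03", "Acme123456"),                        # exact copy of our SSID
    Rogue("0c:8d:db:aa:bb:04", "Employee-AP", on_wired_lan=True),    # whitelisted
    Rogue("0c:8d:db:aa:bb:05", "Coffee-Shop"),                       # neighbour, no action
    Rogue("0c:8d:db:aa:bb:06", "Coffee-Shop"),                       # contained manually
]
```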


7 Dedicated WIPS vs. Hybrid Scanners

An ongoing debate in the world of WLAN security centers on the effectiveness of dedicated WIPS overlay scanners versus hybrid scanners. Hybrid scanners are APs that perform background or ‘time-sliced’ scanning while simultaneously serving clients. The areas of debate below highlight the pros and cons of both scanning methodologies, with examples:

• Scanning effectiveness. Wireless intrusions come in a variety of flavors and can happen on any channel at any time, potentially lasting only for brief intervals. There are 13 channels in the 2.4 GHz band and 23 channels in the 5 GHz band. WLAN transceivers are half duplex: they do not transmit and receive at the same time. In typical WLAN scenarios APs are transmitting 80% of the time and receiving 20% of the time, leaving marginal room for sensor activation. By decoupling client serving from rogue scanning, it is possible to deploy WIPS sensors in additional areas to provide intrusion coverage beyond your Wi-Fi zone.

• Client performance. Serving clients to pass IP traffic vs. scanning the surrounding airspace for threats are two separate functions. Allocating the same hardware device to perform both will have impacts on client performance. When using hybrid scanners, latency sensitive traffic such as VoIP may be dropped.

• Cost. Using hybrid scanners will be more cost-effective than using dedicated ones in cost-constrained scenarios, but this comes at the risk of compromising the security of your environment.

• Sophisticated Hackers. In the case of hybrid scanners, hackers can use sophisticated techniques such as connecting to the AP and then setting up a rogue on a different channel, or inspecting traffic of the client serving radios and identifying MAC address, vendor, and chipset information to launch more sophisticated attacks.

Ultimately, the choice to deploy hybrid vs. dedicated scanning functions lies with the end customer. It is highly recommended that the customer evaluate the ease of configuration and the reliability of the implementation of different vendors’ WIPS platform when choosing a solution. It is imperative to design a secure network topology to address the broad range of security elements including Layer 3-7 firewalls, network access control (NAC), group policies and bandwidth limits, secure sign-on using industry standards such as 802.1x, and finally, a robust and sound WIPS system such as Air Marshal. Designing for security will future-proof the network in the age of wireless threats and enable the highest possible efficiency in your corporate WLAN environment, ensuring you maximize your ROI during the depreciable life of your WLAN infrastructure.