
Rule Based Rogue Classification in Wireless LAN Controllers (WLC) and Wireless Control System (WCS)

Document ID: 110263

Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Rule Based Rogue Classification
  Rule Based Rogue Classification Terminologies
  Rogue Classification Rules
  Rogue Classification and Rogue States
  Rogue States Explained
How to Configure Rogue Rules in WLC
How to Configure Rogue Rules in WCS
Related Information

Introduction

In the Wireless Control System (WCS) 5.0 release, WCS enhanced the Rogue Management functionality for different rogue AP types and provided user-defined rules to automatically classify the rogue APs. WCS applied rogue AP classification rules to the controllers. This document explains the enhanced Rogue Management functionality and the steps necessary to configure this functionality on the Wireless LAN Controller (WLC) and WCS.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Knowledge of Lightweight Access Point Protocol (LWAPP)
• Knowledge of Wireless LAN Controller Security Solutions

Components Used

The information in this document is based on these software and hardware versions:

• Cisco 4400 Series WLC that runs firmware 5.2
• Cisco Aironet 1130 AG Series Lightweight Access Points (LAPs)
• Cisco Wireless Control System version 5.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Rule Based Rogue Classification

In WCS versions prior to release 5.0, WCS displayed too many rogue access points (APs) in the Security Summary page. Even though the rogue states differ, they all appear on one page, sorted by the BSSID/MAC address of the rogue.

In the WCS 5.0 release, WCS enhanced Rogue Management functionality and introduced new terminologies (Unclassified, Malicious, and Friendly) for different rogue AP types and provided user-defined rules to automatically classify the rogue APs. WCS applied rogue AP classification rules to the controllers.

WCS enhanced the rogue state management function to keep the rogue state as External once the state of a rogue has been manually changed to External. WCS also updates the External state for the other controllers when WCS pulls or handles trap messages from the other controllers.

In order to support this feature, both WLC and WCS should run the 5.0 release.

Rule Based Rogue Classification Terminologies

With this new functionality, these new rogue AP types are introduced:

Malicious AP: A detected AP that matches user-defined Malicious rules or has been manually moved from Friendly APs.

Friendly AP: Existing Known, Acknowledge, and Trust Missing rogue states are classified as Friendly. In addition, detected APs that match user-defined Friendly rules are classified as Friendly. Friendly APs cannot be contained.

Unclassified AP: A detected AP that did not match the Malicious or Friendly rules. An Unclassified AP can be contained. An Unclassified AP can be manually moved to Friendly by the user. User-defined rules can also automatically move an Unclassified AP to Friendly or Malicious; for example, on detection the SSID is empty, but on the next rogue report an SSID is found and it turns out to be a user-configured SSID.

Rogue Classification Rules

These are classification rules applicable to each of the rogue AP types:

• Malicious Rules
  ♦ Matches managed SSID
  ♦ Matches user-configured SSID
  ♦ No encryption on an SSID
  ♦ Minimum RSSI
  ♦ Time duration
  ♦ Number of clients associated

• Friendly Rules
  ♦ Managed SSID
  ♦ User-configured SSID

• Unclassified Rules
  ♦ Does not match Malicious or Friendly rules

The user can choose to match all, any, or some of the rule conditions under each rule:

• All means match all of the configured conditions for the rule.
• Any means match any of the configured conditions for the rule.
• Some means match only a subset of the configured conditions for the rule.

For example, under Malicious Rules, the user configures Managed SSID and Minimum RSSI. Then, the user has the choice to match all or any of the two conditions, or match just the Minimum RSSI condition.

When the controller receives the rogue report, it does this:

• Checks if the detected AP is in the user-configured MAC list. If so, it classifies the AP as a Friendly type.
• If the detected AP is not in the list, it starts to apply the rules.
  ♦ First, it applies Malicious Rules. If Malicious Rules match, the AP is classified as the Malicious type. If the RLDP/rogue detector determines that this rogue is on the network, it marks the rogue state as Threat. The user can manually contain the AP, which changes the rogue state to Contained. If the AP is not on the network, it marks the rogue state as Alert, and the user can contain it manually.
  ♦ If Malicious Rules do not match, it applies Friendly Rules. If Friendly Rules match, it classifies the AP as a Friendly type.
  ♦ If Friendly Rules do not match, it classifies this AP as Unclassified. If the RLDP/rogue detector determines that this rogue is on the network, it marks the rogue state as Threat and classifies it as a Malicious type. The user can manually contain the AP, which changes the rogue state to Contained. If the AP is not on the network, it marks the rogue state as Alert, and the user can contain it manually.
• The user can manually move the AP to a different classification type.
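The evaluation order above, written out as an added Python example (not code from the Cisco document or from the controller): the managed and user-configured SSID sets, the Friendly MAC list and the rogue reports are constructed sample data, and modelling the "some" match operation as a minimum number of matching conditions is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data, not from the Cisco document.
MANAGED_SSIDS = {"corp-wlan"}           # SSIDs the controller itself serves
USER_CONFIGURED_SSIDS = {"corp-guest"}  # SSIDs the admin listed as user configured
FRIENDLY_MACS = {"00:11:22:33:44:55"}   # user-configured Friendly MAC list

@dataclass
class RogueReport:
    mac: str
    ssid: str
    encrypted: bool
    rssi: int         # dBm as reported by the detecting AP
    duration: int     # seconds since first detection
    clients: int      # rogue clients associated
    on_network: bool  # result of the RLDP / rogue-detector check

@dataclass
class Rule:
    rule_type: str          # "Malicious" or "Friendly"
    conditions: dict        # condition name -> threshold, or True for flag conditions
    match_op: str = "all"   # "all", "any" or "some"
    min_hits: int = 1       # for "some"; assumption: at least min_hits conditions must hit

def count_hits(rule, r):
    checks = {
        "managed_ssid": lambda v: r.ssid in MANAGED_SSIDS,
        "user_ssid": lambda v: r.ssid in USER_CONFIGURED_SSIDS,
        "no_encryption": lambda v: not r.encrypted,
        "min_rssi": lambda v: r.rssi >= v,
        "duration": lambda v: r.duration >= v,
        "min_clients": lambda v: r.clients >= v,
    }
    return sum(1 for name, v in rule.conditions.items() if checks[name](v))

def rule_matches(rule, r):
    hits = count_hits(rule, r)
    if rule.match_op == "all":
        return hits == len(rule.conditions)
    return hits >= (1 if rule.match_op == "any" else rule.min_hits)

def classify(r, rules):
    """Return (classification, rogue state) in the controller's evaluation order."""
    if r.mac in FRIENDLY_MACS:          # 1. user-configured MAC list wins outright
        return "Friendly", "Internal"   # Internal or External is the admin's choice; Internal assumed
    if any(rule_matches(x, r) for x in rules if x.rule_type == "Malicious"):
        return "Malicious", "Threat" if r.on_network else "Alert"  # 2. Malicious rules
    if any(rule_matches(x, r) for x in rules if x.rule_type == "Friendly"):
        return "Friendly", "Alert"      # 3. Friendly rules; not in the MAC list, so Alert
    if r.on_network:                    # 4. no rule matched but RLDP found it on the wire
        return "Malicious", "Threat"
    return "Unclassified", "Alert"
```

Note that an AP that matches no rule is still reclassified as Malicious with state Threat once RLDP finds it on the wired network, which is the fourth branch above.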

Rogue Classification and Rogue States

This table shows the different classifications of rogues and the rogue states for each classification.

Rule-based Classification Type   Rogue States
Malicious AP                     Alert, Threat, Contained, Contained Pending, Removed
Unclassified AP                  Alert, Contained, Contained Pending, Removed
Friendly AP                      Internal (Known currently), External (Acknowledge currently), Internal Missing (Trust Missing), Alert

Rogue States Explained

• Pending: On first detection, the detected AP is put in the Pending state for 3 minutes. This time is sufficient for managed APs to determine if the detected AP is a neighbor AP.
• Alert: After the 3-minute time-out, the detected AP is moved to Alert if it is not in the neighbor list or the user-configured Friendly MAC list.
• Threat: The detected AP is found on the network.
• Contained: The detected AP is contained.
• Contained Pending: The detected AP is marked contained, but the containment action is delayed because of unavailable resources.
• Internal: The detected AP is inside the network, and the user manually configures it as Friendly, Internal; for example, the APs in a lab network.
• External: The detected AP is outside the network, and the user manually configures it as Friendly, External; for example, the APs that belong to a neighboring network.
• Trusted Missing: If a user-configured Friendly MAC was detected and is then not heard for the trust-timeout duration, the rogue state of the Friendly AP is marked as Trusted Missing.
• Removed: If a Malicious or Unclassified AP is not heard by any of the controllers for the rogue-timeout duration, the rogue state of the AP is marked as Removed.

How to Configure Rogue Rules in WLC

In order to configure rogue rules on the Wireless LAN Controller, complete these steps.

1. Rogue rules can be created on the WLC from the Security > Wireless Protection Policies > Rogue Policies > Rogue Rules page.

2. In order to create a new rogue policy, click the Add Rule button. The Rogue Rules window appears. Enter a name for the rule. This example uses Rule1. Choose the type of rule. This is an example of a Malicious rule. Click Add. Rule1 is created.

3. In order to edit this rule, click the rule that was created. The Rogue Rule > Edit page appears. On this page, check the Enable Rule check box to activate the rule. Choose the Match Operation type and other conditions based on the requirement, as in this example.

4. This is an example of the Friendly rogue rule policy.

5. The output of the rogue rules can be seen at Monitor > Rogues > Malicious AP.

6. Similarly, the output of the Friendly Rules and Unclassified Rules can be viewed on the Monitor > Rogues > Friendly AP and Monitor > Rogues > Unclassified AP pages.

How to Configure Rogue Rules in WCS

Rogue Rule List: WCS provides a system-level rogue rule setting. In order to configure rogue rules on WCS, complete these steps.

1. Choose Configure > Controller Template, and then click Security > Rogue AP Rules to access the Rogue AP Rules list page.

2. Click Add Classification Rule in the drop-down menu at the top right to add a new classification rule.

3. Click the template name to edit the rogue rule. This rule detail page enables you to edit or update the rogue AP rule, or delete the rule.

   Rogue AP Rule Setting Parameters: On this page, users can enable any condition by checking its check box, and concatenate any or all of these conditions:

   ♦ No Encryption
   ♦ Match Managed AP
   ♦ Match User Configured SSID
   ♦ Minimum RSSI
   ♦ Duration
   ♦ Minimum Number Rogue Client

   This is an example of a Malicious rule:

4. This is an example of a Friendly rule:

   The Rogue AP Rules page lists all the rules created.

5. The next step is to configure a rule group and apply these rules to the controllers. In order to do this, use the Rogue AP Rule Groups setting on the WCS.

6. In order to create a new rule group, choose Configure > Controller Template, and then click Security > Rogue AP Rule Groups from the WCS GUI.

7. The Rogue AP Rule Groups > New Template page enables you to add or update the rogue AP rule group, delete the rule, and apply the rule group to the controller. Use the Add/Remove buttons to choose the rogue AP rules for this rule group. Use the Up/Down buttons to specify the order in which the rules are applied. This is an example. Once the rule group is configured, click Save.

8. Once you save the rule group, it can be applied to controllers. In order to apply the rule group to the controller, edit the rule group. Click the rule group name.

9. Click Apply to Controllers. On the next page, choose the controllers to which this rule is applied. This is an example. Once the rules are applied to the controllers, you see a Success message on the WCS.

10. Details about the classified APs can be viewed on the Security Summary page. This is an example.

11. Details about the classified APs, specifically Malicious, Friendly, and Unclassified APs, can be viewed when you click the appropriate classification from the Security Summary page. This is an example for the Malicious APs.

Related Information

• Rogue Detection under Unified Wireless Networks
• Technical Support & Documentation - Cisco Systems

© 2013-2014 Cisco Systems, Inc. All rights reserved.

Updated: Jul 01, 2009 Document ID: 110263