Ruijie Community

Title: How to configure rogue AP countermeasures

Author: GTAC-Daisy    Time: 2019-8-20 11:25
Overview
Compared with wired networks, a WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, so it is being applied more and more widely. However, because the WLAN channel is open, wireless networks are exposed to a wide array of threats such as unauthorized APs, ad-hoc networks and various protocol attacks.
Security has therefore become an important factor inhibiting the development of WLAN.
WIDS (Wireless Intrusion Detection System) provides early detection of malicious attacks and intrusions, and helps the network administrator proactively discover hidden defects in the network and take the necessary countermeasures.
Currently, WIDS mainly provides the following features:
·  Rogue device detection and countermeasures
·  IDS attack detection
·  Frame filtering (blacklist and whitelist)
·  User isolation
Basic concepts of rogue device countermeasures
Rogue device: an unauthorized or malicious device on the network. It can be an illegal AP, an illegal bridge or an unauthorized ad-hoc device.
Rogue AP: an unauthorized or malicious AP on the network, such as an unauthorized AP, a misconfigured AP or an attacker-operated AP.
Rogue AP countermeasure: the monitoring AP contains a rogue AP whose address is in the attack list by sending spoofed deauthentication (authentication release) frames carrying that rogue AP's address, so that clients are disconnected from it.
I. Requirements
Monitor rogue APs and configure countermeasures against them.
II. Network Topology
III. Configuration Tips
1. Configure the AP device mode
2. Configure the countermeasures
IV. Configuration Steps
1. Configure the AP in monitor or hybrid mode
       AC(config)# ap-config ap220-e
       AC(config-ap)# device mode monitor    or   AC(config-ap)# device mode hybrid
Note:
Monitor mode: the AP only monitors and contains rogue APs
Hybrid mode: the AP monitors and contains rogue APs while also forwarding user data like a normal AP (reduced monitoring performance)
2. Configure the static rogue AP countermeasure list
Firmware version 11.X
AC(config)#ap-config AP220-I ----->enter ap-config mode
AC(config-ap)#device mode monitor
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13 ----->configure the 2.4 GHz scanning channels
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165 ----->configure the 5 GHz scanning channels
AC(config-ap)#exit ----->return to global configuration mode
AC(config)#wids ----->enter wids mode
AC(config-wids)#countermeasure enable ----->enable countermeasures
AC(config-wids)#countermeasures channel-match ----->enable channel-based containment
AC(config-wids)#countermeasures mode config ----->choose the countermeasures mode (config: contain the devices in the static attack list)

AC(config-wids)#device attack mac-address 061b.b120.700c ----->add the rogue AP BSSID 061b.b120.700c to the static attack list. You can scan for the rogue AP with WirelessMon to confirm its BSSID.
Appendix:
Because the AP740-I has three RF cards, radio 1 and radio 2 can be used for Wi-Fi service while radio 3 is dedicated to countering rogue APs. The configuration is shown below:
AC(config)#ap-config AP740-I ----->enter ap-config mode for the specific AP
AC(config-ap)#radio-type 3 802.11b ----->configure the third RF card as 2.4 GHz
AC(config)#ap-config AP740-I ----->enter ap-config mode
AC(config-ap)#device mode monitor radio 3 ----->assign radio 3 the countermeasure role
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13 ----->configure the 2.4 GHz scanning channels
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165 ----->configure the 5 GHz scanning channels
AC(config-ap)#exit ----->return to global configuration mode
AC(config)#wids ----->enter wids mode
AC(config-wids)#countermeasure enable ----->enable countermeasures
AC(config-wids)#countermeasures channel-match ----->enable channel-based containment
AC(config-wids)#countermeasures mode config ----->choose the countermeasures mode (config: contain the devices in the static attack list)

AC(config-wids)#device attack mac-address 061b.b120.700c ----->add the rogue AP BSSID 061b.b120.700c to the static attack list. You can scan for the rogue AP with WirelessMon to confirm its BSSID.
Countermeasure mode concept
Use this command to configure the device countermeasures mode. Use the no form of this command to restore the default setting.
countermeasures mode { all | adhoc | config | rogue | ssid }
no countermeasures mode { all | adhoc | config | rogue | ssid }
Optional configuration (use the following commands when the countermeasure is not effective)
1. Unknown STA detection (unicast countermeasure)
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#device unknown-sta dynamic-enable ----->enable the unknown STA detection and containment function

Ruijie(config-wids)#device unknown-sta mac-address 1234.1234.1234 ----->configure an unknown STA list entry
2. Add entries to the permit list
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#device permit mac-address 1234.1234.1236 ----->add 1234.1234.1236 to the permitted MAC list
Ruijie(config-wids)#device permit ssid test ----->add the SSID test to the permitted SSID list

Ruijie(config-wids)#device permit vendor bssid 1234.1234.1236 ----->add the vendor of this BSSID to the permitted vendor list
3. Configure countermeasure parameters
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#countermeasures interval 2000 ----->configure the countermeasures interval as 2000 ms
Ruijie(config-wids)#countermeasures ap-max 256 ----->configure the maximum number of devices contained at once, ranging from 1 to 256 (the default is 30)
Ruijie(config-wids)#countermeasures rssi-min 5 ----->configure the minimum RSSI for containment, ranging from 0 to 75 (setting this value too small is not recommended)
Ruijie(config-wids)#device detected-ap-max 100 ----->configure the maximum number of detected APs, ranging from 1 to 4096

Ruijie(config-wids)#device aging duration 1000 ----->configure the aging duration of detected devices, ranging from 500 to 5000 seconds
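As an added example (not part of the original post), the following Python script turns a scanner's results into the static attack list from the steps above: it flags only BSSIDs that advertise one of our own SSIDs without being an authorized AP or a permit-list entry, then renders the config-wids commands. The scan records and the authorized-AP inventory are constructed sample data; the BSSID 061b.b120.700c and the permit entry 1234.1234.1236 are the ones used in the post.

```python
import re

def to_dotted(mac: str) -> str:
    """Normalise any MAC notation (colons, dashes, dots) to Ruijie's xxxx.xxxx.xxxx form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def classify(scan, authorized_bssids, managed_ssids, permit_bssids=()):
    """Return (rogue_bssids, reasons). A scanned BSSID counts as a rogue AP when it
    advertises one of our own SSIDs but is neither in the authorized-AP inventory nor
    on the WIDS permit list; APs advertising other SSIDs (neighbours) are left alone."""
    authorized = {to_dotted(m) for m in authorized_bssids}
    permitted = {to_dotted(m) for m in permit_bssids}
    rogues, reasons = [], {}
    for ap in scan:
        bssid = to_dotted(ap["bssid"])
        if bssid in authorized or bssid in permitted:
            continue
        if ap["ssid"] in managed_ssids:
            rogues.append(bssid)
            reasons[bssid] = f"advertises managed SSID {ap['ssid']!r} on channel {ap['channel']}"
    return rogues, reasons

def wids_commands(rogues):
    """Render the config-wids commands from the post for the confirmed rogue BSSIDs."""
    lines = ["wids", "countermeasure enable", "countermeasures channel-match",
             "countermeasures mode config"]
    lines += [f"device attack mac-address {b}" for b in sorted(rogues)]
    return lines

# Constructed sample scan results (as a WirelessMon-style scanner would report them).
SCAN = [
    {"bssid": "06:1B:B1:20:70:0C", "ssid": "CorpWiFi", "channel": 6},
    {"bssid": "00-d0-f8-aa-bb-01", "ssid": "CorpWiFi", "channel": 1},
    {"bssid": "00-d0-f8-aa-bb-02", "ssid": "CorpWiFi", "channel": 149},
    {"bssid": "c4:12:f5:11:22:33", "ssid": "Neighbour", "channel": 11},
    {"bssid": "12:34:12:34:12:36", "ssid": "CorpWiFi", "channel": 6},
]
AUTHORIZED = ["00d0.f8aa.bb01", "00d0.f8aa.bb02"]  # constructed inventory of our own APs
PERMIT = ["1234.1234.1236"]  # the permit-list entry used in the post

if __name__ == "__main__":
    found, why = classify(SCAN, AUTHORIZED, {"CorpWiFi"}, PERMIT)
    for b in found:
        print(f"! {b}: {why[b]}")
    print("\n".join(wids_commands(found)))
```

Review the flagged BSSIDs against the reasons before pasting the output into the AC; the script only produces the static list, it does not talk to the controller.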
V. Verification
Wireless users cannot connect to the rogue APs, or their connections to the rogue APs suffer packet loss.