Overview

Compared with a wired network, a WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, and is therefore applied more and more widely. However, because the WLAN channel is open, wireless networks are exposed to a wide array of threats such as unauthorized APs, ad-hoc networks and various protocol attacks. Security has thus become an important factor inhibiting the development of WLAN.

WIDS (Wireless Intrusion Detection System) provides early detection of malicious attacks and intrusions and helps the network administrator proactively discover hidden weaknesses in the network and take the necessary countermeasures. Currently, WIDS mainly provides the following features:
· Rogue device detection and countermeasure
· IDS attack detection
· Frame filtering (black list and white list)
· User isolation

Basic concepts of rogue device countermeasure:
Rogue device: an unauthorized or malicious device on the network. It can be an illegal AP, an illegal bridge or an unauthorized ad-hoc device.
Rogue AP: an unauthorized or malicious AP on the network, such as an unauthorized AP, a misconfigured AP or an attacker-operated AP.
Rogue AP countermeasure: the monitoring AP contains a rogue AP whose address is in the attack list by sending spoofed deauthentication (authentication release) frames from that rogue AP's address, so that wireless clients are disconnected from it.

Two points to keep in mind before enabling countermeasure. First, containment means actively transmitting deauthentication frames against another network; keep the static attack list limited to devices you are entitled to contain (for example an evil twin of your own SSID), because contained neighbouring APs belong to someone else and deliberately disrupting them may be illegal where you operate. Second, clients and APs that negotiate 802.11w Protected Management Frames discard unprotected deauthentication frames, so containment is not effective against a PMF-protected rogue AP; detection still works and should be alerted on.

I. Requirements
Monitor rogue APs and configure countermeasures.

II. Network Topology

III. Configuration Tips
1. Configure the device mode
2. Configure countermeasure

IV. Configuration Steps
1. Configure the AP as monitor or hybrid mode
AC(config)#ap-config ap220-e
AC(config-ap)#device mode monitor
or
AC(config-ap)#device mode hybrid
Note:
Monitor mode: the AP only monitors and attacks rogue APs.
Hybrid mode: the AP monitors and attacks rogue APs and also forwards user data as a normal AP (lower monitoring performance).

2. Configure the countermeasure rogue AP static list
Firmware version 11.X:
AC(config)#ap-config AP220-I ----->enter ap-config mode
AC(config-ap)#device mode monitor
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13 ----->configure the 2.4G scanning channels
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165 ----->configure the 5G scanning channels
AC(config-ap)#exit
AC(config)#wids ----->enter wids mode
AC(config-wids)#countermeasure enable ----->enable countermeasure
AC(config-wids)#countermeasures channel-match ----->enable channel-based containment
AC(config-wids)#countermeasures mode config ----->choose the countermeasure mode (config = only the static attack list is contained)
AC(config-wids)#device attack mac-address 061b.b120.700c ----->add the rogue AP BSSID 061b.b120.700c to the static attack list. You can scan for the rogue AP with wirelessmon to confirm its BSSID.

Appendix: Because the AP740-I has three RF cards, radio 1 and radio 2 can be used for Wi-Fi service while radio 3 is dedicated to countermeasures against rogue APs. The configuration is shown below:
AC(config)#ap-config AP740-I ----->enter ap-config mode for the specific AP
AC(config-ap)#radio-type 3 802.11b ----->configure the third RF card as 2.4G
AC(config-ap)#device mode monitor radio 3 ----->assign radio 3 the countermeasure (monitor) role
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13 ----->configure the 2.4G scanning channels
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165 ----->configure the 5G scanning channels
AC(config-ap)#exit
AC(config)#wids ----->enter wids mode
AC(config-wids)#countermeasure enable ----->enable countermeasure
AC(config-wids)#countermeasures channel-match ----->enable channel-based containment
AC(config-wids)#countermeasures mode config ----->choose the countermeasure mode
AC(config-wids)#device attack mac-address 061b.b120.700c ----->add the rogue AP BSSID 061b.b120.700c to the static attack list. You can scan for the rogue AP with wirelessmon to confirm its BSSID.

Countermeasure mode concept:
Use this command to configure the device countermeasure mode. Use the no form of this command to restore the default setting.
countermeasures mode { all | adhoc | config | rogue | ssid }
no countermeasures mode { all | adhoc | config | rogue | ssid }
With config, only the addresses in the static attack list (device attack mac-address) are contained; the other keywords contain an entire detected category rather than a hand-picked list. The static list is the safest choice because it cannot hit a neighbouring network by accident.

Optional configuration (use the commands below when countermeasure is not effective enough):
1. Unknown STA detection (unicast countermeasure)
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#device unknown-sta dynamic-enable ----->enable unknown STA detection and containment
Ruijie(config-wids)#device unknown-sta mac-address 1234.1234.1234 ----->configure an unknown STA list entry
2. Add entries to the permit list
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#device permit mac-address 1234.1234.1236 ----->permit the MAC address 1234.1234.1236
Ruijie(config-wids)#device permit ssid test ----->permit the SSID test (any AP can broadcast this SSID, so an SSID permit is easy to spoof; prefer MAC or vendor permits for your own APs)
Ruijie(config-wids)#device permit vendor bssid 1234.1234.1236 ----->permit the vendor (OUI) of this BSSID
3. Configure countermeasure parameters
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#countermeasures interval 2000 ----->configure the countermeasure interval, 2000 ms
Ruijie(config-wids)#countermeasures ap-max 256 ----->configure the maximum number of devices contained at once, range 1 to 256 (default 30)
Ruijie(config-wids)#countermeasures rssi-min 5 ----->configure the minimum RSSI for containment, range 0 to 75 (do not set this too low, or the AP spends airtime containing devices it can barely hear)
Ruijie(config-wids)#device detected-ap-max 100 ----->configure the maximum number of detected APs, range 1 to 4096
Ruijie(config-wids)#device aging duration 1000 ----->configure the aging duration of detected devices, range 500 to 5000 seconds
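The static attack list above is built by hand from a scan, and the permit lists decide which scanned APs are left alone. The script below is an added example (not Ruijie code) that automates that decision: it parses a constructed scan export in the shape of a wirelessmon or `iw scan` CSV dump, applies permit rules equivalent to `device permit mac-address`, `device permit ssid` and `device permit vendor`, flags only a foreign BSSID that advertises one of our own SSIDs as an evil twin, and emits `device attack mac-address` lines in the dotted format the AC expects. The OUI 58:69:6c, the SSIDs and all BSSIDs except 061b.b120.700c are made-up sample data, and the dBm threshold is an assumed analogue of `countermeasures rssi-min`.

```python
"""Build a Ruijie WIDS static countermeasure list from an AP scan.

Added example, not Ruijie's own code.  Mirrors the page's permit lists
(device permit mac-address / ssid / vendor) and static attack list
(device attack mac-address).  All sample data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed scan export: BSSID,SSID,channel,RSSI(dBm).  06:1b:b1:20:70:0c is
# the rogue BSSID used on the page; every other value is invented.
SCAN_EXPORT = """\
06:1B:B1:20:70:0C,CorpWiFi,6,-48
58:69:6C:AA:BB:01,CorpWiFi,1,-40
58:69:6C:AA:BB:02,CorpWiFi,11,-55
00:11:22:33:44:55,Guest-Cafe,6,-82
58:69:6C:AA:BB:03,test,6,-60
AA:BB:CC:DD:EE:FF,CorpWiFi,11,-88
"""

OUR_SSIDS = {"CorpWiFi"}                                   # SSIDs our own APs serve
PERMIT_MAC = {"58:69:6c:aa:bb:01", "58:69:6c:aa:bb:02"}    # device permit mac-address
PERMIT_SSID = {"test"}                                     # device permit ssid
PERMIT_VENDOR_OUI = {"58:69:6c"}                           # device permit vendor (assumed OUI)
RSSI_MIN_DBM = -75   # assumed analogue of `countermeasures rssi-min`: too weak to contain


@dataclass(frozen=True)
class AP:
    bssid: str      # lower-case colon form
    ssid: str
    channel: int
    rssi: int


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def to_ruijie_mac(mac: str) -> str:
    """Ruijie CLI wants dotted quads, e.g. 061b.b120.700c."""
    digits = normalize_mac(mac).replace(":", "")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_scan(text: str) -> list[AP]:
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, chan, rssi = (f.strip() for f in line.split(","))
        aps.append(AP(normalize_mac(bssid), ssid, int(chan), int(rssi)))
    return aps


def classify(ap: AP) -> str:
    """Return permitted / evil-twin / neighbour; permit lists are checked first."""
    if (ap.bssid in PERMIT_MAC or ap.ssid in PERMIT_SSID
            or ap.bssid[:8] in PERMIT_VENDOR_OUI):
        return "permitted"
    if ap.ssid in OUR_SSIDS:
        return "evil-twin"     # foreign BSSID advertising our SSID: contain it
    return "neighbour"         # someone else's network: detect and log, never contain


def countermeasure_commands(text: str) -> list[str]:
    """CLI lines for `countermeasures mode config`: evil twins strong enough to contain."""
    cmds = []
    for ap in parse_scan(text):
        if classify(ap) == "evil-twin" and ap.rssi >= RSSI_MIN_DBM:
            cmds.append(f"device attack mac-address {to_ruijie_mac(ap.bssid)}")
    return cmds


if __name__ == "__main__":
    for ap in parse_scan(SCAN_EXPORT):
        print(f"{ap.bssid}  {ap.ssid:<10} ch{ap.channel:<3} {ap.rssi:>4} dBm  {classify(ap)}")
    print("\n".join(["wids"] + countermeasure_commands(SCAN_EXPORT)))
```

Run it and paste the printed `wids` block into the AC. Only the evil twin at -48 dBm becomes an attack entry; the Guest-Cafe AP is reported as a neighbour and left alone, and the second evil twin at -88 dBm is logged but not contained because the monitor AP can barely hear it. Note that the SSID permit makes any AP broadcasting `test` permitted, which is exactly why it is the weakest of the three rules.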
V. Verification
Wireless users can no longer associate with the rogue AP, or their connections to it suffer packet loss.
©2000-2023 Ruijie Networks Co,Ltd