Wireless Intrusion Prevention Techniques

About Wireless Intrusion Prevention Techniques

A large number of Wi-Fi devices, Access Points (APs) and clients, are commonly present in the vicinity of an enterprise. While most are legitimate devices belonging either to the enterprise or to businesses around it, manually tracking which of them pose a threat, or which Wi-Fi connections violate the enterprise security policy, is impractical.

Arista Wireless Intrusion Prevention System (WIPS) can automate that process and protect enterprise networks from Wi-Fi-based vulnerabilities and attacks. It can also track the physical location of Wi-Fi devices on enterprise premises.

Arista WIPS uses a variety of patented techniques to classify Wi-Fi devices automatically and accurately as follows.
  • Authorized: Owned and officially deployed by the enterprise,
  • External: Legitimate Wi-Fi devices in the enterprise vicinity, and
  • Rogue: Unauthorized Wi-Fi devices on the enterprise network.
This serves as the foundation for enforcing Wi-Fi security policies. Based on the accurate device classification, Arista WIPS can automatically block threat-posing Wi-Fi devices and connections (shown in red in the figure below).

You can enable automatic intrusion prevention using Arista CV-CUE, by navigating to CONFIGURE > WIPS > Automatic Intrusion Prevention or from DASHBOARD > WIPS.

Depending on the type of threat, intrusion prevention can be defined in the following ways.

Access Point Prevention

To automatically block all connections to threat-posing APs such as rogue APs, banned APs, and misconfigured APs.

Client Prevention

To automatically prevent client connections based on the type of client involved, e.g., authorized, guest, rogue, external, banned, and the type of AP (or client) to which it tries to connect. Thus, Client Prevention can block various types of threat-posing Wi-Fi connections, e.g., an authorized client could be blocked from connecting to an external AP that is a Wi-Fi hotspot while allowing other external clients to connect to that AP; an unauthorized client could be blocked from connecting to an authorized AP while allowing authorized clients to connect to that AP.

Threat Prevention

Arista WIPS can also be configured to automatically protect enterprises from malicious Wi-Fi-based attacks such as:
  1. ARP spoofing/MAC spoofing: In ARP spoofing, an attacker sends forged ARP replies that map the IP address of a legitimate device (for example, the default gateway or an authorized AP) to the attacker's own MAC address. Clients that accept the forged mapping send traffic intended for the legitimate device to the attacker instead, who can read or modify it before forwarding it on. In MAC spoofing, the attacker impersonates the MAC address of an authorized AP or client in order to pass as that device.
  2. Honeypot: In a honeypot (man-in-the-middle) attack, an unauthorized AP in the vicinity of an enterprise tries to lure authorized enterprise clients into connecting to it by broadcasting the same SSID as an authorized AP, but with a stronger signal (higher RSSI). An attacker can also run several honeypots simultaneously (a "multipot") to evade prevention.
  3. DoS Attack: Using a variety of techniques, an attacker can flood an enterprise network with large numbers of junk Wi-Fi frames, or with frames that consume a significant amount of airtime, starving legitimate APs and clients of the opportunity to transmit and thus disrupting Wi-Fi service for legitimate users.
Such attacks can expose user data. Arista WIPS automatically classifies the APs in the vicinity as authorized, rogue, or external according to the AP auto-classification policy; the classification lets the system alert on activity from any AP other than the authorized ones, and the Intrusion Prevention Level (described below) controls how much prevention effort is applied. To stop such activity, WIPS uses the following intrusion prevention methods:
  • Inline: The serving AP enforces prevention itself, alongside the background scanning performed by its third radio. It is used mainly where no dedicated WIPS sensor is present or when automatic intrusion prevention is turned off. When a client sends a connection request, the AP checks whether the client is rogue or authorized under the client auto-classification policy already defined. If the client is rogue, the AP discards its request frames at the driver level; if it is authorized, the AP authenticates it itself. This applies to both open and encrypted SSIDs.
  • De-Auth: This technique breaks unauthorized connections by sending deauthentication frames that follow the 802.11 message format. When a misbehaving client connects to a rogue AP and tries to access the network, an authorized AP detects the unauthorized connection and unicasts a deauthentication frame to the client, disrupting its connection with the rogue AP. Encrypted ad hoc clients, for which prevention beacons are sent, can be prevented with the same technique. This also works in offline mode: while an AP is online it keeps a list of the rogue or misconfigured connections defined by AP auto-classification, so even after the AP goes into offline mode it can use that list to detect those rogue APs and automatically prevent activity from them. Note that connections protected by 802.11w (Protected Management Frames, mandatory in WPA3) discard unauthenticated deauthentication frames, so this method has limited effect against them.
  • Wireless ARP Prevention: Used against a multipot attack, where the client moves between the attacker's multiple APs so quickly that deauthentication is not effective. Instead of deauthentication frames, the WIPS sensor sends ARP poisoning packets carrying a spoofed MAC address over the wireless medium, so that an authorized client that associates with a rogue AP cannot exchange traffic through it.
  • Wired ARP: Any activity from a rogue AP should be detected and disabled. When unauthorized activity is detected, ARP poisoning packets are sent over the wired network (and over open ad hoc connections as well). The wired ARP technique is also used when the capacity of the configured intrusion prevention level is exhausted: for example, with the "Block" level, which prevents one channel per radio, a threat-posing device detected on a second channel is handled by wired ARP. ARP poisoning packets sent from the wired interface stop wireless clients from reaching the secured wired network through the rogue AP. They are unicast to the affected authorized client, so other connections are not affected.
  • Selective NAV: This technique is used against DoS attacks, which deny service to legitimate receivers. To mitigate them, WIPS has the APs reserve definite time slots for legitimate clients by setting the Network Allocation Vector (NAV), so a device trying to flood the network with useless frames never gets the chance to transmit.
  • Cell Splitting: This technique is used to prevent encrypted ad hoc Wi-Fi networks. WIPS sends fake beacons with a randomly changing cell ID, so clients in ad hoc mode take the preventing device for the owner of the ad hoc network; because the cell ID keeps changing, the network never settles on a particular cell ID and cannot operate.

Intrusion Prevention Level

Arista WIPS offers four levels of automatic intrusion prevention, listed below.

Level       Channels-per-radio prevented
Block       1
Disrupt     2
Interrupt   3
Degrade     4

Each automatic intrusion prevention level defines the number of channels-per-radio that an AP can prevent. To detect an intrusion, an AP radio scans all the channels in its frequency band of operation, spending 120 ms on each channel. One scan cycle is the time it takes an AP radio to complete scanning all the channels once. At each level, Arista WIPS can prevent up to 10 intruding devices.

Consider an AP whose intrusion prevention level is set to "Block". Suppose this AP detects an intrusion on channel 36. Since the level is set to "Block", the AP can prevent one channel per radio, in this case channel 36. During its scan cycle, the AP then "visits" channel 36 more frequently, sending deauthentication packets to block the unwanted communication on channel 36. (Intrusions subsequently detected on other channels are put in a "Pending" list.) If the intrusion prevention level is set to "Disrupt" and the AP detects intrusions on two channels, it divides the time it spends sending deauthentication packets between the two channels. This disrupts the unwanted communication on each of the two channels but does not block it completely. "Disrupt" is therefore a weaker form of prevention than "Block"; some packets belonging to the intruding device may get through. The same logic extends to "Interrupt" and "Degrade": these levels respectively interrupt and degrade the unwanted communication across three and four channels; they do not disrupt or block it.

So the trade-off is between the effectiveness of intrusion prevention and its coverage, in terms of the number of channels across which threats can be prevented. The larger the number of channels-per-radio prevented, the weaker the prevention, since the AP has to divide the time it spends sending deauthentication packets among a larger number of channels. Choose the intrusion prevention level based on the needs of your Wi-Fi environment. By default, the intrusion prevention level is set to "Disrupt".
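The following is an added example written for this page, not Arista code: a small model of how an intrusion prevention level caps the number of channels one AP radio can prevent, what happens to intrusions beyond that cap (the "Pending" list), and how the deauthentication airtime gets thinner as more channels are prevented. The channels-per-radio per level, the 120 ms dwell per channel and the limit of 10 prevented devices per level are taken from the text above; the equal split of prevention airtime among actively prevented channels is a simplifying assumption of this model, not a documented Arista behaviour.

```python
"""Model of an AP radio's prevention slots under an intrusion prevention level.
Added illustration for this page (not Arista code).  The equal-share airtime
model is an assumption; the level table, dwell time and device cap come from
the documentation text."""
from dataclasses import dataclass, field

PREVENTION_LEVELS = {"Block": 1, "Disrupt": 2, "Interrupt": 3, "Degrade": 4}
MAX_PREVENTED_DEVICES = 10   # per level, from the text
DWELL_MS = 120               # scan dwell per channel, from the text


@dataclass
class RadioPrevention:
    level: str
    active: dict = field(default_factory=dict)    # channel -> {intruder MAC, ...}
    pending: list = field(default_factory=list)   # [(channel, MAC), ...] awaiting a slot

    @property
    def channel_slots(self):
        return PREVENTION_LEVELS[self.level]

    def prevented_devices(self):
        return sum(len(macs) for macs in self.active.values())

    def _fits(self, channel):
        if self.prevented_devices() >= MAX_PREVENTED_DEVICES:
            return False
        # A channel already under prevention costs no extra slot.
        return channel in self.active or len(self.active) < self.channel_slots

    def detect(self, channel, mac):
        """Admit an intrusion to active prevention when the level still has a
        free channel slot (or the channel is already prevented); otherwise park
        it in the Pending list, as the text describes."""
        if self._fits(channel):
            self.active.setdefault(channel, set()).add(mac)
            return "active"
        self.pending.append((channel, mac))
        return "pending"

    def clear(self, channel, mac):
        """An intruder went quiet: free its slot, then promote, in arrival
        order, any pending intrusion that now fits."""
        macs = self.active.get(channel)
        if macs:
            macs.discard(mac)
            if not macs:
                del self.active[channel]
        still_waiting = []
        for ch, m in self.pending:
            if self._fits(ch):
                self.active.setdefault(ch, set()).add(m)
            else:
                still_waiting.append((ch, m))
        self.pending = still_waiting

    def prevention_share(self, channel):
        """Fraction of this radio's deauthentication airtime spent on a channel
        (equal split across active channels: a modelling assumption)."""
        if channel not in self.active:
            return 0.0
        return 1.0 / len(self.active)


def scan_cycle_ms(channels):
    """Duration of one full scan of a band at 120 ms per channel."""
    return DWELL_MS * len(channels)
```

Running `RadioPrevention("Block")` against intrusions on two channels shows the second one parked as pending until the first clears, while `RadioPrevention("Disrupt")` prevents both but with half the airtime each; that is the coverage-versus-effectiveness trade-off the text describes.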

Authorized Wi-Fi Policy

 

Arista Wireless Intrusion Prevention System (WIPS) uses a variety of patented techniques to automatically and accurately classify Wi-Fi Access Points (APs) and clients as follows.
  • Authorized: Owned and officially deployed by the enterprise,
  • External: Legitimate Wi-Fi devices in the enterprise vicinity, and
  • Rogue: Unauthorized Wi-Fi devices on the enterprise network.
An Authorized Wi-Fi Policy forms the basis of this automatic device classification; it can be defined in terms of:
  • The characteristics of the official enterprise Wi-Fi network, e.g., SSID name, whether or not the SSID is a guest SSID, the type of authentication and encryption used, a mapping of SSIDs to specific enterprise subnetworks they are allowed to run on, allowed vendors, etc.
  • A pre-classification of Wi-Fi APs as potentially authorized or rogue based on whether or not they are connected to one of the monitored enterprise subnetworks (enabled by default), or based on the Received Signal Strength Indicator (RSSI) with which those APs are visible to Arista WIPS.
You can implement an authorized Wi-Fi policy in two ways: either using the SSID Profile settings to validate the configuration running on your Arista Wi-Fi APs or by creating an Authorized Wi-Fi Profile for each SSID. Each method is described below.

Using SSID Profile Settings

You may choose to simply leverage the settings of the SSID Profiles in use to validate the configuration running on the enterprise Wi-Fi APs; this can be done by enabling the Use SSID Profiles to verify managed access point configuration option as shown below.

Note: This option is enabled by default. You will have to disable it if you choose to define your enterprise authorized Wi-Fi policy in terms of Authorized Wi-Fi Profiles.

Authorized Wi-Fi Profile per SSID

The figure below shows an Authorized Wi-Fi Profile for a corporate SSID. The SSID must conform to the restrictions set by the profile. For example, the SSID must run on an Arista AP because that is the only allowed AP vendor; similarly, it must use PSK authentication.

When an SSID configuration does not match the authorized Wi-Fi policy, the SSID is marked as a Misconfigured SSID. When an SSID configuration does not follow the security policies of Wi-Fi 6 and 6E, the SSID is marked as Non Compliant. As shown in the figure below, you can filter on the Classification column under MONITOR > WIPS > Access Points to find APs running misconfigured SSIDs.

You can select an AP to see the SSIDs that are misconfigured and to view the reasons for the configuration mismatch. Active APs running misconfigured SSIDs are marked orange on the MONITOR > WIPS and MONITOR > WiFi tabs.

Access Point Auto Classification

Arista Wireless Intrusion Prevention System (WIPS) continuously scans the Wi-Fi frequency spectrum to detect other Wi-Fi devices present in the vicinity.

Whenever a new Wi-Fi AP is detected, it is initially considered to be uncategorized. Arista's unique Marker Packets technology helps determine whether or not the detected AP is connected to the enterprise wired network. If an AP is on the enterprise wired network, it is pre-classified as Potentially Authorized or Potentially Rogue, depending on whether or not the AP complies with the Authorized WiFi Policy. If the AP is not on the enterprise wired network, it is pre-classified as Potentially External. The pre-classification is an advanced setting under Authorized WiFi Policy.

Arista managed APs that are on the wired network and comply with the Authorized Wi-Fi Policy are automatically classified as Authorized. The AP Auto-Classification Policy allows you to let the Arista WIPS automatically classify potentially rogue APs as rogue APs and potentially external APs as external APs. By default, the AP auto-classification is enabled. You can edit the policy under CONFIGURE > WIPS > Access Point Auto-Classification.

You can also freeze the list of your authorized APs by using the Authorized AP List Locking feature so that no more APs get automatically classified as authorized.

Client Prevention

Client prevention allows you to choose the types of Wi-Fi client communication you want to prevent.

The types of client communication are based on two factors:
  • The type of the client (Rogue, Authorized, External, or Guest) as determined by Client auto-classification.
  • The device that the client attempts to connect to—Authorized Access Point (AP), other clients, etc.

The examples below show how specific client types and connection attempts can be prevented depending on the use case.

Authorized Client Misassociation

An authorized enterprise Wi-Fi client could attempt to associate with access points in the vicinity of your enterprise. To protect authorized clients on an enterprise Wi-Fi network, you might want to prevent them from associating with any non-authorized APs as shown below.

Client Bridging/ICS

Client bridging is when a laptop connected to the wired network acts as an access point, thereby allowing unauthorized clients access to an enterprise network. Internet Connection Sharing (ICS) is a service that turns a computer into a router to which other clients can connect directly. Both methods compromise the security of an enterprise Wi-Fi network by exposing it to unauthorized access. To prevent client bridging or ICS, you can enable the relevant prevention as shown below.

Unauthorized Associations To Authorized Access Points

For guest Wi-Fi access, suppose that your Client Auto-Classification is configured to re-classify all External and Uncategorized clients connecting to a Guest SSID as "Guest". In that case, you do not want to prevent unauthorized clients from accessing an authorized AP running the Guest SSID because an unauthorized client needs to associate with an authorized AP before it can be marked as a "Guest" client. You can allow such associations by not enabling prevention as shown below.

Client Auto-Classification

Classifying Wi-Fi clients can help you automatically enforce your Wi-Fi security policies.

Usually, clients are classified as:
  • Authorized: These are enterprise-owned, managed clients that are expected to comply with the enterprise security policies, e.g., they are allowed to connect to the enterprise-managed Wi-Fi Access Points (APs) but not to other APs.
  • Guest: These are clients that are brought along by visitors in your organization. Guest clients are normally allowed to connect to the guest Wi-Fi network for Internet access and have limited or no access to the internal network.
  • External: These are unmanaged clients detected in the vicinity of your enterprise. They are normally blocked from connecting to your managed APs but could connect to other APs. Such clients could be typically ignored unless their behavior poses a threat to your enterprise security.
  • Rogue: These are typically unauthorized clients that try to intrude into your enterprise network, for instance, by connecting to a rogue AP. The activity of such clients should be monitored and their unauthorized access should be blocked.
Manually keeping track of the list of clients that are authorized to access your enterprise Wi-Fi network is not scalable and is prone to errors, especially in large organizations. Arista CV-CUE provides a simpler way to automatically classify clients. The client auto-classification policy settings are available under CONFIGURE > WIPS > Client Auto-Classification.

By default, clients are initially left uncategorized and are classified based on the type of AP or Wi-Fi network they connect to. You can optionally choose to classify any newly discovered client as External, Authorized, or Guest, and let it be reclassified based on association. Association-based classification depends on the type of AP that the client connects to. For example, an uncategorized client attempting to connect to any external AP is classified as external.

The examples below show how clients can be auto-classified depending on their association.

Clients Connecting to Authorized Access Points

Depending on the initial classification, the clients connecting to your authorized access points can be reclassified based on their association. A sample screenshot showing the default values is shown below. You can change the settings based on your security policy.

Clients Connecting to Rogue Access Points

A client may attempt to associate with a rogue AP. In that case, reclassification is based on the initial classification of the client and on the classification of the AP, which in this scenario can be Rogue or Potentially Rogue.

Note: Once a client is manually classified as Rogue or Authorized, it is not reclassified automatically unless it is deleted and discovered again.
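The following is an added example, not Arista code, covering both the Client Prevention and the Client Auto-Classification sections above: a small model in which the prevention decision for an association attempt is taken first, and only associations that are allowed through feed the association-based reclassification. The rule tables are a constructed sample policy. Where the text states a behaviour (an uncategorized client joining an external AP becomes External; External and Uncategorized clients joining a Guest SSID on an authorized AP become Guest and must be allowed to associate for that to happen; a manually classified Rogue or Authorized client is never reclassified until it is deleted and rediscovered) the sample follows it; every other rule, and the "prevention before classification" ordering, is an assumption of this example.

```python
"""Association-based client auto-classification plus the client prevention
decision that depends on it.  Added illustration (not Arista code); the
rule tables are a constructed sample policy, see comments."""
from dataclasses import dataclass

UNCATEGORIZED = "Uncategorized"

# (client class before, class of the AP joined) -> client class after.
ASSOCIATION_RULES = {
    (UNCATEGORIZED, "External"): "External",        # stated in the text
    (UNCATEGORIZED, "Authorized"): "Authorized",    # assumption
    (UNCATEGORIZED, "Rogue"): "Rogue",              # assumption
    (UNCATEGORIZED, "Potentially Rogue"): "Rogue",  # assumption
    ("External", "Rogue"): "Rogue",                 # assumption
    ("External", "Potentially Rogue"): "Rogue",     # assumption
    ("Authorized", "Rogue"): "Rogue",               # assumption
}
GUEST_RECLASSIFY_FROM = {UNCATEGORIZED, "External"}   # stated in the text
GUEST_SSID_ALLOWED = GUEST_RECLASSIFY_FROM | {"Guest"}

# Client prevention policy: (client class, AP class) pairs that are blocked.
# Uncategorized clients are deliberately allowed onto authorized APs so that
# they can be classified at all (sample policy, an assumption).
PREVENT_PAIRS = {
    ("Authorized", "External"), ("Authorized", "Rogue"),   # authorized client misassociation
    ("Authorized", "Potentially Rogue"),
    ("Rogue", "Authorized"), ("External", "Authorized"),  # unauthorized associations
    ("Guest", "Authorized"),                              # guests only on the Guest SSID
}


@dataclass
class Client:
    mac: str
    classification: str = UNCATEGORIZED
    manual: bool = False

    def classify_manually(self, new_class):
        self.classification = new_class
        # Text: manual Rogue/Authorized is never auto-reclassified.
        self.manual = new_class in ("Rogue", "Authorized")

    def delete_and_rediscover(self):
        self.classification = UNCATEGORIZED
        self.manual = False


def reclassify_on_association(client, ap_class, ssid_is_guest=False):
    """Apply the association-based rules; manual classifications are frozen."""
    if client.manual:
        return client.classification
    if ap_class == "Authorized" and ssid_is_guest and client.classification in GUEST_RECLASSIFY_FROM:
        client.classification = "Guest"
        return client.classification
    new_class = ASSOCIATION_RULES.get((client.classification, ap_class))
    if new_class:
        client.classification = new_class
    return client.classification


def should_prevent(client, ap_class, ssid_is_guest=False):
    """Prevention decision.  An unauthorized client joining an authorized AP
    that runs the Guest SSID is let through, because it has to associate
    before it can be reclassified as Guest (the caveat from the text)."""
    if ap_class == "Authorized" and ssid_is_guest and client.classification in GUEST_SSID_ALLOWED:
        return False
    return (client.classification, ap_class) in PREVENT_PAIRS


def handle_association(client, ap_class, ssid_is_guest=False):
    """Prevention first; only allowed associations drive reclassification."""
    if should_prevent(client, ap_class, ssid_is_guest):
        return ("prevented", client.classification)
    return ("allowed", reclassify_on_association(client, ap_class, ssid_is_guest))
```

The ordering matters for the guest case: if prevention of "unauthorized client to authorized AP" were applied without the Guest SSID exception, a visitor's device would be blocked before it could ever be reclassified as Guest.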

Banned Device List

You can ban certain Wi-Fi devices from accessing the enterprise network when needed. For instance, if an enterprise laptop gets stolen, its unauthorized access to the enterprise network needs to be restricted.

To prevent such access, you can add those Wi-Fi access points or clients to the Banned Access Points and Banned Clients, respectively. This can be done either by entering the MAC addresses of the individual access points or clients or by uploading a .csv file with the list of comma-separated MAC addresses. The banned devices can be defined only at the topmost or root folder of the location tree.

In addition, you can configure an alert that will warn you if a banned access point or client from the list is detected in the vicinity. Wi-Fi connectivity with a banned access point or client can also be prevented automatically by configuring the relevant intrusion prevention policy.
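The following is an added example, not Arista code: a helper that builds the comma-separated MAC list for the Banned Access Points / Banned Clients upload from addresses written in whatever notation an inventory system produced, and that checks a list of detected devices against it, the way the alert described above would. The MAC addresses are constructed sample data. It assumes the .csv is a single line of comma-separated, colon-delimited MAC addresses, which is how the text describes it; adjust the delimiter if your tenant expects another form. It also flags locally administered addresses, because a client using a randomised MAC will not match a ban on its hardware address.

```python
"""Banned-device list helpers.  Added illustration (not Arista code)."""
import re

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex
    and return the canonical upper-case colon form; raise ValueError otherwise."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(hexstr):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 of the first octet set: the form randomised client MACs take."""
    return int(mac[:2], 16) & 0x02 != 0


def is_multicast(mac):
    """Bit 0 of the first octet set: can never be a station address."""
    return int(mac[:2], 16) & 0x01 != 0


def build_banned_csv(raw_macs):
    """Return (csv_line, warnings): deduplicated canonical MACs joined by
    commas, plus warnings for entries that were skipped or are unlikely to
    match anything on air."""
    seen, out, warnings = set(), [], []
    for raw in raw_macs:
        mac = normalize_mac(raw)
        if is_multicast(mac):
            warnings.append(f"{mac}: multicast/broadcast address, skipped")
            continue
        if mac in seen:
            continue
        seen.add(mac)
        out.append(mac)
        if is_locally_administered(mac):
            warnings.append(f"{mac}: locally administered (possibly randomised); ban may not match")
    return ",".join(out), warnings


def banned_hits(detected_macs, csv_line):
    """Canonical MACs from detected_macs that appear in the banned list."""
    banned = set(csv_line.split(",")) if csv_line else set()
    hits = set()
    for raw in detected_macs:
        mac = normalize_mac(raw)
        if mac in banned:
            hits.add(mac)
    return sorted(hits)
```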

WLAN Integration

Whether you are using Arista WIPS or transitioning to cloud-based Wi-Fi, integrating the Arista Cloud Wi-Fi server with your on-premises WLAN controller allows you to leverage key advantages of the cloud server while continuing to use your controller-based WLAN.

The Arista cloud-based Wi-Fi server fetches information about access points, clients, and signal strengths from WLAN controllers using Simple Network Management Protocol (SNMP). Arista WIPS can then use this information to automatically classify authorized devices managed by the controller and track Wi-Fi client locations.

Arista supports integration with Aruba Mobility Controllers and Cisco WLC.

Configure WLAN Integration

To add WLAN controllers, go to SYSTEM > WIPS > WLAN Integration in CV-CUE. Select whether you want to add an Aruba or a Cisco controller, and click Add on the Wireless LAN Controllers grid. The Add Controller panel shown in the figure below opens up. Enter the settings (described in the table below) and click Done. Note that, as shown in the figure below, if your controller uses a private IP address, then you will need a Cloud Integration Point to integrate the controller with the Arista Cloud.

On the main WLAN Integration tab, set the Automatic Synchronization Interval; this is the interval that defines how frequently the Arista Cloud fetches information from the controller. Save the settings to complete adding the controller.

Controller Settings

Controller (IP Address/Hostname): Enter the IP address or hostname of the controller. Note: If the controller uses a private IP address, you need to select a Cloud Integration Point.
Port Number: The controller port number from which data is imported.
Primary Cloud Integration Point (CIP): From the drop-down list, select an Arista device that you want to use as the primary Cloud Integration Point (CIP) for this controller. Important: You must open port number 3852 in your network from the CIP to the Arista cloud.
Secondary Cloud Integration Point (CIP): From the drop-down list, select an Arista device that you want to use as the secondary Cloud Integration Point (CIP) for this controller. If the primary CIP goes down, the secondary one keeps your service connected to the cloud.
SNMP Version: Select SNMP V2 or V3 for the Arista cloud's communication with the controller. SNMP V2 sends the community string in cleartext on the wire, so prefer V3 with authentication and privacy where the controller supports it.
Community String: User-defined community string (SNMP V2) with which the Arista cloud communicates with the controller. The default value is 'public'; since that value is universally known, change it on both the controller and here.
Import: Select to enable the import of data from the controller.
Managed Access Points: Select to import managed access point information from the controller.
Managed Clients: Select to import information about clients associated with access points managed by the controller.
Unmanaged Access Points: Select to import information about access points not managed by the controller.
Unmanaged Clients: Select to import information about clients associated with access points not managed by the controller.
Signal Strength: Select to import signal strength information from the controller.

Monitor Networks

Under MONITOR > WIPS > Networks, you can see the networks being monitored by WIPS. As shown below, networks that are not being monitored (because they are unreachable) are shown in red.

Cardholder Data Environment (CDE) networks are networks that store, process, or transmit payment card transactions and sensitive cardholder data. CDE networks are in the scope of PCI DSS compliance. You can right-click on a network and change its type from CDE to Non-CDE or vice versa.

Auto-Deletion Settings

Using auto-deletion settings, you can specify parameters for automatically deleting rogue Access Points (APs), clients, and other stale records.

You can automatically delete the following items:
  • APs
  • Network
  • Clients
  • Alerts
  • Inactive Authorized APs
You must have superuser, administrator, or operator privileges to use auto-deletion settings.

Auto-Delete Access Points, Clients, and Network

You can specify the duration of inactivity after which rogue Access Points (APs) or clients are automatically deleted. For networks, you can define the duration for which the networks are retained on the server. After the specified retention duration, the networks are automatically deleted from the server. If you want to retain manually classified APs or clients, you can specify that in the auto-deletion parameters.

You can also delete authorized but inactive APs from the current location. Click Delete Inactive Authorized Access Points at the bottom of the Access Points tab.

Follow these steps to auto-delete APs, clients, and network:
  1. Go to MONITOR > WIPS > Access Points.
  2. Click Auto Deletion.
  3. From the right pane, define the parameters to delete access points, clients, and network.
  4. Save the settings.

WIPS Advanced Settings

Under CONFIGURE > WIPS > Authorized WiFi Policy, you can define Advanced Settings that allow you to pre-classify Access Points (APs) and define No-Wi-Fi networks.

Access Point Pre-Classification

Pre-classification of access points helps WIPS identify potential authorized and rogue APs. As shown in the figure below, by default, access points connected to a monitored subnet are pre-classified as potentially authorized or rogue. These APs then show up with the appropriate classification on the MONITOR > WIPS tab. This helps if, for instance, an unclassified AP is connected to the network. The AP appears on the MONITOR > WIPS tab. You can then re-classify it appropriately as either rogue or authorized and—for rogue APs—take appropriate action.

You can also have WIPS pre-classify APs based on the signal strength with which they are visible. As shown in the figure below, if you enable signal strength based pre-classification, CV-CUE allows you to define a signal strength threshold. APs with signal strength greater than the threshold are automatically classified as potentially authorized or rogue.

Relying on signal strength based classification alone, however, is not advisable, especially if you plan to enable automatic intrusion prevention. First, if a legitimate AP from a neighboring facility is visible with a signal strength higher than the threshold, then classifying it as rogue could disrupt legitimate Wi-Fi connections to the AP. Therefore, use this classification only if you are sure that no unauthorized Wi-Fi operates in the vicinity of your location. Second, signal strength based classification will not detect rogue APs that operate with a signal strength weaker than the threshold (smartphones running Wi-Fi hotspots, for example).

Define No-Wi-Fi Networks

Security-sensitive environments might need to ensure that no Wi-Fi network operates at certain locations. As shown in the figure below, you can define "No-Wi-Fi" networks for a location, i.e., specify subnets where no Wi-Fi is allowed. If you define such networks, an AP detected on the network at that location is automatically classified as a rogue AP, even if it conforms to the authorized policy.
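The following is an added example, not Arista code, covering the Authorized Wi-Fi Profile per SSID, Access Point Auto Classification, Access Point Pre-Classification and No-Wi-Fi network sections above: a model that checks an observed AP's SSID against its Authorized Wi-Fi Profile (allowed vendors, allowed authentication, subnets the SSID may run on), pre-classifies the AP from whether it was seen on a monitored enterprise subnet or, optionally, from its signal strength, and applies the No-Wi-Fi override. The OUI-to-vendor table, subnets, SSIDs and BSSIDs are constructed sample data and the mismatch reason strings are this example's own. The test cases deliberately include the two failure modes the text warns about for signal-strength pre-classification: a loud neighbouring AP classified Potentially Rogue, and a weak rogue hotspot that falls below the threshold.

```python
"""AP pre-classification against an Authorized Wi-Fi Policy.  Added
illustration (not Arista code); all identifiers are constructed samples."""
from dataclasses import dataclass
from typing import Optional

# Constructed OUI -> vendor table (not real OUIs).
OUI_VENDOR = {"02:1A:2B": "Arista", "02:3C:4D": "OtherVendor"}


@dataclass(frozen=True)
class AuthorizedWifiProfile:
    ssid: str
    allowed_vendors: frozenset                 # e.g. {"Arista"}
    allowed_auth: frozenset                    # e.g. {"PSK"} or {"802.1X"}
    allowed_subnets: frozenset = frozenset()   # empty: any monitored subnet
    guest: bool = False


@dataclass(frozen=True)
class ObservedAp:
    bssid: str
    ssid: str
    auth: str               # "Open", "PSK", "802.1X"
    on_wired: bool          # seen on a monitored enterprise subnet (Marker Packets)
    subnet: Optional[str]   # the monitored subnet it was seen on, if any
    rssi_dbm: int


def misconfig_reasons(ap, profile):
    """Reasons an SSID seen on ap does not match its Authorized Wi-Fi Profile
    (empty list means compliant)."""
    reasons = []
    vendor = OUI_VENDOR.get(ap.bssid.upper()[:8], "Unknown")
    if vendor not in profile.allowed_vendors:
        reasons.append(f"AP vendor {vendor} not allowed")
    if ap.auth not in profile.allowed_auth:
        reasons.append(f"authentication {ap.auth} not allowed")
    if profile.allowed_subnets and ap.subnet not in profile.allowed_subnets:
        reasons.append(f"SSID not allowed on subnet {ap.subnet}")
    return reasons


def pre_classify(ap, policy, no_wifi_subnets=frozenset(), rssi_threshold_dbm=None):
    """policy maps SSID -> AuthorizedWifiProfile.  Returns (classification,
    reasons).  Order of precedence follows the text: a No-Wi-Fi network makes
    the AP Rogue regardless of policy; an AP on the wired network (or, when
    enabled, one louder than the RSSI threshold) is Potentially Authorized or
    Potentially Rogue depending on policy compliance; anything else is
    Potentially External."""
    if ap.on_wired and ap.subnet in no_wifi_subnets:
        return "Rogue", ["detected on a No-Wi-Fi network"]
    strong = rssi_threshold_dbm is not None and ap.rssi_dbm > rssi_threshold_dbm
    if not (ap.on_wired or strong):
        return "Potentially External", []
    profile = policy.get(ap.ssid)
    if profile is None:
        reasons = [f"SSID {ap.ssid!r} not in the authorized policy"]
    else:
        reasons = misconfig_reasons(ap, profile)
    if reasons:
        return "Potentially Rogue", reasons
    return "Potentially Authorized", []
```

A managed AP running the corporate SSID with Open authentication comes back Potentially Rogue with the reason "authentication Open not allowed", which is the mismatch detail the Misconfigured SSID view exposes; the same AP on a subnet defined as No-Wi-Fi is Rogue even when its configuration is otherwise compliant.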