Sunday, May 29, 2011

A Personal Update, a Study plan update, then time to give you yet something else to worry about from a wireless security perspective.

Hi Guys

This is going to be a bit of a hodge-podge blog post. I intend to cover off a few things that have been happening to me recently and a few useful observations I have made. Feel free to skip over the sections you really don't care about :)

But first let's get down to what you all came here to see: Wireless stuff!!! Including a very interesting security feature for WLC that I promise you're going to want to hear about. Stick with this article to the end of the wireless section, guys, and I think you will be impressed.


OK, So I wanted to talk today about The Cisco Wireless Controller and just what the heck this little window means:

Wow! The word Rogue, hey, does not exactly sound inviting. It's not like "Active Puppies" or "Active Chocolate Factories".

No no, it is far more sinister: ROGUE

Despite the name, a Rogue AP is simply an AP that the Wireless Controller does not recognize and that is not part of its own wireless network. A Rogue AP could be as harmless as a neighboring business's wireless network.

Active Rogue Clients is simply the number of devices on each rogue network (quite nifty that you can see that, as you can get a rough idea of how big someone else's wireless network is).

Adhoc Rogues are simply wireless networks set up using an Ad-Hoc topology, which is a special kind of PC-to-PC topology for wireless where no access point is required.

Rogues on Wired network we will be discussing later in this post.


But if a rogue is detected by a lot of AP's, it could potentially be a hostile access point that someone has sneaked in to your office and plugged in. How can you tell the difference? Simply click on detail and have a look at how many AP's are picking up this rogue network:


As you can see, you will be told the number of detecting radios for a particular SSID.

(The MAC address and SSID have been obfuscated by what appears to be a ten year old with crayons, i.e. me.)

A low number of detecting radios indicates that the AP is probably not within close range. If only one AP is detecting it, it is probably outside of the building/network area, but depending on how many AP's you have in the area, how many you have in your network altogether, and where you live, even 2 or 3 detecting radios is OK.

In my screenshot I removed the words "Rogue on Wire" that normally show up on this details page. That is the best way to tell if a Rogue is hostile, and we will get to it in a moment!

Your AP's are constantly scanning for these rogue networks over a 180 second period, with 60ms spent on each channel. This period can be adjusted in the following controller option:

Wireless -> General -> 802.11A/N or 802.11B/G/N -> RRM -> General -> Monitor scan interval

If you have enough access points, you can even dedicate an AP so that its only job is picking up other networks. This is a mode that the AP can be in, and it is called "Monitor Mode".

To change an AP to monitor mode, navigate to the following on the WLC:
  • Go to Monitor Tab
  • Scroll down to "Access Point Summary"
  • Click on "Detail" next to "All AP's"
  • Click on the hyperlink of the AP you want to change the mode of
  • On the first page you will see "AP Mode", where you can select Monitor
This will place the AP into a dedicated monitor mode: it will not service clients but will sit and scan for you.

So now you know what each of those terms means. Let's move on to "Rogue on Wired"

Rogue on wired is a term that refers to an instance where the Wireless controller KNOWS that the access point is plugged into your wired network without authorization, because on the wired network it is connected to it can see ARP requests involving wireless clients that it can also see on the rogue network! Let's use a hypothetical example.

User Bob thinks he is a l33t hax0r who loves third-party-vendor-X and thinks c1$sc0 sucks and is too cool to use your nice Cisco Unified Wireless Network so plugs a third-party access-point into your network without authorization, he starts up a wireless network called jun1p3rR0ckz. Because he is sup3r l33t he turns on WPA2 because he knows that WEP is just no good.

With our Cisco Solution, Not only can we detect Bob is there, but we can prevent him from associating to his own Access Point at all, rendering it completely useless. Even though he is using WPA, it does not matter, we can still completely stop him from using that wireless access point.

How? Let's examine

OK, so the first step is: we need to detect that Bob is actually on our network. When we set up our Cisco Solution, we set aside an access point to act as our "Rogue Detector."
This device sits on the wired network and is constantly sniffing traffic on the wire for ARP requests. It notes down the list of MAC addresses that each ARP request is advertising.

"Who has 192.168.1.1? Tell 192.168.1.3?"
"00:00:ca:f3:f3:f3 has 192.168.1.1"

To define an AP as a rogue detector, simply set its mode to Rogue Detector, just like we did when we changed the mode of the AP from Local to Monitor (see above).

Meanwhile, the other AP's on the Wireless controller (and indeed on other wireless controllers if you have more than one, as this information is shared across controllers) are building a list of Active Rogues just like we mentioned.

Now, when the WLC and the Rogue Detector AP notice that a MAC address is appearing both on the wired network and as an active rogue client... GOTCHA! You're on my network without authorization. The WPA security fails to protect, as the 802.11 management frames are not encrypted.

You will see the following log message on your summary page:
Security Alert: Rogue with MAC Address: 00:00:ca:f3:f3:f3 has been detected on the wired network

If you click on "Active Rogue AP's" you can see what SSID has this Rogue Wired User on it, plus WLC will helpfully inform you that this is a THREAT!
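The correlation described above, as an added example that is not part of the original post and not Cisco's code: MAC addresses noted from ARP traffic on the wire are matched against the client MACs seen on each rogue network, with the detecting-radio count as a fallback hint. The sample data, the verdict labels and the `many_radios` threshold are constructed assumptions.

```python
from dataclasses import dataclass

def norm_mac(mac: str) -> str:
    """Normalise AA-BB-.. / aa:bb:.. to lowercase colon form so both sources compare equal."""
    return mac.strip().lower().replace("-", ":")

@dataclass(frozen=True)
class Rogue:
    bssid: str
    ssid: str
    detecting_radios: int   # how many of our own APs can hear this rogue
    clients: tuple          # client MACs seen associated to it over the air

def wired_macs(arp_events):
    """MACs the rogue detector noted from ARP traffic on the wired network."""
    return {norm_mac(mac) for mac, _ip in arp_events}

def triage(rogues, arp_events, many_radios=4):
    """Classify each rogue; many_radios is an assumed, site-specific threshold."""
    on_wire = wired_macs(arp_events)
    findings = []
    for r in rogues:
        hits = sorted(m for m in map(norm_mac, r.clients) if m in on_wire)
        if hits:
            verdict = "rogue-on-wire"      # same MAC on our LAN and on the rogue WLAN
        elif r.detecting_radios >= many_radios:
            verdict = "investigate"        # heard by many of our APs, no wire match yet
        else:
            verdict = "likely-neighbour"   # heard by few radios, nothing on our wire
        findings.append((r.ssid, verdict, hits))
    return findings

# Constructed sample data (not taken from a real controller).
ARP_EVENTS = [("02-00-00-AA-00-01", "192.168.1.3"),
              ("02:00:00:aa:00:02", "192.168.1.1")]
ROGUES = [
    Rogue("02:00:00:bb:00:01", "jun1p3rR0ckz", 2, ("02:00:00:AA:00:01",)),
    Rogue("02:00:00:bb:00:02", "CafeGuest", 1, ("02:00:00:aa:00:09",)),
    Rogue("02:00:00:bb:00:03", "unknown-net", 5, ()),
]

if __name__ == "__main__":
    for ssid, verdict, hits in triage(ROGUES, ARP_EVENTS):
        print(f"{ssid:14} {verdict:17} {', '.join(hits) or '-'}")
```

A rogue AP that routes or NATs its clients hides their MAC addresses from the wire, so an empty match list does not prove the AP is off your network.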



Wow, that is pretty good, but it gets even better.
Click on the Wireless network. This will tell us what AP's can "see" this SSID (detecting radio), so if we know where our own AP's are located (which we should, as you should name your access points based on location!) we even know roughly the area Bob is in. Then scroll down to the Update Status drop box and select "Contain".

You must then choose how many AP's you want to dedicate to containing this SSID. The more AP's you use, the further away the SSID can be (but if it is in your building, just one AP should be fine). The controller will automatically choose the AP's that are actually detecting the SSID, so the AP's that can "see" the SSID jun1p3rR0ckz are the ones that are used to contain it. An AP can contain up to 3 SSID's at a time, and here is the best part: it continues to function as a normal AP for its own clients.

Go ahead and update the status, then click Apply

You will be warned that there may be legal ramifications for this. If you're doing this to a network that is not actually hostile, you're performing a Denial of Service attack on legitimate users. Be careful!

Once you click Apply, the wireless network will immediately be contained. Now no matter what User Bob does, even though he does have WPA2, he will immediately disassociate from his AP. The containment function works by constantly spoofing management frames telling the AP that the client has disassociated. If Bob was using a Cisco access point (which he is not because he has no taste) his log files would show constant associate/disassociate attempts, but the effect for User Bob on his wireless network is profound: Windows will simply say "unable to connect" and he will not even be able to join the wireless network.

So now we have seen what Bob is up to, we have got his MAC address (so we can work out it was him) and a rough idea of where he is (based on the detecting AP), and we have stopped him and his malicious ways.

Bob is caught in the act of trying to get his AP onto the network, completely caught by surprise as he had no idea it was The Cisco Network protecting itself.

Bob is prosecuted then shipped to a Mexican Prison and forced to Metal Work and weld WIC Slot blanking plates in the prison workshop as special punishment just for him.

Note that Cisco has a solution (they always do!) to protect you from this kind of attack, called Management Frame Protection. Let's cover that off in a later blog post.

Those of you only interested in Wireless should probably stop reading now, the rest is all personal guff :)


-------------------------------------------------------------------------------------------------



Personal
So as those of you who know me in Real Life (TM) will know, I have taken on a role at another Integrator called Data #3 (http://www.data3.com.au).

As usual, the opinions expressed in this blog do not reflect those of my employer. This blog is not affiliated with Data #3 in any way, shape or form, especially in regard to Vendor Alignment: I am a Cisco Fan Boy through and through, I 110 percent believe at the moment they make the best product, but this has no reflection on the policies at Data #3, who integrate for a variety of vendors :).

I am really excited about this role as they seem to be making lots of waves from a Cisco perspective, they have some REALLY good engineers working over east and in WA, great sales team, good management and a really good, positive company culture.

I think I can bring a heck of a lot of value too. I have finally learnt that repeatable, process-driven implementations are the key to a successful project and the key to a good integrator. Therefore I am trying my best to make CUCM's, CME (and indeed any other networking technology that I can) easier for me to:

  • Propose
  • Design
  • Deploy

Obviously the key tools I use to do this can't be revealed, but what I will say to any other employees in integrator land out there is this:

The easier you can produce designs and proposals, the quicker you can put builds together, the less tedious tasks you have, the better your projects will go and the quicker you can complete them. Not only that, but by having tools to template your tasks in your job, your installs will go much smoother! As if you don't reinvent the wheel every time you implement the same project, you are aware of any "Gotchas" or "bugs" in your template-based installs.

I have probably already said too much! But Regardless, my new mantra in my professional life is this:

"How can I improve this process and make it easily repeatable, how can I better organize myself and my environment to improve this process"

Here is a really simple example that I am sure tons of you already do: My inbox/email is now 100 percent organised, I have to-do and completed folders, and then subfolders for each of my customers underneath, this alone has made it so easy to organise my information and much easier to track outstanding work that no jobs I have to do have slipped through the cracks.

For those of you who haven't quite twigged to what the heck I am going on about, go look up the CUCM rapid deployment guide; that is a perfect example of how to make your CUCM deployments easier! (Although I have taken it and customized it, as I think its Partition and CSS plan is utterly rubbish, no E.164 dialing!!)


Data #3 do a heck of a lot of UCS and Wireless work, as you guys probably already know my area of expertise is Voice, Routing and Switching and security. So what am I going to do about it? I will cover that off in my study section.

Study
"An investment in knowledge pays the best interest" - Benjamin Franklin

I saw the quote above on http://slashdot.org and folks I believe it. Every time I have sat down and studied a new topic, almost like magic a few weeks later I have had some problem come out of nowhere and be eerily similar to the exact technology I have just been learning about. It actually sometimes freaks me out!

So with the huge amount of UCS and Wireless Data #3 do, I have decided to embark on my CCNA Wireless to begin with, followed by my CCNP Wireless. If CCIE Wireless coursework is available after that for the new lab, then yes: I will go for the CCIE Wireless, but I am getting quite a bit ahead of myself. Let's get CCNA Wireless out the way first, hey!

The CCNA Wireless so far has been very interesting and concentrates quite a bit more on the Wireless Controller architecture of wireless (also known as Cisco Unified Wireless Network Architecture) quite a bit more than I thought it would. I think Cisco have (rightfully) realized that Wireless is bound to overtake wired as the primary form of network access come 2015. It is almost inevitable, one day our kids will stare in amazement when we tell them we had to "plug" our machines into the "wired network" for internet.

Therefore, a single access point and its configuration is just not that relevant; a single access point just does not cut it as a primary network access device. The tech part of this section will detail one of the new things I learnt in my CCNA Wireless Journey.

I am finally starting to get Cisco UCS, After many false starts I stumbled across some coursework that has been very helpful, Kevin Murphy has also been really helpful in getting my head around UCS and patiently answered my UCS-related questions. One of my "Ah-Ha!" moments came as Kevin explained the role FC and FCOE plays in the UCS topology at the side of the road in Perth City! Kevin Get a blog up and I will link to it!!

The problem for studying with UCS is that the UCS component is not THAT complicated, but to understand the full benefits and troubleshoot all the problems for your customers you need to understand:

  • A storage vendor (pick your favorite) and their products
  • VMware

With this in mind, I want to try and do my VCP and a storage vendor cert. I have signed up for a Netapp now account. If you work for a partner you get a complete training package and all the coursework is available online. Pretty Nifty!






5 comments:

  1. Thank you, was a good read mate. I think it's great you're taking your wireless exams as I couldn't agree more that it's the way everything is going. It's nice reading about someone who's so motivated and enthusiastic about their industry and job, I hope I can follow in the same path.

    -Tim

  2. Pete,

    Couldn't agree with you more about templated installs as the key to success. I spend just as much time on optimising the cookie cutter process as I do mastering the technologies. I only wish I had better PERL skills to automate things even further.

    Also, another +1 for Kevin Murphy here. Real awesome guy and really patient with annoying resellers like me.

    -Fletcher

  3. Hey Pete,

    Interesting read.... Is there any restriction on what you can DOS with your Cisco APs? I mean, can a shonky operator potentially DOS the hell out of his neighbour's AP because of channel "theft" ?

    A less aggressive approach would be to just block the MAC of the rogue APs and clients on switchports they are seen on, or just use port security to shut the port down if one of the rogue macs or rogue AP mac's are seen on the port - does this functionality exist?

    Cheers!
    -Shaun

  4. Hi Shaun

    No restrictions on who you can and can't "DOS" with your Cisco AP's, but anyone with a linux box could potentially perform the same "Attack"

    You can indeed block the MAC, or rather shut down the port of the offending Rogue AP, so this functionality certainly does exist!

    Thanks for stopping by!

  5. Hi Pete

    Very interesting read, how about adding a little more: what happens if you move an AP to Malicious, does this just block or does it disrupt?

    cheers

    Steve
