Rogue Detection & Management
A rogue is essentially any device that shares the same spectrum as our network but is not under our
control. It is dangerous in the following scenarios:
when it is set up to use the same SSID as the corporate network;
when it is detected on the wired network;
when it is an ad-hoc rogue;
when it is set up by outsiders with malicious intent.
Rogue devices include rogue Access Points (APs), wireless routers, rogue clients and
rogue ad-hoc networks.
Rogue detection allows the network administrator to monitor and eliminate this security
concern. The Cisco Unified Network Architecture provides a rogue identification and
containment solution without the need for expensive and hard-to-justify overlay network tools.
Rogue detection is not bound by any regulation and no legal adherence is required for its
operation, but rogue containment actively disrupts devices that may belong to third parties;
this has legal implications that can put the provider at a disadvantage if containment is
left to operate automatically.
ATTACKS LAUNCHED THROUGH ROGUE APs:
ARP poisoning, DHCP attacks, STP attacks, DoS attacks, etc.
Mapping the network for targeted attacks.
Scanning hosts on the network for targeted attacks.
Man-in-the-Middle attacks and data sniffing on the wired network.
Rogue detector AP
Passive Approach:
An AP can operate as a rogue detector. In this mode it is placed on a trunk port so that it can hear traffic from all the wired-side VLANs.
The controller sends the rogue detector AP the Layer 2 (MAC) addresses of the rogue APs and rogue clients it has identified over the air. The
rogue detector AP listens to ARP packets on the wire and compares the hardware addresses it hears against that list.
If the MAC address of a rogue client or AP is also heard over the wired network, the rogue is determined to be on the wired network.
When a rogue is detected on the wired network, the alarm severity for that rogue AP is raised to Critical. This method cannot identify a
rogue client sitting behind a device that performs NAT, because the client's own MAC address never appears on the wire; only the NAT device's does.
A rogue detector AP can track up to 500 rogue APs and 500 rogue clients. If it is placed on a trunk that carries traffic from more rogue devices
than that, the limit is exceeded and detection becomes unreliable. To stay within the limit, place the rogue detector AP in the distribution or
access layer of the network, where it only has to track the rogues in that part of the network.
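The wired-side correlation described above, as an added illustration (not Cisco code): the controller's rogue list is matched against the ARP traffic a detector hears on its trunk, the 500/500 tracking limit is enforced, and the NAT caveat is shown with a client whose MAC never reaches the wire. The ARP frames, MAC addresses and the initial "Minor" severity are constructed assumptions.

```python
"""Wired-side correlation as performed by a rogue detector AP (added example, not Cisco code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
MAX_ROGUE_APS = 500        # tracking limits of a rogue detector AP (from the text)
MAX_ROGUE_CLIENTS = 500


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a raw Ethernet/ARP request frame (constructed sample input, not a capture)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                  # Ethernet, IPv4, opcode request
    arp += mac_bytes(sender_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += bytes(6) + bytes(int(o) for o in target_ip.split("."))    # target MAC unknown in a request
    return eth + arp


def arp_source_macs(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (Ethernet source MAC, ARP sender hardware address), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[6:12]), mac_str(frame[22:28])


@dataclass
class Rogue:
    mac: str
    kind: str                 # "ap" or "client"
    severity: str = "Minor"   # initial severity is an assumption for the demo
    on_wire: bool = False


def rogue_detector_correlate(rogues: List[Rogue], frames: List[bytes]) -> Dict[str, Rogue]:
    """Flag each tracked rogue whose MAC is heard in wired ARP traffic and raise it to Critical."""
    aps = [r for r in rogues if r.kind == "ap"][:MAX_ROGUE_APS]          # beyond the limit: not tracked
    clients = [r for r in rogues if r.kind == "client"][:MAX_ROGUE_CLIENTS]
    tracked = {r.mac.lower(): r for r in aps + clients}
    for frame in frames:
        macs = arp_source_macs(frame)
        if macs is None:
            continue
        for mac in macs:
            rogue = tracked.get(mac)
            if rogue is not None:
                rogue.on_wire = True
                rogue.severity = "Critical"
    return tracked


def demo() -> Dict[str, Rogue]:
    rogues = [
        Rogue("aa:bb:cc:00:00:01", "ap"),          # BSSID heard over the air
        Rogue("11:22:33:44:55:66", "client"),      # client of a rogue AP that bridges to the wire
        Rogue("77:88:99:aa:bb:cc", "client"),      # client behind a rogue AP that performs NAT
    ]
    frames = [
        # the bridged client ARPs with its own MAC, so the detector hears it on the wire
        build_arp_request("11:22:33:44:55:66", "10.0.0.5", "10.0.0.1"),
        # the NAT device ARPs on behalf of its client; only the NAT device's LAN MAC is seen
        build_arp_request("de:ad:be:ef:00:01", "10.0.0.7", "10.0.0.1"),
        b"\x00" * 60,                                         # unrelated non-ARP frame
    ]
    return rogue_detector_correlate(rogues, frames)
```

Running demo() marks 11:22:33:44:55:66 as on the wire with severity Critical, while 77:88:99:aa:bb:cc stays undetected because the only hardware address that reaches the trunk is the NAT device's.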
RLDP (Rogue Location Discovery Protocol)
Active Operation:
RLDP is an active approach used when the rogue AP has no authentication configured. The controller instructs a managed AP to move to the
rogue's channel and connect to the rogue as a client.
To do this, the managed AP first sends de-authentication messages to all of its own clients, then shuts down its radio interface and
associates to the rogue AP as a client.
The AP then tries to obtain an IP address from the rogue AP using DHCP. Once it has an address, the AP sends a UDP packet to port 6352
that contains the local AP and rogue connection information, addressed to the controller and routed through the rogue AP.
If the controller receives this RLDP packet, the rogue must have a wired path into the corporate network, so an alarm is raised to notify the
network administrator that the rogue AP was discovered on the wired network.
Caveats of RLDP:
RLDP works only with open rogue APs that broadcast their SSID with authentication and encryption disabled.
RLDP requires that the managed AP acting as a client is able to obtain an IP address via DHCP from the rogue network.
Manual RLDP can be used to attempt an RLDP trace on a rogue multiple times.
During the RLDP process the AP cannot serve its clients. This impacts the performance and connectivity of local mode APs, so
RLDP can be selectively enabled on monitor mode APs only.
RLDP does not attempt to connect to a rogue AP operating on a 5 GHz DFS channel.
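The RLDP exchange and its caveats, as an added simulation (not Cisco code): the rogue is a data object, the managed AP checks the open-authentication, DFS and monitor-mode-only conditions before attempting the trace, "associates" and "gets a lease" by reading the rogue's attributes, and then sends the RLDP report as a real UDP datagram to the controller (port 6352 per the text). The datagram is only delivered when the rogue is wired into the corporate network, so an alarm on the controller side is the wired-rogue verdict. The RogueAP/ManagedAP models, the DFS channel set, the monitor-AP-only switch and the JSON report format are assumptions.

```python
"""Simulated RLDP exchange between a managed AP, a rogue AP and the controller (added example)."""
import json
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RLDP_PORT = 6352       # UDP port the RLDP report is sent to (from the text)
# 5 GHz DFS channels the trace skips; the exact set is an assumption for the demo.
DFS_CHANNELS = {52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144}


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    channel: int
    open_auth: bool        # SSID broadcast with authentication and encryption disabled
    offers_dhcp: bool      # rogue hands out DHCP leases to its clients
    wired_to_corp: bool    # LAN side reaches the corporate network (unknown to the AP)


@dataclass
class ManagedAP:
    name: str
    mac: str
    mode: str              # "local", "flexconnect" or "monitor"


def rldp_allowed(rogue: RogueAP, ap: ManagedAP, monitor_ap_only: bool) -> Optional[str]:
    """Return the reason a trace is skipped, or None if the AP may attempt it."""
    if not rogue.open_auth:
        return "rogue uses authentication/encryption"
    if rogue.channel in DFS_CHANNELS:
        return "rogue is on a 5 GHz DFS channel"
    if monitor_ap_only and ap.mode != "monitor":
        return f"RLDP restricted to monitor mode APs ({ap.name} is in {ap.mode} mode)"
    return None


def rldp_trace(rogue: RogueAP, ap: ManagedAP, controller_addr: Tuple[str, int],
               monitor_ap_only: bool = True) -> Dict:
    """Managed AP side of one RLDP attempt."""
    reason = rldp_allowed(rogue, ap, monitor_ap_only)
    if reason:
        return {"outcome": "not attempted", "reason": reason}
    # Step 1: de-auth own clients and leave the service channel. For a local mode AP this
    # is the client outage the text warns about; a monitor mode AP has no clients to drop.
    clients_dropped = ap.mode != "monitor"
    # Steps 2 and 3: associate to the open rogue and request a DHCP lease.
    if not rogue.offers_dhcp:
        return {"outcome": "failed", "reason": "no DHCP lease from rogue",
                "clients_dropped": clients_dropped}
    # Step 4: send the report through the rogue's uplink. The AP cannot tell whether
    # it arrives; that is decided on the controller side.
    report = {"ap": ap.mac, "rogue_bssid": rogue.bssid, "rogue_ssid": rogue.ssid,
              "rogue_channel": rogue.channel}
    if rogue.wired_to_corp:        # simulates the rogue having a wired path to the controller
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(json.dumps(report).encode(), controller_addr)
    return {"outcome": "report sent", "report": report, "clients_dropped": clients_dropped}


def controller_socket(port: int = RLDP_PORT) -> socket.socket:
    """Controller listener; bind port 0 to let the OS pick a free port when testing."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    return s


def controller_wait_for_report(sock: socket.socket, timeout: float = 1.0) -> Optional[Dict]:
    """Controller side: an RLDP datagram arriving proves the rogue is on the wire."""
    sock.settimeout(timeout)
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    report = json.loads(data.decode())
    return {"alarm": "Rogue AP detected on wired network (RLDP)",
            "bssid": report["rogue_bssid"], "reported_by": report["ap"]}


def demo() -> Dict[str, object]:
    """Run the exchange against a wired rogue and an isolated one (constructed sample devices)."""
    sock = controller_socket(0)
    try:
        addr = sock.getsockname()
        monitor_ap = ManagedAP("AP-MON-1", "00:11:22:33:44:55", "monitor")
        wired = RogueAP("aa:bb:cc:dd:ee:01", "FreeWifi", 6, True, True, True)
        isolated = RogueAP("aa:bb:cc:dd:ee:02", "Hotspot", 11, True, True, False)
        results = {}
        rldp_trace(wired, monitor_ap, addr)
        results["wired"] = controller_wait_for_report(sock)
        rldp_trace(isolated, monitor_ap, addr)
        results["isolated"] = controller_wait_for_report(sock, timeout=0.2)
        return results
    finally:
        sock.close()
```

In demo() the wired rogue produces an alarm on the controller and the isolated rogue produces nothing, even though both traces "succeeded" from the AP's point of view; a secured rogue, a rogue on a DFS channel, or a local mode AP with the monitor-only restriction never gets as far as dropping its clients.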
Rogue containment:
Containment initiated on a rogue AP with no clients only uses de-auth frames sent to the broadcast address.
Containment initiated on a rogue AP with clients uses de-auth frames sent to the broadcast address plus unicast de-auth frames to each client
address, as depicted in the original figure.
Containment frames are sent at the power level of the managed AP and at the lowest enabled data rate, at least 2 frames every 100 ms.
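What a containing AP actually emits, as an added illustration (not Cisco code): it builds the 802.11 de-authentication frames for one 100 ms interval (broadcast only when the rogue has no clients, broadcast plus one unicast per client otherwise, padded to the minimum of 2 frames), spoofing the rogue's BSSID as source, and records the transmit parameters (managed AP power, lowest enabled rate). The reason code, sequence numbering and the padding rule are assumptions; frames are only constructed, never transmitted.

```python
"""802.11 de-authentication frames emitted during rogue containment (added example, not Cisco code)."""
import struct
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_DEAUTH = 0x00C0            # frame control: type management (0), subtype de-authentication (12)
REASON_CLASS3_NONASSOC = 7    # reason code 7 (class 3 frame from non-associated STA); assumed choice


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def deauth_frame(dst: str, rogue_bssid: str, seq: int, reason: int = REASON_CLASS3_NONASSOC) -> bytes:
    """24-byte management header plus 2-byte reason code; SA and BSSID are spoofed as the rogue."""
    header = struct.pack("<HH", FC_DEAUTH, 0)                            # frame control, duration
    header += mac_bytes(dst) + mac_bytes(rogue_bssid) + mac_bytes(rogue_bssid)  # addr1 DA, addr2 SA, addr3 BSSID
    header += struct.pack("<H", (seq & 0x0FFF) << 4)                     # sequence control, fragment 0
    return header + struct.pack("<H", reason)


def containment_targets(clients: List[str]) -> List[str]:
    """Destinations a containing AP de-auths: broadcast always, plus every known client."""
    return [BROADCAST] + [c.lower() for c in clients]


def containment_burst(rogue_bssid: str, clients: List[str], seq_start: int = 0,
                      min_per_interval: int = 2) -> List[bytes]:
    """Frames sent in one 100 ms interval: one per target, padded with broadcast to the minimum of 2."""
    targets = containment_targets(clients)
    while len(targets) < min_per_interval:
        targets.append(BROADCAST)
    return [deauth_frame(t, rogue_bssid, seq_start + i) for i, t in enumerate(targets)]


def parse_deauth(frame: bytes) -> Dict[str, object]:
    """Decode the fields a sniffer would show for one containment frame."""
    fc, _duration = struct.unpack("<HH", frame[:4])
    return {
        "is_deauth": fc == FC_DEAUTH,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
        "reason": struct.unpack("<H", frame[24:26])[0],
    }


def tx_parameters(ap_tx_power_dbm: int, enabled_rates_mbps: List[float]) -> Dict[str, float]:
    """Containment frames go out at the managed AP's power and the lowest enabled data rate."""
    return {"tx_power_dbm": ap_tx_power_dbm, "rate_mbps": min(enabled_rates_mbps)}
```

A rogue with no clients yields two broadcast de-auths per interval; a rogue with two clients yields a broadcast frame plus one unicast frame per client, all carrying the rogue's BSSID as source so that the clients believe their own AP disconnected them. Because these frames are indistinguishable from an attack on a neighbour's legitimate network, this is the step the legal caveat above applies to.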
CONFIGURATION OF ROGUE DETECTION
GUI: Rogue detection is enabled by default on the controller. To see the details of detected rogues go to Monitor > Rogues.
CLI: To see the details of a rogue entry enter show rogue ap detailed <MAC_address>
GUI: Configure channel scanning for rogue detection. For a local, H-REAP or monitor mode AP there is an option under the RRM configuration
that lets the user choose which channels are scanned for rogues: all channels, country channels or DCA channels. To configure it go to
Wireless > 802.11a/802.11b > RRM > General.
CLI: To configure channel scanning enter config advanced 802.11a monitor channel-list <channel-list>, where <channel-list> is all, country or dca
(use 802.11b in place of 802.11a for the 2.4 GHz band).
GUI: To configure a rogue detector AP go to Wireless > All APs, choose the AP name and change the AP mode to Rogue Detector.
CLI: To configure a rogue detector AP enter config ap mode rogue <AP_name>, and configure the switch port that the AP connects to as a trunk.
GUI: To configure rogue containment go to Monitor > Rogues > Unclassified, update the status to Contain and choose the maximum number of APs to
contain.
CLI: To contain a rogue client enter config rogue client contain <MAC_address> <number_of_APs_to_contain>
Containment is an active, service-affecting action; given the legal caveat above, review each rogue before containing it rather than relying on
automatic containment.