07-19-13 Expert Day

Why should a customer deploy AMs?

AMs should be deployed in extremely high security environments or environments that require wireless containment.  AMs will detect attacks and rogues faster since they are dedicated to scanning channels.  AMs excel at containment and will make it a priority.  APs will prioritize client traffic over scanning or containment, especially voice calls and video traffic.  Because of this, AMs are recommended for customers planning to run wireless containment.  AM data is used in conjunction with AP data to determine threats.  The APs spend most of their time watching for issues on their channels while the AMs will be scanning everywhere.  Most customers do not need AMs.

AMs:

  • Scan more channels, including the 4.9 GHz band and the 5 GHz band in 5 MHz increments
  • AMs are required for containment.  APs can help with containment but will not have the time to successfully contain devices by themselves.
  • Faster rogue detection
  • No scan interruption for voice calls or video streams

AMs are not required for most customers.  Our hybrid AP scanning will scan through all of the regulatory channels in ~5 minutes with the default scan times.  Somewhat surprisingly our APs actually give better IDS attack detection coverage than our AMs because they are always performing IDS detection where your network is.  APs give you 100% IDS attack detection on the channels where your network resides. 

Feature: Channels scanned

How APs work: All regulatory channels* including those outside of your domain.  The scanned channels are configured as ‘scan mode’ in the ARM profile that is part of the radio profile.
  • *non-11n APs only scan their regulatory domain

How AMs work: All regulatory channels + rare channels (4.9 GHz) and 5 MHz scanning in the 5.0 GHz space for rogues configured in between standard channels.  In raw MHz that is 2412-2484 and 4900 through 5895 in 5 MHz increments.  The scanned channels are configured as ‘scan mode’ in the AM scanning profile that is part of the radio profile.

Feature: Scanning method

How APs work: Approx. every 10 seconds the AP changes channel from the client serving (home) channel to one of the other scanning channels.  It will stay off the home channel for less than 100 ms so that it doesn’t miss sending any beacons.  It spends ~70 ms on the scanned channel.  The exact timing varies slightly so that the scanning doesn’t always hit the same 70 ms off channel, which could cause it to continually miss beacons from some rogues.  Rogue scanning is also able to discover rogues from probe responses and other non-beacon frames.

How AMs work: AOS 6.0 divides the channels into four buckets (active, regulatory, all regulatory and rare).  The AM will spend 500 ms, 250 ms, 200 ms and 100 ms respectively on each type of channel.  Channel dwell times are configurable in the AM scanning profile that is part of the radio profile.  The AM will scan through all of the channels, giving more priority to active and regulatory than other channels.  That means an active channel is likely to be scanned multiple times before a rare channel.  Note: this order changes if a rogue is being contained.

Feature: Wireless containment

How APs work: Supplementary.  AMs are strongly recommended for deployments that want reliable wireless containment.  They should be considered required for any containment bakeoff.  An AP with clients will not change channel to contain an off channel rogue.  If the rogue happens to be on the same channel as the AP then it will aid in containment even if there are clients associated to it.  Containment of rogues on the same channel as APs is highly effective.  If the ‘rogue aware’ option is enabled in the ARM profile and there are no clients on the AP then the AP will change channels to contain the rogue.

How AMs work: When a rogue is marked for containment the AM will constantly hop back to the rogue channel for containment while scanning.  If there is a rogue on channel 1 the channel scan would look roughly like 1, 6, 1, 2, 1, 11, 1, 3, 1, 6, 1...  The important thing is that the AM will keep hopping back to the rogue containment channel.  And it will not spend 100% of its time on the rogue channel since it needs to continue looking for rogues.  We can’t let one contained rogue stop all scanning and keep the AM from discovering other rogues.  Because of this it is important to perform containment tests with more than one AP.

Feature: Tarpitting

How APs work: Supported, but the caveats from above apply.

How AMs work: Supported.

Feature: IDS signature attack detection

How APs work: 100% coverage of the network infrastructure.  Since it is the client serving AP performing the detection, it is naturally always on the same channel as the network.  It is fully scanning for IDS attacks against the AP.  IDS detection is also performed while scanning for rogues on other channels.  But when the AP is on that other channel, there is no AP on the home channel serving up the network to be attacked.

How AMs work: Less than 100% IDS coverage of the wireless network.  This is inherent to all overlay sensors.  They change channels to scan all of the RF band.  Depending on the channel scanning method the sensor can spend as little as 20% of its time on the network channel.  Because we weight channels with activity more heavily our AMs will spend more time looking for attacks against the network.  Note: Moto allows for manual configuration of scanned channels/dwell times and does some dynamic adjustment.

Feature: Supported IDS signatures

How APs work: All signatures.  Some signatures like our AP spoofing detection actually require the AP to be in hybrid mode to detect the attack.

How AMs work: 90%+ of signatures.  AP spoofing detection and Premature EAP success/failure attack only work on hybrid APs because they require additional information that only an AP will have.

Feature: Wired correlation

How APs work: Full functionality.  The AP or AM can build up the list of gateway MAC addresses and share it with other APs/AMs for use in classification.

How AMs work: Same as an AP.

Feature: Wired containment

How APs work: Full functionality.  APs or AMs can perform wired containment (ARP poisoning) when they are on the same network as the contained device that they have heard wirelessly.  If the AP/AM that is hearing the rogue is not on the same VLAN as the rogue it will be unable to perform ARP poisoning.

How AMs work: Same as an AP.

Feature: Protected area/deployment method

How APs work: Because the APs are serving the wireless network you get built in scanning anywhere you have wireless network connectivity.

How AMs work: Generally recommended in a 4:1 ratio of APs to AMs.  Because of different building materials and layouts, attention must be paid to where the AMs are located to make sure you don’t get coverage holes.

Feature: Will scanning ever be paused?

How APs work: Depends on how you configure your controller.  Scanning can be paused for voice, video, high throughput or power save aware (old client drivers).  These are configurable in the ARM profile.  Please see the VRD for specific recommendations.  Scan pausing can increase the amount of time it takes to discover a rogue, but no rogue will be undiscoverable.

How AMs work: No.

Feature: Is the scanning PCI compliant?

How APs work: Yes.

How AMs work: Yes.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.
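A small Python model of the AM scan scheduler the post describes, added here as an example; it is not part of the original post and not Aruba's code.  The bucket dwell times (500/250/200/100 ms) and the "hop back to the contained channel between scans" pattern come from the post; the per-bucket visit weights, the containment dwell time and the sample channel plan are assumptions.

```python
from collections import Counter

# Dwell time per channel bucket in ms: the AOS 6.0 defaults quoted in the post.
DWELL_MS = {"active": 500, "regulatory": 250, "all_regulatory": 200, "rare": 100}
# Assumed visits per scan pass for each bucket; the post says active and
# regulatory channels get more priority but gives no exact figures.
PASS_WEIGHT = {"active": 3, "regulatory": 2, "all_regulatory": 1, "rare": 1}
# Assumed dwell when the AM hops back to a contained rogue's channel.
CONTAIN_DWELL_MS = 500

# Constructed sample channel plan, keyed by centre frequency in MHz.
BUCKETS = {
    "active": [2412, 2437, 2462],    # channels where the network and known devices are
    "regulatory": [5180, 5200],      # channels legal in this regulatory domain
    "all_regulatory": [2417, 2422],  # channels legal somewhere in the world
    "rare": [4900],                  # 4.9 GHz and 5 MHz in-between frequencies
}

def build_pass(buckets):
    """Weighted round-robin for one pass: a bucket is visited in PASS_WEIGHT rounds,
    so an active channel is scanned several times before a rare channel is scanned once."""
    order = []
    for rnd in range(max(PASS_WEIGHT.values())):
        for name in DWELL_MS:  # fixed bucket order, active first
            if rnd < PASS_WEIGHT[name]:
                order.extend((ch, name) for ch in buckets.get(name, []))
    return order

def am_schedule(buckets, contained=None):
    """(channel, dwell_ms) visits for one pass.  With a contained channel the AM hops
    back to it before every other visit (1, 6, 1, 2, 1, 11, ... in the post)."""
    visits = []
    for ch, bucket in build_pass(buckets):
        if contained is not None and ch != contained:
            visits.append((contained, CONTAIN_DWELL_MS))
        visits.append((ch, DWELL_MS[bucket]))
    return visits

def time_share(visits):
    """Fraction of the pass spent on each channel."""
    total = sum(dwell for _, dwell in visits)
    per_channel = Counter()
    for ch, dwell in visits:
        per_channel[ch] += dwell
    return {ch: ms / total for ch, ms in per_channel.items()}

def channels_covered(visits):
    """Channels that still get scanned during the pass."""
    return {ch for ch, _ in visits}
```

With these assumed weights, `time_share(am_schedule(BUCKETS, contained=2412))` puts 64% of the pass on the contained channel while `channels_covered` shows every other channel is still visited, which is the trade-off the post describes.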
