Security, WIDS/WIPS and Aruba ECS

Frequent Contributor II
Posts: 125
Registered: ‎11-06-2007

Unsecure AP and Suspected Unsecure AP

I hope this new thread can clarify some doubts about Unsecure AP.

It would be fine if someone could clarify what the logical steps are that Aruba follows to classify a non-Aruba AP plugged into the network as Unsecure or Suspected Unsecure.

1.- What are the conditions to classify an AP as unsecured? Should the Aruba monitor which detects the AP's wired MAC be different from the Aruba monitor which detects the BSSID in the air?

2.- When is an AP classified as a suspected unsecure AP instead of an unsecure AP?
Guru Elite
Posts: 20,992
Registered: ‎03-29-2007

Rogue AP

From the ArubaOS 3.4 Manual:

1. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. To correctly classify an AP as a rogue, an Aruba AP must be able to both hear the AP and be a member of its wired broadcast domain, i.e., VLAN.

2. A suspected rogue AP is plugged into the wired side of the network, but may not be an unauthorized device.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 125
Registered: ‎11-06-2007

Re: Unsecure AP and Suspected Unsecure AP

cjoseph

Thank you for your post, but in my opinion it's not deep enough.

1.- I already know that a rogue is classified when an Aruba monitor is able to hear the AP on both the wired and the wireless side, but in previous versions, for that to be true, the Aruba monitor that hears the rogue AP in the air had to be different from the Aruba monitor which hears that rogue AP on the wired side, so you needed 2 Aruba monitors in the same broadcast domain to classify a rogue AP. Is it the same logic with ArubaOS 3.x?

2.- Sorry, but I still don't understand the process of classifying as suspected rogue: is it an AP heard on the wired side but not on the wireless side?
Guru Elite
Posts: 20,992
Registered: ‎03-29-2007

Classification

1. A SINGLE Aruba AP MUST be able to hear it on BOTH the wired as well as the wireless SIDE. That single AP must be able to hear that AP send an ARP for the default gateway on that subnet. The AP is then immediately classified as a rogue.

2. The "suspected rogue" classification is when we detect that there is a rogue AP, but the method we use is less reliable. In that case we make it a "suspected rogue" with a certainty of 50%. If we use another method that is also not 100% reliable, this is added to the 50% certainty to make it as high as 95%. Methods that will trigger a "suspect-rogue" classification are:

- A wired MAC address (not a gateway MAC address) is the destination MAC of a frame transmitted from the AP.
- The AP is classified as a rogue through Overlay Classification. Overlay Classification is classification through valid/rogue APs. We will essentially use the wired-mac table of other valid and rogue APs as equivalents of the wired MACs that we see on our network. When this match is triggered, we make a note of the AP that helped in this process, and this info will be displayed as the Helper-AP. Overlay classification is disabled by default (wms ap-policy overlay-classification).


Colin Joseph
Aruba Customer Engineering

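As an added illustration (not code from the thread or from Aruba), the decision described in the reply above as a small Python model: one monitor's observations, the ARP-for-gateway rule giving a 100% rogue, and the two weaker methods giving 50% or 95% suspected-rogue. All MAC addresses and the helper AP name are constructed, and the model assumes the monitor already knows which wired MAC belongs to each BSSID it hears (the thread does not cover how that mapping is derived).

```python
# Toy model of the two classification paths described in Colin's reply.
# Assumption (not from the thread): the monitor already knows which wired MAC
# belongs to each BSSID it hears; all MACs and AP names below are constructed.
from dataclasses import dataclass, field

@dataclass
class Monitor:
    """What ONE Aruba AP (the thread stresses a single AP) has observed."""
    gateway_mac: str
    air_bssids: set          # BSSIDs heard over the air
    wired_arp_for_gw: set    # wired MACs seen ARPing for the default gateway
    wired_macs: set          # every wired MAC seen on this AP's VLAN
    air_frames: list         # (bssid, dst_mac) of frames the AP transmitted over the air
    overlay_tables: dict = field(default_factory=dict)  # helper AP -> its wired-mac table
    overlay_enabled: bool = False  # 'wms ap-policy overlay-classification' is off by default

def classify(mon, bssid, wired_mac):
    """Return (classification, certainty %, methods, helper_ap) for one AP."""
    if bssid not in mon.air_bssids:
        return ("unknown", 0, [], None)          # never heard in the air: nothing to classify
    # Rule 1: the SAME monitor hears the AP in the air and sees it ARP for the gateway on the wire.
    if wired_mac in mon.wired_arp_for_gw:
        return ("rogue", 100, ["arp-for-gateway"], None)
    methods, helper = [], None
    # Suspect method A: a frame sent by the AP over the air targets a non-gateway wired MAC.
    if any(src == bssid and dst != mon.gateway_mac and dst in mon.wired_macs
           for src, dst in mon.air_frames):
        methods.append("wired-dst-mac")
    # Suspect method B (overlay): the AP's wired MAC appears in another AP's wired-mac table.
    if mon.overlay_enabled:
        for name, table in mon.overlay_tables.items():
            if wired_mac in table:
                methods.append("overlay"); helper = name; break
    if not methods:
        return ("interfering", 0, [], None)      # heard in the air only
    certainty = 50 if len(methods) == 1 else 95  # one weak method = 50%, two = 95% cap
    return ("suspected-rogue", certainty, methods, helper)

def build_sample():
    """Constructed observations: one true rogue, one bridged AP, one neighbour."""
    gw = "00:00:5e:00:01:01"
    return Monitor(
        gateway_mac=gw,
        air_bssids={"02:aa:aa:aa:aa:a0", "02:bb:bb:bb:bb:b0", "02:dd:dd:dd:dd:d0"},
        wired_arp_for_gw={"02:aa:aa:aa:aa:a1"},
        wired_macs={gw, "02:aa:aa:aa:aa:a1", "02:cc:cc:cc:cc:c1"},
        air_frames=[("02:bb:bb:bb:bb:b0", "02:cc:cc:cc:cc:c1"), ("02:dd:dd:dd:dd:d0", gw)],
        overlay_tables={"AP-05": {"02:bb:bb:bb:bb:b1", "02:ee:ee:ee:ee:e1"}},
        overlay_enabled=True,
    )
```

Calling `classify(build_sample(), bssid, wired_mac)` for each of the three constructed APs yields rogue at 100%, suspected-rogue at 95% with helper AP-05, and interfering; turning `overlay_enabled` off drops the second one to 50%.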

Frequent Contributor II
Posts: 125
Registered: ‎11-06-2007

Re: Unsecure AP and Suspected Unsecure AP

Colin,

First of all, thank you very much for your information, it was very helpful. Below are some questions I still have.

1. A SINGLE Aruba AP MUST be able to hear it on BOTH the wired as well as the wireless SIDE. That single AP must be able to hear that AP send an ARP for the default gateway on that subnet. The AP is then immediately classified as a rogue.

This is great news; in ArubaOS 2.5.4 the Aruba monitor which heard the rogue in the air had to be different from the monitor which heard it on the wired side, so this is much better now.

What happens if the rogue AP doesn't send an ARP for the default gateway? Maybe it has already cached the default gateway MAC address.

2. The "suspected rogue" classification is when we detect that there is a rogue AP, but the method we use is less reliable. In that case we make it a "suspected rogue" with a certainty of 50%. If we use another method that is also not 100% reliable, this is added to the 50% certainty to make it as high as 95%. Methods that will trigger a "suspect-rogue" classification are:

- A wired MAC address (not a gateway MAC address) is the destination MAC of a frame transmitted from the AP.

What does it mean? The Aruba monitor hears the rogue in the air but the Aruba monitor doesn't hear the rogue MAC on the wired side and .....

A wired MAC address (the rogue's MAC?) is the destination MAC of a frame transmitted from the AP (which one? the rogue?). Sorry, but I don't understand the meaning: who is hearing that frame?

- The AP is classified as a rogue through Overlay Classification. Overlay Classification is classification through valid/rogue APs. We will essentially use the wired-mac table of other valid and rogue APs as equivalents of the wired MACs that we see on our network. When this match is triggered, we make a note of the AP that helped in this process, and this info will be displayed as the Helper-AP. Overlay classification is disabled by default (wms ap-policy overlay-classification).

I think the last paragraph is clearer to me: if the monitor doesn't hear the rogue MAC address on the wire, it uses the table of valid and rogue MACs previously used, and if a match exists with an entry in that table (another rogue) it classifies the new one as suspected rogue, isn't it?


Guru Elite
Posts: 20,992
Registered: ‎03-29-2007

Rogue AP

Jgarciav,

A great deal has changed between how ArubaOS 2.x and ArubaOS 3.x do rogue detection. I spoke about how rogue detection is done in general, but there is a great amount of detail. If you log in to the support site and search the knowledge base for rogue, you will find articles like:

How do I troubleshoot a rogue AP?
How does Rogue AP detection work?
How does Overlay Rogue AP Classification work?
How do I change the access point classification mode from rogue to interfering?
Different Rogue Types in output of ‘show wms rogue-ap’ command
How are rogue false positives reduced in ArubaOS 2.x?
How does Aruba classify Rogues?
In output of ‘show wms rogue-ap’ what are different types of match methods?

As you can see, there is a lot of information and the knowledge base has many more answers than I could provide here.


Colin Joseph
Aruba Customer Engineering
