IDS / WIPS Configuration Question

  • 1.  IDS / WIPS Configuration Question

    Posted Oct 14, 2013 08:44 AM

    One of our computer engineering instructors acquired several new little wireless AP spoofing devices after attending the Ethical Hacker Convention in Atlanta not long ago. He and I have been talking a lot and I need to be able to defeat his devices. One of these little guys scans the local area, grabs SSIDs and their corresponding BSSIDs and can then spoof both SSID and BSSID and also allows you to clone a portal page.

     

    My question is this: how do I need to configure my IDS (either manually or through the wizard) to shut that down? My attempts thus far have not met with success, and when I look at my master controller security dashboard I actually see my own authorized APs marked for containment (obviously I am doing something wrong here, LOL).

     

    Any advice is appreciated!



  • 2.  RE: IDS / WIPS Configuration Question

    EMPLOYEE
    Posted Oct 14, 2013 09:00 AM

    Try the wizard with the attached parameters. In the Protected SSID field, put the SSIDs that you want protected (case sensitive). If you can put a dedicated air monitor in that AP-Group, that would be desirable for the best IDS performance.

     

    policy1.png

     

    policy2.png



  • 3.  RE: IDS / WIPS Configuration Question

    Posted Oct 14, 2013 09:07 AM

    Hmmm, I missed the "Protect SSID" part in prior attempts. I'm going to give it a try and I'll let you know!



  • 4.  RE: IDS / WIPS Configuration Question

    Posted Oct 14, 2013 10:50 AM

    So here is the issue; check the attachment. Why are legitimate APs getting marked for containment? (I used the settings you showed above.)

     

    SurfCFCC is our primary SSID.



  • 5.  RE: IDS / WIPS Configuration Question

    EMPLOYEE
    Posted Oct 14, 2013 10:54 AM

    Let's take a step back.  For now, only enable "Detect Valid SSID Misuse".  Uncheck Protect SSID and remove those SSIDs.

     

    See if that classifies the duplicate APs as rogue without marking the others for containment. Make sure you change the containment status of your SSIDs first, though.

     



  • 6.  RE: IDS / WIPS Configuration Question

    Posted Oct 14, 2013 10:57 AM

    Will do. I have a meeting with the instructor this afternoon where we will be testing out his devices, and I will be able to give feedback then.

     

    Thanks man!!



  • 7.  RE: IDS / WIPS Configuration Question

    Posted Oct 14, 2013 04:20 PM

    OK CJ, here is what has happened so far. Using Detect Valid SSID Misuse by itself did not seem to detect anything :-( and any time I tried to implement either Detect AP Spoofing or Detect AP Impersonation, or a combination of the two, I would get what I showed you in the attachment earlier in this thread. When I leave them unchecked, it seems fine, but those are two of the things I am looking to protect against.

     

    I don't have AirWave yet so I don't know if there is anything there that can help...

     

    Any other ideas or suggestions to try?



  • 8.  RE: IDS / WIPS Configuration Question

    EMPLOYEE
    Posted Oct 14, 2013 04:25 PM

    @americanmcneil wrote:

    OK CJ, here is what has happened so far. Using Detect Valid SSID Misuse by itself did not seem to detect anything :-( and any time I tried to implement either Detect AP Spoofing or Detect AP Impersonation, or a combination of the two, I would get what I showed you in the attachment earlier in this thread. When I leave them unchecked, it seems fine, but those are two of the things I am looking to protect against.

     

    I don't have AirWave yet so I don't know if there is anything there that can help...

     

    Any other ideas or suggestions to try?


    Detect Valid SSID Misuse should mark the foreign access point as rogue.  That is the first step.  You should be able to find the foreign access point in the dashboard.  It will not do anything unless we have a "Protect" enabled.  Did you see the foreign access point in the dashboard?
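As an added illustration of the two classifications discussed in this thread (the wizard settings in reply 2 and the "misuse marks it rogue, Protect acts on it" point in reply 8), here is a small Python model. It is example code written for this page, not code from the thread, the controller, or its vendor. Everything in it is an assumption for illustration: the AP inventory and BSSIDs are made up (only the SSID SurfCFCC comes from the thread), the beacon interval and rate threshold are chosen values, the capture is constructed sample data, and the "impersonation" heuristic (our own BSSID seen on the wrong channel, with the wrong SSID, or beaconing faster than one radio can) is a simplification of what a real WIPS does. The point it makes is the one the OP ran into: the inventory of authorized BSSIDs is what keeps your own APs out of the containment list, and a device that clones your BSSID cannot be contained by BSSID without also hitting the real AP.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame (constructed sample data, not controller output)."""
    ssid: str
    bssid: str
    channel: int
    t: float  # capture time in seconds


# Hypothetical AP inventory: BSSID -> (SSID it serves, channel it is fixed on).
# This whitelist is what keeps our own APs from ever being marked for containment.
AUTHORIZED = {
    "00:1a:1e:aa:bb:01": ("SurfCFCC", 6),
    "00:1a:1e:aa:bb:02": ("SurfCFCC", 11),
    "00:1a:1e:aa:bb:03": ("SurfCFCC-Staff", 1),
}
PROTECTED_SSIDS = {"SurfCFCC", "SurfCFCC-Staff"}  # matched case-sensitively, as reply 2 says
BEACON_INTERVAL = 0.1024  # 100 TU, the common default (assumed)
MAX_RATE_FACTOR = 1.5     # more beacons than one radio sends in the window -> two emitters


def classify(beacons):
    """Classify every BSSID seen; return (verdicts, bssids_to_contain).

    verdicts maps bssid -> (verdict, reason), verdict being one of
    "valid", "impersonated", "rogue" or "interfering".
    """
    by_bssid = defaultdict(list)
    for b in beacons:
        by_bssid[b.bssid].append(b)

    verdicts, contain = {}, []
    for bssid, frames in by_bssid.items():
        ssids = {f.ssid for f in frames}
        channels = {f.channel for f in frames}
        if bssid in AUTHORIZED:
            own_ssid, own_chan = AUTHORIZED[bssid]
            span = max(f.t for f in frames) - min(f.t for f in frames)
            expected = span / BEACON_INTERVAL + 1  # beacons a single AP would send in the window
            if (channels != {own_chan} or ssids != {own_ssid}
                    or len(frames) > MAX_RATE_FACTOR * expected):
                # Someone else is transmitting with our BSSID. Alert, but do NOT contain:
                # the impersonator shares the BSSID, so containment keyed on the BSSID
                # alone would knock clients off the real AP as well.
                verdicts[bssid] = ("impersonated",
                                   f"our AP seen with ssids={sorted(ssids)} "
                                   f"channels={sorted(channels)} frames={len(frames)}")
            else:
                verdicts[bssid] = ("valid", "matches inventory")
        elif ssids & PROTECTED_SSIDS:
            # Valid SSID misuse: a protected SSID beaconed from a BSSID we do not own.
            # Detection classifies it rogue; containment is the separate "protect" step.
            verdicts[bssid] = ("rogue", f"valid SSID misuse: {sorted(ssids & PROTECTED_SSIDS)}")
            contain.append(bssid)
        else:
            verdicts[bssid] = ("interfering", f"foreign network {sorted(ssids)}")
    return verdicts, contain


def sample_beacons():
    """Constructed capture: our three APs, a neighbour, and two spoofing devices."""
    frames = []
    for i in range(10):  # AP 1 beaconing normally
        frames.append(Beacon("SurfCFCC", "00:1a:1e:aa:bb:01", 6, i * BEACON_INTERVAL))
    for i in range(5):
        frames.append(Beacon("SurfCFCC", "00:1a:1e:aa:bb:02", 11, i * BEACON_INTERVAL))
        frames.append(Beacon("SurfCFCC-Staff", "00:1a:1e:aa:bb:03", 1, i * BEACON_INTERVAL))
        # device 1: clones the SSID only, under its own MAC -> valid SSID misuse
        frames.append(Beacon("SurfCFCC", "aa:bb:cc:dd:ee:ff", 6, i * BEACON_INTERVAL))
        # device 2: clones SSID *and* AP 2's BSSID, but sits on channel 3 -> impersonation
        frames.append(Beacon("SurfCFCC", "00:1a:1e:aa:bb:02", 3, i * BEACON_INTERVAL + 0.05))
    # a neighbour, and a lowercase lookalike that case-sensitive matching does not flag
    frames.append(Beacon("CoffeeShop", "12:34:56:78:9a:bc", 1, 0.0))
    frames.append(Beacon("surfcfcc", "de:ad:be:ef:00:01", 6, 0.0))
    return frames


def run():
    """Classify the constructed capture and print a dashboard-style summary."""
    verdicts, contain = classify(sample_beacons())
    for bssid, (verdict, reason) in sorted(verdicts.items()):
        print(f"{bssid}  {verdict:13} {reason}")
    print("mark for containment:", contain)
    return verdicts, contain


if __name__ == "__main__":
    run()
```

Running it lists the SSID-cloning device as rogue and the only BSSID to contain, flags AP 2 as impersonated without containing it, and leaves all three inventory APs out of the containment list; the lowercase "surfcfcc" lookalike is only "interfering" because the protected-SSID match is case sensitive, which is worth remembering when filling in the Protected SSID field.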

     



  • 9.  RE: IDS / WIPS Configuration Question

    Posted Oct 21, 2013 03:59 PM

    Hey CJ, as soon as I get some more lab time I'll get back to you on this. It's pretty important, but, as I am sure you know, we all get busy...



  • 10.  RE: IDS / WIPS Configuration Question

    EMPLOYEE
    Posted Oct 21, 2013 04:00 PM

    Absolutely.

     

    Let us know.

     



  • 11.  RE: IDS / WIPS Configuration Question

    Posted Nov 04, 2013 11:23 AM

    Getting a trial of AirWave tomorrow; I will revisit this once AirWave is up and running and I have had a chance to play with it a little!