Security, WIDS/WIPS and Aruba ECS

Frequent Contributor I

Mobile Phone Hotspot Control

How will a mobile phone hotspot be treated within an environment that has Aruba installed?

Since it isn't a rogue per se and it isn't a bridge or adhoc how will Aruba see it, classify it and handle it?

A school system is having issues with students setting up their phones as mobile hotspots and allowing other kids to attach to it and then getting around the web filters.

I want to make sure we can address this with a proposed Aruba implementation including WIP.

Michael McNamee
Sr. Network Engineer - SecurEdge Networks

Detecting Mobile Phone Hotspots

The Aruba Access Points, and thus controller will detect those type of Mobile WIFI hotspots (e.g. MIFI hotspots) as " interferring access points ". Since there is no wired component on the mobile phone, it will not be clasifield as ROGUE on the controller or by the APs.

The controller will provide you with information on the number/name of APs that can 'hear' this device advertising, the relative signal strength, and ALSO the number of clients attached. The client list is also recorded to provide a list of MAC addresses of clients that are associated to this device. You can thus quickly find popular hotspots with a few mouse clicks.

Our Airwave application can take the correlation a step further(e.g. automating it further) by looking at the # of APs that can hear the mobile phone (More Aruba APs hearing the mobile phone hotspot, typically means its 'inbetween' the APs, and thus inside your building), the signal strength(higher means its in your building) is also recorded and displayed which can be used in rule-sets to automatically determine if the device is close enough to your own infrastructure (e.g. inside your building) to be of concern.

Airwave also allows an automated email alert to be generated immediately when hotspots pop up and meet the criteria above. (lets say -65 dBm or stronger, AND a minimum of 3 APs 'hearing' the hotspot = send me an email) You can then have Airwave/Controller/Aruba APs take action on devices that meet the criteria that indicates to you that they are within your premises.

On another note, if your organization utilizes a fixed set of client equipment(e.g. laptops) you could classify all your assets as Valid Clients within the Aruba controller, all the SSIDs you advertise as VALID, and then invoke our WIP functionality to protect Valid stations from communicating with all but the authorized Valid WLAN (your infrastructure). Once student owned devices (the norm today) are introduced this functionality becomes unscalable though.

A Layer 8 approach may also be a good idea in such environments. The same policies that keep students from chatting/texting on Mobile phones in class should be extended to data use as well. Violating the layer 8 policy = immediate confiscation (like the old days) should act as a detterent as well as the strategies outlined above. ;)
Aruba Employee

RE: Mobile Phone Hotspot Control

Today, using AirWave 7.1, you can write rogue classification rules combining all of the data you have available, including signal strength, number of APs that can "hear" it, Manufacturer, SSID, etc. The rules themselves can classify the device as a suspected rogue, rogue, or contained rogue. The contained rogue classification is special as this will cause AirWave to reach down to the Aruba controller and turn on containment for that AP. This makes the entire process automatic. No student will be able to reliably use the hotspot AP.
Alternately, a less hostile approach would be to use AirWaves VisualRF component to locate these hotspot APs and send someone out to confiscate the device.

Coming in ArubaOS 6.0 these classification features are trickling down from AirWave into the controllers themselves. The possibiliites will be slightly more limited but the result will be the same. In addition, we will be updating our containment technology to be able to reliably contain more of these devices simultaneously without interfering with authorized networks on the same channels.


Other Mobile Hotspots...Protection against them as well

On a related note, the same principles we discussed above can also be utilized as defense against the usage of *FREE* software based APs (like Windoze 7 Connectify) that will inevitably also trickle into the classroom. :D
Search Airheads
Showing results for 
Search instead for 
Did you mean: