
My RAPIDS Setup

I had a hard time figuring out the best way to deploy RAPIDS as there weren't any clear-cut examples or simple-to-follow best practices out there, so now that I have things sorted out for my environment, I want to share my setup and gotchas.
I'll post the details as a solution but I'll attach Aruba's published RAPIDS document (which I found here: https://community.arubanetworks.com/t5/Software-User-Reference-Guides/AirWave-8-0-and-RAPIDS/ta-p/255076) as a quick reference.

Tim Haynie, ACMX #508, CWNE #254, ACCP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA

Re: My RAPIDS Setup

  1. Add all your switches to Airwave. Without your switches in Airwave, RAPIDS is pretty useless.
    1. Add switches at each level of your hierarchy: core, distribution, access for best detection.
    2. Make sure Airwave is able to fetch the ARP and bridge forwarding table. If you use Cisco switches like my current employer does, you must use SNMP v2c until HPE resolves defect DE33138.
  2. AMP Setup > General section
    1. Historical Data Retention > Rogue AP Discovery Events: 90 days. Not sure what the default is, but this seemed reasonable.
    2. Performance > RAPIDS Processing Priority: Low. You don't want Airwave being overwhelmed by rogue AP processing.
  3. RAPIDS "Setup" section
    1. Wired-to-Wireless MAC Address Correlation: 8 bits, the recommended value. However, even 8 bits doesn't seem to be enough, as an Aruba AP's Ethernet and Wi-Fi MACs differ by more than 8 bits.
    2. Wireless BSSID Correlation: 5 bits. The recommended 4 bits is not enough in my opinion as a dual-radio rogue AP with 16 BSS capability would result in RAPIDS identifying the same rogue as two devices.
    3. Automatically OS scan rogue devices: Yes. Make sure your SOC is aware of this, as they will start seeing lots of NMAP-style behavior originating from Airwave once you turn this on.
    4. Delete Rogues not detected for: 14 days. The recommended value.
    5. Wired-to-Wireless Time Correlation Window: 360 minutes. The recommended value is 240, but I wanted a slightly larger window just in case. The default ARP and bridge forwarding table reading is 4 hours (240 minutes), so make sure your correlation window is at least that large.
    6. Ignore Rogues by Signal Strength: Yes, -80. The recommended value. You will get a lot of false positives and your RAPIDS database will be enormous if you don't use this.
  4. RAPIDS "Rules" section. Remember rules are evaluated top to bottom, making ordering important.
    1. Rule Name: SSID Contains Company or SSID name
      1. Classification: Suspected Rogue
      2. Threat Level: 10
      3. Enabled: Yes
      4. Detecting AP count: 3
      5. Signal Strength Maximum: 0
      6. Signal Strength Minimum: -80. See "Other Considerations" for more info on why we have this.
      7. SSID (one per line):
        *yourcompany*
        *yourssid*
    2. Rule Name: Detected Wireless and Wired
      1. Classification: Rogue
      2. Threat Level: 9
      3. Enabled: Yes
      4. Detected on WLAN: Yes
      5. Detected on LAN: Yes
      6. Detecting AP count: 3
      7. Signal Strength Maximum: 0
      8. Signal Strength Minimum: -54. See other considerations for more info.
    3. Rule Name: Detected Wirelessly
      1. Classification: Suspected Neighbor
      2. Threat Level: 3
      3. Enabled: Yes
      4. Detected on WLAN: Yes
    4. Rule Name: Wired Devices
      1. Classification: Suspected Valid
      2. Threat Level: 2
      3. Enabled: Yes
      4. Detected on LAN: Yes
  5. Other important notes:
    1. Every time you make a change to the rule definitions or ordering, you must click "Save and Apply" followed by "Apply Changes now". If you do not do that, your rule changes will not take effect, even if you clicked the Save button in the rule definition.
    2. Airwave is broken when it comes to reading Cisco switches using SNMP v3, preventing the ability to read the bridge forwarding table. Defect DE33138, TAC case 5339677458. This has been broken since at least 2017, probably longer, and even as of Airwave 8.2.9.0 it is still broken. I will strike this once I have a confirmed working version. Until then, you must use SNMP v2c.
    3. Even though we set a threshold of -80 for "Ignore Rogues by Signal Strength", you can still wind up with a Discovery Event with a blank signal strength from a garbled beacon frame, causing a false positive. Specifying the signal strength minimum in the first two rules helps with additional filtering by forcing the rule to only match Discovery Events that have a real signal strength.
    4. The reason I have a high minimum signal strength specified for the "Detected Wireless and Wired" rule is because I found that IAP VCs will report neighbor APs as though they are wired with a discovery method called "Wireline Aruba Instant Data". The high signal strength requirement gets around that. HPE really ought to fix that, but it seems that even though they've been aware of it for years (based on other forum posts), they've done nothing about it. I'll probably open a TAC case for this as well. Update: TAC case 5339854430. TAC has a patch they can apply which can fix the issue, at least for my version 8.2.9.0. TAC does not have a patch as previously noted. Defect ID DE32845 (or DE21856?). I am waiting on them to provide me the final fixed Airwave version. TAC claims this issue will be fixed in 8.2.10.1. The defect DE21856 was filed in April this year, although I'm not sure which defect ID is correct.
Tim Haynie, ACMX #508, CWNE #254, ACCP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA