Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-29 Thread Sidharth Nandury
Thank you, everyone. This is great information. Looking at Airwave (our
monitoring tool for wireless), and the controller logs, I only have a
couple of rogues on campus based on the parameters we are trying to define
for rogues. I will probably be suggesting a detection and reporting
approach, and manual mitigation if deemed necessary on a case-by-case
basis. I believe this would keep us away from FCC fines. I am also working
on a write-up for our "official" rogue policy on campus, so, Lee, thank you
for your input. This helps me know whom I should work more closely with.

Thank you once again.

Regards,
Sid


RE: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-29 Thread Thomas Carter
I guess I should have clarified – we do rogue detection, but “mitigation” is a 
physical visit by us or someone from Student Life. If it’s a router or other 
device plugged into a port in the room, we disable that port until the students 
communicate with us. It’s just the automatic mitigation that isn’t worth it.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu


Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Lee H Badman
Just adding to the discussion, having been at this for a while. Make sure that 
your “no rogue” enforcement, in whatever form that takes, is backed up by 
clearly articulated policy that is endorsed by your CIO or equivalent. Make 
sure that policy is well communicated, and that your entire distributed 
computing/network support/helpdesk staff are educated on it. Over time, strong 
alliances in this regard greatly reduce the number of rogues you’ll see to 
begin with, and it’s wonderful to find a rogue in your monitoring software and 
simply pick up the phone and ask a person in another department to please go 
find it and remove it. If you can develop those mature, high-functioning 
relationships, you greatly reduce the need for technical remedies.

In the dorms, try to make sure that your no rogue policy is agreed to by every 
student before they get a network login. Try to educate dorm directors and RAs 
on the topic, and why the policy is needed. I’ve called Dorm Directors when 
offending students ignore voice mail and email, and these folks have great 
interest in helping to get to the problem user for the greater good.

Researchers are perpetually going to be a headache. There is a lot of momentum 
in engineering schools on all sorts of wireless technology, and this group will 
have its own set of circumstances with rogues to navigate. Recognize them as a 
separate demographic, as you may need to bend, amend, and break policy in the 
name of academic activity. But you may also help enable fantastic wireless 
breakthroughs if you can find a workable balance.

The more rogues you scrutinize over time through whatever monitoring tools you 
have available combined with a thorough understanding of your entire networking 
environment, the better you get at pinpointing who has what device in play, or 
whether said device is worth trying to deal with, through a combination of 
detective skills and log data. I have mitigated at least 40 rogues this 
semester alone without leaving my desk and without blasting out deauths. Phone, 
email, and a 10,000-foot view are also effective tools once you know what to 
look for.

Regards,


Lee Badman (mobile)


Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Jake Snyder
Generally speaking there are 3 scenarios where you can safely use containment.

On-wire rogue: I own the network it's plugged in to.
If you can prove that the AP is plugged into your network against policy you 
can contain, since the network they are connecting to is yours.  However, this 
is not a good use of airtime, and a wired-side containment method is much more 
effective.

Owned devices: I own the device connecting to another network.
If you own a device, and you see it connected to something that is not yours, 
you can contain it since you are interacting with a device your organization 
owns.  However, if it's a BYOD or employee/student device you are containing 
then that's likely not ok.

Pentesting: I have legal authorization from the device/network owner to contain.
You are a wireless pentester and have permissions to contain any device that is 
owned by and authorized by your customer.


I recorded my thoughts on the matter here:

https://www.youtube.com/watch?v=7e--Y-KjsEQ


Monitor and report, but action needs to be deliberate and targeted.  Otherwise, 
you are asking for a fine from the FCC.

Jake

RE: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Enfield, Chuck
My main reason for worrying about people broadcasting our SSIDs is usability.

The $64 question for security is whether or not the Aruba IDS would detect a 
well-executed evil twin attack.  If the twin uses not just your ESSID but a 
valid BSSID from one of your APs in an area where the “spoofed” AP can’t detect 
it, would the IDS figure it out?  If so, then there may be some value in 
enabling automatic mitigation.
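Chuck's question is whether an IDS would notice a twin reusing a real BSSID where the real AP cannot hear it, and Sid's plan is to report rather than auto-contain; the Python below is an added example (not code from this thread, Aruba or Airwave) of that detect-and-report triage: it checks each beacon heard by monitoring radios against an AP inventory, flagging unknown radios that advertise a protected SSID (including case/whitespace lookalikes, which goes beyond the exact names discussed) and authorized BSSIDs heard in a building where that AP is not deployed, while ordinary hotspots stay informational. The BSSIDs, SSIDs, buildings and the assumption that an AP is only heard inside its own building are all constructed.

```python
"""Detect-and-report triage of wireless IDS scan data (constructed example): beacons heard
by monitoring radios are checked against an AP inventory; output is a report, not containment."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedAP:
    bssid: str
    ssid: str
    building: str  # where the AP is physically deployed

@dataclass(frozen=True)
class Observation:
    monitor_building: str  # building of the radio that heard the beacon
    bssid: str
    ssid: str
    rssi: int  # dBm at that radio

@dataclass(frozen=True)
class Finding:
    verdict: str
    bssid: str
    ssid: str
    heard_in: tuple  # buildings whose radios heard this BSSID/SSID pair
    best_rssi: int

# Higher = look at it first. "unknown-network" (hotspots) is reported, never contained.
SEVERITY = {"authorized": 0, "unknown-network": 1, "ssid-mismatch": 2,
            "bssid-clone-suspected": 3, "counterfeit-ssid": 3}

# Constructed inventory: hypothetical BSSIDs, SSIDs and buildings.
PROTECTED_SSIDS = {"CampusNet", "eduroam"}
AUTHORIZED = [
    AuthorizedAP("00:1A:1E:00:00:01", "CampusNet", "Library"),
    AuthorizedAP("00:1A:1E:00:00:02", "CampusNet", "Dorm-A"),
    AuthorizedAP("00:1A:1E:00:00:03", "eduroam", "Library"),
]


def canon_ssid(ssid):
    """Fold case and surrounding whitespace so 'campusnet ' matches 'CampusNet'."""
    return ssid.strip().casefold()


def classify(obs, by_bssid, protected):
    """Verdict for one beacon observation."""
    ap = by_bssid.get(obs.bssid.lower())
    if ap is None:  # a radio we do not own
        if canon_ssid(obs.ssid) in protected:
            return "counterfeit-ssid"  # someone else advertising our name
        return "unknown-network"  # personal hotspot etc.: report only
    if canon_ssid(obs.ssid) != canon_ssid(ap.ssid):
        return "ssid-mismatch"  # our BSSID carrying a name we never configured
    # Assumption: an AP is only audible inside its own building, so its BSSID
    # heard by a radio elsewhere means a clone is on the air near that radio.
    if obs.monitor_building != ap.building:
        return "bssid-clone-suspected"
    return "authorized"


def triage(observations, authorized=AUTHORIZED, protected_ssids=PROTECTED_SSIDS):
    """One Finding per (bssid, ssid) pair; the most severe verdict for the pair wins."""
    by_bssid = {ap.bssid.lower(): ap for ap in authorized}
    protected = {canon_ssid(s) for s in protected_ssids}
    groups = defaultdict(list)
    for obs in observations:
        groups[(obs.bssid.lower(), obs.ssid)].append(obs)
    findings = []
    for (bssid, ssid), seen in groups.items():
        # A real AP heard at home (authorized) and far away (clone suspected)
        # must surface as the clone case, not be masked by the home sighting.
        verdict = max((classify(o, by_bssid, protected) for o in seen), key=SEVERITY.get)
        heard_in = tuple(sorted({o.monitor_building for o in seen}))
        findings.append(Finding(verdict, bssid, ssid, heard_in, max(o.rssi for o in seen)))
    findings.sort(key=lambda f: (-SEVERITY[f.verdict], f.bssid))
    return findings


def report(findings):
    """Plain-text lines for a ticket or alert e-mail; authorized pairs are omitted."""
    return [f"[{f.verdict}] {f.bssid} ssid={f.ssid!r} heard_in={','.join(f.heard_in)} "
            f"best_rssi={f.best_rssi} dBm" for f in findings if f.verdict != "authorized"]


# Constructed scan records, as a monitoring system might export them.
SAMPLE_OBSERVATIONS = [
    Observation("Library", "00:1A:1E:00:00:01", "CampusNet", -45),   # our AP, at home
    Observation("Library", "00:1A:1E:00:00:03", "eduroam", -50),     # our AP, at home
    Observation("Dorm-A", "00:1A:1E:00:00:02", "CampusNet", -40),    # our AP, at home
    Observation("Dorm-A", "AA:BB:CC:00:00:10", "campusnet ", -38),   # lookalike of a protected SSID
    Observation("Dorm-A", "AA:BB:CC:00:00:11", "Joes_iPhone", -60),  # hotspot, heard by two radios
    Observation("Dorm-B", "AA:BB:CC:00:00:11", "Joes_iPhone", -75),
    Observation("Dorm-B", "00:1A:1E:00:00:01", "CampusNet", -42),    # Library AP's BSSID, loud in Dorm-B
    Observation("Library", "00:1A:1E:00:00:02", "FreeWifi", -70),    # our BSSID, a foreign SSID
]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_OBSERVATIONS)):
        print(line)
```

A real deployment would replace the one-building rule with each AP's measured neighbour list, so that a BSSID heard by a radio that never normally hears it is what raises the clone verdict.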


Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Sidharth Nandury
Thank you for the response.

Thomas,
I'm definitely going to share the FCC announcement with my management and
security officer to ensure that they are aware of this. That being said, we
are not trying to prevent anyone from using a hotspot, but like Chuck
mentioned are trying to protect our users from connecting to counterfeit
"well-known" campus SSIDs. My thought is to only add "well-known" SSIDs in
our list of protected networks.

Chuck,
Airwave can be an option for alerting, but as you said, it needs manual
intervention. If our security officer decides to go against implementing
this, my next suggestion would be using Airwave for manual intervention.
Something else I can think of is the polling interval's duration and
immediacy of action. If there is a malicious individual trying to broadcast
a known network, wouldn't we want to have immediate action to be taken,
rather than having to wait for the Airwave polling interval, receive an
email notification, turn around and maybe have some kind of text alert to
immediately alert us to take action? Thoughts?

Regards,
Sid


RE: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Enfield, Chuck
Most of the time if somebody is using one of your well-known SSIDs on campus 
it’s either out of ignorance or benign experimentation.  Rogue mitigation of 
those devices is unlikely to attract the attention of the FCC, and even if it 
does, I doubt you’ll get in any trouble for it.  The FCC has cracked down on 
property owners acting like they own the spectrum within their facilities.  I 
suspect an effort to protect users from what may reasonably be characterized as 
“counterfeit” networks would be viewed in a different light.  They may still 
tell you to knock it off, but penalties seem really unlikely.

On the other hand, have you considered an Airwave alert to bring these devices 
to your attention and mitigating by manual intervention?  If your institution 
is anything like ours you’ll see very few of these.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Thomas Carter
Sent: Monday, October 28, 2019 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

The short answer is don’t do this. The longer answer is the FCC frowns on rogue 
mitigation:
https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-75-for-disabling-conference-hotspots/
Look at the notice from the FCC down about ½ the page.


Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

All,

We have been asked to look into rogue WAP detection and mitigation. We are an 
Aruba shop for wireless and are running v6.5.4.12. After doing some research 
and looking at Airheads posts, it led me to a configuration called "Protect 
SSID" in the IDS profile. Though I have successfully tested this in a lab 
environment and it seems to be "protecting" valid SSIDs (ones that I have 
configured), I am a little apprehensive about simply turning this on due to the 
ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating 
rogue SSID broadcasts and protecting your clients from connecting to these rogue 
WAPs. I would also love to hear about any pitfalls with turning this on and 
any other gotchas that I might need to keep in mind. If you have other 
suggestions about rogue WAP detection and mitigation, I would love to hear them. 
Please feel free to reach me off this list if you wish.

Please let me know if any additional information is needed on my end. Thank you 
for your time.

Regards,
Sid

--

Sidharth S. Nandury
Network Engineer
Information Technology Services

100 West College Street, Granville, OH 43023 | Fellows 003C
Office: 74

RE: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Thomas Carter
The short answer is don’t do this. The longer answer is the FCC frowns on rogue 
mitigation:
https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-75-for-disabling-conference-hotspots/
Look at the notice from the FCC down about ½ the page.


Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

All,

We have been asked to look into rogue WAP detection and mitigation. We are an 
Aruba shop for wireless and are running v6.5.4.12. After doing some research 
and looking at Airheads posts, it led me to a configuration called "Protect 
SSID" in the IDS profile. Though I have successfully tested this in a lab 
environment and it seems to be "protecting" valid SSIDs (ones that I have 
configured), I am a little apprehensive about simply turning this on due to the 
ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating 
rogue SSID broadcasts and protecting your clients from connecting to these rogue 
WAPs. I would also love to hear about any pitfalls with turning this on and 
any other gotchas that I might need to keep in mind. If you have other 
suggestions about rogue WAP detection and mitigation, I would love to hear them. 
Please feel free to reach me off this list if you wish.

Please let me know if any additional information is needed on my end. Thank you 
for your time.

Regards,
Sid

--

Sidharth S. Nandury
Network Engineer
Information Technology Services

100 West College Street, Granville, OH 43023 | Fellows 003C
Office: 740-587-5533 | Mobile: 516-314-4413
nandu...@denison.edu
https://denison.edu/campus/technology

Please consider the environment before printing this email.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



Aruba Wireless - IDS: Protect-SSID

2019-10-28 Thread Sidharth Nandury
All,

We have been asked to look into rogue WAP detection and mitigation. We are
an Aruba shop for wireless and are running v6.5.4.12. After doing some
research and looking at Airheads posts, it led me to a configuration
called "Protect SSID" in the IDS profile. Though I have successfully tested
this in a lab environment and it seems to be "protecting" valid
SSIDs (ones that I have configured), I am a little apprehensive about
simply turning this on due to the ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating
rogue SSID broadcasts and protecting your clients from connecting to these rogue
WAPs. I would also love to hear about any pitfalls with turning this on
and any other gotchas that I might need to keep in mind. If you have other
suggestions about rogue WAP detection and mitigation, I would love to hear them.
Please feel free to reach me off this list if you wish.

Please let me know if any additional information is needed on my end. Thank
you for your time.

Regards,
Sid

-- 

*Sidharth S. Nandury*
*Network Engineer*
Information Technology Services

100 West College Street, Granville, OH 43023 | Fellows 003C
Office: 740-587-5533 | Mobile: 516-314-4413
nandu...@denison.edu
https://denison.edu/campus/technology

*Please consider the environment before printing this email.*
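As an added illustration of the detection-and-reporting side of the question above (example code, not Aruba's, the list's or the poster's), the check below classifies observed beacons against a constructed authorized-AP inventory: an unknown BSSID advertising one of the configured SSIDs is the case a "Protect SSID" setting would act on, and it also flags the reverse case of a known BSSID advertising the wrong SSID. The inventory, SSIDs, BSSIDs, AP names and the `Beacon` record are all constructed for the example.

```python
"""Detection-only check for rogue APs advertising our SSIDs (constructed
example).  It classifies and reports; it never contains or deauths anything."""
from collections import namedtuple

Beacon = namedtuple("Beacon", "bssid essid seen_by")

# Constructed inventory: BSSIDs we own and the SSID each one serves, as the
# controller could export it.
AUTHORIZED = {
    "a8:bd:27:00:00:01": "Campus-Secure",
    "a8:bd:27:00:00:02": "Campus-Secure",
    "a8:bd:27:00:00:03": "Campus-Guest",
}
# The configured ESSIDs an IDS "Protect SSID" setting would watch over.
PROTECTED_SSIDS = set(AUTHORIZED.values())


def classify(beacon, authorized=AUTHORIZED, protected=PROTECTED_SSIDS):
    """Return 'valid', 'ssid-spoof', 'bssid-spoof' or 'neighbor'."""
    bssid = beacon.bssid.lower()  # scans report MACs in mixed case
    if bssid in authorized:
        # Our BSSID with a foreign SSID means the BSSID itself was cloned.
        return "valid" if authorized[bssid] == beacon.essid else "bssid-spoof"
    if beacon.essid in protected:
        # Unknown radio advertising our SSID: the case Protect SSID targets.
        return "ssid-spoof"
    return "neighbor"  # someone else's network, not ours to act on


def report(beacons):
    """Bucket findings so a human can review each rogue case by case."""
    findings = {k: [] for k in ("valid", "ssid-spoof", "bssid-spoof", "neighbor")}
    for b in beacons:
        findings[classify(b)].append(b)
    return findings


# Constructed scan results, not real data.
SAMPLE = [
    Beacon("a8:bd:27:00:00:01", "Campus-Secure", "ap-lib-1"),
    Beacon("A8:BD:27:00:00:02", "Campus-Secure", "ap-lib-1"),
    Beacon("de:ad:be:ef:00:01", "Campus-Secure", "ap-dorm-3"),  # hotspot cloning our SSID
    Beacon("a8:bd:27:00:00:03", "FreeWiFi", "ap-dorm-3"),  # our BSSID, wrong SSID
    Beacon("02:11:22:33:44:55", "Bobs-Phone", "ap-dorm-3"),
]

if __name__ == "__main__":
    for kind, hits in report(SAMPLE).items():
        print(kind, len(hits))
        for b in hits:
            print(f"  {b.bssid} {b.essid!r} heard by {b.seen_by}")
```

Only the "ssid-spoof" and "bssid-spoof" buckets need a human follow-up; "neighbor" entries are other people's networks and are deliberately left alone.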
