Generally speaking there are 3 scenarios where you can safely use containment.

On wire rogue:  I own the network it's plugged in to.
If you can prove that the AP is plugged into your network against policy you 
can contain, since the network they are connecting to is yours.  However, this 
is not a good use of airtime, and a wired-side containment method is much more 
effective.

Owned devices: I own the device connecting to another network.
If you own a device, and you see it connected to something that is not yours, 
you can contain it since you are interacting with a device your organization 
owns.  However, if it's a BYOD or employee/student device you are containing 
then that's likely not ok.

Pentesting: I have legal authorization from the device/network owner to contain.
You are a wireless pentester and have permissions to contain any device that is 
owned by and authorized by your customer.


I recorded my thoughts on the matter here:

https://www.youtube.com/watch?v=7e--Y-KjsEQ 


Monitor and report, but action needs to be deliberate and targeted.  Otherwise, 
you are asking for a fine from the FCC.

Jake





> On Oct 28, 2019, at 11:55 AM, Enfield, Chuck <cae...@psu.edu> wrote:
> 
> My main reason for worrying about people broadcasting our SSIDs is usability.
>  
> The $64 question for security is whether or not the Aruba IDS would detect a 
> well-executed evil twin attack.  If the twin uses not just your ESSID but a 
> valid BSSID from one of your APs in an area where the “spoofed” AP can’t 
> detect it, would the IDS figure it out?  If so, then there may be some value 
> in enabling automatic mitigation.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sidharth Nandury
> Sent: Monday, October 28, 2019 12:56 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID
>  
> Thank you for the response. 
>  
> Thomas,
> I'm definitely going to share the FCC announcement with my management and 
> security officer to ensure that they are aware of this. That being said, we 
> are not trying to prevent anyone from using a hotspot, but like Chuck 
> mentioned are trying to protect our users from connecting to counterfeit 
> "well-known" campus SSIDs. My thought is to only add "well-known" SSIDs in 
> our list of protected networks.
>  
> Chuck,
> Airwave can be an option for alerting, but as you said, it needs manual 
> intervention. If our security officer decides to go against implementing 
> this, my next suggestion would be using Airwave for manual intervention. 
> Something else I can think of is the polling intervals duration and immediacy 
> of action. If there is a malicious individual trying to broadcast a 
> known-network, wouldn't we want to have immediate action to be taken, rather 
> than having to wait for the airwave polling interval, receive an email 
> notification, turn around and maybe have some kind of text alert to 
> immediately alert us to take action? Thoughts?
>  
> Regards,
> Sid
>  
> On Mon, Oct 28, 2019 at 12:08 PM Enfield, Chuck <cae...@psu.edu> wrote:
> Most of the time if somebody is using one of your well-known SSID’s on campus 
> it’s either out of ignorance or benign experimentation.  Rogue mitigation of 
> those devices is unlikely to attract the attention of the FCC, and even if it 
> does, I doubt you’ll get in any trouble for it.  The FCC has cracked down on 
> property owners acting like they own the spectrum within their facilities.  I 
> suspect an effort to protect users from what may reasonably be characterized 
> as “counterfeit” networks would be viewed in a different light.  They may 
> still tell you to knock it off, but penalties seem really unlikely.
>  
> On the other hand, have you considered an Airwave alert to bring these devices 
> to your attention and mitigating by manual intervention?  If your institution 
> is anything like ours you’ll see very few of these.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Thomas Carter
> Sent: Monday, October 28, 2019 11:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID
>  
> The short answer is don’t do this. The longer answer is the FCC frowns on 
> rogue mitigation:
> https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-750000-for-disabling-conference-hotspots/
>  
> Look at the notice from the FCC down about ½ the page.
>  
>  
> Thomas Carter
> Network & Operations Manager / IT
> Austin College
> 900 North Grand Avenue 
> Sherman, TX 75090
> Phone: 903-813-2564
> www.austincollege.edu 
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sidharth Nandury
> Sent: Monday, October 28, 2019 10:34 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID
>  
> All,
>  
> We have been asked to look into rogue WAP detection and mitigation. We are an 
> Aruba shop for wireless and are running v6.5.4.12. After doing some research 
> and looking at Airheads posts, it led me to a configuration called "Protect 
> SSID" in the IDS profile. Though I have successfully tested this in a lab 
> environment and it seems to be "protecting" valid SSID's (ones that I have 
> configured), I am a little apprehensive about simply turning this on due to 
> the ramifications that it might cause.
>  
> I am wondering if anyone here has used this setting to help with mitigating 
> rogue SSID broadcasts and protecting your clients connecting to these rogue 
> WAPs. I would also love to hear about any pitfalls with turning this on, and 
> any other gotchas that I might need to keep in mind. If there are other 
> suggestions about rogue WAP detection and mitigation, I would love to hear 
> them. Please feel free to reach me off this list if you wish.
>  
> Please let me know if any additional information is needed on my end. Thank 
> you for your time.
> 
> Regards,
> Sid
>  
> --
> Sidharth S. Nandury
> Network Engineer
> Information Technology Services 
> 100 West College Street, Granville, OH 43023 | Fellows 003C
> Office: 740-587-5533 | Mobile: 516-314-4413 
> nandu...@denison.edu
> https://denison.edu/campus/technology 
> Please consider the environment before printing this email.
> 
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community 