Just adding to the discussion, having been at this for a while. Make sure that 
your “no rogue” enforcement, in whatever form that takes, is backed up by 
clearly articulated policy that is endorsed by your CIO or equivalent. Make 
sure that policy is well communicated, and that your entire distributed 
computing/network support/ helpdesk staff are educated on it. Over time, strong 
alliances in this regard greatly reduce the number of rogues you’ll see to 
begin with, and it’s wonderful to find a rogue in your monitoring software and 
simply pick up the phone and ask a person in another department to please go 
find it and remove it. If you can develop those mature, high-functioning 
relationships, you greatly reduce the need for technical remedies.

In the dorms, try to make sure that your no rogue policy is agreed to by every 
student before they get a network login. Try to educate dorm directors and RAs 
on the topic, and why the policy is needed. I’ve called Dorm Directors when 
offending students ignore voice mail and email, and these folks have great 
interest in helping to get to the problem user for the greater good.

Researchers are perpetually going to be a headache. There is a lot of momentum 
in engineering schools on all sorts of wireless technology, and this group will 
have its own set of circumstances with rogues to navigate. Recognize them as a 
separate demographic, as you may need to bend, amend, and break policy in the 
name of academic activity. But you may also help enable fantastic wireless 
breakthroughs if you can find a workable balance.

The more rogues you scrutinize over time through whatever monitoring tools you 
have available combined with a thorough understanding of your entire networking 
environment, the better you get at pinpointing who has what device in play, or 
whether said device is worth trying to deal with, through a combination of 
detective skills and log data. I have mitigated at least 40 rogues this 
semester alone without leaving my desk and without blasting out deauths. Phone, 
email, and a 10,000 foot view are also effective tools once you know what to 
look for.

Regards,


Lee Badman (mobile)

On Oct 28, 2019, at 7:43 PM, Jake Snyder <jsnyde...@gmail.com> wrote:

Generally speaking there are 3 scenarios where you can safely use containment.

On wire rogue:  I own the network it's plugged in to.
If you can prove that the AP is plugged into your network against policy you 
can contain, since the network they are connecting to is yours.  However, this 
is not a good use of airtime, and wired-side containment is a much more 
effective method.

Owned devices: I own the device connecting to another network.
If you own a device, and you see it connected to something that is not yours, 
you can contain it since you are interacting with a device your organization 
owns.  However, if it's a BYOD or employee/student device you are containing 
then that's likely not ok.

Pentesting: I have legal authorization from the device/network owner to contain.
You are a wireless pentester and have permissions to contain any device that is 
owned by and authorized by your customer.


I recorded my thoughts on the matter here:

https://www.youtube.com/watch?v=7e--Y-KjsEQ


Monitor and report, but action needs to be deliberate and targeted.  Otherwise, 
you are asking for a fine from the FCC.

Jake





On Oct 28, 2019, at 11:55 AM, Enfield, Chuck <cae...@psu.edu> wrote:

My main reason for worrying about people broadcasting our SSIDs is usability.

The $64 question for security is whether or not the Aruba IDS would detect a 
well-executed evil twin attack.  If the twin uses not just your ESSID but a 
valid BSSID from one of your APs in an area where the “spoofed” AP can’t detect 
it, would the IDS figure it out?  If so, then there may be some value in 
enabling automatic mitigation.
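As an added illustration of the check Chuck asks about (this is not code from the thread, from Aruba, or from AirWave), the Python below compares beacons reported by monitoring sensors against an inventory of our own APs: an unknown BSSID advertising a protected ESSID is flagged as a rogue SSID, and an inventoried BSSID is flagged when the ESSID, channel or reporting location disagrees with what the inventory says about that AP. The inventory, BSSIDs and building names are constructed sample values; the output is a per-BSSID alert list meant for a person to follow up, not an auto-containment trigger.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class OwnAP:
    essid: str
    channel: int
    audible_from: frozenset  # buildings whose sensors normally hear this AP

# Constructed inventory of our own APs (hypothetical BSSIDs, not real ones).
INVENTORY: Dict[str, OwnAP] = {
    "00:11:22:33:44:01": OwnAP("Campus-WiFi", 36, frozenset({"Library"})),
    "00:11:22:33:44:02": OwnAP("Campus-WiFi", 6, frozenset({"Dorm-A", "Dorm-B"})),
}
PROTECTED_ESSIDS: Set[str] = {"Campus-WiFi"}  # the "well-known" names we care about

@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    channel: int
    heard_in: str  # building of the monitoring sensor that reported it

def classify(b: Beacon) -> Optional[str]:
    """Label a beacon for human follow-up, or None if it looks legitimate."""
    own = INVENTORY.get(b.bssid.lower())
    if own is None:
        # Unknown BSSID using one of our names: rogue SSID. Unknown BSSID with
        # some other name: someone else's network, not ours to act on.
        return "rogue-ssid" if b.essid in PROTECTED_ESSIDS else None
    # BSSID is ours; a twin copying it must still diverge from the real AP somewhere.
    if b.essid != own.essid:
        return "spoofed-bssid:essid-mismatch"
    if b.channel != own.channel:
        return "spoofed-bssid:channel-mismatch"
    if b.heard_in not in own.audible_from:
        return "spoofed-bssid:unexpected-location"
    return None

def triage(beacons: List[Beacon]) -> Dict[str, Set[str]]:
    """Group labels per BSSID so one person can pick up the phone per device."""
    alerts: Dict[str, Set[str]] = {}
    for b in beacons:
        label = classify(b)
        if label:
            alerts.setdefault(b.bssid.lower(), set()).add(label)
    return alerts

# Constructed sample of what a sensor feed might report in one polling interval.
SAMPLE: List[Beacon] = [
    Beacon("00:11:22:33:44:01", "Campus-WiFi", 36, "Library"),  # legitimate
    Beacon("aa:bb:cc:dd:ee:01", "Campus-WiFi", 11, "Dorm-A"),   # rogue SSID
    Beacon("00:11:22:33:44:02", "Campus-WiFi", 6, "Library"),   # our BSSID, wrong place
]
```

The location check is the weakest of the three (a sensor in an adjacent building can legitimately hear an AP), which is why `audible_from` is a set per AP rather than a single building.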

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 12:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

Thank you for the response.

Thomas,
I'm definitely going to share the FCC announcement with my management and 
security officer to ensure that they are aware of this. That being said, we are 
not trying to prevent anyone from using a hotspot, but like Chuck mentioned are 
trying to protect our users from connecting to counterfeit "well-known" campus 
SSIDs. My thought is to only add "well-known" SSIDs in our list of protected 
networks.

Chuck,
Airwave can be an option for alerting, but as you said, it needs manual 
intervention. If our security officer decides to go against implementing this, 
my next suggestion would be using Airwave for manual intervention. Something 
else I can think of is the polling intervals duration and immediacy of action. 
If there is a malicious individual trying to broadcast a known-network, 
wouldn't we want to have immediate action to be taken, rather than having to 
wait for the airwave polling interval, receive an email notification, turn 
around and maybe have some kind of text alert to immediately alert us to take 
action? Thoughts?

Regards,
Sid

On Mon, Oct 28, 2019 at 12:08 PM Enfield, Chuck <cae...@psu.edu> wrote:
Most of the time if somebody is using one of your well-known SSIDs on campus 
it’s either out of ignorance or benign experimentation.  Rogue mitigation of 
those devices is unlikely to attract the attention of the FCC, and even if it 
does, I doubt you’ll get in any trouble for it.  The FCC has cracked down on 
property owners acting like they own the spectrum within their facilities.  I 
suspect an effort to protect users from what may reasonably be characterized as 
“counterfeit” networks would be viewed in a different light.  They may still 
tell you to knock it off, but penalties seem really unlikely.

On the other hand, have you considered an Airwave alert to bring these devices 
to your attention and mitigating by manual intervention?  If your institution 
is anything like ours you’ll see very few of these.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Thomas Carter
Sent: Monday, October 28, 2019 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

The short answer is don’t do this. The longer answer is the FCC frowns on rogue 
mitigation:
https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-750000-for-disabling-conference-hotspots/
Look at the notice from the FCC down about ½ the page.


Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

All,

We have been asked to look into rogue WAP detection and mitigation. We are an 
Aruba shop for wireless and are running v6.5.4.12. After doing some research 
and looking at Airheads posts, it led me to a configuration called "Protect 
SSID" in the IDS profile. Though I have successfully tested this in a lab 
environment and it seems to be "protecting" valid SSID's (ones that I have 
configured), I am a little apprehensive about simply turning this on due to the 
ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating 
rogue SSID broadcasts and protecting your clients connecting to these rogue 
WAPs. I would also love to hear about any pitfalls with turning this on and 
any other gotchas that I might need to keep in mind. If you have other 
suggestions about rogue WAP detection and mitigation, I would love to hear them. 
Please feel free to reach me off this list if you wish.

Please let me know if any additional information is needed on my end. Thank you 
for your time.

Regards,
Sid

--

Sidharth S. Nandury
Network Engineer
Information Technology Services

100 West College Street, Granville, OH 43023 | Fellows 003C
Office: 740-587-5533 | Mobile: 516-314-4413
nandu...@denison.edu
https://denison.edu/campus/technology

Please consider the environment before printing this email.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
