I guess I should have clarified – we do rogue detection, but “mitigation” is a physical visit by us or someone from Student Life. If it’s a router or other device plugged into a port in the room, we disable that port until the students communicate with us. It’s just the automatic mitigation that isn’t worth it.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck
Sent: Monday, October 28, 2019 12:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

My main reason for worrying about people broadcasting our SSIDs is usability. The $64 question for security is whether or not the Aruba IDS would detect a well-executed evil twin attack. If the twin uses not just your ESSID but a valid BSSID from one of your APs in an area where the “spoofed” AP can’t detect it, would the IDS figure it out? If so, then there may be some value in enabling automatic mitigation.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 12:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

Thank you for the response.

Thomas, I'm definitely going to share the FCC announcement with my management and security officer to ensure that they are aware of this. That being said, we are not trying to prevent anyone from using a hotspot, but like Chuck mentioned are trying to protect our users from connecting to counterfeit "well-known" campus SSIDs. My thought is to only add "well-known" SSIDs in our list of protected networks.

Chuck, Airwave can be an option for alerting, but as you said, it needs manual intervention. If our security officer decides to go against implementing this, my next suggestion would be using Airwave for manual intervention. Something else I can think of is the polling interval duration and immediacy of action. If there is a malicious individual trying to broadcast a known-network, wouldn't we want to have immediate action to be taken, rather than having to wait for the Airwave polling interval, receive an email notification, turn around and maybe have some kind of text alert to immediately alert us to take action?

Thoughts?

Regards,
Sid

On Mon, Oct 28, 2019 at 12:08 PM Enfield, Chuck <cae...@psu.edu> wrote:

Most of the time if somebody is using one of your well-known SSIDs on campus it’s either out of ignorance or benign experimentation. Rogue mitigation of those devices is unlikely to attract the attention of the FCC, and even if it does, I doubt you’ll get in any trouble for it. The FCC has cracked down on property owners acting like they own the spectrum within their facilities. I suspect an effort to protect users from what may reasonably be characterized as “counterfeit” networks would be viewed in a different light. They may still tell you to knock it off, but penalties seem really unlikely.

On the other hand, have you considered an Airwave alert to bring these devices to your attention and mitigating by manual intervention? If your institution is anything like ours you’ll see very few of these.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Thomas Carter
Sent: Monday, October 28, 2019 11:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

The short answer is don’t do this. The longer answer is the FCC frowns on rogue mitigation:
https://nakedsecurity.sophos.com/2015/08/19/fcc-fines-company-750000-for-disabling-conference-hotspots/
Look at the notice from the FCC down about ½ the page.

Thomas Carter

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sidharth Nandury
Sent: Monday, October 28, 2019 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Wireless - IDS: Protect-SSID

All,

We have been asked to look into rogue WAP detection and mitigation. We are an Aruba shop for wireless and are running v6.5.4.12. After doing some research and looking at Airheads posts, it led me to a configuration called "Protect SSID" in the IDS profile. Though I have successfully tested this in a lab environment and it seems to be "protecting" valid SSIDs (ones that I have configured), I am a little apprehensive about simply turning this on due to the ramifications that it might cause.

I am wondering if anyone here has used this setting to help with mitigating rogue SSID broadcasts and protecting your clients connecting to these rogue WAPs. I would also love to hear about any pitfalls with turning this on, and any other gotchas that I might need to keep in mind. Other suggestions about rogue WAP detection and mitigation, I would love to hear them. Please feel free to reach me off this list if you wish.

Please let me know if any additional information is needed on my end. Thank you for your time.

Regards,
Sid

--
Sidharth S. Nandury
Network Engineer
Information Technology Services
100 West College Street, Granville, OH 43023 | Fellows 003C
Office: 740-587-5533 | Mobile: 516-314-4413
nandu...@denison.edu
https://denison.edu/campus/technology
Please consider the environment before printing this email.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
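
The two cases raised in the thread (a protected SSID broadcast from an unknown BSSID, and Chuck's case of a valid BSSID reused where the real AP cannot hear it) can be checked against an AP inventory and surfaced as alerts for manual follow-up. This is an added example, not part of the original emails and not Aruba's or Airwave's IDS logic; the SSID, BSSIDs, monitor names and record layout are all constructed.

```python
# Constructed sample data; SSID, BSSIDs and monitor names are hypothetical.
PROTECTED_SSIDS = {"CampusSecure"}

# BSSID -> what the inventory says about that radio. "heard_by" lists the
# monitoring radios physically close enough to hear the real AP. The inventory
# must be refreshed when channel assignments change, or the channel check
# will produce false positives.
INVENTORY = {
    "02:00:00:aa:00:01": {"channel": 36,
                          "heard_by": {"am-library-1", "am-library-2"}},
    "02:00:00:aa:00:02": {"channel": 149,
                          "heard_by": {"am-dorm-1"}},
}

# (monitor, bssid, essid, channel) as reported by monitoring radios.
OBSERVATIONS = [
    ("am-library-1", "02:00:00:AA:00:01", "CampusSecure", 36),  # legitimate
    ("am-dorm-1",    "02:00:00:bb:00:09", "CampusSecure", 6),   # unknown BSSID
    ("am-dorm-1",    "02:00:00:aa:00:01", "CampusSecure", 36),  # valid BSSID, wrong place
    ("am-library-2", "02:00:00:aa:00:01", "CampusSecure", 11),  # valid BSSID, wrong channel
    ("am-dorm-1",    "02:00:00:cc:00:05", "Sam's iPhone", 1),   # personal hotspot
]

def classify(monitor, bssid, essid, channel):
    """Return a finding label, or None when nothing needs attention."""
    if essid not in PROTECTED_SSIDS:
        return None  # only the well-known campus SSIDs are in scope
    known = INVENTORY.get(bssid.lower())
    if known is None:
        return "counterfeit-ssid"
    if channel != known["channel"]:
        return "bssid-on-unexpected-channel"
    if monitor not in known["heard_by"]:
        return "bssid-heard-in-unexpected-location"
    return None

def findings(observations):
    """Collect (label, monitor, bssid, channel) for every flagged observation."""
    out = []
    for monitor, bssid, essid, channel in observations:
        label = classify(monitor, bssid, essid, channel)
        if label:
            out.append((label, monitor, bssid.lower(), channel))
    return out

if __name__ == "__main__":
    for finding in findings(OBSERVATIONS):
        print(*finding)
```

The location check only works where a monitoring radio can hear the copy; a twin placed outside the range of every monitor is not seen at all.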