Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP

1. Go to Monitor > Rogue AP Monitor.
2. When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
3. To suppress an AP that is marked as a rogue, select it and then select Suppress AP.

To deactivate AP suppression

1. Go to Monitor > Rogue AP Monitor.
2. Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.

Using the Rogue AP Monitor

Go to Monitor > Rogue AP Monitor to view the list of other wireless access points that are receivable at your location.

Information Columns Actual columns displayed depends on Column Settings.

Rogue AP — Use this status for unauthorized APs that On-wire status indicates are attached to your wired networks. Accepted AP — Use this status for APs that are an authorized part of your network or Stateare neighboring APs that are not a security threat. To see accepted APs in the list, select Show Accepted. Unclassified — This is the initial status of a discovered AP. You can change an AP back to unclassified if you have mistakenly marked it as Rogue or Accepted.

OnlineActive AP Status Inactive AP Active ad-hoc WiFi device Inactive ad-hoc WiFi device

SSID            The wireless service set identifier (SSID) or network name for the wireless interface.

Security           The type of security currently being used. Type

Channel       The wireless radio channel that the access point uses.

MAC     The MAC address of the Wireless interface. Address

Vendor The name of the vendor. Info

Signal  The relative signal strength of the AP. Mouse over the symbol to view the signal-to-noise Strength           ratio.

Detected The name or serial number of the AP unit that detected the signal. By

On-wire         A green up-arrow indicates a suspected rogue, based on the on-wire detection technique. A red down-arrow indicates AP is not a suspected rogue.

First Seen     How long ago this AP was first detected.

Suppressing

Last Seen	How long ago this AP was last detected.
Rate	Data rate in bps.

To change the Online Status of an AP, right-click it and select Mark Accepted or Mark Rogue.

Configuring rogue scanning

All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.

To enable rogue AP scanning with on-wire detection – web-based manager

1. Go to WiFi & Switch Controller > WIDS Profiles.

On some models, the menu is WiFi & Switch Controller.

2. Select an existing WIDS Profile and edit it, or select Create New.
3. Make sure that Enable Rogue AP Detection is selected.
4. Select Enable On-Wire Rogue AP Detection.
5. Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
6. Select OK.

To enable the rogue AP scanning feature in a custom AP profile – CLI

config wireless-controller wids-profile edit FAP220B-default set ap-scan enable set rogue-scan enable

end

Exempting an AP from rogue scanning

By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.

Monitoring

To exempt an AP from rogue scanning – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. Select which AP to edit.
3. In Wireless Settings, enable Override Settings.
4. Select Do not participate in Rogue AP Scanning and then select OK.

To exempt an AP from rogue scanning – CLI

This example shows how to exempt access point AP1 from rogue scanning.

config wireless-controller wtp edit AP1 set override-profile enable set ap-scan disable

end

MAC adjacency

You can adjust the maximum WiFi to Ethernet MAC difference used when determining whether an suspect AP is a rogue.

To adjust MAC adjacency

For example, to change the adjacency to 8, enter

config wireless-controller global set rogue-scan-mac-adjacency 8 end

Monitoring rogue APs                                                                                                  Wireless network monitoring

Rogue AP scanning as a background activity

Each WiFi radio can perform monitoring of radio channels in its operating band while acting as an AP. It does this by briefly switching from AP to monitoring mode. By default, a scan period starts every 300 seconds. Each second a different channel is monitored for 20ms until all channels have been checked.

Monitoring rogue APs                                                                                                  Wireless network monitoring

During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.

The following CLI example configures default background rogue scanning operation except that it sets apbgscan-idle to require 100ms of AP inactivity before scanning the next channel.

config wireless-controller wtp-profile edit ourprofile config radio-1 set wids-profile ourwidsprofile set spectrum-analysis enable

end

end

config wireless-controller wids-profile edit ourwidsprofile set ap-scan enable set rogue-scan enable set ap-bgscan-period 300 set ap-bgscan-intv 1 set ap-bgscan-duration 20 set ap-bgscan-idle 100

end

On-wire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.

Exact MAC address match

If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.

MAC adjacency

If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult.

However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.

Limitations

On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.

Logging

Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert level log, unknown APs generate a warning level log. This log information can help you with PCI-DSS compliance requirements.

Monitoring rogue APs

The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.

 

Monitoring

Discovered access points are listed in Monitor > Rogue AP Monitor. You can then mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

It is also possible to suppress rogue APs. See Monitoring rogue APs on page 111.

Monitoring wireless clients

To view connected clients on a FortiWiFi unit

1. Go to Monitor > Client Monitor.

The following information is displayed:

SSID	The SSID that the client connected to.
FortiAP	The serial number of the FortiAP unit to which the client connected.
User	User name
IP	The IP address assigned to the wireless client.
Device
Auth	The type of authentication used.
Channel	WiFi radio channel in use.
Bandwidth Tx/Rx	Client received and transmitted bandwidth, in Kbps.
Signal Strength / Noise	The signal-to-noise ratio in deciBels calculated from signal strength and noise level.
Signal Strength
Association Time	How long the client has been connected to this access point.

Results can be filtered. Select the filter icon on the column you want to filter. Enter the values to include or select NOT if you want to exclude the specified values.

Protecting the WiFi Network

Wireless IDS

WiFi data channel encryption

Protected Management Frames and Opportunisitc Key Caching support

Wireless IDS

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

• Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
• Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
• Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
• Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-athenticate, then re-authenticate with their AP.
• EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
• Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
• Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200. l Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
• Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
• Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
• Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable wireless IDS by selecting a WIDS Profile in your FortiAP profile.

To create a WIDS Profile

1. Go to WiFi & Switch Controller > WIDS Profiles.
2. Select a profile to edit or select Create New.

WiFi data channel encryption                                                                                          Protecting the WiFi Network

3. Select the types of intrusion to protect against. By default, all types are selected.
4. Select Apply.

You can also configure a WIDS profile in the CLI using the config wireless-controller widsprofile command.

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Wireless network monitoring on page 111.

WIDS client deauthentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the deauthentication rate.

config wireless-controller wids-profile edit default set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of deathorizations per second. 0 means no limit. The default is 10.

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile

Protecting the WiFi Network                              Protected Management Frames and Opportunisitc Key Caching support

edit profile1 set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption – FortiAP web-based manager

1. On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:

l Clear Text l DTLS Enabled l Clear Text or DTLS Enabled (default)

2. Select Apply.

Enabling encryption – FortiAP CLI

You can set the data channel encryption using the AC_DATA_CHAN_SEC variable: 0 is Clear Text, 1 is DTLS Enabled, 2 (the default) is Clear Text or DTLS Enabled.

For example, to set security to DTLS and then save the setting, enter

cfg -a AC_DATA_CHAN_SEC=1 cfg -c

Protected Management Frames and Opportunisitc Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap edit <vap_name> set pmf {disable | enable | optional} set pmf-assoc-comeback-timeout <integer> set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next

end

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.