Sunday, February 16, 2014

Airtight Networks: A look at WIPS Part 1: Over the Wire

When it comes to security, I have a personal motto: Think maliciously, act responsibly.  I really enjoy trying to manipulate clients, exploiting behavior and finding ways to prevent it in the "real world".

For protecting wireless networks in the "real world" one of the best tools is is WIPS.  Word on the street is that the Airtight solution is pretty good.  The presentation by Rick Farina at Wireless Field Day 6 was fun for me.  Rick is a great presenter and brought a lot of fun and energy to a security presentation.  For more on the WFD6 presentation, check out what fellow delegate Lee Badman wrote on his personal blog:

Also watch his presentation here:

This is the first of a few posts on Airtight Networks WIPS solution.  Part 1 will cover how Airtight does rogue detection, Part 2 will cover containment and OTA communication and Part 3 will cover common Rogue scenarios and look at how

*I will note that Airtight gave me a C55 AP during my visit during WFD5.  While I'm grateful to them for this, these posts are my own opinion and not influenced by their generosity.

Coming from the Cisco world, I see that Airtight takes a very different approach to identifying on-network rogues. Instead of trying to correlate Wi-Fi traffic to wired traffic by listening on the wire (Rogue Detector), scanning CAM tables on switches, or trying to connect to open access points and sending traffic towards the controller (RLDP),  Airtight sends broadcast (or potentially unicast) frames on a vlans connected to the Sensor/AP and then listens to see if those frames are ever sent over the air.

Let's look at the wired side of my Airtight C55 AP.  For example, here the mac addresses from my WIPS mode AP on my network:

You'll notice that there's the management mac and the rest are mac addresses created by the WIPS-mode AP, one for each vlan that we are doing WIPS on.  Here is what I have my AP configured for:

*Note, VLAN125 is present, just not in the picture.

Spanning the port on the Airtight AP, I'm able to capture some of the packets coming from the WIPS-AP.
For simplicity, i wrote a display filter to clean up the data only from the Airtight AP:

(eth.src > f2:91:4a:7f:00:00 and eth.src < f2:91:4a:7f:ff:ff)

You can see it does a lot of GARP for addresses on the VLANs I am monitoring.  I also observed it sending DHCP requests on the VLANs configured as well:

So what does this give us?  Well, by sending these L2 broadcast messages out, the hope is that a rogue (on network) AP will hear the L2 broadcast and forward this traffic out to clients over the air.  Once this happens, the WIPS wireless radio will hear the packet and be able to see that it is from itself.  This allows the Airtight system to tell that an AP is connected to the network.  From here we can Airtight take action against this rogue network/clients connecting to this network.

What's next?  In part 2 of this series, I'm going to look at how the Airtight WIPS prevents clients from connecting to a Rogue AP, as well as looking at some of the options settings.  For Part 3, I'm going to try my hand at some common scenarios to see where the Airtight system works and where it does.