Here’s What I Want NOW From My Wireless Management System

When it comes to the management and security of wireless networks, I want a lot of things. I want new things, and I want legacy things that aren’t going away to get better. I want slick, I want fast and I want effective. I want powerful, feature-rich, and a say in what features are worth devoting UI resources to. I want it all, baby- and here’s my latest rant on the topic. You’re going to love this.

Before I drop the bomb, let's set the stage.

I had the privilege of hanging out with the fellows from 7signal at the recent Wireless Field Day 5 event, seeing how they do WLAN RF health characterization, and getting a peek at what AirTight is up to. As a long-time Cisco wireless customer, my mushy brain can't help but bring everything back to my vendor for comparison; but more on this in just a bit.

In my spare time, I've been having more fun than a person should be allowed to with the addicting Wi-Fi Pineapple (along with some tricks from the much-revered BackTrack Linux). And at work, we're gearing up for thousands of students to flood back into the dorms, which means Rogue Hunting Season is nigh. Put all this together and feed it into the "It's Easy For Me To Demand Things From Other People That I Can't Do" engine, and out pops the following wireless support and security gem:

Wouldn’t it be cool if…

  • You could take one of your in-service APs and turn it into a virtual client that associates with other APs? (stay with me, I know you’ve heard this part before)
  • Synthetic testing with said virtual client was possible: do my DHCP and RADIUS servers work? Can I reach the Internet? Can I reach other locations, from each of my SSIDs?
  • The virtual client AP could report on nearby rogue networks, after I set a minimum threshold value (getting closer to the money shot), and tell me whether each SSID is open or protected?
  • My virtual client could associate to the open SSIDs and report back what the rogue's public IP is? (I could then find it through MAC or ARP tables if it's on my own network; this doesn't need to be automated)
  • Here's the LAGNIAPPE, baby- If the rogue SSID was encrypted, I'd like my virtual client to execute Aircrack-NG, Reaver, Fern, or whatever. Somehow, the power of my management system harnessed to this virtual client/pen-testing-mode AP would give me a big-assed, infinite dictionary from hell and lots of power to crack. Then I could go back to the "find the public IP" step, which to me is the ultimate and definitive "game over", versus a lot of wire-side detection systems that are so-so with their success rates.

I know there are lots of ways to do “wireless support”, but I am enamored with the force-multiplying capabilities of a well-constructed virtual client mode for installed APs (as I imagine them working). I’ve been beating the drum for Cisco to consider basic virtual client functionality for years, to no avail.

But now I want even more- I want a “virtual client AP meets BackTrack Linux, and they have offspring” mode.

I’m not asking for too much, am I?

14 thoughts on "Here's What I Want NOW From My Wireless Management System"

  1. Keith R. Parsons

    Oh, yeah!

    Well said. You'd think turning an AP into a virtual client would be a 'no-brainer' – but NO… someone in the WLAN vendors' PLM groups just doesn't get it.

    If we keep harping – perhaps we can get what Wireless LAN Professionals want within the next decade or so.

    Reply
    1. A

      I would assume you mean a particular vendor. 🙂 For example, AirDefense, which I mentioned before, has had so-called "AP Testing" functionality for quite a while. You define a test scenario that may include several checks and fire flexible alarms when something is wrong. One can also run tests on demand, on a schedule, or as part of a triggered reaction to another alarm.

      Tests include things like PSK/RADIUS auth, host unavailability (ping/traceroute/arp) or availability (when it shouldn’t: ACL issue or wrong VLAN assignment, etc), download/upload speeds, captive portal testing, etc.

      The implementation is far from being 'wow', and there are some awkward limitations, but it's been there for a while. On the positive side, this can work non-disruptively on WiNG5 APs in so-called "radio-share mode", unless you need to go off-channel, of course.

      Reply
      1. A

        >>'On the positive side, this can work non-disruptively on WiNG5 APs in so-called "radio-share mode", unless you need to go off-channel, of course.'
        So, yes, it’s an extra licensed feature, but no, it’s not extra hardware (neither APs nor appliances).
        Will that do?

  2. A

    What you’re asking for in the first 2/3 has been available for years from any decent WIPS vendor. 7signal did nothing really revolutionary (not that I’ve found in those videos) – look at AirDefense (now part of Motorola) for example.

    What you're asking for in the last two bullet points is ILLEGAL. A person comes to your campus with an Android phone that has hotspot mode enabled… next thing you know, you're being sued. 🙂 Cisco/AirMagnet tried doing this and got scorned by all the other wireless vendors out there: every single customer has heard the spooky stories of the potential legal implications of owning Cisco WIPS 🙂

    This is exactly why you need all those complex wired-side detection and RTLS systems – you can really ensure that the rogue is a rogue, and remove them in a compliant way.
    Pretty much, just like with a burglar in your house – would love to shoot them, but you (generally) can’t 🙂

    Reply
  3. wirednot Post author

    Not sure I agree- associating to an open AP on your network and in violation of your policy is illegal? Same same on secure APs on your network… Arguably it’s “illegal” to put them where they are forbidden. Point is, it’s not so black and white, or I’m not understanding the statement.

    Reply
    1. A

      As far as I understood, you propose associating to any SSID with RSSI >= dBm, and scanning it. Plus, if it’s encrypted – hacking your way into it.
      As I said, many of those SSIDs may not be rogues but legitimate neighbours, even if you physically own all the land in a radius of a few miles around 🙂 Simple example: a SoftAP on an Android phone for tethering purposes. This is why you need multiple fingerprinting and locationing techniques: to PROVE your hypothesis that the AP really is on your network (and then locate, confirm, remove).

      If you only associate to SSIDs that look like yours – you’ll be fine (mostly).

      Reply
      1. A

        Well, looks like the comment form eats angle brackets. The above should read "any SSID with RSSI >= [threshold] dBm".
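A defender-side sketch of the triage this sub-thread describes: a scan result below the RSSI threshold is parked, a foreign BSSID whose SSID looks like one of ours is flagged for location and wired-side confirmation, and anything else is treated as a possible neighbour (a phone hotspot, say) that RF alone cannot prove to be a rogue. This is an added example, not code from the post, the commenter or any vendor; the SSIDs, BSSIDs and scan records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    rssi_dbm: int
    protected: bool   # True when the beacon advertises WPA/WPA2 (RSN); False for an open SSID

# Constructed inventory for the example: our SSID names and the BSSIDs of APs we manage.
OUR_SSIDS = {"Campus-Secure", "Campus-Guest"}
OUR_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

def normalise(ssid: str) -> str:
    """Lower-case and drop punctuation so 'campus_secure' matches 'Campus-Secure'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def looks_like_ours(ssid: str) -> bool:
    """True when a foreign SSID equals or embeds one of our SSID names."""
    seen = normalise(ssid)
    return any(normalise(own) in seen for own in OUR_SSIDS)

def classify(obs: Observation, threshold_dbm: int = -70) -> str:
    if obs.bssid in OUR_BSSIDS:
        return "managed"                 # one of ours; nothing to do
    if obs.rssi_dbm < threshold_dbm:
        return "below-threshold"         # too weak to act on; re-check on later scans
    if looks_like_ours(obs.ssid):
        return "suspect-impersonation"   # mimics our SSID: locate, then confirm on the wired side
    return "neighbour"                   # legitimate neighbour or phone hotspot until proven otherwise

def triage(observations, threshold_dbm: int = -70) -> dict:
    """Map each BSSID to (verdict, 'open'|'protected') for the on-call engineer."""
    return {
        o.bssid: (classify(o, threshold_dbm), "protected" if o.protected else "open")
        for o in observations
    }

# Constructed scan results; not real data.
SAMPLE_SCAN = [
    Observation("Campus-Secure", "00:11:22:33:44:01", -45, True),
    Observation("campus_secure", "aa:bb:cc:dd:ee:01", -52, False),
    Observation("Campus-Guest",  "aa:bb:cc:dd:ee:02", -84, False),
    Observation("AndroidAP",     "aa:bb:cc:dd:ee:03", -40, True),
]

if __name__ == "__main__":
    for bssid, (verdict, mode) in triage(SAMPLE_SCAN).items():
        print(f"{bssid}  {mode:9}  {verdict}")
```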

  4. wirednot Post author

    Hey now- “hacking” is a little strong… or maybe not. In case it didn’t come through, this wasn’t meant to be 100% serious. At the same time, there is a lot to think about, depending on your humor, ethic, and imagination. Some rogues are so blatantly obvious that my far-fetched proposal above would actually work fine against them- others would certainly be sailing you off into waters you don’t want to be in. Thanks for pointing that out!

    Reply
    1. A

      Well, if someone tried to aircrack my phone, I would consider that hacking 🙂
      No worries – we all learn from each other, and the more we learn, the more we realize how much more stuff is out there to learn 🙂
      BTW, get ready for some reverse action from your students, just look at these:
      bcmon.blogspot.com
      pwnieexpress.com/products/pwnpad
      Soon, you will run your BackTrack from your pocket.

      Reply
  5. wirednot Post author

    Yeah, it's pretty frightening actually- thankfully most of my students aren't that ambitious, but as you point out, with the right tools they don't need to be!

    Reply