SonicOS 4.0e RF Management (software.sonicwall.com/firmware/beta/documentation/...)


Post on 16-Aug-2020


RF Management in SonicOS 4.0 Enhanced

Document Scope

This document describes how to plan, design, implement, and maintain the RF Management feature in SonicWALL SonicOS 4.0 Enhanced.

This document contains the following sections:

• “RF Management Overview”

– “Why RF Management?”

– “Benefits”

– “Deployment Prerequisites”

• “Enabling RF Management on SonicPoint(s)”

• “Using The RF Management Interface”

– “Selecting RF Signature Types”

– “Viewing Discovered RF Threat Stations”

– “Adding a Threat Station to the Watch List”

• “Types of RF Threat Detection”

• “Practical RF Management Field Applications”

– “Before Reading this Section”

– “Using Sensor ID to Determine RF Threat Location”

– “Using RSSI to Determine RF Threat Proximity”

1 SonicWALL SonicOS 4.0 Enhanced RF Management


RF Management Overview

The following section provides a brief overview of the RF Management feature found on SonicWALL security appliances running SonicOS 4.0 or higher. This section contains the following subsections:

• “Why RF Management?”

• “Benefits”

• “Deployment Prerequisites”

Why RF Management?

Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left unmanaged, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Denial of Service (DoS) to network security breaches.

In order to help secure your SonicPoint Wireless Access Point (AP) stations, SonicWALL takes a closer look at these threats. By using direct RF management, SonicWALL helps detect threats without interrupting the current operation of your wireless or wired network.

Benefits

SonicWALL RF Management provides real-time threat monitoring and management of SonicPoint radio frequency traffic. In addition to its real-time threat management capabilities, SonicWALL RF Management provides network administrators with a system for centralized collection of RF threats and traffic statistics, offering a way to easily manage RF capabilities directly from the SonicWALL security appliance gateway.

SonicWALL RF Management is:

• Real-Time - View logged information as it happens

• Transparent - No need to halt legitimate network traffic when managing threats

• Comprehensive - Provides detection of many types of RF threats, including:

– Long Duration Attacks

– Management Frame Flood

– Null Probe Response

– Broadcasting Deauthentication

– Valid Station with Invalid (B)SSID

– Wellenreiter/NetStumbler Detection

– Ad-Hoc Station Detection

– Unassociated Station

– EAPOL Packet Flood

– Weak WEP IV

For complete descriptions of the above types of RF Threat Detection, see the “Types of RF Threat Detection” section.


Deployment Prerequisites

The following prerequisites must be met in order to deploy SonicWALL RF Management on your network:

• A SonicWALL PRO 2040, 3060, 4060, 4100 or 5060 appliance

• SonicOS 4.0 or above installed on one of the above SonicWALL PRO series appliances

• One or more SonicWALL SonicPoint(s), provisioned by your SonicWALL PRO series appliance

Enabling RF Management on SonicPoint(s)

In order for RF Management to be enforced, you must enable the RF Management option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Management enabled.

Step 1 Navigate to SonicPoint > SonicPoints in the SonicWALL security appliance management interface.

Step 2 Click the Configure button corresponding to the desired SonicPoint Provisioning Profile.

Step 3 In the General tab, click the Enable RF Management checkbox.

Next, to ensure all SonicPoints are updated with the RF Management feature enabled, it is necessary to delete all current SonicPoints from the SonicPoint table and re-synchronize these SonicPoints using the profile you just created.

Step 4 Click the button at the bottom right corner of the SonicPoints table.

Step 5 Click the button at the top of the page.

Your SonicPoints will now reboot with the RF Management feature enabled. Be patient, as the reboot process may take several minutes.


Using The RF Management Interface

The RF Management interface (SonicPoint > RF Management) provides a central location for selecting RF signature types, viewing discovered RF threat stations, and adding discovered threat stations to a watch list. This section provides an overview of usage and features for the following RF Management operations:

• “RF Management Interface Overview”

• “Selecting RF Signature Types”

• “Viewing Discovered RF Threat Stations”

• “Adding a Threat Station to the Watch List”

RF Management Interface Overview

The top portion of the RF Management interface allows you to:

• View the number of threats logged for each group/signature

• Select which RF signature types your SonicWALL looks for

The bottom (Discovered RF Threat Stations) portion of the interface allows you to:

• View a detailed log of the most current threats

• Configure a watch list for discovered stations


Selecting RF Signature Types

The RF Management interface allows you to select which types of RF threats your SonicWALL monitors and logs.

Step 1 Navigate to SonicPoint > RF Management in the SonicWALL security appliance management interface. RF threat types are displayed, with a checkbox next to each.

Step 2 Click the checkbox next to the RF threat to enable/disable management of that threat. By default, all RF threats are checked as managed.

Tip: For a complete list of RF Threat types and their descriptions, see the “Types of RF Threat Detection” section of this document.

Viewing Discovered RF Threat Stations

The RF Management Discovered Threat Stations list allows you to view, sort and manage a list of the most recent threats to your wireless network.

Each logged threat contains (and can be sorted by) the following information:

| Log Data | Description |
|---|---|
| MAC Address | Physical address of the RF threat station. |
| Type | Type of wireless signal received from the threat station. |
| Vendor | Manufacturer of the threat station (determined by MAC address). |
| Rssi | Received signal strength as reported by the SonicPoint. This entry, along with the “sensor” entry, can be helpful in triangulating the actual physical position of the RF threat device. |
| Rate | Transfer rate (Mbps) of the threat station. |
| Encrypt | Wireless signal encryption on the threat station, “None” or “Encrypted”. |
| RF Threat | RF Threat type. For a complete list with descriptions, see the “Types of RF Threat Detection” section. |
| Update Time | Time this log record was created/updated. |
| Sensor | ID of the SonicPoint which recorded this threat. This entry, along with the “Rssi” entry, can be helpful in triangulating the actual physical position of the RF threat device. |

Tip: Did you know? It is possible to find approximate locations of RF Threat devices by using logged threat statistics. For more practical tips and information on using the RF Management threat statistics, see the “Practical RF Management Field Applications” section.


Adding a Threat Station to the Watch List

The RF Management Discovered Threat Stations “Watch List” feature allows you to create a watch list of threats to your wireless network. The watch list is used to filter results in the Discovered RF Threat Stations list.

To add a station to the watch list:

Step 1 In the SonicPoint > RF Management page, navigate to the Discovered RF threat stations section.

Step 2 Click the icon that corresponds to the threat station you wish to add to the watch list.

Step 3 A confirmation screen will appear. Click OK to add the station to the watch list.

Step 4 If you have accidentally added a station to the watch list, or would otherwise like a station removed from the list, click the icon that corresponds to the threat station you wish to remove.

Tip Once you have added one or more stations to the watch list, you can filter results to see only these stations in the real-time log by choosing “Only Stations in Watch List Group” from the View Type drop-down list.


Types of RF Threat Detection

The following is a partial list containing descriptions for the most prominent types of RF signatures detected by SonicWALL RF Management:

Long Duration Attacks

Wireless devices share airwaves by dividing the RF spectrum into 14 staggered channels. Each device reserves a channel for a specified (short) duration and during the time that any one device has a channel reserved, other devices know not to broadcast on this channel. Long Duration attacks exploit this process by reserving many RF channels for very long durations, effectively stopping legitimate wireless traffic from finding an open broadcast channel.

Management Frame Flood

This variation on the DoS attack attempts to flood wireless access points with management frames (such as association or authentication requests) filling the management table with bogus requests.

Null Probe Response

When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding.

Broadcasting Deauthentication

This DoS variation sends a flood of spoofed deauthentication frames to wireless clients, forcing them to constantly de-authenticate and subsequently re-authenticate with an access point.

Valid Station with Invalid (B)SSID

In this attack, a rogue access point attempts to broadcast a trusted station ID (ESSID). Although the BSSID is often invalid, the station can still appear to clients as though it is a trusted access point. The goal of this attack is often to gain authentication information from a trusted client.

Wellenreiter/NetStumbler Detection

Wellenreiter and NetStumbler are two popular software applications used by attackers to retrieve information from surrounding wireless networks.

Ad-Hoc Station Detection

Ad-Hoc stations are nodes which provide access to wireless clients by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as they may have the same SSID. This allows the Ad-Hoc station to intercept any wireless traffic that connected clients send to or receive from the access point.

Unassociated Station

Because a wireless station attempts to authenticate prior to associating with an access point, the unassociated station can create a DoS by sending a flood of authentication requests to the access point while still unassociated.

EAPOL Packet Flood

Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication mechanisms. Since these packets, like other authentication request packets, are received openly by wireless access points, a flood of these packets can result in DoS to your wireless network.

Weak WEP IV

The WEP security mechanism uses your WEP key along with a randomly chosen 24-bit number known as an Initialization Vector (IV) to encrypt data. Network attackers often target this type of encryption because some of the random IV numbers are weaker than others, making it easier to recover your WEP key.
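The Long Duration and Broadcasting Deauthentication signatures described above can each be evaluated from a few header fields of a captured 802.11 frame. The following Python is an added example, not SonicWALL's detection code; the thresholds, function names and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, DEAUTH = 0, 12                   # 802.11 type and subtype numbers
NAV_LIMIT_US = 30000                   # assumed threshold (field maximum is 32767)
FLOOD_COUNT, FLOOD_WINDOW_S = 10, 1.0  # assumed: 10 broadcast deauths within 1 s

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame):
    """Decode frame control, duration and addresses of a raw 802.11 frame."""
    if len(frame) < 10:                # shortest frames (CTS/ACK) are 10 bytes
        raise ValueError("truncated 802.11 header")
    fc, dur = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        # Bit 15 clear: the field is a channel reservation in microseconds.
        "nav_us": dur if dur < 0x8000 else None,
        "dst": mac(frame[4:10]),
        # Claimed transmitter: absent in CTS/ACK, spoofable in any frame.
        "src": mac(frame[10:16]) if len(frame) >= 16 else None,
    }

def detect(frames):
    """frames: time-ordered (timestamp_s, raw_bytes). Returns (kind, src, ts)."""
    alerts, recent, flooding = [], defaultdict(deque), set()
    for ts, raw in frames:
        try:
            h = parse_header(raw)
        except ValueError:
            continue                   # skip malformed capture entries
        if h["nav_us"] is not None and h["nav_us"] >= NAV_LIMIT_US:
            alerts.append(("long-duration", h["src"], ts))
        if (h["type"], h["subtype"], h["dst"]) == (MGMT, DEAUTH, BROADCAST):
            q = recent[h["src"]]
            q.append(ts)
            while ts - q[0] > FLOOD_WINDOW_S:
                q.popleft()            # drop frames that left the window
            if len(q) < FLOOD_COUNT:
                flooding.discard(h["src"])
            elif h["src"] not in flooding:   # alert once per burst
                flooding.add(h["src"])
                alerts.append(("broadcast-deauth", h["src"], ts))
    return alerts

def sample_frame(fc0, dur, dst, src=b""):
    """Constructed test frame: header only, zeroed BSSID and sequence fields."""
    tail = src + bytes(8) if src else b""
    return struct.pack("<BBH", fc0, 0, dur) + dst + tail

AP, ROGUE = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [(i * 0.05, sample_frame(0xC0, 314, b"\xff" * 6, AP)) for i in range(12)]
SAMPLE += [(2.0, sample_frame(0xC4, 32767, ROGUE)),    # CTS with maximum NAV
           (2.1, sample_frame(0xC0, 314, ROGUE, AP)),  # single unicast deauth
           (2.2, b"\x00\x01")]                         # truncated entry
print(detect(SAMPLE))
```

The source address in a flood alert is only the address the frames claim, so it identifies the station being impersonated as often as the device transmitting.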


Practical RF Management Field Applications

This section provides an overview of practical uses for collected RF Management data in detecting Wi-Fi threat sources. Practical RF Management Field Applications are provided as general common-sense suggestions for using RF Management data.

This section contains the following sub-sections:

– “Before Reading this Section”

– “Using Sensor ID to Determine RF Threat Location”

– “Using RSSI to Determine RF Threat Proximity”

Before Reading this Section

When using RF data to locate threats, keep in mind that wireless signals are affected by many factors. Before continuing, take note of the following:

• Signal strength is not always a good indicator of distance - Obstructions such as walls, wireless interference, device power output, and even ambient humidity and temperature can affect the signal strength of a wireless device.

• A MAC Address is not always permanent - While a MAC address is generally a good indicator of device type and manufacturer, this address is susceptible to change and can be spoofed. Likewise, originators of RF threats may have more than one hardware device at their disposal.


Using Sensor ID to Determine RF Threat Location

In the Discovered RF Threat Stations list, the Sensor field indicates which SonicPoint is detecting the particular threat. Using the sensor ID and MAC address of the SonicPoint allows you to easily determine the location of the SonicPoint that is detecting the threat.

Timesaver: For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices.

Step 1 Navigate to SonicPoint > RF Management in the SonicWALL Management Interface.

Step 2 In the Discovered RF Threat Stations table, locate the Sensor for the SonicPoint that is detecting the targeted RF threat and record the number.

Step 3 Navigate to SonicPoint > SonicPoints.

Step 4 In the SonicPoints table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.

Step 5 Record the MAC address for this SonicPoint and use it to find the physical location of the SonicPoint.

The RF threat is likely to be in the location that is served by this SonicPoint.

[Figure: a PRO 3060 and a SonicPoint. Caption: Sensor - Identifies which individual SonicPoint(s) are detecting the RF threat.]


Using RSSI to Determine RF Threat Proximity

This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular SonicPoint is detecting an RF threat.

The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat. A higher Rssi number generally means the threat is closer to the SonicPoint.

Tip: It is important to remember that walls serve as barriers for wireless signals. While a very weak Rssi signal may mean the RF threat is located very far from the SonicPoint, it may also indicate a threat located near, but outside the room or building.

Step 1 Navigate to SonicPoint > RF Management in the SonicWALL Management Interface.

Step 2 In the Discovered RF Threat Stations table, locate the Sensor and Rssi for the SonicPoint that is detecting the targeted RF threat and record these numbers.

Step 3 Navigate to SonicPoint > SonicPoints.

Step 4 In the SonicPoints table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.

Step 5 Record the MAC address for this SonicPoint and use it to find the physical location of the SonicPoint.

A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat.

[Figure: a PRO 3060, SonicPoints, and a SonicWALL PRO 5060 with RF Management enabled, with example readings “rssi: 12” (weak signal) and “rssi: 33” (strong signal). Caption: rssi - Identifies signal strength of the RF threat, allowing for approximate distance gauging.]
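The Sensor and Rssi lookup in Steps 1 to 5 can be applied to many log rows at once. The following Python is an added example, not part of the SonicWALL document or product: it assumes the Discovered RF Threat Stations rows are available as CSV using the column names of the log data table, and the inventory, sample rows and WEAK_RSSI cut-off are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory (the record the Timesaver recommends keeping):
# sensor ID -> (SonicPoint MAC, physical location). All values are made up.
INVENTORY = {
    "1": ("00:00:5e:00:53:01", "2nd floor, east wing"),
    "2": ("00:00:5e:00:53:02", "2nd floor, lobby"),
    "3": ("00:00:5e:00:53:03", "loading dock"),
}
# Constructed rows using column names from the Discovered RF Threat Stations list.
LOG = """MAC Address,RF Threat,Rssi,Update Time,Sensor
02:00:00:aa:bb:01,Broadcasting Deauthentication,12,2007-03-27 10:00:05,1
02:00:00:aa:bb:01,Broadcasting Deauthentication,33,2007-03-27 10:00:07,2
02:00:00:aa:bb:01,Broadcasting Deauthentication,20,2007-03-27 09:58:00,2
02:00:00:aa:bb:02,Ad-Hoc Station Detection,9,2007-03-27 10:01:00,3
02:00:00:aa:bb:03,Weak WEP IV,25,2007-03-27 10:02:00,7
"""
WEAK_RSSI = 15   # assumed cut-off below which proximity is treated as unreliable

def locate(log_text, inventory):
    """Rank, per threat station, the SonicPoints that hear it by latest Rssi."""
    latest = defaultdict(dict)                 # station MAC -> sensor -> row
    for row in csv.DictReader(io.StringIO(log_text)):
        seen = latest[row["MAC Address"].lower()]
        prev = seen.get(row["Sensor"])
        # Timestamps in this year-first format sort correctly as strings.
        if prev is None or row["Update Time"] > prev["Update Time"]:
            seen[row["Sensor"]] = row
    report = {}
    for station, by_sensor in latest.items():
        ranked = sorted(by_sensor.values(), key=lambda r: int(r["Rssi"]),
                        reverse=True)
        best = ranked[0]
        _, place = inventory.get(best["Sensor"],
                                 (None, "unknown sensor, update inventory"))
        notes = []
        if int(best["Rssi"]) < WEAK_RSSI:
            notes.append("weak signal: distant, or nearby behind a wall")
        if len(ranked) == 1:
            notes.append("single sensor: no second reading to compare")
        report[station] = {
            "search_first": place,             # area served by strongest sensor
            "sensors": [(r["Sensor"], int(r["Rssi"])) for r in ranked],
            "notes": notes,
        }
    return report

for station, entry in locate(LOG, INVENTORY).items():
    print(station, entry)
```

Rows are grouped by the station's MAC address, so a device that changes or spoofs its address appears as several stations in the report.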


Solution Document Version History

| Version Number | Date | Notes |
|---|---|---|
| 1 | 3/27/07 | This document was created by Patrick Lydon. |
