Prime Infrastructure and MSE/CMX

Chapter Description

In this sample chapter from CCIE Wireless v3 Study Guide, you will explore Cisco Prime Infrastructure management system capabilities and its complementary solution for specific WLAN services, like location and analytics, which is Cisco Connected Mobile Experiences (CMX).

From the Book

CCIE Wireless v3 Study Guide

Security Operations

Security operations for wireless in Prime Infrastructure include three main functions: configuration auditing, rogue access points monitoring, and wireless intrusion prevention systems (wIPS). The latter is tightly related to the Mobility Services Engine, and we delve more into it in the next sections of this chapter.

Through configuration auditing, Prime Infrastructure performs different checks against a predefined list of settings and assigns a so-called Security Index to the wireless deployment. These predefined settings include options such as Telnet/SSH configuration, client exclusion measures, Management Frame Protection (MFP) parameters for WLANs, and so on. You can access the Security Index under Dashboard > Wireless > Security. Whenever you configure an option in a way that is deemed “optimal” (in terms of security best practice compliance), Prime Infrastructure raises the overall Security Index score, where a score of 100 represents the maximum value. However, not reaching a Security Index of 100 does not mean that your wireless network is not secure. You should consider such an index as a general indicator for all the security-related elements that you could configure in all the WLCs managed by Prime Infrastructure. Some of these elements are well-known best practices, such as making sure that the default SNMP communities are not enabled, but not reaching the maximum score does not necessarily mean that your networks are insecure or unprotected.

Under the same Security dashboard, you can see a preview of wIPS attacks and rogue access points detection. From here, by clicking the different counters, you can directly access the specific alarms and events raised for those categories.

We described rogue access point detection, classification, and mitigation on the WLC previously in this book. Prime Infrastructure receives SNMP traps from the WLC about rogue access points and consolidates them into alarms, which you can find under Monitor > Monitoring Tools > Alarms and Events, on the Rogue AP tab. By default, Prime Infrastructure assigns an Information severity to friendly rogue AP detections, a Minor severity to unclassified rogue AP detections, a Major severity to malicious rogue APs, and a Major or Critical severity to custom rogue APs. This last classification depends on the severity score of the custom rogue classification rule on the WLC.

A common requirement in today’s wireless networks is to be able to locate and manage rogue access points on a map. If you don’t need to locate more than one rogue access point at a time, Prime Infrastructure natively supports such an option without the need for additional components, such as the Mobility Services Engine (MSE). You can find such an option called Ondemand Location Map under the rogue AP alarm details, as shown in Figure 6-17.

Figure 6-17 Ondemand Rogue AP Location Option Without MSE

Although without an MSE you cannot display a rogue AP location in the alarm’s details or locate multiple rogue APs at once on a map, you can still trigger an on-demand location. However, note that this feature works with old generation maps only. We keep referring to MSE when talking about rogue access points’ location. This is because, at the time of this book’s writing, the current version (10.3) of the more recent Cisco location solution, Connected Mobile Experiences (CMX), does not support such a feature, which is expected in a future version.

On top of rogue policies, containment, and techniques on the WLC to detect whether rogue access points might be on your wired network, Prime Infrastructure also supports an additional option to determine whether a rogue AP may be connected to one of the Cisco switches managed by Prime Infrastructure. This feature is called Switch Port Tracing (SPT), and you can launch it directly from the rogue AP alarm’s details. You can configure SPT to be launched automatically or manually, with a series of additional options that you can find under Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > SPT Configuration.

Following a rogue AP detection and an SNMP trap event from the WLC, after the correlated alarm is generated, Prime Infrastructure can determine via the Cisco Discovery Protocol (CDP) to which Cisco switch the Cisco access point that is detecting the rogue AP is connected. For SPT to work, you must therefore enable CDP on your Cisco access points and switches. Cisco switches should also be managed by Prime Infrastructure via SNMP, because after having found where the detecting Cisco access point is connected, Prime Infrastructure queries the content addressable memory (CAM) table of the switch via SNMP. By doing so, it tries to find out whether one of the rogue access point clients’ MAC addresses is present, or whether the MAC address of the rogue AP itself is present in the CAM table (plus or minus 1 and 2 on the right-most, least significant byte). For example, if the rogue AP’s detected radio MAC is FC:5B:39:94:AD:31, in addition to that specific MAC, Prime Infrastructure will search for FC:5B:39:94:AD:30 and FC:5B:39:94:AD:32 (minus and plus 1 on the right-most byte), and FC:5B:39:94:AD:2F and FC:5B:39:94:AD:33 (minus and plus 2 on the right-most byte).

This technique increases the chances of finding the rogue AP’s Ethernet MAC in the switch CAM table, because the radio MAC is usually derived from the Ethernet MAC by adding or subtracting 1 or 2 on the right-most byte (sometimes even more than 1 or 2, but searching such a wider range would demand too many resources from SPT). If Prime Infrastructure does not find the rogue AP on the first switch, it queries that switch for its neighbor switches via CDP and then starts analyzing those neighbors’ CAM tables, provided that it is managing them, and so on. If Prime Infrastructure finds the rogue AP connected to one of the switches’ ports, you then have the option to disable that port. Figure 6-18 shows a quick example of SPT.

Figure 6-18 Switch Port Tracing Example

Depending on the network size, SPT could take some time and resources to complete. For such a reason, you can find options to configure how many rogue APs and switches Prime Infrastructure should query in parallel when SPT is launched. You can also configure the maximum number of CDP hops, which represents how many CDP neighbor searches Prime Infrastructure should use when querying switches starting from the Cisco access point that detected the rogue AP. You can access these settings under the aforementioned SPT Configuration menu.
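To make the SPT search logic concrete, here is an added example that models the correlation described above: it is not Cisco's code and not part of this chapter. It builds the set of candidate MACs (the radio MAC plus and minus 1 and 2 on the right-most byte), walks from the switch behind the detecting access point to its CDP neighbors up to a configurable hop limit, and checks each managed switch's CAM table for either a candidate MAC or a known rogue client MAC. The switch names, CDP neighbor lists, CAM entries and port names are constructed sample data; the switch behind the detecting AP is passed in as an argument (Prime Infrastructure learns it via CDP); unmanaged switches are modeled simply as names absent from the table; and wrapping within the last byte (0x00 minus 1 becomes 0xFF) is an assumption of this example, since the chapter does not say how that edge is handled.

```python
"""Added example (not Cisco's code): a model of Switch Port Tracing (SPT)
correlating a rogue AP's radio MAC with switch CAM tables across CDP hops.
All topology data below is constructed for illustration.
"""
from collections import deque

# Constructed topology. Each managed switch has its CDP neighbors and a
# CAM table {mac: port}. "sw-unmanaged" is referenced by CDP but not managed
# (no SNMP credentials), so its CAM table cannot be read.
SWITCHES = {
    "sw-access-1": {"cdp": ["sw-dist-1"],
                    "cam": {"00:11:22:33:44:55": "Gi1/0/5"}},      # ordinary host
    "sw-dist-1":   {"cdp": ["sw-access-1", "sw-access-2", "sw-access-3", "sw-unmanaged"],
                    "cam": {}},
    "sw-access-2": {"cdp": ["sw-dist-1"],
                    "cam": {"fc:5b:39:94:ad:33": "Gi1/0/12"}},     # rogue A Ethernet MAC = radio + 2
    "sw-access-3": {"cdp": ["sw-dist-1"],
                    "cam": {"00:1a:2b:3c:4d:15": "Gi1/0/3",        # rogue B Ethernet MAC = radio + 5
                            "aa:bb:cc:dd:ee:01": "Gi1/0/3"}},      # a client bridged by rogue B
}


def normalize(mac):
    """Return lowercase colon-separated form so 'FC-5B-..', 'fc5b.3994.ad31'
    and 'fc:5b:..' all compare equal."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def candidate_macs(radio_mac, spread=2):
    """Radio MAC plus every offset from -spread to +spread applied to the
    least significant byte. Wrap-around inside that byte is an assumption."""
    mac = normalize(radio_mac)
    prefix, last = mac[:15], int(mac[15:], 16)
    return {prefix + "%02x" % ((last + d) % 256) for d in range(-spread, spread + 1)}


def switch_port_trace(start_switch, radio_mac, client_macs=(), max_hops=2, switches=SWITCHES):
    """Breadth-first search from the switch behind the detecting AP.

    Each managed switch's CAM table is checked for a candidate rogue MAC or
    a known rogue client MAC; CDP neighbors are expanded until max_hops.
    Returns a dict describing the first match, or None if nothing was found.
    """
    targets = candidate_macs(radio_mac) | {normalize(m) for m in client_macs}
    seen = {start_switch}
    queue = deque([(start_switch, 0)])
    while queue:
        name, hops = queue.popleft()
        switch = switches.get(name)
        if switch is None:          # unmanaged: CAM table not readable via SNMP
            continue
        for mac, port in switch["cam"].items():
            if normalize(mac) in targets:
                return {"switch": name, "port": port, "mac": normalize(mac), "hops": hops}
        if hops >= max_hops:        # CDP hop limit reached; do not expand further
            continue
        for neighbor in switch["cdp"]:
            if neighbor not in seen:
                seen.add(neighbor)
                queue.append((neighbor, hops + 1))
    return None


if __name__ == "__main__":
    # Rogue A: found two hops away through a +2 offset on the last byte.
    print(switch_port_trace("sw-access-1", "FC:5B:39:94:AD:31"))
    # Rogue B: the +5 offset is outside the search range, so only the
    # bridged client's MAC reveals its port.
    print(switch_port_trace("sw-access-1", "00:1A:2B:3C:4D:10"))
    print(switch_port_trace("sw-access-1", "00:1A:2B:3C:4D:10", client_macs=["AA-BB-CC-DD-EE-01"]))
```

The two rogue-B calls show why the chapter mentions the clients' MAC addresses as well: when the wired MAC differs from the radio MAC by more than the searched offset, the bridged client entries in the CAM table are what still identify the port. Lowering `max_hops` below the distance to the rogue's switch makes the trace return nothing, which is the trade-off behind the CDP hop setting described above.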

For the sake of simplicity, so far we have mentioned that switches used for SPT should be managed by Prime Infrastructure, but this is not entirely accurate. You can add a switch to Prime Infrastructure, manage it from there, and of course run SPT. In such a managed scenario, that switch consumes one or more license tokens in Prime Infrastructure, depending on the switch model and configuration. However, you can also add switches in Prime Infrastructure with the option Switch Port Trace for the license level, in which case the switch does not consume any licenses.

To manually launch SPT, you do not even need to add switches in Prime Infrastructure, as long as you enter the correct SNMP parameters for the switches in your network under the Manual SPT configuration. Remember that enabling CDP on all Cisco APs and switches is always a prerequisite.
