SonicPoint_wlanSonicPointRfmView

SonicPoint > RF Monitoring

This chapter details the SonicWALL Radio Frequency (RF) Monitoring feature and provides configuration examples for easy deployment. This chapter contains the following sections:

Understanding Radio Frequency Monitoring

The following section provides an overview of the RF Monitoring feature and contains the following subsections:

What is RF Monitoring?

Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left unmanaged, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Denial of Service (DoS) to network security breaches.

In order to help secure your SonicPoint Wireless Access Point (AP) stations, SonicWALL takes a closer look at these threats. By using direct RF monitoring, SonicWALL helps detect threats without interrupting the current operation of your wireless or wired network.

SonicWALL RF Monitoring provides real-time threat monitoring and management of SonicPoint radio frequency traffic. In addition to its real-time threat monitoring capabilities, SonicWALL RF Monitoring gives network administrators a system for centralized collection of RF threats and traffic statistics, offering a way to easily manage RF capabilities directly from the SonicWALL security appliance gateway.

SonicWALL RF monitoring is:

Deployment Considerations

 

Features in SonicPoint RF Monitoring

 

Management Interface Overview

The SonicPoint > RF Monitoring management interface provides a central location for selecting RF signature types, viewing discovered RF threat stations, and adding discovered threat stations to a watch list. This section describes the entities on the SonicPoint > RF Monitoring page.

Figure 50:4      SonicPoint > RF Monitoring


 

Table 6: RF Monitoring Panels

| Name | Description |
|---|---|
| Action Items | Provides the options to accept, cancel, refresh, and clear the RF Monitoring page. See Table 7 for details. |
| RF Monitoring Summary Panel | Displays the SonicPoint RF Monitoring units, total RF threats, and measurement interval (using seconds as the unit of measurement). See Table 8 for details. |
| 802.11 General Frame Setting | Displays the total number of general threats and the option to enable long duration. See Table 9 for details. |
| 802.11 Management Frame Setting | Configures your management frame settings and displays the number of threats for each setting. See Table 10 for details. |
| 802.11 Data Frame Setting | Configures your data frame settings and displays the number of threats for each setting. See Table 11 for details. |
| Discovered RF Threat Stations | See Table 12 for details. |

 


 

Table 7: Action Items

| Name | Description |
|---|---|
| Accept Button | Accepts the latest configuration settings. |
| Cancel Button | Cancels any changed RF Monitoring settings. |
| Refresh Button | Refreshes the SonicPoint > RF Monitoring page. |
| Clear Button | Clears all the configured settings and returns the page back to the default settings. |


 

Table 8: RF Monitoring Summary

| Name | Description |
|---|---|
| SonicPoint RF Monitoring Units | Displays the total number of SonicPoint appliances. |
| Total RF Threats | Displays the total number of RF threats. |
| Measurement Interval (Seconds) | Enter the desired measurement interval in seconds. |


 

Table 9: 802.11 General Frame Setting

| Name | Description |
|---|---|
| Total General Threats | Displays the total number of general threats. |
| Long Duration | Wireless devices share airwaves by dividing the RF spectrum into 14 staggered channels. Each device reserves a channel for a specified (short) duration and during the time that any one device has a channel reserved, other devices know not to broadcast on this channel. Long Duration attacks exploit this process by reserving many RF channels for very long durations, effectively stopping legitimate wireless traffic from finding an open broadcast channel. |


 

Table 10: 802.11 Management Frame Setting

Clicking the checkboxes enables/disables the following monitors.

| Name | Description |
|---|---|
| Total Management Threats | Displays the total number of management threats. |
| Management Frame Flood | This variation on the DoS attack attempts to flood wireless access points with management frames (such as association or authentication requests), filling the management table with bogus requests. |
| Null Probe Response | When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding. |
| Broadcasting De-authentication | This DoS variation sends a flood of spoofed de-authentication frames to wireless clients, forcing them to constantly de-authenticate and subsequently re-authenticate with an access point. |
| Valid Station With Invalid SSID | In this attack, a rogue access point attempts to broadcast a trusted station ID (ESSID). Although the BSSID is often invalid, the station can still appear to clients as though it is a trusted access point. The goal of this attack is often to gain authentication information from a trusted client. |
| Wellenreiter Detection | Wellenreiter and NetStumbler are two popular software applications used by attackers to retrieve information from surrounding wireless networks. |
| Ad-Hoc Station Detection | Ad-Hoc stations are nodes which provide access to wireless clients by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as they may have the same SSID. This allows the Ad-Hoc station to intercept any wireless traffic that connected clients send to or receive from the access point. |


 

Table 11: 802.11 Data Frame Setting

Clicking the checkboxes enables/disables the following monitors.

| Name | Description |
|---|---|
| Total Data Threats | Displays the total number of data threats. |
| Unassociated Station | A wireless station attempts to authenticate prior to associating with an access point; the unassociated station can create a DoS by sending a flood of authentication requests to the access point while still unassociated. |
| NetStumbler Detection | NetStumbler is typically used to locate both free Internet access and interesting networks. NetStumbler interfaces with a GPS receiver and mapping software to automatically map out locations of wireless networks. |
| EAPOL Packet Flood | Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication mechanisms. Since these packets, like other authentication request packets, are received openly by wireless access points, a flood of these packets can result in DoS to your wireless network. |
| Weak WEP IV | The WEP security mechanism uses your WEP key along with a randomly chosen 24-bit number known as an Initialization Vector (IV) to encrypt data. Network attackers often target this type of encryption because some of the random IV numbers are weaker than others, making it easier to decrypt your WEP key. |
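The following added example (not SonicWALL code) sketches how per-interval counting can flag several of the monitors named in Tables 10 and 11 from a stream of 802.11 frame summaries. The frame dictionary layout, the thresholds, and the sample frames are assumptions constructed for illustration; the page does not state the values the appliance uses.

```python
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumed per-interval thresholds; the appliance's real values are not documented here.
THRESHOLDS = {"Management Frame Flood": 50, "Broadcasting De-authentication": 10,
              "EAPOL Packet Flood": 20}

def classify(frame):
    """Map one frame summary to the monitor names it counts toward."""
    hits = []
    if frame["type"] == "mgmt":
        if frame["subtype"] in ("assoc-req", "auth"):
            hits.append("Management Frame Flood")
        if frame["subtype"] == "deauth" and frame["dst"] == BROADCAST:
            hits.append("Broadcasting De-authentication")
        if frame["subtype"] == "probe-resp" and frame.get("ssid") == "":
            hits.append("Null Probe Response")
    elif frame["type"] == "data" and frame.get("ethertype") == 0x888E:  # 802.1X/EAPOL
        hits.append("EAPOL Packet Flood")
    return hits

def detect(frames, interval=10):
    """Return sorted (window_start, source MAC, threat) alerts per measurement interval."""
    counts = defaultdict(Counter)
    alerts = set()
    for f in frames:
        window = int(f["ts"] // interval) * interval
        for threat in classify(f):
            if threat == "Null Probe Response":  # one malformed response is enough
                alerts.add((window, f["src"], threat))
                continue
            counts[window][(f["src"], threat)] += 1
            if counts[window][(f["src"], threat)] >= THRESHOLDS[threat]:
                alerts.add((window, f["src"], threat))
    return sorted(alerts)

def sample_frames():
    """Constructed input: a broadcast deauth burst, one null-SSID probe response,
    and a handful of EAPOL frames that stay under the flood threshold."""
    frames = [{"ts": 0.1 * i, "type": "mgmt", "subtype": "deauth",
               "src": "02:00:00:00:00:aa", "dst": BROADCAST} for i in range(12)]
    frames.append({"ts": 12.0, "type": "mgmt", "subtype": "probe-resp",
                   "src": "02:00:00:00:00:bb", "dst": "02:00:00:00:00:01", "ssid": ""})
    frames += [{"ts": 20 + 0.5 * i, "type": "data", "ethertype": 0x888E,
                "src": "02:00:00:00:00:cc", "dst": "02:00:00:00:00:10"} for i in range(5)]
    return frames
```

Calling detect(sample_frames()) reports the deauthentication burst in the first interval and the null probe response in the second, while the five EAPOL frames raise nothing.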


 

Table 12: Discovered RF Threat Stations

| Name | Description |
|---|---|
| Items | Displays the total number of logged threats. Use the arrow buttons to navigate through pages if applicable. |
| Station | Selects the type of stations displayed in the list of entries. |
| MAC Address | Sorts the entries by MAC Address. This is the physical address of the RF threat station. |
| Type | Sorts the entries by the type of wireless signal received from the threat station. |
| Vendor | Sorts the entries by vendor. This is the manufacturer of the threat station (determined by MAC address). |
| RSSI | Sorts the entries by the received signal strength as reported by the SonicPoint. This entry, along with the “Sensor” entry, can be helpful in triangulating the actual physical position of the RF threat device. |
| Rate | Sorts the entries by transfer rate (Mbps) of the threat station. |
| Encrypt | Sorts the entries by wireless signal encryption on the threat station, “None” or “Encrypted”. |
| RF Threat | Sorts the entries by RF threat (the most recently detected threat). |
| Update Time | Sorts the entries by the time this log record was created/updated. |
| Sensor | Sorts the entries by the ID of the SonicPoint which recorded this threat. This entry, along with the “Rssi” entry, can be helpful in triangulating the actual physical position of the RF threat device. |
| Comment | Displays a text box to add comments about the threat. |
| Configure | Configures a watch list for discovered stations. Refer to the  for configuration details. |

Tip: Did you know? It is possible to find approximate locations of RF Threat devices by using logged threat statistics. For more practical tips and information on using the RF Management threat statistics, see Practical RF Monitoring Field Applications.

Configuring the RF Monitoring Feature

This section includes procedures for configuring the RF Monitoring feature. Refer to Management Interface Overview for details on using the SonicPoint > RF Monitoring management interface. This section includes the following subsections:

Configuring RF Monitoring on SonicPoint(s)

In order for RF Monitoring to be enforced, you must enable the RF Monitoring option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Monitoring enabled.

  1. Navigate to SonicPoint > SonicPoints in the SonicWALL security appliance management interface.

  2. Click the Configure button corresponding to the desired SonicPoint Provisioning Profile.

  3. In the Settings tab, click the Enable RF Monitoring checkbox.

  4. Next, to ensure all SonicPoints are updated with the RF Monitoring feature enabled, it is necessary to delete all current SonicPoints from the SonicPoint table and re-synchronize these SonicPoints using the profile you just created.

  5. Click the Delete All button at the bottom right corner of the SonicPoints table.

  6. Click the Synchronize SonicPoints button at the top of the page.

Your SonicPoints will now reboot with the RF Monitoring feature enabled. Be patient as the reboot process may take several minutes.

Selecting RF Signature Types

The RF Monitoring management interface allows you to select which types of RF threats your SonicWALL monitors and logs.

  1. Navigate to SonicPoint > RF Monitoring in the SonicWALL security appliance management interface. RF threat types are displayed, with a checkbox next to each.

  2. Click the checkbox next to the RF threat to enable/disable management of that threat. By default, all RF threats are checked as managed.

Tip: For a complete list of RF Threat types and their descriptions, see 802.11 Management Frame Setting in this document.

Adding a Threat Station to the Watch List

The RF Monitoring Discovered Threat Stations “Watch List” feature allows you to create a watch list of threats to your wireless network. The watch list is used to filter results in the Discovered RF Threat Stations list.

To add a station to the watch list:

  1. In the SonicPoint > RF Monitoring page, navigate to the Discovered RF threat stations section.

  2. Click the Configure icon that corresponds to the threat station you wish to add to the watch list.

  3. A confirmation screen will appear. Click OK to add the station to the watch list.

  4. If you have accidentally added a station to the watch list, or would otherwise like a station removed from the list, click the trash icon that corresponds to the threat station you wish to remove.

Tip: Once you have added one or more stations to the watch list, you can filter results to see only these stations in the real-time log by choosing Only Stations in Watch List Group from the View Type drop-down list.

Practical RF Monitoring Field Applications

This section provides an overview of practical uses for collected RF Monitoring data in detecting Wi-Fi threat sources. Practical RF Monitoring Field Applications are provided as general common-sense suggestions for using RF Monitoring data.

This section contains the following subsections:

Before Reading this Section

When using RF data to locate threats, keep in mind that wireless signals are affected by many factors. Before continuing, take note of the following:

Using Sensor ID to Determine RF Threat Location

In the Discovered RF Threat Stations list, the Sensor field indicates which SonicPoint is detecting the particular threat. Using the sensor ID and MAC address of the SonicPoint allows you to easily determine the location of the SonicPoint that is detecting the threat.

Timesaver: For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices.

  1. Navigate to the SonicPoint > RF Monitoring page in the SonicWALL Management Interface.

  2. In the Discovered RF Threat Stations table, locate the Sensor for the SonicPoint that is detecting the targeted RF threat and record the number.

  3. Navigate to SonicPoint > SonicPoints.

  4. In the SonicPoints table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.

  5. Record the MAC address for this SonicPoint and use it to find the physical location of the SonicPoint.

The RF threat is likely to be in the location that is served by this SonicPoint.


 

Using RSSI to Determine RF Threat Proximity

This section builds on what was learned in Using Sensor ID to Determine RF Threat Location. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular SonicPoint is detecting an RF threat.

The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat. A higher Rssi number generally means the threat is closer to the SonicPoint.

Tip: It is important to remember that walls serve as barriers for wireless signals. While a very weak Rssi signal may mean the RF threat is located very far from the SonicPoint, it may also indicate a threat located near, but outside the room or building.

  1. Navigate to the SonicPoint > RF Monitoring page in the SonicWALL Management Interface.

  2. In the Discovered RF Threat Stations table, locate the Sensor and Rssi for the SonicPoint that is detecting the targeted RF threat and record these numbers.

  3. Navigate to the SonicPoint > SonicPoints page.

  4. In the SonicPoints table, locate the SonicPoint that matches the Sensor number you recorded in Step 2.

  5. Record the MAC address for this SonicPoint and use it to find the physical location of the SonicPoint.

A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat.
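The Sensor and Rssi procedures above can be scripted once the table entries and your SonicPoint location record are written down. This is an added example, not part of the SonicWALL documentation: the row layout, the inventory, the MAC addresses, and the weak-signal cut-off are all constructed assumptions, and Rssi is treated only as "higher is closer", as the text describes.

```python
from collections import defaultdict

# Hypothetical record kept by the administrator: Sensor ID -> (SonicPoint MAC, location).
SONICPOINTS = {
    1: ("00:00:5e:00:53:01", "Lobby"),
    2: ("00:00:5e:00:53:02", "Conference room"),
    3: ("00:00:5e:00:53:03", "Warehouse"),
}
WEAK_RSSI = 20  # assumed cut-off below which a reading counts as weak

# Constructed rows mirroring the MAC Address, RF Threat, RSSI and Sensor columns.
ROWS = [
    {"mac": "02:00:00:00:00:aa", "threat": "Ad-Hoc Station Detection", "rssi": 62, "sensor": 2},
    {"mac": "02:00:00:00:00:aa", "threat": "Ad-Hoc Station Detection", "rssi": 35, "sensor": 1},
    {"mac": "02:00:00:00:00:bb", "threat": "Management Frame Flood", "rssi": 12, "sensor": 3},
    {"mac": "02:00:00:00:00:cc", "threat": "NetStumbler Detection", "rssi": 40, "sensor": 9},
]

def locate(rows, inventory=SONICPOINTS, weak=WEAK_RSSI):
    """Per threat station, rank the detecting SonicPoints by Rssi, strongest first."""
    by_station = defaultdict(dict)
    for row in rows:
        # Keep the strongest reading seen for each (station, sensor) pair.
        best = by_station[row["mac"]]
        best[row["sensor"]] = max(best.get(row["sensor"], row["rssi"]), row["rssi"])
    report = {}
    for mac, readings in by_station.items():
        ranked = sorted(readings.items(), key=lambda kv: kv[1], reverse=True)
        sensor, rssi = ranked[0]
        ap_mac, place = inventory.get(sensor, (None, "unknown sensor, update inventory"))
        report[mac] = {
            "nearest_sensor": sensor,
            "sonicpoint_mac": ap_mac,
            "location": place,
            "rssi": rssi,
            # Weak at every sensor: distant, or nearby but behind a wall.
            "weak_only": rssi < weak,
            "also_seen_by": [s for s, _ in ranked[1:]],
        }
    return report
```

A station flagged weak_only deserves a walk around the outside of the served area as well as the inside, for the reason given in the tip about walls.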
