Motorola Air Defense Services Platform Wireless Intrusion Prevention System. (ADSP)
Motorola provide an Intrusion Prevention System for wireless networks. This article will explore some the features and advantages and presents a review of the product.
Some organisations say they have a "no wireless policy", yet when the Motorola ADSP device is brought onto the network, inevitably, it will reveal rogue Access Points (APs). Staff often obtain a wireless router and attach it to the corporate network without being sanctioned by the company. This is a huge security risk because most APs work out of the box due to poor or open security-settings. It might seem harmless to do this, but wireless systems can be detected and tapped typically up to 50m away from the building, and with a specialist antenna, up to 1km away.
The author is aware of organisations who have lost credit-card data due to wireless snooping.
Irrespective of the corporate policy in play, management requires the ability to measure compliance to whatever policy is in place.
To this end, the ADSP provides visibility, and much more. It truly is a very complete and high-end enterprise-level wireless IPS. ROI is often obtained almost immediately because of reduced wireless-troubleshooting costs, increased efficiency and rapid proof of governance-compliance like PCI DSS.
- Sonicwall firewall. Some training notes, protocol an...
This is an article that describes essential security-related network challenges. Where applicable, the Sonicwall firewall is referenced.
- Confidentiality, Integrity, and Availability. How it...
The three pillars of security are: Confidentiality, Integrity and Availability. It's like a three-legged stool. If you remove one, then the whole is unbalanced.
- 802.11 wifi glossary terms acronyms
The Wi-Fi standards 802.11x use so many abbreviations that it makes it extremely frustrating to read any text on the subject. For some reason authors seem to like using too many TLAs all over the text without expanding or explaining them.
Solutions addressed by ADSP
Here is a list of solutions provided by the ADSP
- Wireless IPS - not normally possible for a large corporate installation without automated tools.
- Rogue detection - Find unsanctioned devices - and optionally jamb them off the air.
- Forensic data storage and analysis.
- Troubleshoot a branch office anywhere in the world from HQ.
- Manage the devices remotely.
Connect a keyboard and VDU to the server and power it up.
You are presented with a console-based log in.
Log in as smxmgr and smxmgr (Change this default at the earliest opportunity).
This brings you into a text-based menu and it becomes obvious how to apply settings like IP address, netmask, DNS server, gateway, set the time and date, and other essentials. Having given it an IP address, A.B.C.D. the device can be administered using a browser and the URL https://A.B.C.D:8543
You will need the latest version of flash.
Initial screen - Check out the invisible download
The ADSP toolkit
Download and install the ADSP toolkit from the login screen. You can choose Windows or Linux packages.
There are several options for sensors. A now-obsolete example is called a model 520 sensor. This is a dedicated unit and as such is a full-time wireless scanner. However, modern solutions combine advanced APs and full-time sensor into one unit. This is great because it cuts down on cable and power.
Refer to the AP documentation to find out how to do some or all of the following:
- Upgrade the firmware to make it have sensor functionality. (Sometimes necessary).
- Assign a DHCP or static IP address and other parameters like DNS and gateway.
- Tell the Sensor the IP address of the ADSP server.
Basic network diagram
The Sensors talk to the ADSP primary and secondary (if present) via secure connections on port 443. You can add many sensors. Add three or more in a rough equilateral triangle-spacing to allow ADSP the ability to do location mapping to an accuracy of about 10m.
A greenfield installation is likely to use Motorola APs which already have sensors built in, but the system can be overlaid on any 802.11 system operating in the 2.4GHz or 5Ghz range. Full spectrum scanning is always available in both these bands.
The sensors are detected and shown in the dashboard.
Log into the GUI.
When the sensors are on line, they show up in the dashboard. Note that you also have control over wired, and wireless switches. The following picture is a portion of the GUI that shows your inventory of managed devices for the ADSP.
Dashboard view drop-down menu
You can arrange the dashboard to display what is of most interest at the time. For example:
- Rogue Wireless Access
- Top Wireless Extrusions by Count
- Top Wireless Exploits by Count
- Policy Compliance
- Security Threat by Tree Level
- Security Threat by Device
- Top Wireless Vulnerability by Count.
There are several more views available.
A large infrastructure could have a high number of devices and sensors. So the dashboard allows you to set the scope. For example, you might be in charge of "Alice Springs" only. So the dashboard allows you to set your scope to match only that Region.
This is the level of hierarchical granularity available:
- Country—Displays information about a specific country including regions, cities, campuses, buildings, and floors.
- Region—Displays information about a specific region including cities, campuses, buildings, and floors.
- City—Displays information about a specific city including campuses, buildings, and floors.
- Campus—Displays information about a specific campus including buildings and floors.
- Building—Displays information about a specific campus including floors.
- Floor—Displays information about a specific floor.
This is in addition to System which shows the entire network and ADSP which shows the above list of network levels, and the ADSP server information.
Another invisible widget
This can drive you mad unless you already know it. So I'll prevent some madness in the world and point out a pastel-shaded arrow on the left side of the dashboard. This is a vertical shutter-blind that exposes a list of dashboard widgets. Once you find it, it's not even obvious how to insert and remove dashboard widgets like "Alarm Counts by Scope" or "Device Table". But you might guess that it's a drag-and-drop technique. Drag the menu items into the dashboard. But you remove them using the cross in the top right of the widget.
An example widget: List of top talkers
The Network Tab
The network tab displays the devices discovered. In the top left is a mysterious set of three symbols. It's reasonable to guess they mean:
Table view, Tree view, Search.
The 'Show" drop-down box
The drop-down-box to the right of the Table/Tree/Search options lets you choose the type of device to display. These two filters allow you to focus on protions of your network.
By now, it should be clear that this system is scalable to many thousands of devices. This is why there is so much opportunity to narrow down scope.
The types of devices to display are one of:
- Network Device
- BSS - Basic Service Set (For details of this and many more wireless terms see this glossary.)
- Wireless Client
For example, you can select "Wireless Clients" and get information as in the following selected line. (There are normally many lines - this is just one sanitised example.)
Click to enlarge
This shows the device's MAC address, the alarm status, when it was last noted on the network, It's scope, signal strength, SSID (if broadcast) and whether it is a rogue. Off-screen is the associated BSS and AP when known.
It might be useful to you to only view wireless clients that are within a certain signal strength. Let's design a filter that shows only a narrow range of signal strengths.
Choose TABLE view (The icons in the top left).
In the horizontal shutters below that icon- click on "Signal Strength" and move the sliders to the lower and upper range of interest.
Click to enlarge
The GUI seems to let you select any parameter to narrow the search. For example, you can select alarm severity, When last-seen, It's classification, and even the type of security settings that have been sensed.
When you set a scope device, a bright green icon is displayed. (See above)
By now you should be able to see the power and ease to be able to display all devices that are unencrypted, or using an insecure method. This could be a normally-empty view on a screen in a NOC.
Tuning the system
A sanctioned device is (fairly obviously) one that is supposed to be found on the network. Once it is marked as sanctioned, then it is known to be allowed to connect to the network. By sanctioning all the approved infrastructure, whatever is left is, by implication not allowed to connect. Therefore you can set alarms to trigger on activity of unsanctioned devices.
There are some tools that tune the system based on a description of the kinds of equipment found in the organisation, and other criteria like signal strength, SSID, encryption etc.
But you can also sanction a device in an ad-hoc way. The screenshot below shows how you can set a flag, export the device list, and sanction a device immediately from the Network display.
Click to enlarge
The Network Graph
You can get ADSP to classify devices and place them in a tree-structure. When this is done, there is an alternative way to view up to 100 devices at a time. Either a concentric or hierarchical network map is available. The screen-shot below shows a simple network scoped over a particular company unit. Note that you get to control the zoom level, icon size and network depth, where the latter is the number of hierarchical levels to display.
An alarm is assigned by criteria either inherent in the intelligence of ADSP or manually. These are classified into Sever, Critical, Major, Minor and Safe.
The Network tab has an option to filter and display each of these severities in any combination. It also allows you to filter granularly to the exact reason for an alarm. The example to the right shows the broad groups, and the knowledge it has about Impersonation Attacks as classified under Exploits. You could, therefore drill into all ID Theft: Out of Sequence attacks by selecting only that option. Alternatively, you could select the entire set of known DoS attacks.
You may want to view only devices that were first seen in the Last hour, or more than three days ago. To do this, select the Network tab, First/Last Seen shutter and note how there are selectable criteria ranging from 0-5 minutes to more than 72 hours. Select these as required:
- Last Hour
- 1 - 12 hours
- 12 - 24 hours
- 24 - 72 hours
- More than 72 hours
The Alarms Tab.
This tab is for viewing and managing events that happen on the network where the events are significant in some way. It shows a table with the following columns:
- alarm criticality
- alarm type
- offending device
- start time
- alarm status
- SSID of the offending device.
Many of the organisational and search tools that are available on the network tab are available for the alarms. For example, you can group by:
- Alarm Category and sub-category
- Alarm type, state and start
- Device type and classification
You also have control over the alarm to make it easy to keep track of it. The screen shot below shows the actions that are available. Note how you can temporarily clear the alarm if required, or mark it as acknowledged.
This is an example from 'Expert Help'
At the bottom of the screen is an area that can be shown or hidden by clicking on a grey arrow head. In this area you find more alarm tools, and one of them is 'expert help'. Click on an alarm to select it, then click expert help. You are presented with a description of the reason for the alarm, and a scenario.
In this case, an unsanctioned BSS is an unauthorised access point has been detected and operating in your air-space but it has not been added to a list of authorised (or ignored) APs. Part of the post-installation task is to classify devices to identify all company-sanctioned entities.
You can also store notes about each alarm, edit them later, initiate an escalation, configure the alarm further, disable it for device, clear the alarm, or perform forensic analysis.
Clicking on forensic analysis brings up the following GUI from the toolkit that you installed previously.
Click to enlarge.
In the forensic analysis screen a rich set of information is available no the summary tab. Those sliders on the time-line allow you to narrow the search-time and move it through like a time-window cursor. Threats are displayed as a pie-chart based on categories and criticalities, then you see an overall threat level assessment, details about Transmit and Receive traffic including the top 5, frequency and channel information and re-try percentage.
The Device Info area details channels and frequencies, the authentication method, encryption, and SSID.
Finally, the top 5 associations are displayed at the bottom left.
The next tab is "Device Info". Here is a screenshot;
Device Info tab - Forensic analysis.
In the display above, it's a glance-view to note that between 2:07 and 2:21 PM the Advanced Encryption Scheme (AES), and TKIP were used for the device under test, it's not known if IP-SEC was in use, several channels were tried, then it settled on channel 10, and the SSID is not being broadcast.
This data is available in tabular form by clicking on the table icon to the right, and exported using the export-icon just under that. The funnel icon is for filtering the data further.
Let's look at the Threat Analysis tab.
Threat Analysis - forensics.
In this example, I chose to display "total Traffic" instead of "Threat Level" in the time-line. The other alternative is "association count".
In the example, the only rogue activity displayed is 'Unsanctioned BSS' because we chose to perform forensic analysis on a single existing alarm on a single device. You can choose another device using the ellipses [...] button at the top, next to 'Time Range'.
This example did not make any associations, so the next tab is empty. However, it did use air-time because of polling, broadcast, control frames etc, and that's visible using the 'traffic analysis' tab.
Traffic analysis - forensics.
There are several options available in the 'traffic category' drop-down box. Showing, is 'Destinations', and the other options are:
- Control Details.
- Data Details
- EAP Details
- Encryption Details
- Management Details
In the example, it shows transmitted and received data, what was broadcast (in green), and UNicast (in Blue). The time-line cursor which is seen as a thin vertical bar over the traffic-data graph follows the mouse to display data-point-values in the left-hand pane.
The next tab is 'Signal Analysis'
Click the + sign to see the signal strength in detail with values. This would be handy to see if there are any dips or spikes in signal strength that cannot be explained. Perhaps something moves in front of a device and blocks the signal at a certain time of day. This could be a forklift, overhead crane, passing truck, bad weather and many other causes. If you can narrow down time of day, it helps troubleshooting efforts.
After clicking the + sign see the signal strength.
Location analysis requires three sensors. At present I only have one installed. However, the features are:
- Load a graphic that represents your building layout.
- Place sensors on the map to scale.
- Track devices to within 10m.
- Pan, zoom, and otherwise navigate a 2D space.
- Show a 'heat map' where the device leaves colours on the screen proportional to some value.
- Export data
- Show the data in table form.
Forensic analysis over many devices.
From the main window - use the Menu to launch the forensic tool. You get the opportunity to enter a device MAC address, or choose a scope. In the following screenshots, you will see all data collected by the sensor device.
The sensor does not use much bandwidth. It uses the lowest data rate, and requires only a low signal strength to operate. The following graph illustrates this. It has been collecting data for hundreds of devices, yet only consumed about 1 Kbit/sec.
There are a few ways to add a location attribute to a discovered device. One way is to manually place it into the hierarchy. This is done by using the 'move' feature. Find an object that is classified as 'unplaced' and left-click on it. If there is an option called 'move'. Use that to locate the correct place in the hierarchy for the device.
Another way is to import a CSV file. The format is explained in the help system.
The tree structure contains the following levels:
... and you can import CSV data to set this up or use the GUI to build the tree.
To use the GUI, go to Configuration -> Platform Configuration -> Tree setup.
Unlike most other object which have a drop-down arrow, this one uses links pushed far to the right. It's easy to miss, so I highlighted this below. Use these links to create a child object or copy it.
Rename the tree-node using the properties that are displayed to the far right. Again, this is not consistent with the rest of the interfaces, so until you notice it, it's not obvious how to rename a node.
When you have thousands of stations in an organisation, it's going to be very useful to have a tool that will classify these using simple rules compared to manual placement.
Use Menu -> Auto Classification to do this.
It has two modes. The first is "On demand" which allows you to press a button and invoke the rules at that time. The other is "Auto classification". The auto classification is triggered when devices are seen to exhibit certain chosen characteristics.
There is a work-flow issue with the way this GUI is presented because the default tab is "On Demand" but the first thing you need to do is create rules, so click on the "Action Rules" tab.
As you can see from the options in the above screen shot, there are many conditions available. In the example above, we are looking for any device that has a vendor name that includes testvendor and the conditions of Classification and last seen. (Those in use a re bold).
The available actions are:
- Override Sanction
To discover devices
The Auto Placement Rules, and the Device Import Rules are applied when you use the Import and Discovery tool. (This is under the Menu tab).
The import source is one of:
- Local File
- Remote File
- SNMP Discovery
- Wireless Manager/Switch
No enterprise product is complete without a good set of reporting tools. There are some very useful reports available by default, and a method of building your own.
These are the ones available by default:
- Alberta Netcare Provincial Organizational Wireless Readiness Assessment
- Department of Defense Report
- FISMA Federal Information Security Management Act
- GLBA Compliance Report
- HIPAA Compliance Report
- No Wireless Compliance Report
- North American Electric Reliability Corporation Critical Infrastructure Protection Standard
- PCI DSS v1 1 Compliance Report
- PCI DSS v1 2 Compliance Report
- PCI DSS v2 0 Compliance Report
- SOX Summary
Then there are more groups of reports including:
- Device Reports
- Performance Reports
- Security Reports
- Infrastructure Management Reports
- Custom Reports
The PCI DSS v2.0 report for example produces a complete auditor's report by each relevant section in the requirements.
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 9: Restrict physical access to cardholder data.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Rogue Access Points (Up to 100 Listed)
Rogue Wireless Clients (Up to 100 Listed)
Wireless Client Extrusions (Up to 100 Listed)
Intrusion Attempts (Up to 50 Listed)
and charts like the following example:
This is an enterprise ready solution. It has the ability to monitor many thousands of devices efficiently. The GUI is responsive and rich but unconventional because of the use of flash. Hence there is no right-click context menus, Instead, drop down left-click provides a substitute.
The reports are very good. It is bound to save money on compliance, and also add true value to your security posture.
The value of remote troubleshooting alone could pay for this installation. You can turn any of the sensors into a remote-controlled client and use it from across the globe to simulate a CEO's station in order to decide whether to send a wireless engineer ($1000) to fix an AP, or a service desk call to fix a laptop ($100).
Everything is controlled from a single point. All the important features like classification and alarm generation can be automated. You can even generate alarms on any sanctioned unit if its configuration moves outside set rules like desired encryption strength. You have the option to use air termination or port termination for any unsanctioned device, or one that falls out of policy for security. It's difficult to see how an organisation could otherwise properly secure a wireless installation.
The full-time scanning ability is essential. Some competing products might share scanning with data which permits a time-based attack while the sensors are doing data. It also simultaneously monitors all channels in the 4.2GHz and 5GHz range regardless of client setup, and it will also detect interference when placed into a frequency analysis mode. In that mode, you get to find out for example, that failures to connect by certain stations coincide with tea-breaks and the use of a local microwave oven.
Any greenfield installation will benefit greatly with this system because the Motorola APs all have sensor ability. This minimises the amount of cabling and power required. Both these suck cash in any sizeable installation.
You can also install this system as an overlay onto an existing WiFi infrastructure. It's basically agnostic to vendor since it's only concerned in detail about the 802.11 specification.