WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar
Download as PPTX, PDF1 like1,932 views
Marriott was fined $600,000 by the FCC for intentionally blocking guests from using their personal Wi-Fi hotspots at a hotel in Nashville. The FCC ruled that Marriott blocked consumers who did not pose a security threat. The document discusses the need for rules around Wi-Fi containment that allow hotels to securely manage their networks without harming legitimate users or wasting network resources, suggesting techniques like only containing devices under your control after confirming a violation and doing so surgically to minimize impact.
WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar
- 1. Finesse of Conscious Containment: Staying on Top of Security and Spectrum Rules in WIPS Deployments #WLPC Hemant Chaskar @CHemantC
- 2. Marriott agreed to pay a $600,000 fine after the Federal Communications Commission found the company blocked consumer Wi-Fi networks last year during an event at a hotel and conference center in Nashville. http://transition.fcc.gov/Daily_Releases/Dai ly_Business/2014/db1003/DA-14- 1444A1.pdf RF Shock @CHemantC Marriott has agreed to pay a $600,000 fine after the Federal Communications Commission found the company blocked consumer Wi-Fi networks last year during an event at a hotel and conference center in Nashville. Marriott fined $600,000 by FCC for blocking guests' Wi-Fi VS
- 3. http://apps.fcc.gov/ecfs/document/view?id= 60000986872 AHLA Petitions the FCC @CHemantC “Wi-Fi Operators Should Have The Ability to Manage Their Networks In Order To Offer Secure And Reliable Wi-Fi Service” “Wi-Fi networks are more susceptible to a variety of attacks that can threaten the security and reliability of a hotel's network or pose a risk to guests, including: (i) signal interception; (ii) unauthorized network access; (iii) unauthorized access points; and (iv) access point spoofing.”
- 4. FCC Warning on Wi-Fi Blocking “No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots” Predicament: Caveats and Partial Coverage of Use Cases = Confusion. @CHemantC
- 5. For the Rest of the Presentation … Wear your engineering hat Stay focused on security (WIPS) Recognize concreate versus haze Disclaimer: I am NOT a regulatory authority. My arguments are based on technology knowledge and civic sense. @CHemantC
- 6. http://www.fcc.gov/document/warning-wi-fi- blocking-prohibited Any Wi-Fi device that is not mine is security threat, must be crushed (contained)! “Marriott International, Inc. deployed a Wi-Fi deauthentication protocol to deliberately block consumers who sought to connect to the Internet using their own personal Wi-Fi hot spots. Marriott admitted that the customers it blocked did not pose a security threat.” “No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots on such premises providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots on such premises, including as part of an effort to force consumers to purchase access to the property owner’s Wi-Fi network.” “In addition, we reiterate that Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with Wi-Fi, cellular, or public safety communications.” Brute Force =/= Security Any Wi-Fi device in the airspace that is not mine is a security threat and must be crushed (contained)! #WLPC@CHemantC
- 7. Finesse of Conscious Containment Is there a way to use containment for Wi-Fi security (WIPS), without: Harming legit users sharing the airwaves Causing airtime wastage Human intervention @CHemantC
- 8. Fin. Con. Con. Rules 1) Only contain devices that you control 2) Confirm violation before containment 3) Do containment surgically @CHemantC
- 9. Client Containment Definition: Blocking specific client from connecting to AP Clients that you control: Enterprise assigned clients For on-boarded clients (BYOD, Guest), take opt-in permission if you plan to contain them @CHemantC
- 10. Client Containment Confirmed violation: Block controlled client’s association to Honeypot/Hotspot/Ad hoc network when it happens Surgical deauth: Don’t disrupt other clients connecting to Honeypot/Hotspot/Ad hoc network Well timed, feedback based deauth for minimal airtime consumption @CHemantC
- 11. Containment Airtime Consumption @CHemantC 0.1 0.6 1.1 1.6 2.1 2.6 3.1 0 2 4 6 8 10 12 Percent(%) Concurrent Associations Under Sustained Containment Deauth + Connection Traffic
- 12. AP Containment Definition: Blocking any client from connecting to AP APs that you control: Managed enterprise APs Rogue APs: Unmanaged APs physically connected to enterprise wired network @CHemantC
- 13. Confirmed violation: Confirm rogue AP is physically connected to your network (automatic or manual methods) Surgical wireless containment: Do not disrupt neighborhood APs without knowing if they are connected to your network Well timed, feedback based deauth for minimal airtime consumption AP Containment @CHemantC
- 14. Wire-side containment is also an option Can bypass the FCC issue altogether Techniques: ARP tarpitting, switch port blocking AP Containment @CHemantC
- 15. Closing Remarks FCC vs Marriott spat opened a can of worms. Regulatory guidance is missing for many use cases. Brute vs Fin. Con. Con. as technical matter. Hope FCC will be clarify its stand on Fin. Con. Con. and other use cases in future. @CHemantC
- 16. Additional Information FCC order and decree in the matter of Marriott International Understanding FCC decision regarding Wi-Fi containment at Marriott by Hemant Chaskar via @AirTight blog Marriott Fined 600K by FCC for Blocking Guests Wi-Fi via SlideShare FCC-Marriott WiFi Blocking Fine Opens Pandora’s Box by Lee Badman via InformationWeek Network Computing Wire-Side Containment – Hidden Gem of Rogue Access Point Protection by Hemant Chaskar via @AirTight blog AHLA Petition: Petition For Declaratory Ruling, Or In The Alternative, For Rulemaking FCC WARNING: Wi-Fi Blocking is Prohibited, January 27 2015 http://www.airtightnetworks.com/home/products/AirTight-WIPS.html
- 17. Thank you! #WLPC