Friday, October 1, 2010

802.11n Rogue Network Detection

Executive Summary

Current wireless monitoring systems are able to detect and alert on 802.11n rogue wireless networks without modification or upgrade. No changes to the current environment are required. However, traffic analysis and interception of 802.11n data traffic would require installation of an 802.11n capable WIPS/WIDS solution, as well as access to encryption key material if the network is secured.

Testing was performed on 6 different consumer and enterprise platforms to reach these results, as described below.


The 802.11n wireless standard specifies new frame encoding methods which are incompatible with legacy 802.11a/b/g equipment. One potential threat is for a rogue wireless network to be installed utilizing 802.11n in order to bypass detection by 802.11a/b/g based monitoring systems currently deployed.

Evaluation of enterprise and consumer 802.11n equipment was performed to determine the potential for such an attack. Testing revealed that the new frame encoding methods are not used for network advertisement or broadcast frames. The 802.11n standard mandates network advertisement using legacy encoding methods to ensure backwards compatibility. This allows current monitoring systems based on 802.11a/b/g equipment to detect the presence of 802.11n wireless networks.

The ability of current monitoring systems to adequately detect 802.11n rogue network threats provides sufficient insight into the wireless network for policy compliance and remediation efforts. The risk of 802.11n networks bypassing detection by current monitoring systems is very low. No changes to the current environment are recommended in response to this threat.

802.11n Rogue Network Threats

The advancement of wireless local area network technologies with the recent 802.11n draft specification and subsequent availability of enterprise and consumer equipment represents unique opportunities and threats to corporate wireless networks. The 802.11n draft protocol specifies fundamental architectural changes in the encoding and transmission of radio frequency signals which allow wireless networks to achieve benefits such as higher throughput and longer range. The downside to such advancements is the inability of legacy 802.11a/b/g equipment to decode these signals, effectively leaving legacy devices blind to 802.11n transmissions. This issue represents multiple risks to wireless networks, such as introducing a greater likelihood for interference, frame collisions, frame retransmissions, and degraded throughput, as well as the potential for 802.11n rogue access points to remain undetected by legacy monitoring systems.

The IEEE 802.11n working group recognized these issues and built in legacy coexistence mechanisms to facilitate the concurrent use of the new and old encoding mechanisms. The draft specifies three possible operating modes for 802.11n networks: Legacy, Mixed-Mode, and Greenfield Mode. Legacy mode operation conforms to the existing 802.11a/b/g encoding mechanisms and provides none of the additional benefits of the new standard. Mixed-Mode operation allows wireless networks to simultaneously serve both new and legacy equipment, and requires all signals encoded with the new standard to be prepended with a legacy frame header so that legacy equipment can recognize the signal transmission. This behavior prevents legacy equipment from interfering with the transmissions of 802.11n signals at the cost of some throughput. Greenfield mode operation allows 802.11n equipment to transmit signals with the new encoding mechanism without prepending a legacy header. This provides the maximum throughput for the wireless network, but prevents legacy equipment from recognizing or understanding these wireless signals.

The potential exists for rogue wireless networks implementing Greenfield mode operation to remain undetected by legacy monitoring systems based on 802.11a/b/g equipment.

Impact Analysis

The results from this evaluation reveal that legacy monitoring systems will be able to detect new 802.11n (IEEE 802.11 clause 20) wireless networks. The testing shows that each of the products evaluated supports Legacy and Mixed-Mode operation, but few support Greenfield mode operation. More importantly, the testing also shows that network advertisement through Beacon frames is always sent with Legacy encoding (IEEE 802.11 clause 15, 17, 18, or 19 data rates), ensuring that 802.11a/b/g equipment will always be able to detect the presence of such networks.

The IEEE 802.11n-2009 amendment, section 9.6.0d “Rate selection for data and management frames” states:

If the BSSBasicRateSet parameter is not empty, a non-STBC Beacon or a non-STBC PSMP frame shall be transmitted in a non-HT PPDU using one of the rates included in the BSSBasicRateSet parameter.

If the BSSBasicRateSet parameter is empty, the frame shall be transmitted in a non-HT PPDU using one of the mandatory PHY rates.

Data frames sent between 802.11n clients and APs, on the other hand, may be sent with either Mixed-Mode or Greenfield mode encoding, preventing legacy monitoring systems from decoding their contents. However, due to modern wireless security protocols and encryption using dynamic keying material, data frames on any secured network already cannot be deciphered by monitoring systems. Therefore, the inability to decipher high throughput encrypted data frames is not a significant change from current security operation.

Additionally, access points supporting an “N-Only” mode of operation implement this feature by evaluating the supported rates of client devices (as set in the HT Capabilities information element, specified in section of the IEEE 802.11n-2009 amendment) attempting to associate to the BSS and refusing association if the client does not include support for 802.11n MCS data rates. Beacons for devices operating in this mode are still transmitted at Legacy data rates. Typically, the following association refusal status codes are used, per the IEEE 802.11-2007 standard section
  • Code 18 – STA Does Not Support All Data Rates in the BSS Basic Rate Set
  • Code 10 – All Capability Fields Not Supported

The ability for legacy 802.11a/b/g equipment to detect 802.11n networks allows current monitoring systems to adequately detect 802.11n rogue network threats and provides sufficient insight into the wireless networks for policy compliance and remediation efforts.

Test Environment
Evaluation of 802.11n equipment was performed to determine the ability of such equipment to remain undetected by current wireless monitoring systems based on 802.11a/b/g equipment. In order to accurately assess this threat, equipment was selected from a cross-section of commercially available vendors, both enterprise and consumer oriented. Each device was tested to determine the ability of legacy equipment to detect its presence.

802.11n Device Test bed:
  1. Cisco 1252 Autonomous Access Point
  2. Linksys WRT350N
  3. Linksys WRT600N
  4. D-Link DIR-655
  5. D-Link DGL-4500
  6. Apple Airport Extreme

Each device was run through a series of tests to evaluate its operating characteristics:
  1. Network advertisement when in 802.11a/b/g legacy mode operation
  2. Network advertisement when in 802.11a/b/g/n mixed mode operation
  3. Network advertisement when in 802.11n only mode operation
  4. Analysis of advertised capabilities, including Greenfield mode and 40-MHz channels
  5. Detection and reporting of networks by current monitoring systems based on legacy 802.11a/b/g access points
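Tests 3 and 4 above come down to reading the beacon a legacy monitor already receives: the beacon is sent as a non-HT PPDU, and the HT Capabilities information element inside it advertises Greenfield and 40 MHz support. The following parser is an added example, not part of the original evaluation; it assumes the element ID 45 and HT Capabilities Info bit positions defined by the 802.11n amendment, and the beacon bytes are constructed for a hypothetical access point.

```python
import struct

HT_CAPABILITIES_IE = 45  # element ID introduced by the 802.11n amendment


def parse_information_elements(data):
    """Walk the TLV information elements following the fixed beacon fields."""
    ies = {}
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated capture: stop instead of mis-parsing
        ies.setdefault(eid, value)  # keep the first copy of a repeated element
        pos += 2 + length
    return ies


def parse_beacon(frame_body):
    """Return what a legacy monitor can learn about a BSS from one beacon.

    frame_body = 8-byte timestamp, 2-byte beacon interval, 2-byte capability
    field, then the information elements (little-endian, per 802.11).
    """
    if len(frame_body) < 12:
        raise ValueError("beacon body too short")
    ies = parse_information_elements(frame_body[12:])
    ds = ies.get(3, b"")  # DS Parameter Set carries the 2.4 GHz channel number
    result = {
        "ssid": ies.get(0, b"").decode("utf-8", "replace"),
        "channel": ds[0] if len(ds) == 1 else None,
        "ht": HT_CAPABILITIES_IE in ies,  # present only for 802.11n BSSs
        "greenfield": False,
        "width_40mhz": False,
    }
    ht = ies.get(HT_CAPABILITIES_IE)
    if ht is not None and len(ht) >= 2:
        info = struct.unpack_from("<H", ht, 0)[0]       # HT Capabilities Info
        result["width_40mhz"] = bool(info & (1 << 1))  # Supported Channel Width Set
        result["greenfield"] = bool(info & (1 << 4))   # HT-Greenfield
    return result


def build_ht_capabilities(greenfield, width_40mhz):
    """Constructed 26-byte HT Capabilities IE with only the bits of interest set."""
    info = (1 << 1 if width_40mhz else 0) | (1 << 4 if greenfield else 0)
    body = struct.pack("<H", info) + b"\x00" + b"\xff" + b"\x00" * 22
    return bytes([HT_CAPABILITIES_IE, len(body)]) + body


# Constructed beacon body for a hypothetical 802.11n AP on channel 6 (not a capture).
SAMPLE_BEACON = (
    b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)  # timestamp, interval, ESS+privacy
    + bytes([0, 9]) + b"rogue-lab"                   # SSID
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # basic rates 1/2/5.5/11 Mb/s
    + bytes([3, 1, 6])                               # DS Parameter Set: channel 6
    + build_ht_capabilities(greenfield=True, width_40mhz=True)
)
```

Because the beacon itself is legacy-encoded, a monitor that can decode only 802.11a/b/g frames still sees the SSID and channel and can flag the HT element as a possible 802.11n rogue.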

Test results were compiled independently for devices operating in the 2.4 GHz and 5 GHz frequency ranges due to operational differences commonly implemented by vendors.

Test Results


IEEE 802.11n-2009 Amendment to the IEEE 802.11-2007 standard:
  • Section 9.6 Multirate Support
    • Section 9.6.0d specifies rate selection for data and management frames
  • Section 20.1.4 specifies PPDU formats (Non-HT Legacy, HT-Mixed, HT-Greenfield)
