RF Signature Anomalies Prevention was AXed!!!!

WEPGuard means you can also prevent authorized clients with anomalies in their RF signature from connecting to an authorized AP. These RF anomalies can indicate the client is spoofing an authorized inactive client MAC address to gain access to the AP.

I find it hard to understand why a function as important as RF signature anomaly detection and prevention was taken out of the Threat Prevention configuration. I went back through Client Auto-classification as well as the Intrusion Prevention tab located under Configuration to see if there was another way of preventing spoofed clients from joining an authorized AP. To the best of my understanding, there is no setting or configuration that can prevent spoofed clients. I understand the implementation of the marker packet technology and how it is utilized in the WIPS function of the AP. However, if I cannot dictate or control spoofed clients autonomously, what's the point of WatchGuard's WIPS as a Threat Prevention sensor?

By taking out the RF Signature Anomalies option under WEPGuard, I have no way to reset clients' RF signatures without deleting them.

I understand that WEP itself is an out-of-date encryption standard, and having that option removed makes sense. To remove the only option to prevent spoofed clients, however, does not make sense. Can you please help me understand how WatchGuard can protect and prevent all my clients from spoofed malicious attacks?

Thanks,
MGS

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @DefenderX

    The WEPGuard feature, and the anti-spoofing feature associated with it, were specifically designed to prevent attacks on WEP that were intended to harvest the WEP key. When WEP was used, it was possible to spoof the MAC address and generate/replay traffic to cause the access point to send more data.

    There are a few key points here:
    -There's no way to prevent a wireless client from changing its MAC and therefore spoofing another client if the wireless card on that client allows that.
    -The WEPGuard feature specifically watched for spoofed replays that attempted to generate that traffic. It did not stop general spoofing.

    Since WPA uses a different key derived from the one you type in, the key is different for each packet, and when WPA/WPA2 is in use, this protection isn't needed because that attack was specific to WEP.

    WEPGuard (and the features associated with it) was no longer needed when WEP was deprecated.

    -James Carson
    WatchGuard Customer Support
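The distinction James draws above, that a replayed frame is detectable while a client that simply rewrites its MAC and sends fresh traffic is not, can be shown with a small detector. The following is an added example and is not part of the original thread, nor WatchGuard's own WEPGuard code; it runs over a constructed list of simplified 802.11-style frame records (claimed transmitter MAC, 12-bit sequence number, frame body) and flags a frame only when the same MAC re-sends a byte-for-byte identical body or its sequence number runs backwards without a plausible wrap. The MAC address, frame bodies and sequence numbers are all made up for the demonstration.

```python
"""Replay detection on per-client frame records (added example, not WatchGuard code).

Frames are a constructed, simplified stand-in for captured 802.11 data frames:
the transmitter MAC, the 12-bit sequence number from the sequence-control field,
and the frame body (for WEP: IV + ciphertext + ICV, which a replay repeats verbatim).
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

SEQ_MODULO = 4096   # 802.11 sequence numbers are 12 bits wide
WRAP_WINDOW = 64    # tolerate a small wrap-around from near 4095 back to near 0


@dataclass(frozen=True)
class Frame:
    src: str      # transmitter address as seen on the air (whatever the client claims)
    seq: int      # sequence number, 0..4095
    body: bytes   # frame body exactly as transmitted


def _advances(prev, cur):
    """True if cur is ahead of prev modulo 4096, i.e. plausibly a later frame from
    the same radio. A jump backwards larger than the wrap window is suspicious."""
    return 0 < (cur - prev) % SEQ_MODULO < SEQ_MODULO - WRAP_WINDOW


def replay_alerts(frames):
    """Return a list of (index, src, reason) for frames that look like replays.

    Two signals, both keyed on the claimed source MAC:
      - an identical body was already sent by that MAC (byte-for-byte replay)
      - the sequence number runs backwards without a plausible 12-bit wrap
    A spoofer that generates *fresh* frames under a stolen MAC trips neither check,
    which is the limitation described in the thread: the AP only sees the MAC the
    client chose to put in the frame.
    """
    seen_bodies = defaultdict(set)
    last_seq = {}
    alerts = []
    for i, f in enumerate(frames):
        digest = hashlib.sha256(f.body).digest()
        if digest in seen_bodies[f.src]:
            alerts.append((i, f.src, "identical frame body re-sent"))
            continue  # do not let a replay update the per-client state
        if f.src in last_seq and not _advances(last_seq[f.src], f.seq):
            alerts.append((i, f.src, "sequence number went backwards"))
            continue
        seen_bodies[f.src].add(digest)
        last_seq[f.src] = f.seq
    return alerts


CLIENT = "aa:bb:cc:dd:ee:01"   # constructed authorized client MAC (hypothetical)


def build_sample_capture():
    """Constructed capture: three genuine frames from the client, one byte-for-byte
    replay of the first frame under the client's MAC, then one freshly generated
    frame that merely reuses the client's MAC (the undetectable case)."""
    genuine = [Frame(CLIENT, 100 + n, b"\x10\x20\x30" + bytes([n]) * 8) for n in range(3)]
    replayed = Frame(CLIENT, genuine[0].seq, genuine[0].body)
    fresh_spoof = Frame(CLIENT, 103, b"\x99\x88\x77" + b"\x00" * 8)
    return genuine + [replayed, fresh_spoof]


def demo():
    """Run the detector over the constructed capture and return its alerts."""
    return replay_alerts(build_sample_capture())


if __name__ == "__main__":
    for idx, src, reason in demo():
        print(f"frame {idx} from {src}: {reason}")
```

Running the sample flags only frame 3 (the replay); frame 4 is indistinguishable from legitimate traffic because nothing in the frame itself ties the MAC to a particular radio. That is why a WEP-era replay detector could act, while generic MAC spoofing has to be handled at the authentication layer (per-client credentials under WPA2-Enterprise, for example) rather than by the WIPS sensor.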

  • james.carson Moderator, WatchGuard Representative

    In addition to the above, we're looking for more information on signature anomalies. Myself or one of my colleagues will post back once we have more information on that feature.

    -James Carson
    WatchGuard Customer Support

  • James,

    Thanks for the clarification on WEP and why it was deprecated. My concern is spoofed clients. Can you please explain in more detail how WatchGuard implements security measures for the WPA/WPA2 encryption standard regarding spoofed clients?

    There appear to be no prevention measures.
    I understand that by using the marker packet the AP can distinguish authorized clients from unauthorized ones. But I have found no information on whether the AP can prevent spoofed clients without the marker packet from associating with the AP.

    The only implementation that I have found that prevented spoofed clients to some degree was under WEPGuard.

    Thanks,
    MGS

  • What is your definition of, or concern with, a spoofed client here?
    MAC address spoofing: there is no obvious solution.

    Re: the WEP spoofing issue, see this:
    https://www.informit.com/articles/article.aspx?p=102230&seqNum=8

    As this does not apply to WPA/WPA2, the WEP spoofing issue does not exist with these protocols.

  • james.carson Moderator, WatchGuard Representative

    Like I mentioned previously, there's no mechanism to prevent general spoofing. The function inside WEPGuard was designed to keep clients from simply rewriting a MAC and replaying old/random/other traffic to force the WEP AP to generate more traffic. The replays were detectable. Simply rewriting a MAC address on the client is not.

    -James Carson
    WatchGuard Customer Support

  • So, an attacker using a WiFi Pineapple or other means to spoof the client CANNOT be prevented?

    In a nutshell, there are NO prevention countermeasures for spoofed clients. And in effect, the WatchGuard WIPS, as far as spoofed clients are concerned, would be considered a WIDS.

    It would have been nice to hear that, because of the marker packet implementation, any spoofed client without the special marker packet would automatically be deauthorized and a warning would be issued describing the threat and how it was mitigated. However, that does not appear to be the case.

    I just want to be reassured that even though I have an active spoofed client, the attacker CANNOT access the AP.

    Thanks,
    MGS

  • The WiFi Pineapple is an AP, often with the goal of setting up an Evil Twin access point as a honeypot.
    WIPS can block an Evil Twin access point.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Wi-Fi-Cloud/manage_wirelessmanager/configuration/wips/twe_wips.html

  • Since WatchGuard cannot give a detailed answer to a specific question regarding spoofed clients and how WatchGuard's implementation of WIPS prevents unauthorized access, I digress.

    Not being able to DEFEND that attack vector is HIGHLY ALARMING.

    Signing off,
    MGS

  • edited March 2021

    FYI - I do not work for WG. Never have. I am just a long time WG firewall user, just trying to help answer questions from other WG firewall users.

    See this section: Clients Mis-Association and Honeypot AP Prevention Techniques

    White Paper - WIPS Secure Wi-Fi
    https://www.watchguard.com/wgrd-resource-center/white-paper/wips-secure-wifi

  • james.carson Moderator, WatchGuard Representative

    @DefenderX
    Like I mentioned, that specific spoof happens on the client. As far as the AP is aware, this traffic is normal, because the client is what decides what its MAC address is.

    There are other attack prevention measures in place that are effective. If you need assistance with any of those I'd suggest setting up a case for assistance.

    Since WEP is deprecated and no longer in use, there's no need to defend from it.

    -James Carson
    WatchGuard Customer Support
