Finesse of
Conscious
Containment:
Staying on Top of Security and
Spectrum Rules in
WIPS Deployments
#WLPC
Hemant Chaskar @CHemantC
Marriott agreed to pay a $600,000 fine
after the Federal Communications
Commission found the company blocked
consumer Wi-Fi networks last year
during an event at a hotel and conference
center in Nashville.
http://transition.fcc.gov/Daily_Releases/Dai
ly_Business/2014/db1003/DA-14-
1444A1.pdf
RF Shock
@CHemantC
Marriott has agreed to pay a $600,000 fine
after the Federal Communications
Commission found the company blocked
consumer Wi-Fi networks last year during
an event at a hotel and conference center
in Nashville.Marriott fined $600,000 by FCC
for blocking guests' Wi-Fi
VS
http://apps.fcc.gov/ecfs/document/view?id=
60000986872
AHLA Petitions the FCC
@CHemantC
“Wi-Fi Operators Should Have The Ability to Manage Their
Networks In Order To Offer Secure And Reliable Wi-Fi
Service”
“Wi-Fi networks are more susceptible to a variety of attacks
that can threaten the security and reliability of a hotel's
network or pose a risk to guests, including: (i) signal
interception; (ii) unauthorized network access; (iii)
unauthorized access points; and (iv) access point spoofing.”
FCC Warning on Wi-Fi Blocking
“No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots”
Predicament:
Caveats and Partial Coverage of Use Cases = Confusion.
@CHemantC
For the Rest of the Presentation …
Wear your engineering hat
Stay focused on security (WIPS)
Recognize concreate versus haze
Disclaimer: I am NOT a regulatory authority.
My arguments are based on technology knowledge
and civic sense.
@CHemantC
http://www.fcc.gov/document/warning-wi-fi-
blocking-prohibited
Any Wi-Fi device that is not mine is security threat,
must be crushed (contained)!
“Marriott International, Inc. deployed a Wi-Fi
deauthentication protocol to deliberately block
consumers who sought to connect to the Internet using
their own personal Wi-Fi hot spots. Marriott admitted
that the customers it blocked did not pose a security
threat.”
“No hotel, convention center, or other commercial
establishment or the network operator providing services
at such establishments may intentionally block or disrupt
personal Wi-Fi hot spots on such premises providing
services at such establishments may intentionally block or
disrupt personal Wi-Fi hot spots on such premises,
including as part of an effort to force consumers to
purchase access to the property owner’s Wi-Fi
network.”
“In addition, we reiterate that Federal law prohibits the
operation, marketing, or sale of any type of jamming
equipment, including devices that interfere with Wi-Fi,
cellular, or public safety communications.”
Brute Force =/= Security
Any Wi-Fi device
in the airspace
that is not mine
is a security
threat and must
be crushed
(contained)!
#WLPC@CHemantC
Finesse of Conscious Containment
Is there a way to use containment for
Wi-Fi security (WIPS), without:
Harming legit users sharing the airwaves
Causing airtime wastage
Human intervention
@CHemantC
Fin. Con. Con. Rules
1) Only contain devices that you
control
2) Confirm violation before
containment
3) Do containment surgically
@CHemantC
Client Containment
Definition:
Blocking specific client from connecting to AP
Clients that you control:
Enterprise assigned clients
For on-boarded clients (BYOD, Guest), take
opt-in permission if you plan to contain them
@CHemantC
Client Containment
Confirmed violation:
Block controlled client’s association to
Honeypot/Hotspot/Ad hoc network when it
happens
Surgical deauth:
Don’t disrupt other clients connecting to
Honeypot/Hotspot/Ad hoc network
Well timed, feedback based deauth for minimal
airtime consumption
@CHemantC
Containment Airtime Consumption
@CHemantC
0.1
0.6
1.1
1.6
2.1
2.6
3.1
0 2 4 6 8 10 12
Per
cen
t (%
)
Concurrent Associations Under Sustained Containment
Deauth + Connection Traffic
AP Containment
Definition:
Blocking any client from connecting to AP
APs that you control:
Managed enterprise APs
Rogue APs: Unmanaged APs physically
connected to enterprise wired network
@CHemantC
Confirmed violation:
Confirm rogue AP is physically connected to
your network (automatic or manual methods)
Surgical wireless containment:
Do not disrupt neighborhood APs without
knowing if they are connected to your network
Well timed, feedback based deauth for minimal
airtime consumption
AP Containment
@CHemantC
Wire-side containment is also an option
Can bypass the FCC issue altogether
Techniques: ARP tarpitting, switch port
blocking
AP Containment
@CHemantC
Closing Remarks
FCC vs Marriott spat opened a can of worms.
Regulatory guidance is missing for many use
cases.
Brute vs Fin. Con. Con. as technical matter.
Hope FCC will be clarify its stand on Fin. Con.
Con. and other use cases in future.
@CHemantC
Additional Information
FCC order and decree in the matter of Marriott International
Understanding FCC decision regarding Wi-Fi containment at Marriott by Hemant Chaskar via @AirTight blog
Marriott Fined 600K by FCC for Blocking Guests Wi-Fi via SlideShare
FCC-Marriott WiFi Blocking Fine Opens Pandora’s Box by Lee Badman via InformationWeek Network Computing
Wire-Side Containment – Hidden Gem of Rogue Access Point Protectionby Hemant Chaskar via @AirTight blog
AHLA Petition: Petition For Declaratory Ruling, Or In The Alternative, For Rulemaking
FCC WARNING: Wi-Fi Blocking is Prohibited, January 27 2015
http://www.airtightnetworks.com/home/products/AirTight-WIPS.html
Top Related