WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Finesse of Conscious Containment: Staying on Top of Security and Spectrum Rules in WIPS Deployments #WLPC Hemant Chaskar @CHemantC

Upload: airtight-networks

Post on 19-Jul-2015


Category: Technology



TRANSCRIPT

Page 1: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Finesse of Conscious Containment: Staying on Top of Security and Spectrum Rules in WIPS Deployments

#WLPC

Hemant Chaskar @CHemantC

Page 2: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

RF Shock

Marriott agreed to pay a $600,000 fine after the Federal Communications Commission found the company blocked consumer Wi-Fi networks last year during an event at a hotel and conference center in Nashville.

http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1003/DA-14-1444A1.pdf

Marriott fined $600,000 by FCC for blocking guests' Wi-Fi

Page 3: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

AHLA Petitions the FCC

http://apps.fcc.gov/ecfs/document/view?id=60000986872

“Wi-Fi Operators Should Have The Ability to Manage Their Networks In Order To Offer Secure And Reliable Wi-Fi Service”

“Wi-Fi networks are more susceptible to a variety of attacks that can threaten the security and reliability of a hotel's network or pose a risk to guests, including: (i) signal interception; (ii) unauthorized network access; (iii) unauthorized access points; and (iv) access point spoofing.”

Page 4: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

FCC Warning on Wi-Fi Blocking

“No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots”

Predicament: Caveats and Partial Coverage of Use Cases = Confusion.

Page 5: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

For the Rest of the Presentation …

Wear your engineering hat

Stay focused on security (WIPS)

Recognize concrete versus haze

Disclaimer: I am NOT a regulatory authority. My arguments are based on technology knowledge and civic sense.

Page 6: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Brute Force =/= Security

Any Wi-Fi device in the airspace that is not mine is a security threat and must be crushed (contained)!

http://www.fcc.gov/document/warning-wi-fi-blocking-prohibited

“Marriott International, Inc. deployed a Wi-Fi deauthentication protocol to deliberately block consumers who sought to connect to the Internet using their own personal Wi-Fi hot spots. Marriott admitted that the customers it blocked did not pose a security threat.”

“No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots on such premises, including as part of an effort to force consumers to purchase access to the property owner’s Wi-Fi network.”

“In addition, we reiterate that Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with Wi-Fi, cellular, or public safety communications.”

Page 7: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Finesse of Conscious Containment

Is there a way to use containment for Wi-Fi security (WIPS), without:

Harming legit users sharing the airwaves

Causing airtime wastage

Human intervention

Page 8: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Fin. Con. Con. Rules

1) Only contain devices that you control

2) Confirm violation before containment

3) Do containment surgically

Page 9: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Client Containment

Definition: Blocking a specific client from connecting to AP

Clients that you control:

Enterprise assigned clients

For on-boarded clients (BYOD, Guest), take opt-in permission if you plan to contain them

Page 10: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Client Containment

Confirmed violation: Block controlled client’s association to Honeypot/Hotspot/Ad hoc network when it happens

Surgical deauth:

Don’t disrupt other clients connecting to Honeypot/Hotspot/Ad hoc network

Well timed, feedback based deauth for minimal airtime consumption

Page 11: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Containment Airtime Consumption

[Figure: airtime consumption in percent (%) versus concurrent associations under sustained containment; plotted series: Deauth + Connection Traffic]

Page 12: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

AP Containment

Definition: Blocking any client from connecting to AP

APs that you control:

Managed enterprise APs

Rogue APs: Unmanaged APs physically connected to enterprise wired network

Page 13: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

AP Containment

Confirmed violation: Confirm rogue AP is physically connected to your network (automatic or manual methods)

Surgical wireless containment:

Do not disrupt neighborhood APs without knowing if they are connected to your network

Well timed, feedback based deauth for minimal airtime consumption

Page 14: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

AP Containment

Wire-side containment is also an option

Can bypass the FCC issue altogether

Techniques: ARP tarpitting, switch port blocking
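
The three Fin. Con. Con. rules from the client and AP containment slides, written as a policy gate that a WIPS could evaluate before any containment is started. This is an added example, not code from the presentation or from any WIPS product; the field names, the network kinds, the choice to leave managed APs alone, and the preference for wire-side blocking when the switch port is known are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Action(Enum):
    NONE = "none"
    WIRELESS = "targeted-wireless"   # scoped to one client/network pair or one rogue AP
    WIRE_SIDE = "wire-side"          # e.g. switch port blocking

@dataclass(frozen=True)
class Ap:
    bssid: str
    managed: bool               # in the enterprise AP inventory
    wired_confirmed: bool       # connection to the enterprise wire confirmed
    switch_port: Optional[str]  # port the AP was traced to, if known

@dataclass(frozen=True)
class ClientEvent:
    mac: str
    enterprise_assigned: bool
    opted_in: bool                # on-boarded BYOD/guest that gave opt-in permission
    associated_to: Optional[str]  # BSSID or ad hoc cell; None if not associated
    network_kind: str             # "authorized", "honeypot", "hotspot" or "adhoc"

VIOLATING_KINDS = {"honeypot", "hotspot", "adhoc"}

def decide_ap(ap: Ap) -> Tuple[Action, str]:
    if ap.managed:                     # assumption: managed APs are authorized
        return Action.NONE, "managed AP"
    if not ap.wired_confirmed:         # rule 2: unconfirmed is treated as a neighbor
        return Action.NONE, "not confirmed on enterprise wire"
    if ap.switch_port:                 # wire-side option keeps the action off the air
        return Action.WIRE_SIDE, "block " + ap.switch_port
    return Action.WIRELESS, "rogue AP " + ap.bssid

def decide_client(ev: ClientEvent) -> Tuple[Action, str]:
    if not (ev.enterprise_assigned or ev.opted_in):      # rule 1
        return Action.NONE, "client not under our control"
    if ev.associated_to is None or ev.network_kind not in VIOLATING_KINDS:
        return Action.NONE, "no confirmed violation"     # rule 2
    # rule 3: the scope is this one client on this one network, nobody else
    return Action.WIRELESS, ev.mac + " -> " + ev.associated_to

# Constructed sample observations (MAC addresses and port name are made up).
NEIGHBOR_AP = Ap("02:00:00:00:00:01", False, False, None)
ROGUE_AP = Ap("02:00:00:00:00:02", False, True, "sw3/gi0/14")
VISITOR = ClientEvent("02:00:00:00:10:01", False, False, "02:00:00:00:00:09", "hotspot")
LAPTOP = ClientEvent("02:00:00:00:10:02", True, False, "02:00:00:00:00:09", "hotspot")
```

The visitor and the enterprise laptop are associated to the same personal hotspot, yet only the laptop yields an action, and that action names a single client/network pair rather than the hotspot itself.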

Page 15: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Closing Remarks

FCC vs Marriott spat opened a can of worms.

Regulatory guidance is missing for many use cases.

Brute vs Fin. Con. Con. as technical matter.

Hope FCC will clarify its stand on Fin. Con. Con. and other use cases in future.

Page 16: WLPC: Staying on Top of Security and Spectrum Rules in WIPS Deployments by Hemant Chaskar

Additional Information

FCC order and decree in the matter of Marriott International

Understanding FCC decision regarding Wi-Fi containment at Marriott by Hemant Chaskar via @AirTight blog

Marriott Fined 600K by FCC for Blocking Guests Wi-Fi via SlideShare

FCC-Marriott WiFi Blocking Fine Opens Pandora’s Box by Lee Badman via InformationWeek Network Computing

Wire-Side Containment – Hidden Gem of Rogue Access Point Protection by Hemant Chaskar via @AirTight blog

AHLA Petition: Petition For Declaratory Ruling, Or In The Alternative, For Rulemaking

FCC WARNING: Wi-Fi Blocking is Prohibited, January 27 2015

http://www.airtightnetworks.com/home/products/AirTight-WIPS.html