PCI DSS 11.1 and 11.1.2 – Rogue AP(s)

This topic will be broken out into several blog entries for your reading pleasure. 🙂 

This is my interpretation of, and process for, PCI DSS 11.1 and 11.1.2. Your results or your interpretation may differ.

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.

Note: the PCI DSS Summary Quick Reference Guide can be viewed HERE.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

My interpretation is that I need a documented process that produces a list of Rogue AP(s) as of a specific point in time (at least quarterly, per 11.1). Each entry on that list must then be investigated to determine whether it is a Rogue AP transmitting one of our SSID(s) while not under our control, or a Rogue AP bridging a wireless network onto our wired network.

The FCC has fined enterprises that took active mitigation steps (such as deauthentication or containment) against Rogue AP(s) they did not own and that were not attacking their network. The 2.4 GHz and 5 GHz bands are unlicensed, and everyone has an equal right to use them; "rogue" in your controller's eyes does not mean you are entitled to knock it off the air. To keep that distinction visible in the process, I use three terms: Actionable Rogue AP, Non-Actionable Rogue AP, and Malicious Rogue AP.

Note: Reference FCC Record DA-14-1444 (the 2014 Marriott consent decree for blocking guests' personal Wi-Fi hotspots).

It is also important to understand that you have to document both your process and the resulting reports, and be able to produce them to your assessor. If it isn't documented and producible, then it didn't happen.

Terminology for Rogue AP Detection and Mitigation Flow:

  • Actionable Rogue AP – AP that has been detected as a Rogue AP by your wireless control system but is owned by the Enterprise (for example, an AP bought by a business unit and connected to the corporate network without going through the wireless team). Because you own it, you can lawfully remove it or bring it under management.
  • Non-Actionable Rogue AP – AP that has been detected as a Rogue AP by your wireless control system and is not owned by your enterprise (a neighbor's AP, a personal hotspot). It is documented, not mitigated.
  • Malicious Rogue AP – AP that is not owned by your enterprise, has been detected as a Rogue AP by your wireless control system, AND is masquerading as your network by transmitting your SSID(s) or launching other attacks against your wireless network.

 

Process Flow:

(Figure: pci-data-flow – Rogue AP process flow diagram)

Rogue AP Process:

Cisco Prime runs the Rogue AP Report.

1. Checks whether the Rogue AP is on the Friendly AP List

  • Yes – AP is a Corp Infrastructure AP and is filtered from the Rogue AP Report
  • No – AP is considered a Rogue AP

2. Checks whether the Rogue AP has a signal strength (RSSI) greater than or equal to -85 dBm

  • Yes – AP is a Rogue AP and continues in the process
  • No – AP is classified as a "Non-Actionable" Rogue AP and filtered from the Rogue AP Report

Note: the RSSI filter assumes a weak signal means the AP is off premises. Do not rely on RSSI alone to rule out an AP that may be bridged onto your wired network; a rogue in a far corner of the building can be heard weakly by your infrastructure and still be plugged into a corporate switch port.

3. Sends the Rogue AP Report to the Data Repository

4. Operational Support Engineer reviews the Rogue AP Report

Checks whether the AP is an Owned Asset

  • Yes – Rogue AP is classified as an "Actionable Rogue AP"
    1. Open a ticket for mitigation
    2. Mitigate the Rogue AP (remove it from the network or bring it under management)
    3. Document and close the ticket
  • No – Rogue AP is a non-owned asset. Continue researching.

Checks whether the Rogue AP is transmitting a Corp SSID (or, per the definition above, launching other attacks against your wireless network)

  • Yes – Classify the Rogue AP as a "Malicious Rogue AP"
    1. Open a ticket and escalate to the wireless engineer
    2. Mitigate the Rogue AP, keeping the evidence of the masquerading SSID or attack with the ticket, given the FCC caveat above
    3. Document and close the ticket
  • No – Classify the Rogue AP as a "Non-Actionable Rogue AP"
    1. Document the Rogue AP in the Rogue AP Report (no mitigation; it is someone else's lawful use of the spectrum)
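The process flow above, as an added example that is not from the original post or from Cisco Prime: a small Python triage script that applies steps 1, 2 and 4 to a constructed CSV export. The column names, BSSIDs, SSIDs and inventory lists are assumptions for the example and are not Cisco Prime's actual report layout; in practice you would point it at the Rogue AP Report exported from Prime and at your friendly-list and asset-inventory exports. It also handles one detail the flow leaves implicit: the same rogue is usually heard by several corporate APs, so it keeps the strongest detection per BSSID before applying the -85 dBm filter, and it normalizes BSSID formatting so an inventory lookup does not miss on "AA-BB-..." versus "aa:bb:...".

```python
# Added example: rogue AP triage following the process flow above. Column names,
# BSSIDs, SSIDs and inventory lists are constructed, not Cisco Prime's real format.
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

RSSI_THRESHOLD_DBM = -85  # step 2 of the process flow

# Classification labels, matching the terminology section above
INFRASTRUCTURE = "Corp Infrastructure AP (filtered)"
BELOW_THRESHOLD = "Non-Actionable Rogue AP (below RSSI threshold, filtered)"
ACTIONABLE = "Actionable Rogue AP"
MALICIOUS = "Malicious Rogue AP"
NON_ACTIONABLE = "Non-Actionable Rogue AP"

# Ticket actions for the classes that reach step 4
ACTIONS = {
    ACTIONABLE: "Open ticket for mitigation; mitigate; document and close",
    MALICIOUS: "Open ticket, escalate to wireless engineer; mitigate; document and close",
    NON_ACTIONABLE: "Document in the Rogue AP Report; no mitigation",
}

# Constructed inventory (assumptions for this example)
FRIENDLY_BSSIDS = {"00:11:22:33:44:01"}   # managed corp infrastructure
OWNED_BSSIDS = {"aa:bb:cc:dd:ee:03"}      # owned but unmanaged, e.g. a lab AP
CORP_SSIDS = {"CorpWiFi", "CorpGuest"}

# Constructed export: one row per (rogue, detecting AP), so a rogue heard by
# several corp APs appears several times. Column names are assumed.
SAMPLE_REPORT = """\
bssid,ssid,rssi_dbm,detecting_ap,attack_detected
00:11:22:33:44:01,CorpWiFi,-40,AP-HQ-01,no
aa:bb:cc:dd:ee:01,CoffeeShop,-91,AP-HQ-03,no
aa:bb:cc:dd:ee:02,CorpWiFi,-78,AP-HQ-05,no
aa:bb:cc:dd:ee:02,CorpWiFi,-62,AP-HQ-02,no
AA-BB-CC-DD-EE-03,LabTest,-70,AP-HQ-04,no
aa:bb:cc:dd:ee:04,NeighborNet,-66,AP-HQ-01,no
aa:bb:cc:dd:ee:05,FreeWiFi,-59,AP-HQ-02,yes
"""


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    detecting_ap: str
    attack_detected: bool


def normalize_bssid(bssid: str) -> str:
    """Lower-case, colon-separated form so inventory lookups match regardless of formatting."""
    return bssid.strip().lower().replace("-", ":")


def parse_report(text: str) -> List[RogueAP]:
    """One record per BSSID: strongest detection wins, attack flag is OR-ed across detectors."""
    by_bssid: Dict[str, RogueAP] = {}
    for row in csv.DictReader(io.StringIO(text)):
        ap = RogueAP(
            bssid=normalize_bssid(row["bssid"]),
            ssid=row["ssid"].strip(),
            rssi_dbm=int(row["rssi_dbm"]),
            detecting_ap=row["detecting_ap"].strip(),
            attack_detected=row["attack_detected"].strip().lower() in {"yes", "true", "1"},
        )
        seen = by_bssid.get(ap.bssid)
        if seen is not None:
            attacked = ap.attack_detected or seen.attack_detected
            ap = ap if ap.rssi_dbm > seen.rssi_dbm else seen
            ap.attack_detected = attacked
        by_bssid[ap.bssid] = ap
    return list(by_bssid.values())


def classify(ap: RogueAP, friendly: Set[str] = FRIENDLY_BSSIDS,
             owned: Set[str] = OWNED_BSSIDS, corp_ssids: Set[str] = CORP_SSIDS,
             threshold_dbm: int = RSSI_THRESHOLD_DBM) -> str:
    """Steps 1, 2 and 4 of the process flow, applied in order."""
    if ap.bssid in friendly:                          # step 1: friendly list
        return INFRASTRUCTURE
    if ap.rssi_dbm < threshold_dbm:                   # step 2: too weak, filtered
        return BELOW_THRESHOLD
    if ap.bssid in owned:                             # step 4: we own it, we can fix it
        return ACTIONABLE
    if ap.ssid in corp_ssids or ap.attack_detected:   # step 4: masquerading or attacking
        return MALICIOUS
    return NON_ACTIONABLE                             # step 4: someone else's lawful AP


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(bssid, classification, action) for every rogue the engineer must review in step 4."""
    rows = []
    for ap in sorted(parse_report(text), key=lambda a: a.bssid):
        label = classify(ap)
        if label in ACTIONS:
            rows.append((ap.bssid, label, ACTIONS[label]))
    return rows


if __name__ == "__main__":
    for bssid, label, action in triage(SAMPLE_REPORT):
        print(f"{bssid}  {label:<24}  {action}")
```

On the constructed data the friendly AP and the -91 dBm coffee-shop AP are filtered out; the lab AP is Actionable because it is in the owned list; the AP beaconing CorpWiFi (heard at -78 and -62 dBm, collapsed to the -62 dBm detection) and the one with an attack flag are Malicious; the neighbor's AP is Non-Actionable and only documented. Keep the dated output of `triage()` with the quarter's evidence, since the report itself is what the assessor will ask for.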

 

In the next blog article I will go into the different reports referenced here and the Cisco WLC and Cisco Prime optimizations used to execute this process flow.
