Project Charter
Wireless Rogue Detection, Intrusion Detection/Prevention, Acceptable Use Policy Project
Introduction
From the 2012 Information Security Architecture Review
Medium Priority Observations
13.0 Rogue wireless network detection not fully operational
14.0 Aruba wireless solution IDS/IPS features not implemented
Low Priority Observations
18.0 Weaknesses on acceptable use policy
13.0 Rogue wireless network detection not fully operational

Observation: Detection of rogue access points is currently only available in certain areas of the University network (e.g. where newer IEEE 802.11b/g/n access points with monitor mode capabilities are in place). In other locations of the campus most wireless access points do not support monitor mode, meaning that they cannot be used to detect rogue wireless networks. Also, we understand that detection can currently only be performed by manually reviewing log files from the Aruba controller, but currently this task is not performed proactively.

Implication: Attackers may attempt to deploy rogue wireless networks to trick users into connecting to the fake devices in order to perform various attacks (e.g. social engineering). Users of the network may also implement insecure wireless networks and connect them to the campus network, thereby allowing external users the ability to connect to the campus network and launch attacks.

Recommendation:
- Implement the required access points in those areas that are currently unable to perform rogue access point detection.
- Implement controls and processes to proactively monitor for the presence of rogue wireless access points and shut them down.

Management comments and action plan: Upgrades to a/b/g/n wireless are in progress in the eight most heavily used buildings. Upgrades of the remaining buildings from b/g to a/b/g/n will take place over the next 2-3 years; in the meantime these areas will only be able to detect b/g rogues. The University has guidelines on the deployment of private wireless LANs (WirelessGuidelines), but they are not enforced. Rogue APs are now commonplace, with 800-1000 rogue APs detected. Enforcement of the existing policy will begin, including:
- Starting a publicity campaign on the matter
- Ensuring the University provided solution meets all reasonable wireless requirements
- Purchasing or developing systems to identify and contain rogues (see recommendation 14)
- Ensuring unnecessary private APs are removed.

Responsible party and timing: Bruce Campbell – Director, Network Services. Winter, 2013.

14.0 Aruba wireless solution IDS/IPS features not implemented

Observation: During the assessment of the Aruba wireless controller configuration file, it was observed that no IDS/IPS features are implemented. We understand that a license is required to enable these features. Other features provided with this license include:
- Rogue identification and containment
- Impersonation detection and prevention
- Denial of service attack detection
- Probing and network discovery
- Network intrusion detection
- Client intrusion prevention

Implication: Without IDS/IPS detection, attacks that are generated on the wireless network may go undetected.

Recommendation: Implement IDS/IPS mechanisms. Also, develop a wireless security and configuration policy that includes specific rules and controls that should be implemented across the entire wireless infrastructure.

Management comments and action plan: A quote for the Aruba RFProtect license to implement wireless IDS/IDP, and upgrades to the Airwave management tool, have been received. Total cost for license and equipment is $125,000. Aruba RFProtect and Airwave will be implemented pending satisfactory review of technical capabilities and budget allocation. The entire campus wireless infrastructure is managed by IST, and it includes a master controller which pushes policy to all other controllers. The existing policy will be documented, reviewed, and updated as needed.

Responsible party and timing: Bruce Campbell – Director, Network Services. Fall, 2012.

18.0 Weaknesses on acceptable use policy

Observation: The current “Guidelines on Use of Waterloo Computing and Network Resources” (http://www.adm.uwaterloo.ca/infocist/use.htm) do not clearly state restrictions regarding digital copyright, peer to peer, and file sharing. Also, they do not prohibit network misuse or attacks such as network scanning, vulnerability scanning, etc. In addition, unauthenticated users of the guest wireless network are presented with a captive portal that does not present the full acceptable use policy.

Implication: If the computer and network acceptable use policy does not explicitly prohibit or ban certain activities, or the policy is not clearly visible to users, users may assume that some activities (e.g. sharing digital copyrighted material) are not restricted or enforced. Therefore they may engage in activities that should be explicitly forbidden.

Recommendation: The University should improve its policies to explicitly prohibit certain activities such as network misuse (e.g. scanning and DOS attacks) and digital copyright file sharing, for example. Furthermore, these policies should be communicated effectively to all users of the network and require their acceptance of the terms expressed in the policies. Also, the University should comply with the stated guideline: “To inform Waterloo users of their rights and responsibilities in the use of Waterloo computing and network resources, and to communicate clearly the terms and conditions under which access to and use of such resources are provided” by making this policy fully accessible to users of the guest wireless network in order to allow them to review its content.

Management comments and action plan: The current “Guidelines on Use of Waterloo Computing and Network Resources” (http://www.adm.uwaterloo.ca/infocist/use.htm) include a link (http://www.adm.uwaterloo.ca/infocist/use2006examples.htm) which clearly covers copyright materials, peer to peer, file sharing, and some forms of misuse such as exploiting a vulnerability in a system. The guidelines and companion document will be reviewed and updated as needed, and merged into a single document if justified (making it more suitable for “review and accept” applications). Technical and other mechanisms to inform users of their rights and responsibilities will be explored. This could include requiring end users to review and accept policy before access is granted (where technically possible, see UW RT 225721), or passive approaches such as publicity campaigns.

Responsible party and timing: Bruce Campbell – Director, Network Services. Winter, 2013.
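Observation 13.0 notes that rogue detection currently depends on someone manually reading Aruba controller logs, and observation 14.0 lists rogue identification and impersonation detection as the licensed features that would automate it. The following Python script is an added illustration of the core of such a proactive check and is not part of the charter, nor Aruba's software or log format: it compares BSSIDs reported by monitor-mode sensors against an inventory of University-managed APs and separates an unknown AP broadcasting a campus SSID (impersonation) from an unknown AP on a private SSID. The log line layout, the inventory, and every BSSID, SSID and sensor name are constructed for the example.

```python
"""Rogue / impersonating AP triage over wireless scan reports.

Added example: NOT the Aruba controller's log format or the University's tooling.
All BSSIDs, SSIDs, sensor names and log lines below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory of University-managed APs: BSSID -> SSID it should broadcast.
AUTHORIZED_APS = {
    "00:0b:86:aa:00:01": "uw-wifi",
    "00:0b:86:aa:00:02": "uw-wifi",
    "00:0b:86:aa:00:03": "uw-guest",
}
# SSIDs that only University APs are allowed to broadcast.
MANAGED_SSIDS = set(AUTHORIZED_APS.values())

# Constructed scan-report line: timestamp, reporting sensor AP, observed BSSID/SSID, channel, RSSI.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) bssid=(?P<bssid>[0-9a-fA-F:]{17}) "
    r'ssid="(?P<ssid>[^"]*)" chan=(?P<chan>\d+) rssi=(?P<rssi>-?\d+)$'
)

# Constructed sample input; the last line is deliberately malformed.
SAMPLE_LOG = """\
2012-10-01T09:00:01 sensor=ap-mc-301 bssid=00:0b:86:aa:00:01 ssid="uw-wifi" chan=6 rssi=-40
2012-10-01T09:00:02 sensor=ap-mc-301 bssid=c8:3a:35:12:34:56 ssid="uw-wifi" chan=6 rssi=-55
2012-10-01T09:00:03 sensor=ap-dc-112 bssid=00:1d:7e:ab:cd:ef ssid="linksys" chan=11 rssi=-62
2012-10-01T09:00:04 sensor=ap-dc-112 bssid=00:0b:86:aa:00:03 ssid="uw-guest" chan=1 rssi=-48
2012-10-01T09:00:05 sensor=ap-mc-301 bssid=c8:3a:35:12:34:56 ssid="uw-wifi" chan=6 rssi=-57
garbage line that does not parse
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    kind: str                      # "impersonation", "unknown-ap" or "inventory-mismatch"
    sightings: int = 0
    sensors: set = field(default_factory=set)
    strongest_rssi: int = -100     # strongest signal helps physically locate the device


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None so bad lines are counted, not fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bssid"] = rec["bssid"].lower()
    rec["chan"] = int(rec["chan"])
    rec["rssi"] = int(rec["rssi"])
    return rec


def classify(bssid, ssid):
    """Inventory check: known BSSID on its own SSID is authorized; anything else is a finding."""
    if bssid in AUTHORIZED_APS:
        return "authorized" if AUTHORIZED_APS[bssid] == ssid else "inventory-mismatch"
    if ssid in MANAGED_SSIDS:
        return "impersonation"     # unknown radio advertising a campus SSID
    return "unknown-ap"            # private/rogue AP; wired-side check still needed


def triage(log_text):
    """Aggregate one finding per non-authorized BSSID; return (findings, unparsed_line_count)."""
    findings, unparsed = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        kind = classify(rec["bssid"], rec["ssid"])
        if kind == "authorized":
            continue
        f = findings.setdefault(rec["bssid"], Finding(rec["bssid"], rec["ssid"], kind))
        f.sightings += 1
        f.sensors.add(rec["sensor"])
        f.strongest_rssi = max(f.strongest_rssi, rec["rssi"])
    return findings, unparsed


SEVERITY = {"impersonation": 0, "inventory-mismatch": 1, "unknown-ap": 2}


def report(findings):
    """Findings as one line each, most severe first, for a daily review queue."""
    ordered = sorted(findings.values(), key=lambda f: (SEVERITY[f.kind], f.bssid))
    return [f"{f.kind:18} {f.bssid} ssid={f.ssid!r} seen={f.sightings} "
            f"sensors={sorted(f.sensors)} best_rssi={f.strongest_rssi}" for f in ordered]


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    print("\n".join(report(found)))
    print(f"{bad} unparsed line(s)")
```

Run on the sample it flags the unknown radio advertising "uw-wifi" as an impersonation ahead of the private "linksys" AP, with the sensors that heard each one. In a real deployment the inventory would be exported from the controller and the script scheduled against the daily log, which is the "proactive" part the observation asks for.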
Objectives
The objectives of this project are to improve security/accountability in the campus wireless environment by:
- Disabling/containing rogue access points
- Requiring users of the campus wireless environment to review and accept an Acceptable Use Policy.
Scope
The scope of the project is the campus wireless environment. The Acceptable Use Policy may also be included on the
student residence network.
The campus wired network is outside the scope of this project.
Constraints, Assumptions and Risks
- Rogue detection is limited to 802.11b/g in many areas of campus. Upgrades to 802.11a/b/g/n are in progress in the most heavily used buildings.
- Users should be required to review/accept the Acceptable Use Policy (AUP) once per term (and optionally per device), or some other reasonable time period, before being granted access to the HTTP (standard web) protocol. Other protocols should not be affected by the AUP review/accept logic.
- Technology to provide AUP review/acceptance has not been investigated. It is expected the Sandvine Policy Traffic Switch (PTS) can provide this functionality for the campus wireless environment and student residence network.
Dependencies
- Complete rogue detection functionality in all bands depends on the campus wireless upgrade.
Budget
- UW RT https://rt.uwaterloo.ca/Ticket/Display.html?id=233465 – Airwave renewal complete. $13,000
- UW RT https://rt.uwaterloo.ca/Ticket/Display.html?id=238768 – Order Aruba RF Protect licenses complete. $99,000
Timeline
- Deployment of Airwave server, and RF Protect licenses (without full functionality enabled): Fall, 2012
- Enable containment/disabling of rogue APs: Winter, 2013
- Enable display of Acceptable Use Policy: Winter, 2013
Strategy
- Deploy Airwave and Aruba RFProtect
- Upgrade to 802.11a/b/g/n APs in most heavily used buildings
- Begin enforcement of existing wireless guidelines https://strobe.uwaterloo.ca/~twiki/bin/view/ISTNS/WirelessGuidelines by:
  o Continuing publicity campaign
  o Ensuring the University provided solution meets all reasonable wireless requirements
  o Enabling Aruba RFProtect Rogue containment functions
  o Removing unnecessary private APs
- Review/activate additional Aruba RFProtect intrusion detection/prevention features.
- Review/update the University’s Guidelines on Use of Waterloo Computing and Network Resources
- Require users to review and accept an Acceptable Use Policy, on the campus wireless network.
Resource Roles and Responsibilities
Project Sponsor:
Project Leader: Steve Bourque
Project Team: Martin Macleod, Engineering; Lawrence Folland, CS
Approval
This charter formally authorizes the Wireless Rogue Detection, Intrusion Detection/Prevention, Acceptable Use Policy
Project, based on the information outlined in this charter. Should any of this information change throughout the
duration of the project, it shall be discussed by [insert statement according to project’s governance on where changes
are discussed] and documented under [insert statement where project’s documented changes are recorded].
Approved by:
Approval Date:
This approval was discussed by [insert where this approval was discussed] and documented at [insert where
documentation for approval resides].
Revision History