topic Re: how to block WIFI network scan APP in Wireless

how to block WIFI network scan APP

W-ALI — Thu, 21 Jul 2022 15:05:43 GMT

Hello ,

does there any solution to prevent WIFI connected users from using any mobile applications like (Fing App) for wifi network scanner. .already I configured below ACL on WIFI connected port on switch , but useless.

40 deny tcp 172.22.179.0 0.0.0.255 any eq 161
60 deny udp 172.22.179.0 0.0.0.255 any eq snmp
80 deny ip 172.22.179.0 0.0.0.255 172.22.179.0 0.0.0.255
100 permit ip any any

any solution ?

Re: how to block WIFI network scan APP

Rasika Nayanajith — Thu, 21 Jul 2022 21:21:45 GMT

What type of WLC you get (AireOS based or IOS-XE based)? may be using AVC (Application Visibility & Control) feature you should be able to drop traffic from that application.

HTH
Rasika
*** Pls rate all useful responses ***

Re: how to block WIFI network scan APP

MikeRamos — Thu, 21 Jul 2022 23:45:16 GMT

Hey W-AL:

As @Rasika Nayanajith(btw, big fan of your blog) said, It depends on what platform you are running.

If it is AireOS:

1- Create an AVC Profile under WIRELESS Tab > Application Visibility and Control - You can actually choose from a pretty long list of applications there and whether you want to permit or deny them.

2- Apply said AVC Profile to the SSID under the QoS Tab of the WLAN (or Guest LAN).

If running IOS-XE (i.e. 9800 WLCs): I recommend the "Understanding and Troubleshooting Cisco Catalyst 9800 Series Wireless Controllers" book (or eBook) at Ciscopress for more info.

1- Create a QoS Policy under Configuration > Services > QoS and choose which applications you want to block.

2- Once created, attach to said QoS Policy the Policy Profiles you want this QoS Policy applied to (Selected section) and the desired direction in which traffic should be blocked.

3- (Optional) Double check that said QoS Policy was correctly applied to the desired Policy Profile under the QoS and AVC Tab (Egress or Ingress).

Re: how to block WIFI network scan APP

W-ALI — Fri, 22 Jul 2022 00:53:52 GMT

@MikeRamos @Rasika Nayanajith

thanks for your reply

the WLC : AIR-AP1815I-I-K9 and AIR-AP1832I-I-K9

please advise if that possible

thanks in advance

Re: how to block WIFI network scan APP

W-ALI — Fri, 22 Jul 2022 01:18:45 GMT

@MikeRamos @Rasika Nayanajith

as per attached Print-Screen I can't find any WIFI network Scanner Application as

Wireless Network watcher or Fing

does there any category name?

Re: how to block WIFI network scan APP

MikeRamos — Fri, 22 Jul 2022 01:52:48 GMT

Hey W-AL:

Seems like your APs are in Autonomous Mode running Cisco Mobility Express. From your screenshot above, try looking in the networking application group (or other network-related groups) to see if you can find it there.

The AVC profile utilizes NBAR to recognize the traffic passing through the WLC (in your case the APs) and sometimes it has to be updated. With each update, more applications are added to the pool. Suffice to say that the newer the application you want to block is, the fewer chances you have of finding it in AireOS AVC since Cisco is moving away from that platform in favor of Catalyst 9800. I can almost guarantee you will have better chances of finding those apps in C9800.

Also, (and as an alternative) you can enable NBAR on your switch, provided that it can do so, and create a class-map/policy-map (Traffic Shaping) to address your issue with the unwanted traffic, however, the same idea stated above applies here: If your switch is kind of old chances are you are not going to have that app in the pool. This alternative, btw, is how you do traffic shaping in Catalyst 9800 WLCs, the only difference with a real switch is that in the 9800 you apply it to the Policy Profile.

Re: how to block WIFI network scan APP

Rich R — Fri, 22 Jul 2022 13:19:01 GMT

I don't think @W-ALI 's question is really about that specific app - it's about network scanning apps in general.
Since you're apparently using ME we assume flex mode with local switching.
It depends what your users need to access on the local networks but the same general principle.
Your ACL should deny all IP traffic to local subnets (assuming users don't need to access anything on the local subnet) eg:
deny ip any 172.22.179.0 0.0.0.255 then permit everything else
permit ip any any
*but* this does not prevent ARP so the scanning app can still ARP for every IP on the subnet to discover which IP addresses 'exist' but it cannot do any more than that - it can't ping or probe them.
You could also do a packet capture to see exactly what the app is doing and make sure the ACL covers all the possibilities.

Re: how to block WIFI network scan APP

W-ALI — Fri, 22 Jul 2022 15:51:42 GMT

Thanks @MikeRamos for this info really appreciated,

the AVC profile on AIR-AP1815 & AIR-AP1832 doesn't include all APP of network scanner, however I'm seeking to find any solution to prevent the category of network scanner APP,

maybe in future , must buy the new WLC technology to get the best options

thanks mate for your info & support

Re: how to block WIFI network scan APP

W-ALI — Fri, 22 Jul 2022 16:04:20 GMT

yes @Rich R that's exactly what I mean,

already I did the ACL to deny Internal IPs to reach other,

but if any user get the ARP table , that's mean issue ,

because I applied & Enables the MAC filtering option, that's allow to any user if get the ARP table to register other device after change the MAC by any APP.

I think the best practice to find any way to prevent the APP get the ARP table

thank you very much for your support

Re: how to block WIFI network scan APP

MikeRamos — Fri, 22 Jul 2022 16:10:19 GMT

It is my absolute pleasure, @W-ALI !

Yeah I figured you wanted to do more like an application group type of blocking instead of an specific app. The C9800 does a tremendous job at that and has quite a lot of apps in NBAR. You can also achieve this if you have Catalyst 9Ks switches so the QoS Traffic Shaping will then happen at the switch level instead of the WLC one since they run the same NBAR packages.

Re: how to block WIFI network scan APP

Rich R — Fri, 22 Jul 2022 16:29:08 GMT

I'm not sure there is any easy way to block the ARP but we've never really tried and I don't think NBAR will be able to it either.

Re: how to block WIFI network scan APP

Leo Laohoo — Sat, 23 Jul 2022 01:12:57 GMT

Wait, this is all wrong.

@W-ALI wants to block users from using an IP scanner and discover the MAC addresses.

No one can stop anyone from using an app. No one. And, equally, no one can say, "do not scan our network" unless someone really wants to court trouble.

Anyone, however, can minimize the scope of the scan by segmenting the network with VRF or a firewall. The firewall, can say, "if you are in the public WiFi subnet, you cannot go anywhere else but the internet". That means, public WiFi users have no access to corporate subnet.

So it will definitely not help if the public WiFi subnet and the corporate subnet is the same or one big 10.0.0.0/8 subnet. Now that, is really asking for trouble.

Next, does anyone know what the implication is if someone decides to unitarily block ICMP echo from the network? I do. Things break. Internet of Trash with poorly written code will stop working if ICMP echo response is disabled or blocked.

Finally, does it make any difference what is found? Random MAC address is enabled by default.

Re: how to block WIFI network scan APP

W-ALI — Sat, 23 Jul 2022 10:16:01 GMT

Thanks @Leo Laohoo for your great input

I would like to clarify more

the WIFI VLAN created on Firewall with below ACL:

permit to some internal server IPs by ports

deny to private network (192.168.XX ,10.X.X.X , 172.16.0.0-172.31. 255.255)

permit to any

also I created the below ACL on Switch port connected to WIFI

40 deny tcp 172.22.179.0 0.0.0.255 any eq 161
45 deny icmp 172.22.179.0 0.0.0.255 any echo
60 deny udp 172.22.179.0 0.0.0.255 any eq snmp
80 deny ip 172.22.179.0 0.0.0.255 172.22.179.0 0.0.0.255
100 permit ip any any (28008 matches)

The Random MAC option disabled because I enabled MAC filtering to avoid any user from register more devices ,

so if any bad user get the real MAC by ARP , maybe can make troubles for other registered users.

so I'm trying to find any solution to prevent that.

Re: how to block WIFI network scan APP

Leo Laohoo — Sat, 23 Jul 2022 10:28:41 GMT

@W-ALI wrote:

The Random MAC option disabled because I enabled MAC filtering to avoid any user from register more devices

Wut? No. This is wrong.
Only the owner of the end devices have the "last say" on Random MAC addresses because the clients are owned by THEM (and not you).

@W-ALI wrote:

so if any bad user get the real MAC by ARP , maybe can make troubles for other registered users.

If I turn on Random MAC addresses on my WiFi clients, no one will know but me. No one.
Remember, Random MAC addresses is already enabled by default.

Again, the entire issue about "stop scanning my network" is not going to work. It is a hopeless exercise and benefits no one.

Re: how to block WIFI network scan APP

W-ALI — Sat, 23 Jul 2022 11:56:23 GMT

thanks @Leo Laohoo for your reply and notes

we forced the WiFi users to disable random mac option and provide me with the real MAC device to add it in white list because I enabled the MAC filtering so if enable random mac will failed login

the purpose of whitelisted MAC , to prevent users from add any other device because already he had the SSID password,

however in the past I enabled the 802.1X login by domain user & password , but I cant found any way to allow just concurrent session, the users was login from laptops and also the Mobile because I have no Captive portal to allow just concurrent login,

so for that I disabled 802.1X and allowed the MAC filtering.

I'm just looking for the best practice to secure the WIFI with the capabilities currently available.

Re: how to block WIFI network scan APP

Leo Laohoo — Sat, 23 Jul 2022 12:10:48 GMT

@W-ALI wrote:

I'm just looking for the best practice to secure the WIFI with the capabilities currently available.

802.1x

Re: how to block WIFI network scan APP

patoberli — Mon, 25 Jul 2022 11:22:19 GMT

Regarding MAC filtering. With a normal wireless sniffer, that can be installed on any laptop, for example Wireshark, you can simply capture a bit in promiscuous mode and you get all the client MAC addresses in the captured data. MAC addresses are no secret, they are more or less public.

Because of that your best option is to use 802.1x with a Radius server that can limit the simultaneous logins per username/certificate to 1.

But in the end I wouldn't do this, as more and more devices will want Wi-Fi. It's very soon that every user has a tablet, laptop, smart watch, .... which should be online.

Re: how to block WIFI network scan APP

Rich R — Mon, 25 Jul 2022 11:48:57 GMT

Agreed with @patoberli

Re: how to block WIFI network scan APP

W-ALI — Mon, 25 Jul 2022 11:57:53 GMT

Thanks a lot @patoberli for your input, really appreciated that,

yes that's true

the best solution 802.1X , i will try to apply it with certificate

thanks mate