Radio Frequency-Based Precision Blocking Technology for Wireless Security

Source: Internet
Author: User

For intrusion prevention devices, effective communication blocking is indispensable as a way to suppress attacks. In a wired network, most gateway devices connected in series with the network (inline) block traffic by discarding datagrams.

Specific implementations can be divided into MAC address-based blocking, IP address-based blocking, port-based blocking, connection/application-based blocking, or a combination of these blocking methods.

Because these implementation methods differ, their blocking effects differ as well. Generally speaking, the first two, MAC-based and IP-based blocking, usually block all of a user's network traffic. The latter two block only a specific connection of a user; this is more accurate and can meet the customer's intentions more flexibly.
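The difference in granularity can be seen by running the four kinds of rule over the same traffic. This is an added example, not code from the original page or from any product it describes; the `Packet` and `BlockRule` types, the addresses and the sample traffic are constructed for illustration, and the connection-based rule is approximated by a full tuple match rather than stateful connection tracking.

```python
from dataclasses import dataclass, fields
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # hypothetical, simplified view of a datagram
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

@dataclass(frozen=True)
class BlockRule:
    """None is a wildcard. Setting more fields narrows what is dropped."""
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every non-wildcard field must equal the packet's field.
        return all(getattr(self, f.name) in (None, getattr(pkt, f.name))
                   for f in fields(self))

def dropped(rules, traffic):
    """Return the packets an inline gateway would discard under `rules`."""
    return [p for p in traffic if any(r.matches(p) for r in rules)]

# Constructed traffic: user A has three flows, user B has one.
A = dict(src_mac="02:00:00:00:00:0a", src_ip="10.0.0.5")
B = dict(src_mac="02:00:00:00:00:0b", src_ip="10.0.0.6")
TRAFFIC = [
    Packet(**A, dst_ip="192.0.2.10", dst_port=80, proto="tcp"),
    Packet(**A, dst_ip="192.0.2.10", dst_port=22, proto="tcp"),
    Packet(**A, dst_ip="192.0.2.53", dst_port=53, proto="udp"),
    Packet(**B, dst_ip="192.0.2.10", dst_port=22, proto="tcp"),
]

MAC_RULE = BlockRule(src_mac=A["src_mac"])             # all of A's traffic
IP_RULE = BlockRule(src_ip=A["src_ip"])                # all of A's traffic
PORT_RULE = BlockRule(dst_port=22, proto="tcp")        # port 22 for every user
CONN_RULE = BlockRule(src_ip=A["src_ip"], dst_ip="192.0.2.10",
                      dst_port=22, proto="tcp")        # only A's port-22 flow

if __name__ == "__main__":
    for name in ("MAC_RULE", "IP_RULE", "PORT_RULE", "CONN_RULE"):
        print(name, len(dropped([globals()[name]], TRAFFIC)))
```

The port-only rule also catches user B, which is why port rules are normally combined with an address to express a per-user intent.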

In addition, some wired network devices deployed in bypass mode adopt other blocking methods, such as sending TCP Reset packets to end TCP connections, sending ARP spoofing packets to redirect data packets to an unreachable destination, or using other application-layer control packets to tear down connections.

In summary, in wired networks serial blocking is more effective and reliable than bypass blocking, which requires more complex processes such as learning, forgery, and management to ensure the blocking effect. On the other hand, bypass blocking has little impact on the existing network and does not require modifying the network topology during deployment. Because a bypass device is usually not a hub for business forwarding and is not involved in carrying services, the possibility of a single point of failure is greatly reduced, which often makes it more favored by network administrators.

These blocking methods can be extended to wireless networks. Because current WLANs usually have a point-to-multipoint architecture, it is difficult to simply insert an additional device into the wireless link, so serial blocking can only be considered on the wired network side. This raises another problem: if a device is blocked only on the wired side, the blocked wireless device is still connected to the wireless network, and the network resources in front of the blocking point can theoretically all still be accessed, which poses a major security risk. For these reasons, the Qiming Xingxing wireless security engine uses a self-developed radio frequency-based wireless blocking technology to meet users' needs for precise identification and reliable blocking.

Figure: Blocking wireless devices from the wired side

Figure: Using RF to block wireless devices

There are two methods of RF blocking. One is RF interference, which disrupts reception by wireless devices by transmitting interference signals in the frequency band for a long time and at high power. The principle is like blaring a loudspeaker at a crowd, so that even people facing each other cannot hear each other's words. Because the interference works at the physical layer, this implementation method is simple and reliable.

However, signal interference also has a relatively large disadvantage: the interference effect is positively correlated with the field strength of the signal sent by the jamming device. The greater the field strength of the interference signal, the better the interference effect; otherwise, the desired result is not achieved.

The field strength of the signal sent by the jamming device must be much greater than that of the target equipment to achieve a good blocking effect, but it must not violate national electromagnetic radiation regulations. Generally, the emission power of the jamming device is less than or equal to 1 W, and the coverage ranges from dozens of square meters to hundreds of square meters.

The other, more advanced blocking method uses the mechanisms of the wireless link layer or higher-layer protocols. Its advantage is a more intelligent approach that achieves precise blocking at a lower cost and a lower transmit power.

Because it works on a different principle from a jammer, the precise blocking device can use a lower transmit power to suppress the transmissions of wireless devices and achieve the same effect as a jammer, accomplishing a great deal with little force. For example, to block a wireless device in an area of the same size, the transmit power of the device is only half that of the jamming device or lower, and in some cases it is only of the transmitter power.

Moreover, even at such a low transmit power, the precise blocking device is not always transmitting. When no object that needs to be blocked is present in the area where the device is working, the device only listens and sends no RF signal. When an object to be blocked appears, the blocking device starts targeted blocking in a timely manner. Because the transmissions of the blocked object are then suppressed, the signal field strength in the entire work area does not increase significantly, and the overall field strength may even be lower than when the wireless device is working at full capacity.

In addition, the precise blocking device can allow certain wireless devices in the work area to be used while blocking others. This policy can be freely defined by users, which is beyond the reach of traditional RF jammers.

Currently, the more common wireless blocking methods on wireless networks include de-authentication flood, associate flood, authentication flood, association flood, early EAP flood, EAPOL start flood, EAPOL exit flood, CTS flood, NAV attack, FakeAP, AirJack, FataJack, and so on. These methods each have their own advantages and disadvantages, and their performance varies with different wireless devices, so they need to be used and managed flexibly.

During the authentication/de-authentication blocking process, the blocking device sends packets such as authentication, association, de-authentication, and de-association to interfere with the control process between the wireless terminal and the AP. As a result, the wireless terminal cannot connect successfully, and the connection is blocked.

Figure: Authentication/association blocking process
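On the monitoring side, this kind of blocking shows up as a burst of de-authentication and de-association (disassociation) management frames aimed at one terminal. The sketch below is an added example, not code from the original page or from the engine it describes; the window and threshold values, the addresses and the sample capture are constructed assumptions, and the transmitter address is only what the frame claims.

```python
from collections import defaultdict, deque

DISASSOC, DEAUTH = 0x0A, 0x0C          # 802.11 management frame subtypes

def parse_mgmt(frame: bytes):
    """Return (subtype, receiver, transmitter) of a management frame, else None."""
    if len(frame) < 24:                 # shorter than the management MAC header
        return None
    fc = frame[0]
    if fc & 0x03 or (fc >> 2) & 0x03:   # need protocol version 0 and type 0 (mgmt)
        return None
    return fc >> 4, frame[4:10].hex(":"), frame[10:16].hex(":")

def find_floods(records, window=1.0, threshold=10):
    """records: (timestamp_s, raw_frame) pairs in time order.
    Returns the (transmitter, receiver) pairs that sent `threshold` or more
    de-authentication/disassociation frames within `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, raw in records:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, receiver, transmitter = parsed
        times = recent[(transmitter, receiver)]
        times.append(ts)
        while ts - times[0] > window:   # forget frames that left the window
            times.popleft()
        if len(times) >= threshold:
            flagged.add((transmitter, receiver))
    return flagged

def sample_frame(subtype, receiver, transmitter):
    """Constructed 26-byte test frame for the detector; it is never transmitted."""
    addr = lambda m: bytes.fromhex(m.replace(":", ""))
    header = bytes([subtype << 4, 0, 0, 0]) + addr(receiver) + addr(transmitter) * 2
    return header + bytes(2) + b"\x07\x00"   # sequence control + reason code

AP, STA1, STA2 = "02:00:00:00:00:01", "02:00:00:00:00:11", "02:00:00:00:00:12"
# Constructed capture: one ordinary deauth to STA2, a beacon, then a burst at STA1.
CAPTURE = [(0.00, sample_frame(DEAUTH, STA2, AP)),
           (0.10, sample_frame(0x08, "ff:ff:ff:ff:ff:ff", AP))]
CAPTURE += [(1.0 + i * 0.02, sample_frame(DEAUTH if i % 2 else DISASSOC, STA1, AP))
            for i in range(20)]

if __name__ == "__main__":
    print(find_floods(CAPTURE))
```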

During the AirJack blocking process, the blocking device affects the AP's time slot allocation so that some terminals can never obtain an available time slot to communicate with the AP and are thus blocked. Although the wireless terminal has established a connection with the AP, it cannot communicate.

Figure: AirJack blocking process

During the FakeAP blocking process, the blocking device assumes the role of a counterfeit AP and actively leads the target wireless terminal to it, while also playing the role of a wireless honeypot. The blocked wireless terminal connects to the counterfeit AP presented by the blocking device and begins to send data. The blocking device does not forward the data but discards it, and in this way the blocking effect is achieved.

Figure: FakeAP blocking process

Based on the above methods, the Starling wireless security engine has gradually built a blocking knowledge base from its long-term practice and accumulation. It adopts a flexible blocking management policy to quickly find the more effective blocking method for each kind of wireless device, and dynamically adjusts the method through discovery, learning, feedback, and other processes to achieve a reliable blocking effect.

Figure: Blocking knowledge base and management
