Is mu to mu a security risk?

  • Question
  • Updated 1 year ago
  • Answered
I work on a campus, with 500+ students.

Actually we don't have any kind of auth to the Wi-Fi; everyone can access it.

But there are too many complaints about WhatsApp calling not working.

And we checked that this problem happens when we disable MU to MU communication.

When MU to MU communication is activated, does it allow someone to sniff packets? Can I leave this MU to MU communication activated without any security problem?

gbs


Posted 1 year ago


Jeremy, Embassador

MU to MU communications is talking about client to client communications while on the same WLAN on the same controller. We disable MU to MU communication and I have an additional ACL on the WLAN controller that stops clients from talking to one another and only allows them to talk to their default gateway. Disabling these communications cuts down on network traffic and also enhances security.

Christopher Frazee, Employee

It looks like 'whatsapp' is similar to SKYPE and/or other 3rd party messaging software. The MU to MU disallow feature allows the wireless controller and/or AP to block communications exchanged between clients associated to a WLAN. Once enabled on a WLAN, the wireless controller/AP will block at layer 2 any communication attempts made between all MU MAC addresses associated to the WLAN. This feature also can affect communications between wireless clients and wireless printers associated to the same WLAN.

The primary application for disabling MU to MU communications is Hotspot guest. As the user devices on a Hotspot are typically un-managed, disabling MU to MU communications protects MUs from other MUs, which may be infected with worms and viruses. Additionally, disabling MU to MU communications also protects devices from malicious attacks from other MUs as well as prevents undesired peer-to-peer file sharing or on-line gaming from dominating bandwidth.
 
The MU to MU disallow feature will only block communications exchanged between MUs on the same WLAN and will not block MU to MU communications between MUs associated on different WLANs and subnets. To block communications between MUs associated on different WLANs or subnets, the integrated stateful firewall must be used.

When WLAN is open (no encryption and/or authentication), with or without mu to mu communications enabled/disabled, your WLAN is at risk of viruses or malicious attacks.

Timo

 When WLAN is open (no encryption and/or authentication), with or without mu to mu communications enabled/disabled, your WLAN is at risk of viruses or malicious attacks.

If you use an open network, everyone can connect and sniff data (without connecting to the network!). By disabling MU to MU traffic you can stop attacks like MitM. But honeypots, for example, are possible.
If you use WPA1/2 with PSK, it's the same for all people who know the PSK.

To secure your users you need to use authentication. I recommend using TLS; it's the most secure connection, but you need a PKI and certificates for every client. Additionally, you can use PEAP MSCHAPv2, but it needs 1-2 settings to really secure it (verify the AAA server). This can be a problem in a BYOD world.

Without authentication you can't call your network secure. Disabling MU to MU communication just stops communication between mobile units connected to the same wireless SSID.

gbs

If I use WPA2/AES with a password that every student knows, can this protect them against sniffing? Or at least be a little more secure?

Christopher Frazee, Employee

Absolutely and definitely will be more secure, but the students with the passphrase could definitely sniff/packet capture, due to having the passphrase.

gbs

So it will be more secure in which way?

Timo

WPA2 is more secure than an open network. But each student who knows the PSK can encrypt traffic from all others. Additionally, they can create "honeypots" and do "man in the middle" stuff.
A secure solution is WPA2 (AES only) with authentication. TLS perfect, PEAP-MSCHAPv2 works with properly configured devices (must check and verify the AAA server).
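
Added example, not part of the thread and not vendor code: a Python check that reads client-side wpa_supplicant profiles and flags 802.1X networks missing the server-verification settings mentioned above for PEAP-MSCHAPv2 ("verify the AAA server"). Using wpa_supplicant as the client is an assumption, and the sample configuration (SSIDs, certificate path, RADIUS host name) is constructed.

```python
import re

# Constructed sample wpa_supplicant.conf: SSIDs, path and host name are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.campus.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-psk"
    key_mgmt=WPA-PSK
    psk="shared-with-every-student"
}
'''
# wpa_supplicant options that pin the name in the AAA server certificate.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(conf):
    """Map each SSID to a list of findings (empty list = nothing flagged)."""
    report = {}
    for net in parse_networks(conf):
        findings = []
        if "WPA-EAP" in net.get("key_mgmt", ""):
            if "ca_cert" not in net and "ca_path" not in net:
                findings.append("no CA configured: AAA server certificate is not validated")
            if not any(k in net for k in NAME_CHECKS):
                findings.append("no server name match: any certificate from that CA is accepted")
        elif "PSK" in net.get("key_mgmt", "WPA-PSK"):
            findings.append("shared PSK: everyone who knows the passphrase holds the same secret")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns two findings for the unverified PEAP profile, none for the hardened one, and one for the shared-PSK profile.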