Configuring IDS Parameters on APs

Classic Central supports the IDS Intrusion Detection System. IDS monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network. feature that monitors the network for the presence of unauthorized APs and clients. It also logs information about the unauthorized APs and clients, and generates reports based on the logged information.

Rogue APs

The IDS feature in the Classic Central network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. A rogue AP is an unauthorized AP plugged into the wired side of the network. An interfering AP is an AP seen in the RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment, but it is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.

The built-in IDS scans for APs that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.

Configuring Wireless Intrusion Detection and Protection Policies

To configure a Wireless Intrusion Detection and Protection policy:

1. In the WebUI, set the filter to a group that contains at least one AP.
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points is displayed.
4. Click Show Advanced.
5. Click Security. The Security details page is displayed.
6. Click the Wireless IDS/IPS accordion.

   The following three sections are displayed:

   • Detection
   • Protection

   You can configure the following options in the above mentioned sections:

   • Infrastructure Detection Policies—Specifies the policy for detecting wireless attacks on APs.
   • Client Detection Policies—Specifies the policy for detecting wireless attacks on clients.
   • Infrastructure Protection Policies—Specifies the policy for protecting APs from wireless attacks.
   • Client Protection Policies—Specifies the policy for protecting clients from wireless attacks.
   • Containment Methods—Prevents unauthorized stations from connecting to your Classic Central network.

   Each of these options contains several default levels that enable different sets of policies. An administrator can customize enable or disable these options accordingly.

Detection

The detection levels can be configured using the Detection section. The following levels of detection can be configured in the WIP Wireless Intrusion Protection. The WIP module provides wired and wireless AP detection, classification, and containment. It detects Denial of Service (DoS) and impersonation attacks, and prevents client and network intrusions. Detection page:

• High
• Medium
• Low
• Off
• Custom

  The following table describes the detection policies enabled in the Infrastructure Detection field.

  Table 1: Infrastructure Detection Policies

  Detection level	Detection policy
  High	Detect Windows Bridge—Enables detection of Windows station bridging. Signature Deassociation Broadcast—Configures signature matching for the deassociation broadcast frame type. Signature Deauthentication Broadcast—Configures signature matching for the deauthentication broadcast frame type. Detect AP Spoofing—Enables AP Spoofing detection. Detect Chan based mitm—Enables or disables channel-based man-in-the-middle attack detection. Detect adhoc using VALID SSID—Enables detection of adhoc networks. Detect malformed large duration—Enables detection of unusually large durations in frames. Detect Overflow EAPOL key—Enables detection of overflow EAPOL key requests. Detect Invalid Address Combination—Enables detection of invalid address combinations. Detect AP Impersonation—Enables detection of AP impersonation. In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack. Detect AP Flood—Enables detection of flooding with fake AP beacons to confuse the legitimate users and to increase the amount of processing needed on client operating systems. Detect Beacon Wrong Channel—Enables detection of beacons advertising the incorrect channel. Detect ht Greenfield—Enables detection of high throughput devices advertising greenfield preamble capability. Detect Overflow IE—Enables detection of overflow Information Elements (IE). Detect RTS Rate Anomaly—Enables detection of rate anomalies. Detect Malformed HT IE—Enables detection of malformed HT High Throughput. IEEE 802.11n is an HT WLAN standard that aims to achieve physical data rates of close to 600 Mbps on the 2.4 GHz and 5 GHz bands. Information Elements (IE). Detect CTS Rate Anomaly—Enables detection of CTS Clear to Send. The CTS refers to the data transmission and protection mechanism used by the 802.11 wireless networking protocol to prevent frame collision occurrences. See RTS. rate anomaly. Detect Malformed Frame Auth—Enables detection of malformed authentication frames. Detect invalid MAC OUI—Enables checking of the first three bytes of a MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address, known as the organizationally unique identifier (OUI Organizationally Unique Identifier. Synonymous with company ID or vendor ID, an OUI is a 24-bit, globally unique assigned number, referenced by various standards. The first half of a MAC address is OUI.), assigned by the IEEE Institute of Electrical and Electronics Engineers. to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI check triggers an alarm to be triggered if an unrecognized MAC address is in use. Detect Malformed Association Request—Enables detection of malformed association requests. Detect Wireless Bridge—Enables detection of wireless bridging. Detect Bad WEP—Enables detection of WEP Wired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. initialization vectors that are known to be weak and/or repeating. A primary means of cracking WEP keys is to capture 802.11 802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. frames over an extended period of time and search for implementations that are still used by many legacy devices. Detect HT 40 MHz intolerance—Enables detection of 802.11n 802.11n is a wireless networking standard to improve network throughput over the two previous standards, 802.11a and 802.11g. With 802.11n, there will be a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. 40 MHz Megahertz intolerance setting when the stations and APs advertise 40 MHz intolerance. Detect Valid SSID Misuse—Enables detection of interfering or neighbor APs using valid or protected SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network.. Detect Adhoc Network—Enables detection of adhoc networks. Detect Client Flood—Enables detection of client flood attack.
  Medium	Detect Windows Bridge—Enables detection of Windows station bridging. Signature Deassociation Broadcast—Configures signature matching for the deassociation broadcast frame type. Signature Deauthentication Broadcast—Configures signature matching for the deauthentication broadcast frame type. Detect AP Spoofing—Enables AP Spoofing detection. Detect Chan based mitm—Enables or disables channel-based man-in-the-middle attack detection. Detect adhoc using VALID SSID—Enables detection of adhoc networks. Detect malformed large duration—Enables detection of unusually large durations in frames.
  Low	Detect Windows Bridge—Enables detection of Windows station bridging. Signature Deassociation Broadcast—Configures signature matching for the deassociation broadcast frame type. Signature Deauthentication Broadcast—Configures signature matching for the deauthentication broadcast frame type. Detect AP Spoofing—Enables AP Spoofing detection. Detect Chan based mitm—Enables or disables channel-based man-in-the-middle attack detection.
  Off	All detection policies are disabled.
  Custom	Allows you to select custom detection policies. To select, click the check box of respective detection policy.

  The following table describes the detection policies enabled in the Client Detection field.

  Table 2: Client Detection Policies

  Detection level	Detection policy
  High	Detect Valid Client Misassociation—Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types: Misassociation to rogue AP Misassociation to external AP Misassociation to honeypot AP Misassociation to adhoc AP Misassociation to Hosted AP Detect Hotspotter Attack—Enables detection of hotspot Hotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet. attacks. Detect Power Save DOS Attack—Enables detection of Power Save DoS Denial of Service. DoS is any type of attack where the attackers send excessive messages to flood traffic and thereby preventing the legitimate users from accessing the service. attack. Detect Omerta Attack—Enables detection of Omerta attack. Detect Disconnect Station—Enables a station disconnection attack. In a station disconnection, attacker spoofs the MAC address of either an active client or an active AP. The attacker then sends deauthenticate frames to the target device, causing it to lose its active association. Detect unencrypted Valid —Enables detection of unencrypted valid clients. Detect Block ACK Attack—Enables detection of attempts to reset traffic receive windows using the forged Block ACK Add messages. Detect FATA-Jack—Enables detection of fatjack attacks. Detect Rate Anomalies—Enables detection of rate anomalies. Detect ChopChop Attack—Enables detection of ChopChop attack. Detect EAP Rate Anomaly—Enables Extensible Authentication Protocol (EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. ) handshake analysis to detect an abnormal number of authentication procedures on a channel and generate an alarm when this condition is detected. Detect TKIP Replay Attack—Enables detection of TKIP Temporal Key Integrity Protocol. A part of the WPA encryption standard for wireless networks. TKIP is the next-generation Wired Equivalent Privacy (WEP) that provides per-packet key mixing to address the flaws encountered in the WEP standard. replay attack. Signature-Air Jack—Enables signature matching for the Air Jack frame type. Signature-ASLEAP—Enables signature matching for the ASLEAP frame type. Detect WPA ft Attack—Enables or disables detection of WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. FT attacks.
  Medium	Detect Valid Client Misassociation—Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types: Misassociation to rogue AP Misassociation to external AP Misassociation to honeypot AP Misassociation to adhoc AP Misassociation to Hosted AP Detect Hotspotter Attack—Enables detection of hotspot attacks. Detect Power Save DOS Attack—Enables detection of Power Save DoS attack. Detect Omerta Attack—Enables detection of Omerta attack. Detect Disconnect Station—Enables a station disconnection attack. In a station disconnection, attacker spoofs the MAC address of either an active client or an active AP. The attacker then sends deauthenticate frames to the target device, causing it to lose its active association. Detect unencrypted Valid —Enables detection of unencrypted valid clients. Detect Block ACK Attack—Enables detection of attempts to reset traffic receive windows using the forged Block ACK Add messages. Detect FATA-Jack—Enables detection of fatjack attacks.
  Low	Detect Valid Client Misassociation—Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types: Misassociation to rogue AP Misassociation to external AP Misassociation to honeypot AP Misassociation to adhoc AP Misassociation to Hosted AP
  Off	All detection policies are disabled.
  Custom	Allows you to select custom detection policies. To select, click the check box of respective detection policy.

Protection

The following levels of protection can be configured in the WIP Protection page:

• Off
• Low
• High
• Custom

The following table describes the protection policies that are enabled in the Infrastructure Protection field.

Table 3: Infrastructure Protection Policies

Protection level	Protection policy
High	Protect SSID—Enforces policy where the valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it. Rogue Containment—Controls Rogue APs. When rogue APs are detected, they are not automatically disabled. This option automatically disables a rogue AP by preventing clients from associating to it. Protect AP Impersonation—Enables protection from AP impersonation attacks. When AP impersonation is detected, both the legitimate and impersonating AP are disabled using a Denial of Service (DoS). Protect from Adhoc Networks—Enables protection from adhoc networks. When adhoc networks are detected, they are disabled using a denial of service attack.
Low	Protect SSID—Enforces policy where the valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it. Rogue Containment—Controls Rogue APs. When rogue APs are detected, they are not automatically disabled. This option automatically disables a rogue AP by preventing clients from associating to it.
Off	All protection policies are disabled
Custom	Allows you to select custom protection policies. To select, click the check box of respective protection policy.

The following table describes the protection policies that are enabled in the Client Protection field.

Table 4: Client Protection Policies

Protection level	Protection policy
High	Protect Valid Station—Enables protection of valid stations. When enabled valid stations are not allowed to connect to an invalid AP. Protect Windows Bridge—Enables protection of a Windows station bridging.
Low	Protect Valid Station—Enables protection of valid stations. When enabled valid stations are not allowed to connect to an invalid AP.
Off	All protection policies are disabled
Custom	Allows you to select custom protection policies. To select, click the check box of respective protection policy.

Containment Methods

You can enable wired and wireless containment measures to prevent unauthorized stations from connecting to your Classic Central network.

Classic Central supports the following types of containment mechanisms:

• Wired containment — When enabled, APs generate ARP Address Resolution Protocol. ARP is used for mapping IP network address to the hardware MAC address of a device. packets on the wired network to contain wireless attacks.
• Wireless containment — When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified AP.
  • None — Disables all the containment mechanisms.
  • Deauthenticate only — With deauthentication containment, the AP or client is contained by disrupting the client association on the wireless interface.
  • Tarpit invalid stations — Enables wireless containment by tarpit of non-valid clients.
  • Tarpit all stations—Enables wireless containment by tarpit for all stations.

The FCC Federal Communications Commission. FCC is a regulatory body that defines standards for the interstate and international communications by radio, television, wire, satellite, and cable. and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. HPE Aruba Networking is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

Protection Against Wired Attacks

In the Protection Against Wired Attacks section, enable the following options:

• Drop Bad ARP—Drops the fake ARP packets.
• Fix Malformed DHCP—Fixes the malformed DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  packets.
• ARP Poison Check—Triggers an alert on ARP poisoning caused by the rogue APs.