WIPS Technology White Paper-6W100

  • Released At: 08-11-2023

Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.


Overview

Technical background

Unlike a wired LAN, a WLAN transmits its traffic over the air, which makes it more vulnerable to network attacks such as Denial of Service (DoS) attacks and Man In the Middle (MITM) attacks.

WLAN security has improved continuously. Encryption has developed from WEP to the 802.11i protocol, which uses 802.1X authentication and CCMP encryption to protect wireless data. However, malicious attacks still threaten WLAN security.

Benefits

The Wireless Intrusion Prevention System (WIPS) protects a WLAN from various network attacks.

WIPS provides the following features:

·     Packet statistics collection and device learning.

·     Device classification.

·     Countermeasures against rogue devices.

·     Flood attack detection.

·     Malformed packet detection.

·     Spoofing attack detection.

·     WLAN monitoring.

WIPS implementation

Concepts

Virtual security domain

You can divide a WLAN into multiple domains called virtual security domains (VSDs). WIPS applies different security detection and protection policies for each VSD. Each VSD has its own sensors, and the security protection settings for different VSDs are independent from each other. As shown in Figure 1, you can assign different departments of an enterprise to different VSDs.

Figure 1 VSDs for an enterprise


Sensor

Sensors are APs with WIPS enabled. You can configure a radio on an AP to operate as a sensor. The sensor then scans all 802.11 channels in turn to collect wireless information for further analysis.

Packet statistics collection and device learning

Sensors monitor the wireless packets in the WLAN and send the collected information to the AC. Then, WIPS can identify whether a detected device is an AP or client and learn the association relationships between APs and clients based on the received information.

Table 1 WLAN packet statistics collection and device learning

| Item | Description |
|---|---|
| AP or client list | Contains information about all detected wireless devices. |
| Sensor list | Contains information about all sensors. |
| Wireless packet statistics collection | Collects statistics about the various types of wireless packets detected by sensors, including broadcast/multicast/unicast packets, management/control/data packets, and beacon/probe request/authentication/association packets. |


Wireless device classification

Wireless device categories

Table 2 Wireless device categories

| Device | Category | Description |
|---|---|---|
| AP | Authorized AP | An AP that is permitted in the WLAN. |
| | Rogue AP | An AP that might bring threats to the WLAN and cannot be used in the WLAN. |
| | Misconfigured AP | An AP that can be used in the WLAN but has incorrect configuration. |
| | External AP | An AP in an adjacent WLAN. It does not bring any security issues to your network but might cause channel interference. |
| | Uncategorized AP | An AP whose category cannot be determined. |
| | Ad hoc | An AP operating in Ad hoc mode. |
| | Mesh AP | An AP in a wireless mesh network. |
| Client | Authorized client | A client that is permitted in the WLAN. |
| | Unauthorized client | A client that cannot be used in the WLAN. |
| | Misassociated client | A client that is associated with an unauthorized AP. |
| | Uncategorized client | A client whose category cannot be determined. |


Classification procedures

WIPS classifies detected APs by following the procedures shown in Figure 2.

Figure 2 AP classification flow


As shown in Figure 2, WIPS enables you to customize AP classification rules to classify APs as required. AP classification rules can greatly improve the AP classification accuracy. Table 3 shows the AP classification rules supported by WIPS.

Table 3 AP classification rules

| Match rule | Description |
|---|---|
| SSID | Matches the SSIDs of APs. |
| Authentication method | Matches authentication methods, for example, PSK or 802.1X. |
| Security method | Matches security methods. |
| OUI | Matches the OUI or vendor information. |
| RSSI | Matches the signal strength. You can specify a value or value range for the rule. |
| Uptime | Matches the running time of APs. |
| Number of associated clients | Matches the number of associated clients. |
| Number of detected APs | Matches the number of APs detected by a sensor. The rule takes effect after the number of detected APs exceeds the threshold. |


WIPS classifies detected clients by following the procedures shown in Figure 3.

Figure 3 Client classification flow


WIPS does not support custom classification rules for clients.

Attack detection

Flood attack detection

An AP might be under a flood attack if it receives a large number of frames of the same type within a short period of time. To prevent the AP from being overwhelmed, WIPS periodically examines the incoming packet statistics and triggers an alarm when it detects a suspected flood attack.

The following flood attacks can be detected:

·     Authentication request flood attack—Floods the association table of an AP by imitating many clients sending authentication requests to the AP.

·     Probe request/association request/reassociation request flood attack—Floods the association table of an AP by imitating many clients sending probe requests/association requests/reassociation requests to the AP.

·     EAPOL-start flood attack—Exhausts the AP's resources by imitating many clients sending EAPOL-start frames defined in IEEE 802.1X to the AP.

·     Broadcast/unicast deauthentication flood attack—Spoofs deauthentication frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.

·     Broadcast/unicast disassociation flood attack—Spoofs disassociation frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.

·     RTS/CTS flood attack—Floods RTS/CTS frames to reserve the RF medium and force other wireless devices sharing the RF medium to hold back their transmissions. This attack takes advantage of weaknesses in the virtual carrier sense (NAV) mechanism.

·     Block Ack flood attack—Floods Block Ack frames to the AP to interrupt the operation of the Block Ack mechanism.

·     Null data flood attack—Spoofs null data frames with a power management bit of 1 from a client to the AP. The AP determines that the client is in power save mode and buffers frames for the client. When the aging time of the buffered frames expires, the AP discards the frames. This interrupts the client's communication with the AP.

·     Beacon flood attack—Floods beacon frames imitating a large number of fake APs to interrupt client association.

·     EAPOL-logoff flood attack—The IEEE 802.1X standard defines the authentication protocol using Extensible Authentication Protocol over LANs (EAPOL). A client needs to send an EAPOL-logoff frame to terminate the session with an AP. The EAPOL-logoff frames are not authenticated, and an attacker can spoof EAPOL-logoff frames to disassociate a client.

·     EAP-success/failure flood attack—In a WLAN using 802.1X authentication, an AP sends an EAP-success or EAP-failure frame to a client to inform the client of authentication success or failure. An attacker can spoof the MAC address of an AP to send EAP-success or EAP-failure frames to a client to disrupt the authentication process.
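The sliding-window check behind this kind of flood detection, written here as an added example (not H3C's code): same-type frames aimed at one BSSID are counted over a short window and an alarm is raised once per burst that exceeds the per-subtype limit. The thresholds, subtype names and the sample capture are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed per-window frame limits for the example; real sensor
# thresholds are tuned per deployment.
DEFAULT_THRESHOLDS = {"auth_req": 50, "probe_req": 200, "deauth": 20}


class FloodDetector:
    """Counts same-type frames aimed at each AP (BSSID) in a sliding window
    and raises one alarm per burst that exceeds the subtype's limit."""

    def __init__(self, window_s=1.0, thresholds=None):
        self.window_s = window_s
        self.thresholds = thresholds or DEFAULT_THRESHOLDS
        self.history = defaultdict(deque)   # (bssid, subtype) -> (ts, src)
        self.in_flood = set()               # keys currently above their limit
        self.alarms = []

    def observe(self, ts, subtype, bssid, src):
        key = (bssid, subtype)
        q = self.history[key]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window_s:   # drop frames outside the window
            q.popleft()
        limit = self.thresholds.get(subtype)
        if limit is None:
            return None
        if len(q) <= limit:
            self.in_flood.discard(key)              # burst is over; re-arm the alarm
            return None
        if key in self.in_flood:
            return None                             # already alarmed for this burst
        self.in_flood.add(key)
        alarm = {"subtype": subtype, "bssid": bssid, "at": ts,
                 "frames": len(q),
                 "distinct_senders": len({s for _, s in q})}
        self.alarms.append(alarm)
        return alarm


def build_sample_frames():
    """Constructed capture: 5 real clients authenticating slowly, then a
    burst of 80 authentication requests from 80 spoofed client addresses."""
    ap = "00:11:22:33:44:55"
    frames = [(2.0 * i, "auth_req", ap, f"02:00:00:00:00:{i:02x}")
              for i in range(5)]
    frames += [(20.0 + i * 0.01, "auth_req", ap, f"06:00:00:00:00:{i:02x}")
               for i in range(80)]
    return frames


def run_detector(frames, window_s=1.0):
    det = FloodDetector(window_s)
    for ts, subtype, bssid, src in sorted(frames):
        det.observe(ts, subtype, bssid, src)
    return det.alarms


if __name__ == "__main__":
    for alarm in run_detector(build_sample_frames()):
        print(alarm)
```

The distinct-sender count is what separates a flood from many clients reconnecting after a real outage: a burst from a handful of addresses deserves a different response than one spoofed address per frame.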

Malformed packet detection

WIPS determines that a frame is malformed if the frame matches the criteria shown in Table 4, and it then triggers alarms and logs.

Table 4 Malformed frame match criteria

| Detection type | Applicable frames | Match criteria |
|---|---|---|
| Invalid IE length detection | All management frames | The IE length does not conform to the 802.11 protocol: the remaining length is not zero after the IEs are parsed. |
| Duplicate IE detection | All management frames | The frame carries a duplicate IE. This detection does not apply to vendor-defined IEs. |
| Redundant IE detection | All management frames | The IE is neither required by the frame type nor a reserved IE. |
| Invalid packet length detection | All management frames | The remaining length is not zero after the packet payload is parsed. |
| Abnormal IBSS and ESS setting detection | Beacon frames; probe response frames | Both the IBSS and ESS capability bits are set to 1. |
| Malformed authentication request frame detection | Authentication request frames | The authentication algorithm number does not conform to the 802.11 protocol (it is larger than 3); the authentication transaction sequence number is 1 and the status code is not 0; the authentication transaction sequence number is larger than 4. |
| Malformed association request frame detection | Association request frames | The frame length is 0. |
| Malformed HT IE detection | Beacon frames; probe responses; association responses; reassociation requests | The SM power save value in the HT capabilities IE is 2; the secondary channel offset value in the HT operation IE is 2. |
| Oversized duration detection | Unicast management frames; unicast data frames; RTS, CTS, and ACK frames | The duration value of the packet is larger than the specified threshold. |
| Malformed probe response frame detection | Probe response frames | The frame is not a mesh frame and its SSID length is 0. |
| Invalid deauthentication code detection | Deauthentication frames | The reason code is 0 or is in the range of 67 to 65535. |
| Invalid disassociation code detection | Disassociation frames | The reason code is 0 or is in the range of 67 to 65535. |
| Oversized SSID detection | Beacon frames; probe requests; probe responses; association request frames | The SSID length is larger than 32. |
| FATA-Jack detection | Authentication frames | The authentication algorithm number is 2. |
| Invalid source address detection | All management frames | The To DS bit is 1, indicating that a client sent the frame to the AP; the source MAC address of the frame is a multicast or broadcast address. |
| Oversized EAPOL key detection | EAPOL-Key frames | The To DS bit is 1 and the key length is larger than 0. |

 
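Several of the Table 4 criteria are checks on the tagged-parameter (IE) region and fixed fields of a management frame. The following added example (not H3C's code) implements four of them over a beacon body: invalid IE length, duplicate IE with vendor-specific IEs exempt, oversized SSID, and the abnormal ESS/IBSS capability setting, plus the deauthentication/disassociation reason-code check. The two beacon bodies are constructed for the example; the field layout follows 802.11.

```python
import struct

SSID_IE, VENDOR_SPECIFIC_IE, MAX_SSID_LEN = 0, 221, 32


def parse_ies(tagged):
    """Walk the tagged-parameter region as (id, length, value) triplets.
    Returns the parsed IEs and the number of bytes that could not be
    consumed (non-zero means the last IE's length runs past the frame)."""
    ies, pos = [], 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        if pos + 2 + length > len(tagged):
            break
        ies.append((eid, tagged[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return ies, len(tagged) - pos


def check_management_ies(tagged):
    """Invalid IE length, duplicate IE (vendor IEs exempt) and oversized SSID."""
    findings = []
    ies, leftover = parse_ies(tagged)
    if leftover:
        findings.append("invalid IE length")
    seen = set()
    for eid, value in ies:
        if eid == SSID_IE and len(value) > MAX_SSID_LEN:
            findings.append("oversized SSID")
        if eid != VENDOR_SPECIFIC_IE:
            if eid in seen:
                findings.append(f"duplicate IE {eid}")
            seen.add(eid)
    return findings


def check_beacon_body(body):
    """Beacon/probe-response body: timestamp(8) | interval(2) | capability(2) | IEs.
    Capability bit 0 is ESS and bit 1 is IBSS; both set is abnormal."""
    if len(body) < 12:
        return ["truncated fixed fields"]
    capability = struct.unpack_from("<H", body, 10)[0]
    findings = ["ESS and IBSS both set"] if capability & 0x3 == 0x3 else []
    return findings + check_management_ies(body[12:])


def invalid_reason_code(code):
    """Deauthentication/disassociation reason code 0 or 67..65535 is invalid."""
    return code == 0 or 67 <= code <= 65535


def ie(eid, value):
    return bytes([eid, len(value)]) + value


FIXED = bytes(8) + struct.pack("<H", 100)   # zero TSF timestamp + interval 100 TU
# Constructed frames: a well-formed beacon and one that trips four criteria.
GOOD_BEACON = FIXED + struct.pack("<H", 0x0001) + ie(0, b"CorpWiFi") + ie(1, b"\x82\x84")
BAD_BEACON = (FIXED + struct.pack("<H", 0x0003) + ie(0, b"A" * 33)
              + ie(1, b"\x82\x84") + ie(1, b"\x0c") + b"\x05\x09")  # IE 5 claims 9 bytes, none follow
```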

Spoofing attack detection

In a spoofing attack, the attacker sends frames on behalf of another device to threaten the network.

The following spoofing attacks can be detected:

·     Frame spoofing—A fake AP spoofs an authorized AP to send beacon or probe response frames to induce clients to associate with it.

·     AP MAC address spoofing—A client spoofs an authorized AP to send deauthentication or disassociation frames to other clients. This can cause the clients to go offline and affect the correct operation of the WLAN.

·     Client MAC address spoofing—A fake AP spoofs an authorized client to associate with an authorized AP.

Frame spoofing attack detection

WIPS calculates the startup time of an AP by using the frame receiving time and timestamp. If the calculated startup time of the AP is not the same as the startup time recorded in WIPS, WIPS determines that this is a spoofing attack.
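The startup-time comparison above, as an added example (not H3C's code): the beacon's TSF timestamp counts microseconds since the AP's radio started, so the receive time minus the timestamp gives a startup time that stays stable for the genuine AP and differs sharply for a fake AP that copies the BSSID but runs its own TSF. The tolerance value and the beacon observations are constructed for the example.

```python
# Assumed tolerance (constructed): the TSF drifts a few microseconds per
# second, so a genuine AP's computed startup time stays within a second.
STARTUP_TOLERANCE_S = 1.0


class StartupTimeTracker:
    """Derives an AP's startup time from each beacon's TSF timestamp and the
    sensor receive time, and flags beacons whose derived startup time
    disagrees with the value first recorded for that BSSID."""

    def __init__(self, tolerance_s=STARTUP_TOLERANCE_S):
        self.tolerance_s = tolerance_s
        self.recorded = {}   # bssid -> startup time (seconds, sensor clock)

    def observe_beacon(self, bssid, rx_time_s, tsf_us):
        startup = rx_time_s - tsf_us / 1_000_000   # TSF counts microseconds since AP start
        known = self.recorded.get(bssid)
        if known is None:
            self.recorded[bssid] = startup          # first sighting becomes the reference
            return False
        return abs(startup - known) > self.tolerance_s


# Constructed beacon observations: (bssid, receive time in s, TSF timestamp in us).
# The genuine AP started about 100 s before the first beacon; the third
# beacon carries the same BSSID but a TSF from a radio that started 5 s ago.
BEACONS = [
    ("00:11:22:33:44:55", 1100.000000, 100_000_000),
    ("00:11:22:33:44:55", 1100.102400, 100_102_450),  # 50 us of drift: still genuine
    ("00:11:22:33:44:55", 1100.204800, 5_000_000),    # spoofed beacon
    ("00:11:22:33:44:55", 1100.307200, 100_307_300),  # genuine AP again
]


def detect_spoofed_beacons(beacons):
    """Return the indexes of beacons whose startup time does not match."""
    tracker = StartupTimeTracker()
    return [i for i, (bssid, rx, tsf) in enumerate(beacons)
            if tracker.observe_beacon(bssid, rx, tsf)]


if __name__ == "__main__":
    print(detect_spoofed_beacons(BEACONS))   # [2]
```

A genuine reboot of the AP also changes its startup time, so in practice the recorded value is refreshed when the new value persists across many beacons rather than for a single outlier.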

AP MAC address spoofing attack detection

WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the AP MAC address table, WIPS determines that this is a spoofing attack.

Client MAC address spoofing attack detection

WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the client MAC address table, WIPS determines that this is a spoofing attack.

Weak IV detection

When the RC4 encryption algorithm used by the WEP security protocol is driven with an insecure IV, the WEP key is more likely to be cracked. An IV is a weak IV if its first byte is smaller than 16 (decimal) and its second byte is 0xFF. WIPS detects this kind of attack by examining the IV of each WEP packet.

Omerta attack detection

Omerta is a DoS attack tool based on the 802.11 protocol. It sends disassociation frames with the reason code 0x01 to disassociate clients. Reason code 0x01 indicates an unknown disassociation reason. WIPS detects Omerta attacks by detecting the reason code of each disassociation frame.

Broadcast disassociation/deauthentication attack detection

An attacker spoofs a legitimate AP to send a broadcast disassociation or deauthentication frame to log off all clients associated with the AP.

Detection on clients with the 40 MHz bandwidth mode disabled

802.11n devices support both the 20 MHz and 40 MHz bandwidth modes. If the 40 MHz bandwidth mode is disabled on a client, other clients associated with the same AP as the client must also use the 20 MHz bandwidth. This affects network throughput and efficiency.

WIPS detects such clients by detecting probe request frames sent by the clients.

Power save attack detection

An attacker spoofs the MAC address of a client to send power save on frames to an AP. The AP caches the frames for the client. The attacked client cannot receive data frames because the AP determines that the client is still in power save mode. When the aging time of the cached frames expires, the AP discards the frames. WIPS detects power save attacks by determining the ratio of power save on frames to power save off frames.

Prohibited channel detection

After you configure a permitted channel list and enable prohibited channel detection, WIPS determines that channels that are not in the permitted channel list are prohibited channels.

Soft AP detection

A soft AP refers to a client that acts as an AP and provides wireless services. An attacker can access the internal network through a soft AP and then initiate further attacks. WIPS detects soft APs by detecting the interval at which a device switches its roles between client and AP. WIPS does not perform soft AP detection on unassociated clients.

Windows bridge detection

When a wireless client connected to a wired network establishes a Windows bridge through the wired NIC, the client can bridge an external AP with the internal network. This might bring security problems to the internal network. WIPS detects Windows bridges by analyzing data frames sent by associated clients.

Unencrypted device detection

An authorized AP or client that is transmitting unencrypted frames might bring security problems to the network. WIPS detects unencrypted devices by analyzing the frames sent by authorized APs or clients.

Hotspot attack detection

An attacker sets up a rogue AP with the same SSID as a hotspot to lure the clients to associate with it. After the clients associate with the malicious AP, the attacker initiates further attacks to obtain client information.

You can configure a hotspot file to enable WIPS to detect hotspot attacks.

AP impersonation attack detection

In an AP impersonation attack, a malicious AP that has the same BSSID and ESSID as a legitimate AP lures the clients to associate with it. Then this impersonating AP initiates hotspot attacks or fools the detection system.

WIPS detects AP impersonation attacks by detecting the interval at which an AP sends beacon frames.

HT-greenfield AP detection

An AP operating in HT-greenfield mode might cause collisions, errors, and retransmissions because it cannot communicate with 802.11a/b/g devices. WIPS detects HT-greenfield APs by analyzing the beacon frames or probe response frames sent by APs.

Honeypot AP detection

In a honeypot AP attack, the attacker sets up a malicious AP to lure clients to associate with it. The SSID of the malicious AP is similar to the SSID of a legitimate AP. After a client associates with a honeypot AP, the honeypot AP initiates further attacks such as port scanning or fake authentication to obtain client information.

WIPS detects honeypot APs by detecting SSIDs of external APs. If the similarity between the SSID of an external AP and the SSID of a legitimate AP reaches the specified threshold, WIPS generates an alarm.
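The SSID-similarity comparison above, as an added example (not H3C's code), using Python's standard difflib ratio as the similarity measure. The white paper leaves the measure and threshold to configuration, so the threshold, the legitimate SSIDs and the external AP list are constructed for the example; the case-insensitive comparison and the exact-match exclusion are choices made here.

```python
from difflib import SequenceMatcher

# Constructed threshold for the example; the white paper leaves the
# similarity threshold to configuration.
SIMILARITY_THRESHOLD = 0.75


def ssid_similarity(a, b):
    """0.0..1.0 similarity of two SSIDs, ignoring case (look-alike names
    such as 'CorpWifi' vs 'CorpWiFi' score 1.0)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def find_honeypot_candidates(legit_ssids, external_aps, threshold=SIMILARITY_THRESHOLD):
    """Return (bssid, ssid, matched legitimate SSID, score) for every external
    AP whose SSID resembles, but is not identical to, a legitimate SSID."""
    alarms = []
    for bssid, ssid in external_aps:
        if ssid in legit_ssids:
            continue   # an exact copy is an impersonation/hotspot case, not a look-alike
        for legit in legit_ssids:
            score = ssid_similarity(ssid, legit)
            if score >= threshold:
                alarms.append((bssid, ssid, legit, round(score, 2)))
                break
    return alarms


LEGIT_SSIDS = ["CorpWiFi", "Corp-Guest"]
# Constructed list of external APs seen by the sensors.
EXTERNAL_APS = [
    ("c0:ff:ee:00:00:01", "Corp-WiFi"),       # hyphen inserted
    ("c0:ff:ee:00:00:02", "CorpWifi"),        # case changed
    ("c0:ff:ee:00:00:03", "CorpWiFi_Free"),   # suffix appended
    ("c0:ff:ee:00:00:04", "Starbucks"),       # unrelated neighbour
]


if __name__ == "__main__":
    for hit in find_honeypot_candidates(LEGIT_SSIDS, EXTERNAL_APS):
        print(hit)
```

The appended-suffix case scores 0.76 and the hyphen case 0.94, which shows why the threshold is a tuning decision: raising it to 0.8 would drop the "CorpWiFi_Free" alarm.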

Figure 4 Honeypot AP


MITM attack detection

In an MITM attack, the attacker sets up a rogue AP and lures a client to associate with it. Then the rogue AP spoofs the MAC address of the client to associate with the authorized AP. When the client and the authorized AP communicate, the rogue AP captures packets from both the client and the authorized AP. The rogue AP might modify the frames and obtain the frame information. WIPS detects MITM attacks by detecting clients that are disassociated from an authorized AP and associated with a honeypot AP. WIPS can detect MITM attacks only when you enable both honeypot AP detection and MITM attack detection.

Figure 5 MITM attack


Wireless bridge detection

An attacker might intrude on the internal networks through a wireless bridge. When detecting a wireless bridge, WIPS generates an alarm. If the wireless bridge is in a mesh network, WIPS records the mesh link.

Association/reassociation DoS attack detection

An association/reassociation DoS attack floods the association table of an AP by imitating many clients sending association requests to the AP. When the number of entries in the table reaches the upper limit, the AP cannot process requests from legitimate clients.

AP flood attack detection

WIPS detects the number of APs in the WLAN and triggers an alarm for an AP flood attack when the number of APs exceeds the specified threshold.

Device entry attack detection

Attackers can send invalid packets to WIPS to increase processing costs. WIPS periodically examines the learned device entries to determine whether to rate limit device entry learning. If the number of AP or client entries learned within the specified interval exceeds the threshold, WIPS triggers an alarm and stops learning new entries.

Attack countermeasures

WIPS supports both manual and automatic countermeasures against rogue APs and clients. If an AP or client is classified as a rogue AP or rogue client, WIPS takes one of the following countermeasures:

·     Adds the rogue AP or client to the prohibited device list to disable the device from accessing the WLAN.

·     Sends disassociation packets to the rogue device to disconnect it from the WLAN.

Application scenarios

As an overlay (Independent operation)

WIPS can be deployed in a wireless network that contains no H3C devices, in a wired network to prevent employees from accessing a WLAN without permission, or in a wireless network to enhance the security of that network.

A WIPS network is independent of the network to be protected.

Integrated (Operating in an existing WLAN)

WIPS can be deployed in an existing WLAN that contains H3C devices. You can add sensors to the WLAN or configure APs in the WLAN as sensors. As a best practice to ensure the effectiveness of WIPS, make sure the number of sensors is a minimum of one third of the number of APs in the WLAN.

Figure 6 shows a typical WIPS networking scheme.

Figure 6 WIPS deployment

