802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. To ensure security, the wireless intrusion detection system (WIDS) is introduced. WIDS provides early detection of malicious attacks and intrusions on a wireless network without affecting network performance, and provides real-time countermeasures.

WLAN security provides these features:

· Rogue detection

· WIDS attack detection

· Blacklist and whitelist

Terminology

· Rogue AP—An unauthorized or malicious access point on the network, such as an employee setup AP, misconfigured AP, neighbor AP or an attacker operated AP. Because it is not authorized, if there is any vulnerability in the AP, the hacker will have a chance to compromise your network security.

· Rogue client—An unauthorized or malicious client on the network.

· Rogue wireless bridge—Unauthorized wireless bridge on the network.

· Monitor AP—An AP that scans or listens to 802.11 frames to detect rogue devices in the network.

· Ad hoc mode—A wireless client in ad-hoc mode can communicate directly with other stations without support from any other device.

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN network based on the pre-configured rules.

Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue clients, rogue wireless bridges, and ad-hoc terminals. An AP can work in either of the following modes for rogue detection:

· Monitor mode—An AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services. As shown in Figure 1, AP 1 works as an access AP, and AP 2 works as a monitor AP to listen to all 802.11g frames. AP 2 cannot provide wireless access services.

Figure 1 Monitor AP for rogue detection

· Hybrid mode—An AP can both scan devices in the WLAN and provide WLAN data services.

Figure 2 Hybrid AP for rogue detection

Taking countermeasures against rogue device attacks

You can enable the countermeasures on a monitor AP. The monitor AP downloads an attack list from the AC according to the countermeasure mode, and takes countermeasures against detected rogue devices. The processing methods vary with rogue devices:

· If the rogue device is a rogue client, it is logged out.

· If the rogue device is a rogue AP, legal clients will not use the rogue AP to access the WLAN.

· If the rogue device is an ad-hoc client, it is denied, and ad-hoc clients cannot communicate with each other.

Figure 3 Taking countermeasures against rogue devices

WIDS attack detection

The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks by recording information or sending logs. WIDS detection supports detection of the following attacks:

· Flood attack

· Spoofing attack

· Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices get overwhelmed, and are unable to service normal clients.

WIDS attacks detection counters flood attacks by constantly keeping track of the density of a specific kind of packets. When the traffic density of a device exceeds the limit, the device is considered flooding the network. If the dynamic blacklist feature is enabled, the device is added to the blacklist, and is forbidden to access the WLAN.

WIDS inspects the following types of frames:

· Authentication requests and de-authentication requests

· Association requests, disassociation requests and reassociation requests

· Probe requests

· 802.11 null data frames

· 802.11 action frames.

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and works normally. In this case, a spoofed de-authentication frame can cause a client to get de-authenticated from the network and can affect the normal operation of the WLAN.

At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. The system uses an IV and a key to generate a key stream, so encryptions using the same key have different results. Also, when a WEP frame is sent, the IV used in encrypting the frame is sent as part of the frame header.

However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is compromised, the attacker can access network resources.

Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.

Blacklist and whitelist

You can configure the blacklist and whitelist functions to filter frames from WLAN clients and thereby implement client access control.

WLAN client access control is accomplished through the following three types of lists.

· Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.

· Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is configured manually.

· Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is added dynamically to the list if it is considered sending attacking frames until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects any attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more information about ARP detection, see "Configuring ARP attack defense."

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows:

1. If the source MAC address does not match any entry in the whitelist, the frame is dropped. If there is a match, the frame is considered valid, and is processed further.

2. If no whitelist entries exist, the static and dynamic blacklists are searched.

3. If the source MAC address matches an entry in any of the two lists, the frame is dropped.

4. If there is no match, or no blacklist entries exist, the frame is considered valid, and is processed further.

A static blacklist or whitelist configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies to APs that receive attack frames.

Figure 4 Network diagram for WLAN client access control

· In the topology above, three APs are connected to an AC. Configure whitelist and static blacklist entries on the AC, which will send all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the whitelist, it can access any of the APs, and other clients cannot access any of the APs.

· Enable dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated in the blacklist. Client 1 cannot associate with AP 1, but can associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated in the blacklist.

Configuring rogue device detection

Recommended configuration procedure

Step	Remarks
1. Configuring AP operating mode	Required. By default, the AP operates in normal mode and only provides WLAN data services.
2. Configuring detection rule lists	Required.
3. Enabling countermeasures and configuring aging time for detected rogue devices	Optional.

Configuring AP operating mode

1. Select Security > Rogue Detection from the navigation tree.

Figure 5 AP monitor configuration

2. On the AP Monitor tab, select the AP to be configured and click the icon.

Figure 6 AP operating mode configuration

3. Configure the AP operating mode as described in Table 1.

An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in the WLAN, so WLAN service configurations are needed.

An AP operating in monitor mode cannot provide WLAN data services, so WLAN service configurations are not needed.

Table 1 Configuration items

Item	Description
Work mode	Configure the AP operating mode: · In normal mode, an AP provides WLAN data services but does not perform scanning. · In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services. · In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services. IMPORTANT: · When an AP has its operating mode changed from normal to monitor, it does not restart. · When an AP has its operating mode changed from monitor to normal, it restarts.

Item

Description

Work mode

Configure the AP operating mode:

· In normal mode, an AP provides WLAN data services but does not perform scanning.

· In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.

· In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.

IMPORTANT:

· When an AP has its operating mode changed from normal to monitor, it does not restart.

· When an AP has its operating mode changed from monitor to normal, it restarts.

4. Click Apply.

Configuring detection rules

Configuring detection rules is to configure rogue device classification rules. An AC classifies devices as rogues and friends based on the configured classification rules.

· Identify whether an AP is a rogue.

Figure 7 Identifying whether an AP is a rogue

· Identify whether a client is a rogue.

Figure 8 Identifying whether a client is a rogue

· Identify whether an ad hoc network or a wireless bridge is a rogue.

Figure 9 Identifying whether an ad hoc network or a wireless bridge is a rogue

Configuring detection rule lists

1. Select Security > Rogue Detection from the navigation tree.

2. Click the Rule List tab.

Figure 10 Configuring a rule list

3. Configure the rule list as described in Table 2.

Table 2 Configuration items

Item	Description
List Type	· MAC—Add MAC addresses to be permitted after selecting this option. · Wireless Service—Add SSIDs to be permitted after selecting this option. · Vendor—Specify vendors to be permitted after selecting this option. · Attacker—Add the MAC address of a device to configure the device as a rogue.

Item

Description

List Type

· MAC—Add MAC addresses to be permitted after selecting this option.

· Wireless Service—Add SSIDs to be permitted after selecting this option.

· Vendor—Specify vendors to be permitted after selecting this option.

· Attacker—Add the MAC address of a device to configure the device as a rogue.

4. Select MAC from the list and click Add.

Figure 11 Configuring a MAC address list

5. Configure the MAC address list as described in Table 3.

Table 3 Configuration items

Item	Description
MAC	Enter the permitted MAC address in the box.
Select the existent devices	If you select this option, the MAC address table displays MAC addresses of the current devices. Select the MAC addresses to be permitted.

6. Click Apply.

The operation to add other types of lists is similar to the add operation of a MAC address list, so the description is omitted.

Enabling countermeasures and configuring aging time for detected rogue devices

1. Select Security > Rogue Detection from the navigation tree.

2. On the AP Monitor tab, click Common Set.

Figure 12 Common configuration

3. Perform common configuration as described in Table 4.

Table 4 Configuration items

Item	Description
Countermeasures Setting	Configure the AP to take countermeasures against rogue devices while providing wireless services. · Interval—The interval at which the AP takes countermeasures. · Max Device Number—The maximum number of rogue devices that the AP can take countermeasures against.
Reverse Mode	· Unlaw Set—Allows you to take countermeasures against rogue devices (including illegal APs and illegal clients). · Unlaw Adhoc Device—Allows you to take countermeasures against ad hoc devices. · Static Unlaw Device—Allows you to take countermeasures against rogue devices configured in the detection rule list.
Device Aging-Duration	Configure the aging time of entries in the device list. Once a rogue device is detected, an entry for it is added to the monitor record and the aging time starts. The aging time restarts if the device is detected again during the time. When the aging time is reached, the entry is deleted from the monitor record and added to the history record.

4. Click Apply.

Displaying monitor record

1. Select Security > Rogue Detection from the navigation tree.

2. Click the Monitor Record tab to enter the monitor record page.

Figure 13 Monitor record

Table 5 Field description

Type	Description
Type	· r—Rogue device. · p—Permitted device. · a—Ad hoc device. · w—AP. · b—Wireless bridge. · c—Client. For example, pw represents a permitted AP while rb represents a rogue wireless bridge. The device considers all ad hoc devices and wireless bridges as rogue devices.

Type

Description

Type

· r—Rogue device.

· p—Permitted device.

· a—Ad hoc device.

· w—AP.

· b—Wireless bridge.

· c—Client.

For example, pw represents a permitted AP while rb represents a rogue wireless bridge.

The device considers all ad hoc devices and wireless bridges as rogue devices.

Displaying history record

1. Select Security > Rogue Detection from the navigation tree.

2. Click the History Record tab.

Figure 14 History record page

Configuring WIDS

1. Select Security > WIDS from the navigation tree.

Figure 15 Configuring WIDS

2. On the WIDS Setup tab, configure WIDS as described in Table 6.

Table 6 Configuration items

Item	Description
Flood Attack Detect	If you select the option, flood attack detection is enabled. It is disabled by default.
Spoofing Attack Detect	If you select the option, spoofing attack detection is enabled. It is disabled by default.
Weak IV Attack Detect	If you select the option, Weak IV attack detection is enabled. It is disabled by default.

3. Click Apply.

Displaying history record

1. Select Security > WIDS from the navigation tree.

2. Click the History Record tab.

Figure 16 Displaying history information

Displaying statistics information

1. Select Security > WIDS from the navigation tree.

2. Click the Statistics tab.

Figure 17 Displaying statistics

Configuring the blacklist and whitelist functions

A static blacklist or whitelist configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies to APs that receive attack frames. For more information, see "Blacklist and whitelist."

Configuring dynamic blacklist

1. Select Security > Filter from the navigation tree.

Figure 18 Configuring a dynamic blacklist

2. On the Blacklist tab, configure the dynamic blacklist as described in Table 7.

Table 7 Configuration items

Item	Description
Dynamic Blacklist	· Enable—Enable dynamic blacklist. · Disable—Disable dynamic blacklist.
Lifetime	Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.

Item

Description

Dynamic Blacklist

· Enable—Enable dynamic blacklist.

· Disable—Disable dynamic blacklist.

Lifetime

Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.

3. Click Apply.

NOTE:

These attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood, and Null data-Flood.

Configuring static blacklist

1. Select Security > Filter from the navigation tree.

2. On the Blacklist tab, click Static .

Figure 19 Configuring a static blacklist

3. Click Add Static.

Figure 20 Adding static blacklist

4. Add a static blacklist as described in Table 8.

Table 8 Configuration items

Item	Description
MAC Address	Select MAC Address, and then add a MAC address to the static blacklist.
Select from Connected Clients	If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.

5. Click Apply.

Configuring whitelist

1. Select Security > Filter from the navigation tree.

2. Click the Whitelist tab.

Figure 21 Configuring a whitelist

3. Click Add.

Figure 22 Adding a whitelist

4. Add a whitelist as described in Table 9.

Table 9 Configuration items

Item	Description
MAC Address	Select MAC Address, and then add a MAC address to the whitelist.
Select from Connected Clients	If you select the option, the table below this option lists the current existing clients. Select the options of the clients to add their MAC addresses to the whitelist.

5. Click Apply.

Rogue detection configuration example

Network requirements

As shown in Figure 23, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are connected to an AC through a Layer 2 switch.

· AP 1 operates in normal mode and provides WLAN data services only.

· AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.

· Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3 (MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.

· Client 4 (MAC address 000f-e220-405e) is connected to AP 2. It is configured as a rogue device.

Figure 23 Network diagram

Configuration guidelines

· The radio must be disabled so that the AP operation mode can be changed.

· If you configure more than one detection rule, you need to specify the rogue device types (AP, client, bridge, and ad hoc) and the rule matching order. For more information, see "Configuring detection rules."

· The wireless service configuration is needed for an AP operating in hybrid mode, and not needed for an AP in monitor mode.

Configuration procedure

1. Configure AP 1 to operate in normal mode:

In normal mode, AP 1 provides WLAN data services only. For information about how to configure WLAN services, see "Configuring access services."

2. Configure AP 2 to operate in monitor mode:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual, and enter the serial ID of AP 2.

d. Click Apply.

Figure 24 AP configuration

e. Select Security > Rogue Detection from the navigation tree.

f. On the AP Monitor tab, click the icon for the target AP.

g. Select the operating mode Monitor.

h. Click Apply.

Figure 25 AP operating mode configuration

3. Enable the 802.11n(2.4GHz) radio mode:

a. Select Radio > Radio from the navigation tree.

b. Select the AP with the radio mode 802.11n(2.4GHz).

c. Click Enable.

Figure 26 Radio configuration

4. Configure rogue detection rules:

a. Select Security > Rogue Detection from the navigation tree.

b. Click the Rule List tab and click Add.

c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in the MAC Address field, and then click Apply.

Figure 27 Adding MAC addresses to the rogue detection rule list

d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click Apply.

Figure 28 Adding MAC addresses to the attacker list

5. Enable countermeasures against the static rogue device:

a. Select Security > Rogue Detection from the navigation tree.

b. Click the AP Monitor tab, and click Common Set.

c. Select Static Rogue Device. This is because the MAC address of Client 4 is added manually to the attacker list.

d. Click Apply.

Figure 29 Common configuration

Configuring authorized IP

The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only clients that pass the ACL filtering can access the device.

Before configuring authorized IP, you must create and configure the ACL. For ACL configuration, see "Configuring QoS."

1. Select Security > Authorized IP from the navigation tree.

2. Click the Setup tab.

Figure 30 Configuring authorized IP

3. Configure authorized IP as described in Table 10.

Table 10 Configuration items

Item		Description
Telnet	IPv4 ACL	Select the IPv4 ACL to be associated with the Telnet service. Available IPv4 ACLs are what you configure on the page you enter by selecting QoS > ACL IPv4.
Telnet	IPv6 ACL	Select the IPv6 ACL to be associated with the Telnet service. Available IPv6 ACLs are what you configure on the page you enter by selecting QoS > ACL IPv6.
Web (HTTP)	IPv4 ACL	Select the IPv4 ACL to be associated with the HTTP service. Available IPv4 ACLs are what you configure on the page you enter by selecting QoS > ACL IPv4.

4. Click Apply.

Configuring user isolation

User isolation overview

Without user isolation, all the devices in the same VLAN can access each other directly. This causes security problems. User isolation can solve this problem.

· When an AC configured with user isolation receives unicast packets, broadcast packets or multicast packets from a wireless client to another wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

· When an AC configured with user isolation receives unicast packets (broadcast and multicast packets in a VLAN are not isolated) from a wireless client to a wired client or from a wired client to another wired client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

· When an AC configured with user isolation receives unicast packets from a wired client to a wireless client, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses. Whether to isolate broadcast or multicast packets varies with the configuration of command user-isolation permit broadcast (see "Configuring stateful failover").

To avoid user isolation from affecting communications between users and the gateway, you can add the MAC address of the gateway to the list of permitted MAC addresses.

User isolation both provides network services for users and isolates users, disabling them from communication at Layer-2 and thus ensuring service security.

Before user isolation is enabled

As shown in Figure 31, before user isolation is enabled in VLAN 2 on the AC, wireless terminals the client and the server and wired terminal the host in the VLAN can communicate with each other and access the Internet.

Figure 31 User communication

After user isolation is enabled

As shown in Figure 31, user isolation is enabled on the AC. The client, the server, and Host A in VLAN 2 access the Internet through the gateway.

· If you add the MAC address of the gateway to the permitted MAC address list, the client, the server, and the host in the same VLAN are isolated, but they can access the Internet.

· If you add the MAC address of a user (the client, for example) to the permitted MAC address list, the client and the server, and the client and the host can access each other directly, but the host and the server cannot.

To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC address of the gateway and the MAC addresses of the users to the permitted MAC address list. For more information about configuring the permitted MAC address list, see "Configuring user isolation".

Configuring user isolation

1. Select Security > User Isolation from the navigation tree.

2. Click Add .

The page for configuring user isolation appears.

Figure 32 Configuring user isolation

3. Configure user isolation as described in Table 11.

Table 11 Configuration items

Item	Description
VLAN ID	Specify the VLAN in which user isolation is enabled.
AccessMAC	Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled." · Enter a MAC address in the field next to the Add button. · Click Add to add the MAC address to the permitted MAC list. · To delete a MAC address from the list, select an entry and click Delete. IMPORTANT: · Broadcast or multicast MAC addresses cannot be specified as permitted MAC addresses. · Up to 16 permitted MAC addresses can be configured for one VLAN.

Item

Description

VLAN ID

Specify the VLAN in which user isolation is enabled.

AccessMAC

Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled."

· Enter a MAC address in the field next to the Add button.

· Click Add to add the MAC address to the permitted MAC list.

· To delete a MAC address from the list, select an entry and click Delete.

IMPORTANT:

· Broadcast or multicast MAC addresses cannot be specified as permitted MAC addresses.

· Up to 16 permitted MAC addresses can be configured for one VLAN.

4. Click Apply.

To avoid network disruption caused by user isolation, add the MAC address of the gateway to the permitted MAC address list, and then enable user isolation.

If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs in the super VLAN, and you must configure user isolation on the sub-VLANs if needed.

Displaying user isolation information

Select Security > User Isolation from the navigation tree to enter the page displaying user isolation configuration summary.

Figure 33 Displaying user isolation summary

User isolation configuration example

Network requirements

As shown in Figure 34, isolate Client A, Client B, and Host A in VLAN 2 from one another while allowing them to access the Internet. The MAC address of the gateway is 000f-e212-7788.

Figure 34 Network diagram

Configuration procedure

1. Configure wireless service:

For information about how to configure wireless service, see "Configuring access services."

2. Configure user isolation:

a. Select Security > User Isolation from the navigation tree.

b. Click Add.

c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the permitted MAC address list, and click Apply.

Figure 35 Configuring user isolation

Configuring session management

Support for session management depends on the device model. For more information about whether the wireless controller supports session management function, see "About the H3C Access Controllers Web-Based Configuration Guide."

This function is used to verify packets through transport layer protocols. The session management feature tracks the status of connections by inspecting the transport layer protocol (TCP or UDP) information, and performs unified status maintenance and management for all connections.

Basic session management settings include:

· Configuring whether to enable unidirectional traffic detection.

· Configuring a persistent session rule which is available only for TCP sessions in ESTABLISHED state.

· Setting aging times for the sessions in different protocol states, which are effective only for the sessions that are being established.

· Setting aging times for the sessions of different application layer protocols, which are effective only for the sessions in READY or ESTABLISHED state.

NOTE:

If too many sessions, for example, more than 800 thousands sessions, exist, do not set small values for the aging times of the sessions in different protocol states and of different application layer protocols. Otherwise, the responses of the console will be very slow.

To configure the basic session management settings:

1. Select Security > Session table from the navigation tree, and click the Configuration tab.

The basic configuration page appears.

Figure 36 Session configuration

2. Configure basic settings as described in Table 12.

Table 12 Configuration items

Item		Description
Enable unidirectional traffic detection		Enable or disable unidirectional traffic detection. · When unidirectional traffic detection is enabled, the session management feature processes both the unidirectional and bidirectional traffic. · When unidirectional traffic detection is disabled, the session management feature processes only the bidirectional traffic.
ACL		Configure the persistent session rule according to the ID of an ACL. Only one ACL can be referenced as the persistent session rule, and the last referenced ACL takes effect. If no ACL is specified, persistent sessions are not allowed.
Session Aging Time		Set the aging time of persistent sessions. The value of 0 means that the persistent sessions will not be aged.
TCP Protocol	· SYN_SENT State and SYN_RCV State Aging Time · FIN_WAIT State Aging Time · ESTABLISHED State Aging Time	· Specify the SYN_SENT state and SYN_RCV state aging time for TCP. · Specify the FIN_WAIT state aging time for TCP. · Specify the ESTABLISHED state aging time for TCP.
UDP Protocol	· OPEN State Aging Time · READY State Aging Time	· Specify the OPEN state aging time for UDP. · Specify the READY state aging time for UDP.
ICMP Protocol	· OPEN State Aging Time · CLOSED State Aging Time	· Specify the OPEN state aging time for ICMP. · Specify the CLOSED state aging time for ICMP.
Aging Accelerate Queue	Accelerate Queue Aging Time	Specify the accelerate queue aging time.
RAWIP Protocol	· OPEN State Aging Time · READY State Aging Time	· Specify the OPEN state aging time for RAW IP. · Specify the READY state aging time for RAW IP.
DNS Session Aging Time		Specify the DNS session aging time.
FTP Session Aging Time		Specify the FTP session aging time.
MSN Session Aging Time		Specify the MSN session aging time.
QQ Session Aging Time		Specify the QQ session aging time.
SIP Session Aging Time		Specify the SIP session aging time.

Displaying session table information

1. Select Security > Session Table from the navigation tree, and click the Session Summary tab.

The session table appears.

Figure 37 Session table

Table 13 Field description

Field	Description
Init Src IP	Source IP address and port number of packets from the session initiator.
Init Dest IP	Destination IP address and port number of packets from the session initiator.
Init VPN VPN/VLAN/INLINE	VPN to which the packets (from the initiator to responder) belong and the VLAN and INLINE to which the packets belong during Layer 2 forwarding.
Resp Src IP	Source IP address and port number of packets from the session responder.
Resp Dest IP	Destination IP address and port number of packets from the session responder.
Resp VPN VPN/VLAN/INLINE	VPN instance to which the packets (from the responder to initiator) belong and the VLAN and INLINE to which the packets belong during Layer 2 forwarding.
Protocol	Transport layer protocol type or number.
Session Status	Session status, including Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, and RAWIP-READY.
Lifetime	Remaining lifetime of the session.

2. Click the icon for the target session to display detailed information about the session.

Figure 38 Detailed information about a session

Table 14 Field description

Field	Description
Protocol	Transport layer protocol, which can be TCP, UDP, ICMP, or RAWIP.
State	Session status: · Accelerate. · SYN. · TCP-EST. · FIN. · UDP-OPEN. · UDP-READY. · ICMP-OPEN. · ICMP-CLOSED. · RAWIP-OPEN. · RAWIP-READY.
TTL	Remaining lifetime of the session.
Initiator: VD / ZONE / VPN / IP / PORT	Initiator's virtual device/security zone/VPN instance/IP address/port number.
Responder: VD / ZONE / VPN / IP / PORT	Responder's virtual device/security zone/VPN instance/IP address/port number.
---------->	Session direction—From the initiator to responder.
<---------	Session direction—From the responder to initiator.
Packets	Number of packets in the direction.
Bytes	Number of bytes in the direction.

H3C Access Controllers Web-Based Configuration Guide(E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W103

Configuring WLAN security

Taking countermeasures against rogue device attacks

WIDS attack detection

Flood attack detection

Spoofing attack detection

Weak IV detection

Blacklist and whitelist

Configuring rogue device detection

Configuring AP operating mode

Enabling countermeasures and configuring aging time for detected rogue devices

Displaying history record

Configuring whitelist

Network requirements

Configuration guidelines

Configuration procedure

Configuring user isolation

Displaying user isolation information

User isolation configuration example

Network requirements

Configuration procedure

Displaying session table information

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us