02-WLAN Configuration Guide

06-WLAN IDS Configuration

Configuring WLAN IDS

Overview

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security. A wireless intrusion detection system (WIDS) provides early detection of malicious attacks and intrusions on a wireless network, and a wireless intrusion prevention system (WIPS) helps protect enterprise networks and users from unauthorized wireless access. Rogue detection is part of the WIDS/WIPS solution: it detects the presence of rogue devices in a WLAN and takes countermeasures to prevent them from operating.

Terminology

·     WIDS—WLAN IDS is designed to be deployed in an area that an existing wireless network covers. It aids in the detection of malicious outsider attacks and intrusions via the wireless network.

·     Rogue AP—An unauthorized or malicious access point on the network, such as an AP set up by an employee, an unconfigured AP, a neighbor's AP, or an attacker-operated AP. Because it is not authorized, any vulnerability on the AP gives an attacker a chance to compromise your network security.

·     Rogue client—An unauthorized or malicious client on the network.

·     Rogue wireless bridge—An unauthorized wireless bridge on the network.

·     Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.

·     Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can communicate directly with other stations without support from any other device.

·     Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the air in that channel.

·     Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a broadcast probe request and receives all probe response messages on that channel. Each AP in the vicinity of the monitor AP replies to the probe request. This helps identify all authorized and unauthorized APs by processing probe response frames. The monitor AP masquerades as a client when sending the probe request.

Rogue detection

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN network based on the preconfigured rules.

Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue clients, rogue wireless bridges, and ad-hoc terminals.

Taking countermeasures against rogue device attacks

You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list from the AC and takes countermeasures against the rogue devices based on the configured countermeasures mode.

For example, if the countermeasures mode is config, the monitor AP only takes countermeasures against rogue devices in the static attack list. It sends fake de-authentication frames by using the MAC addresses of the rogue devices to remove them from the network.

Attack detection

The attack detection function detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks through recording information or sending logs. WIDS detection supports detection of the following attacks:

·     Flood attack

·     Spoofing attack

·     Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices are overwhelmed. Consequently, they are unable to service normal clients.

WIDS attack detection counters flood attacks by constantly tracking the density of each kind of frame. When the density exceeds the configured limit, the sending device is considered to be flooding the network. If the dynamic blacklist feature is enabled, the device is added to the dynamic blacklist and is forbidden to access the WLAN for a period of time.

WIDS inspects the following types of frames:

·     Authentication requests and de-authentication requests

·     Association requests, disassociation requests and re-association requests

·     Probe requests

·     802.11 null data frames

·     802.11 action frames

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and operates properly. In this case, a spoofed de-authentication frame can cause a client to get de-authenticated from the network and can affect the normal operation of the WLAN.

Spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

WEP uses an IV to encrypt each frame. The IV and the key together generate the key stream, so that frames encrypted with the same key produce different ciphertexts. When a WEP frame is sent, the IV used to encrypt it is also sent as part of the frame header.

However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is compromised, the attacker can access network resources.

Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.
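The check described above, as an added example that is not H3C code: it parses the 802.11 header of a WEP-protected data frame, extracts the 24-bit IV that precedes the ciphertext, and logs a transmitter that reuses an IV (the fixed-IV case the text describes). The frames, the AP address and the detector class are constructed for the example.

```python
"""Weak IV check for WEP frames: parse the 802.11 header of a protected data
frame, pull the 24-bit IV that precedes the ciphertext, and log transmitters
that reuse an IV (the fixed-IV case the guide describes). Added example, not
H3C code; the frames, addresses and detector class are constructed here."""
from collections import defaultdict

HDR_LEN = 24          # 3-address 802.11 data header, no QoS field (assumed)
FC_PROTECTED = 0x40   # Protected Frame bit in the second Frame Control byte


def build_wep_frame(src, dst, iv, body=b"\x00" * 8):
    """Constructed sample: data frame (type 2, subtype 0), protected bit set,
    then the 3-byte IV, a key-ID byte and a dummy ciphertext body."""
    fc = bytes([0x08, FC_PROTECTED])
    hdr = fc + b"\x00\x00" + dst + src + dst + b"\x00\x00"   # Addr1, Addr2, Addr3, seq
    return hdr + iv + b"\x00" + body


def parse_wep_iv(frame):
    """Return (transmitter MAC, IV bytes) for a protected data frame, else None."""
    if len(frame) < HDR_LEN + 4:          # header + IV + key ID at minimum
        return None
    frame_type = (frame[0] >> 2) & 0x3     # bits 2-3 of Frame Control byte 0
    if frame_type != 2 or not frame[1] & FC_PROTECTED:
        return None
    transmitter = frame[10:16]             # Addr2 is the transmitting station
    return transmitter, frame[HDR_LEN:HDR_LEN + 3]


class WeakIvDetector:
    """Tracks IVs per transmitter; an IV seen twice from one station is logged."""

    def __init__(self):
        self.seen = defaultdict(set)   # transmitter -> set of IVs used so far
        self.events = []               # logged (transmitter hex, IV hex) reuse events

    def inspect(self, frame):
        parsed = parse_wep_iv(frame)
        if parsed is None:             # not WEP-protected data, or truncated
            return False
        transmitter, iv = parsed
        if iv in self.seen[transmitter]:
            self.events.append((transmitter.hex(), iv.hex()))
            return True
        self.seen[transmitter].add(iv)
        return False


def demo():
    """Constructed traffic: one station sends two fresh IVs, then repeats one."""
    det = WeakIvDetector()
    sta, ap = bytes.fromhex("000fe2151515"), bytes.fromhex("000fe2000001")
    flags = [
        det.inspect(build_wep_frame(sta, ap, b"\x01\x02\x03")),        # first use
        det.inspect(build_wep_frame(sta, ap, b"\x01\x02\x04")),        # fresh IV
        det.inspect(build_wep_frame(sta, ap, b"\x01\x02\x03")),        # reuse, logged
        det.inspect(build_wep_frame(sta, ap, b"\x01\x02\x03")[:20]),   # truncated, ignored
    ]
    return flags, det.events
```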

Blacklist and whitelist

You can configure the blacklist and whitelist functions to filter frames from WLAN clients and implement client access control.

WLAN client access control is accomplished through the following types of lists.

·     Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.

·     Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.

·     Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is added to the list dynamically when it is considered to be sending attack frames, and its entry stays in the list until the entry timer expires. The dynamic blacklist can also collaborate with ARP detection: when ARP detection detects an attack, the MAC address of the attacker is added to the dynamic blacklist. For more information about ARP detection, see Security Configuration Guide.

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame by following these rules:

1.     If whitelist entries exist and the source MAC address does not match any of them, the frame is dropped. If there is a match, the frame is considered valid and is processed further.

2.     If no whitelist entries exist, the static and dynamic blacklists are searched.

3.     If the source MAC address matches an entry in any of the two lists, the frame is dropped.

4.     If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.

The static blacklist and whitelist configured on the AC apply to all APs connected to the AC. A dynamic blacklist entry applies only to the AP that received the attack frames.

Figure 1 Frame filtering

 

·     In the topology, three APs are connected to an AC. Configure whitelist and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the whitelist, it can access any of the APs, and other clients cannot access any of the APs.

·     Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, the AC adds Client 1 to the dynamic blacklist, but Client 1 can associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated in the blacklist.
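The filtering rules and the three-AP topology above, together with the flood detector from "Flood attack detection" that feeds the dynamic blacklist, as an added example that is not H3C code. The sliding window, the flood threshold and the sample traffic are constructed; the 300-second entry lifetime is the default given later in this guide.

```python
"""Frame filtering (rules 1-4 above) backed by a whitelist, a static blacklist
and an AP-scoped dynamic blacklist, plus the flood detector that feeds the
dynamic blacklist. Added example, not H3C code; the window, threshold and
sample traffic are constructed, the 300-second lifetime is the guide's default."""
from collections import defaultdict, deque

FLOOD_WINDOW = 1.0      # seconds over which frame density is measured (assumed)
FLOOD_THRESHOLD = 5     # more than this many frames of one kind per window (assumed)
DYNAMIC_LIFETIME = 300  # seconds a dynamic blacklist entry lives (guide default)


class FrameFilter:
    def __init__(self, dynamic_blacklist_enabled=True):
        self.whitelist = set()            # configured on the AC, applies to every AP
        self.static_blacklist = set()     # configured on the AC, applies to every AP
        self.dynamic_enabled = dynamic_blacklist_enabled
        self.dynamic_blacklist = {}       # (ap, mac) -> expiry time; per receiving AP
        self._recent = defaultdict(deque)  # (ap, mac, frame_kind) -> recent timestamps

    def observe(self, ap, src, frame_kind, now):
        """Flood detection: count frames of one kind from one source at one AP
        inside the sliding window; on overflow, blacklist the source on that AP."""
        times = self._recent[(ap, src, frame_kind)]
        times.append(now)
        while times and times[0] <= now - FLOOD_WINDOW:
            times.popleft()
        if len(times) > FLOOD_THRESHOLD and self.dynamic_enabled:
            self.dynamic_blacklist[(ap, src)] = now + DYNAMIC_LIFETIME
            return True
        return False

    def accept(self, ap, src, now):
        """Apply the four filtering rules to a frame from src received by ap."""
        for key, expiry in list(self.dynamic_blacklist.items()):
            if expiry <= now:             # entry lifetime elapsed
                del self.dynamic_blacklist[key]
        if self.whitelist:                # rule 1: the whitelist decides alone
            return src in self.whitelist
        if src in self.static_blacklist:            # rules 2-3
            return False
        if (ap, src) in self.dynamic_blacklist:     # rules 2-3, this AP only
            return False
        return True                                 # rule 4


def demo():
    """Constructed scenario on the three-AP topology: Client 1 floods AP 1."""
    f = FrameFilter()
    f.static_blacklist.add("0000-000f-1211")
    client1, client2, client3 = "000f-e215-1515", "000f-e215-1530", "000f-e213-1235"
    out = {"static_blocked_everywhere": f.accept("AP2", "0000-000f-1211", 0.0)}
    flooded = False
    for i in range(8):   # eight probe requests within 0.8 s from Client 1 at AP 1
        flooded = f.observe("AP1", client1, "probe-req", 0.1 * i) or flooded
    out["flood_detected"] = flooded
    out["blocked_on_ap1"] = f.accept("AP1", client1, 1.0)
    out["still_allowed_on_ap2"] = f.accept("AP2", client1, 1.0)
    out["allowed_after_lifetime"] = f.accept("AP1", client1, 1.0 + DYNAMIC_LIFETIME)
    f.whitelist.add(client2)   # once a whitelist exists, only its members get in
    out["whitelist_only"] = (f.accept("AP3", client2, 2.0), f.accept("AP3", client3, 2.0))
    return out
```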

WLAN IDS configuration task list

·     Configuring AP operating mode: optional.

·     Configuring detection of rogue devices:

  -  Configuring detection of rogue devices: optional. Before you configure detection of rogue devices, set the AP operating mode to monitor.

  -  Taking countermeasures against attacks from detected rogue devices.

  -  Displaying and maintaining rogue detection.

·     Configuring attack detection:

  -  Configuring attack detection: optional.

  -  Displaying and maintaining attack detection.

·     Configuring blacklist and whitelist: optional.

 

Configuring AP operating mode

A WLAN consists of various APs that span across the building offering WLAN services to the clients. The administrator may want some of these APs to detect rogue devices. The administrator can configure an AP to operate in any of the three modes: normal, monitor, or hybrid.

·     In normal mode, an AP provides WLAN data services but does not perform any scanning.

·     In monitor mode, an AP scans all 802.11 frames in the WLAN but cannot provide WLAN services, so you do not need to configure a service template for it.

·     In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN services. For an AP operating in this mode, you need to configure a service template so that the AP can provide WLAN service when scanning devices.

To configure the AP operating mode:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP template view.

wlan ap ap-name model model-name

N/A

3.     Configure the AP operating mode.

·     Configure the AP operating mode as monitor:
work-mode monitor

·     Configure the AP operating mode as hybrid:
device-detection enable

Use either command.

By default, the AP operating mode is normal.

·     When you change the operating mode of an AP from normal to monitor, the AP does not restart.

·     When you change the operating mode of an AP from monitor to normal, the AP restarts.

·     Before you change the operating mode of an AP from hybrid to monitor, execute the undo device-detection enable command.

 

Configuring rogue detection

Configuring detection of rogue devices

Configuring detection rules

An AC classifies devices as rogues and friends based on the configured detection rules.

·     Determine if an AP is a rogue.

Figure 2 Determining if an AP is a rogue

 

·     Determine whether a client is a rogue.

Figure 3 Determining if a client is a rogue

 

·     Determine if an ad hoc network or a wireless bridge is a rogue.

Figure 4 Determining if an ad hoc network or a wireless bridge is a rogue

 

To configure the detection rules:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN IDS view.

wlan ids

N/A

3.     Add the MAC address of a client or AP to the static attack list.

device attack mac-address mac-address

Optional.

By default, the attack list is empty.

4.     Add the MAC address of a client or AP to the permitted MAC address list.

device permit mac-address mac-address

Optional.

By default, the permitted MAC address list is empty.

5.     Add an SSID to the permitted SSID list.

device permit ssid ssid

Optional.

By default, the permitted SSID list is empty.

6.     Add a vendor ID to the permitted vendor list.

device permit vendor vendor

Optional.

By default, the vendor list is empty.

 

Configuring the device expiration timer

This task allows you to set the device expiration interval for device entries in the detected device list. If a device in the list is not detected within this interval, the device entry is removed from the detected list; if the deleted entry is that of a rogue, it is moved to the rogue history table.

To configure the device expiration timer:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN IDS view.

wlan ids

N/A

3.     Configure the device expiration timer.

device aging-duration duration

Optional.

By default, the aging duration is 600 seconds.

 

Taking countermeasures against attacks from detected rogue devices

Configuring the rules

You can configure a device as a rogue by adding its MAC address to the static attack list.

To configure the rules:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN IDS view.

wlan ids

N/A

3.     Add the MAC address of a client or AP to the static attack list.

device attack mac-address mac-address

Optional.

By default, the attack list is empty.

 

Configuring the countermeasures mode

The countermeasures mode controls which devices countermeasures are taken against. Depending on the configuration, monitor APs can take countermeasures against the devices in the static attack list, all rogue devices, only rogue APs, or only ad hoc clients.

To configure the countermeasures mode:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN IDS view.

wlan ids

N/A

3.     Configure the countermeasures mode.

countermeasures mode { all | { rogue | adhoc | config } * }

Optional.

By default, the countermeasures mode is config, that is, countermeasures are taken only against devices in the static attack list.

4.     Enable the countermeasures function.

countermeasures enable

By default, the countermeasures function is disabled.

To configure the countermeasures mode as config, use the device attack mac-address command to configure the static attack list first.

5.     Specify the interval at which the AP takes countermeasures against rogue devices and the maximum number of devices against which the AP can take countermeasures.

countermeasures on-service interval interval [ max-device max-device ]

Optional.

By default, the interval is 5000 milliseconds, and the maximum number of devices is 256.

 

Displaying and maintaining rogue detection

Task

Command

Remarks

Display attack list information.

display wlan ids attack-list { config | all | ap ap-name } [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display detected entities.

display wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the history of attacks detected in the WLAN system.

display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the list of permitted MAC addresses, the list of permitted SSIDs, or the list of permitted vendor OUIs.

display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]

Available in any view.

Clear the list of detected entities in WLAN.

reset wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address }

Available in user view.

Clear all entries from the rogue-history list.

reset wlan ids rogue-history

Available in user view.

 

Configuring attack detection

Configuring attack detection

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter IDS view.

wlan ids

N/A

3.     Enable IDS attack detection.

attack-detection enable { all | flood | spoof | weak-iv }

By default, IDS attack detection is disabled.

 

Displaying and maintaining attack detection

Task

Command

Remarks

Display all the attacks detected by WLAN IDS/IPS.

display wlan ids history [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the count of attacks detected by WLAN IDS/IPS.

display wlan ids statistics [ | { begin | exclude | include } regular-expression ]

Available in any view.

Clear the history of attacks detected by the WLAN system.

reset wlan ids history

Available in user view.

Clear the statistics of attacks detected in the WLAN system.

reset wlan ids statistics

Available in user view.

 

Configuring blacklist and whitelist

Perform this task to configure the static blacklist and static whitelist, enable the dynamic blacklist feature, and configure the lifetime of dynamic blacklist entries.

·     WLAN IDS permits devices present in the static whitelist. You can add entries into or delete entries from the list.

·     WLAN IDS denies devices present in the static blacklist. You can add entries into or delete entries from the list.

·     WLAN IDS or WLAN IPS adds dynamically detected attack devices into the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry will be removed from the dynamic blacklist.

Configuring static lists

The maximum number of entries in a static list depends on the device model. For more information, see About the H3C Access Controllers Configuration Guides.

To configure static lists:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN IDS view.

wlan ids

N/A

3.     Add an entry into the whitelist.

whitelist mac-address mac-address

Optional.

By default, no whitelist exists.

4.     Add an entry into the static blacklist.

static-blacklist mac-address mac-address

Optional.

By default, no static blacklist exists.

 

Configuring a dynamic blacklist

The maximum number of entries in a dynamic blacklist depends on the device model. For more information, see About the H3C Access Controllers Configuration Guides.

To configure a dynamic blacklist:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN IDS view.

wlan ids

N/A

3.     Enable the dynamic blacklist feature.

dynamic-blacklist enable

Optional.

By default, the dynamic blacklist feature is disabled.

4.     Configure the lifetime for dynamic blacklist entries.

dynamic-blacklist lifetime lifetime

Optional.

By default, the lifetime is 300 seconds.

 

Displaying and maintaining blacklist and whitelist

Task

Command

Remarks

Display blacklist entries.

display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display whitelist entries.

display wlan whitelist [ | { begin | exclude | include } regular-expression ]

Available in any view.

Clear dynamic blacklist entries.

reset wlan dynamic-blacklist { mac-address mac-address | all }

Available in user view.

 

WLAN IDS configuration examples

Rogue detection configuration example

Network requirements

As shown in Figure 5, AP 1 (with serial ID 210235A29G007C000021) and AP 2 (serial ID 210235A29G007C000022) are connected to an AC through a Layer 2 switch.

·     AP 1 operates in normal mode and only provides WLAN services.

·     AP 2 operates in monitor mode and detects rogue devices.

·     Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3 (MAC address 000f-e213-1235) are connected to AP 1.

·     Client 4 (MAC address 000f-e220-405e) is considered as a rogue.

Figure 5 Network diagram

 

Configuration procedure

# Create a WLAN ESS interface.

<AC> system-view

[AC] interface wlan-ess 1

[AC-WLAN-ESS1] quit

# Create service template 1 of clear type, configure its SSID as normal, and bind WLAN-ESS1 to normal.

[AC] wlan service-template 1 clear

[AC-wlan-st-1] ssid normal

[AC-wlan-st-1] bind wlan-ess 1

[AC-wlan-st-1] authentication-method open-system

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Configure AP 1 to operate in normal mode and provide WLAN service only.

[AC] wlan ap ap1 model WA3628i-AGN

[AC-wlan-ap-ap1] serial-id 210235A29G007C000021

[AC-wlan-ap-ap1] radio 1 type dot11an

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

# Configure AP 2 to operate in monitor mode. It only scans rogue devices, but does not provide access services.

[AC] wlan ap ap2 model WA3628i-AGN

[AC-wlan-ap-ap2] serial-id 210235A29G007C000022

[AC-wlan-ap-ap2] work-mode monitor

[AC-wlan-ap-ap2] radio 1 type dot11an

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] return

# Configure IDS rules to allow Client 1, Client 2, and Client 3 to connect to the WLAN network to use WLAN services provided by AP 1.

<AC> system-view

[AC] wlan ids

[AC-wlan-ids] device permit mac-address 000f-e215-1515

[AC-wlan-ids] device permit mac-address 000f-e215-1530

[AC-wlan-ids] device permit mac-address 000f-e213-1235

# Configure Client 4 (rogue client), configure the countermeasures mode, and enable countermeasures.

[AC-wlan-ids] device attack mac-address 000f-e220-405e

[AC-wlan-ids] countermeasures mode config

[AC-wlan-ids] countermeasures enable

Blacklist and whitelist configuration example

Network requirements

As shown in Figure 6, Client 1 (0000-000f-1211) is a rogue client. To ensure WLAN security, add the MAC address of Client 1 to the blacklist on the AC so that it cannot access the wireless network through any AP.

Figure 6 Network diagram

 

Configuration procedure

# Add MAC address 0000-000f-1211 of Client 1 into the blacklist.

<AC> system-view

[AC] wlan ids

[AC-wlan-ids] static-blacklist mac-address 0000-000f-1211

After the configuration, Client 1 cannot access AP 1 or AP 2.

 
