Configuring WLAN IDS· 1

Terminology· 1

Rogue detection· 1

WIDS attack detection· 2

WLAN IDS configuration task list 3

Configuring AP operating mode· 3

Configuring rogue device detection· 4

Configuring rogue device detection· 4

Taking countermeasures against attacks from detected rogue devices 7

Displaying and maintaining rogue detection· 8

Configuring IDS attack detection· 9

Configuring IDS attack detection· 9

Displaying and maintaining IDS attack detection· 9

WLAN IDS configuration example· 9

Configuring WLAN IDS frame filtering· 12

Overview·· 12

Configuring WLAN IDS frame filtering· 13

Displaying and maintaining WLAN IDS frame filtering· 14

WLAN IDS frame filtering configuration example· 14

 

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. Wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network. Wireless intrusion prevention system (WIPS) helps to protect enterprise networks and users from unauthorized wireless access. The Rogue detection feature is a part of the WIDS/WIPS solution, which detects the presence of rogue devices in a WLAN network and takes countermeasures to prevent rogue devices operation.

Terminology

·     WLAN intrusion detection system—WLAN IDS is designed to be deployed in an area that an existing wireless network covers. It aids in the detection of malicious outsider attacks and intrusions via the wireless network.

·     Rogue AP—An unauthorized or malicious access point on the network, such as an employee setup AP, misconfigured AP, neighbor AP or an attacker operated AP. As it is not authorized, if any vulnerability occurs on the AP, the hacker will have chance to compromise your network security.

·     Rogue client—An unauthorized or malicious client on the network.

·     Rogue wireless bridge—Unauthorized wireless bridge on the network.

·     Monitor AP—An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.

·     Ad hoc mode—Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can directly communicate with other stations without support from any other device.

·     Passive scanning—In passive scanning, a monitor AP listens to all the 802.11 frames over the air in that channel.

·     Active scanning—In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a broadcast probe request and receives all probe response messages on that channel. Each AP in the vicinity of the monitor AP will reply to the probe request. This helps identify all authorized and unauthorized APs by processing probe response frames. The monitor AP masquerades as a client when sending the probe request.

Rogue detection

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN network based on the pre-configured rules.

Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue clients, rogue wireless bridges, and ad-hoc terminals.

Taking countermeasures against rogue device attacks

You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list from the AC and takes countermeasures against the rogue devices based on the configured countermeasures mode.

For example, if the countermeasures mode is config, the monitor AP takes countermeasures against only rogue devices in the static attack list. It sends fake de-authentication frames by using the MAC addresses of the rogue devices to remove them from the network.

Functionalities supported

The rogue detection feature supports the following functionalities:

·     RF monitoring in different channels

·     Rogue AP detection

·     Rogue client detection

·     Ad hoc network detection

·     Wireless bridge detection

·     Countermeasures against rogue devices, clients and ad hoc networks

WIDS attack detection

The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks through recording information or sending logs. At present, WIDS detection supports detection of the following attacks:

·     Flood attack

·     Spoofing attack

·     Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices get overwhelmed and consequently, is unable to service normal clients.

WIDS attacks detection counters flood attacks by constantly keeping track of the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time.

WIDS inspects the following types of frames:

·     Authentication requests and de-authentication requests

·     Association requests, disassociation requests and reassociation requests

·     Probe requests

·     802.11 null data frames

·     802.11 action frames.

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and works normally. In this case, a spoofed de-authentication frame can cause a client to get de-authenticated from the network and can affect the normal operation of the WLAN.

At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a key are used to generate a key stream, and thus encryptions using the same key have different results. When a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.

However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is compromised, the attacker can access network resources.

Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.

WLAN IDS configuration task list

 

Task		Description
Configuring AP operating mode		Required
Configuring rogue device detection	Configuring rogue device detection	Optional
	Taking countermeasures against attacks from detected rogue devices
	Displaying and maintaining rogue detection
Configuring IDS attack detection	Configuring IDS attack detection	Optional
	Displaying and maintaining IDS attack detection

 

Configuring AP operating mode

A WLAN consists of various APs that span across the building offering WLAN services to the clients. The administrator may want some of these APs to detect rogue devices. The administrator can configure an AP to operate in any of the three modes, normal, monitor, and hybrid.

·     In normal mode, an AP provides WLAN data services but does not perform any scanning.

·     In monitor mode, an AP scans all 802.11 frames in the WLAN, but cannot provide WLAN services.

·     In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.

To configure the AP operating mode:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter AP template view.	wlan ap ap-name model model-name	N/A
3.     Configure the AP operating mode as monitor.	work-mode monitor	N/A Use either command. By default, the AP operating mode is normal. ·     When an AP has its operating mode changed from normal to monitor, it does not restart. ·     When an AP has its operating mode changed from monitor to normal, it restarts.
4.     Configure the AP operating mode as hybrid.	device-detection enable

 

NOTE: ·     If the AP operates in hybrid mode, configure a service template so the AP can provide WLAN service when scanning devices. ·     If the AP operates in monitor mode, the AP cannot provide WLAN service, and you do not need to configure a service template.

 

Configuring rogue device detection

Configuring rogue device detection

Configuring detection rules

Configuring detection rules is to configure rogue device classification rules. An AC classifies devices as either rogues or friends based on the configured classification rules.

·     Check whether an AP is a rogue.

Figure 1 Checking whether an AP is a rogue

 

·     Check whether a client is a rogue.

Figure 2 Checking whether a client is a rogue

 

·     Check whether an ad hoc network or a wireless bridge is a rogue.

Figure 3 Checking whether an ad hoc network or a wireless bridge is a rogue

 

To configure the rules:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter WLAN IDS view.	wlan ids	N/A
3.     Add the MAC address of a client or AP to the permitted MAC address list.	device permit mac-address mac-address	Optional. By default, the permitted MAC address list is empty.
4.     Add an SSID to the permitted SSID list.	device permit ssid ssid	Optional. By default, the permitted SSID list is empty.
5.     Add a vendor ID to the permitted vendor list.	device permit vendor vendor	Optional. By default, the vendor list is empty.

 

Configuring the device expiry timer

This task allows you to set the device expiry interval for device entries in the detected device list. If a device in the list is not detected within this interval, the device entry is removed from the detected list; if the deleted entry is that of a rogue, it is moved to the rogue history table.

To configure the device expiry timer:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter WLAN IDS view.	wlan ids	N/A
3.     Configure the device expiry timer.	device aging-duration duration	Optional. By default the aging duration is 600 seconds.

 

Taking countermeasures against attacks from detected rogue devices

Configuring the rules

You can configure a device as a rogue by adding its MAC address to the static attack list.

To configure the rules:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter WLAN IDS view.	wlan ids	N/A
3.     Add the MAC address of a client or AP to the static attack list.	device attack mac-address mac-address	Optional. By default, the attack list is empty.

 

Configuring the countermeasures mode

The countermeasures mode can be set to control which devices countermeasures are taken for. Based on the configuration, monitor APs can take countermeasures against devices present in its static attack list, all rogue devices, only rogue APs, or only ad hoc clients. Countermeasures are not taken against wireless bridges even if they are classified as rogues.

To configure the countermeasures mode:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter WLAN IDS view.	wlan ids	N/A
3.     Configure the countermeasures mode.	countermeasures mode { all | { rogue | adhoc | config } * }	Optional. By default, the countermeasure mode is config, or, the static attack list.
4.     Enable the countermeasures function.	countermeasures enable	Disabled by default. If you want to configure the countermeasures mode as config, you need to use the device attack mac-address command to configure the static attack list first.

 

Displaying and maintaining rogue detection

 

Task	Command	Remarks
Display attack list information.	display wlan ids attack-list { config | all | ap ap-name } [ | { begin | exclude | include } regular-expression ]	Available in any view
Display detected entities.	display wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]	Available in any view
Display the history of attacks detected in the WLAN system.	display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]	Available in any view
Display the list of permitted MAC addresses, the list of permitted SSIDs, or the list of permitted vendor OUIs..	display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]	Available in any view
Clear the list of detected entities in WLAN.	reset wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address }	Available in user view
Clear all entries from the rogue-history list.	reset wlan ids rogue-history	Available in user view

 

Configuring IDS attack detection

Configuring IDS attack detection

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter IDS view.	wlan ids	N/A
3.     Enable IDS attack detection.	attack-detection enable { all | flood | weak-iv | spoof }	Disabled by default.

 

Displaying and maintaining IDS attack detection

 

Task	Command	Remarks
Display all the attacks detected by WLAN IDS IPS.	display wlan ids history [ | { begin | exclude | include } regular-expression ]	Available in any view
Display the count of attacks detected by WLAN IDS IPS.	display wlan ids statistics [ | { begin | exclude | include } regular-expression ]	Available in any view
Clear the history of attacks detected by the WLAN system.	reset wlan ids history	Available in user view
Clear the statistics of attacks detected in the WLAN system.	reset wlan ids statistics	Available in user view

 

WLAN IDS configuration example

Network requirements

As shown in Figure 4, a monitor AP (with serial ID 210235A29G007C000020) and AP1 (serial ID 210235A29G007C000021) are connected to an AC through a Layer 2 switch.

·     AP1 operates in normal mode, and only provides WLAN services.

·     AP2 operates in monitor mode, and detects rogue devices.

·     Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530) and Client 3 (MAC address 000f-e213-1235) are connected to AP1.

·     Client 4 (MAC address 000f-e220-405e) are considered as rogues.

Figure 4 Network diagram

 

Configuration procedure

# Create a WLAN ESS interface.

<AC> system-view

[AC] interface wlan-ess 1

[AC-WLAN-ESS1] quit

# Create service template 1 of clear type, configure its SSID as normal, and bind WLAN-ESS1 to normal.

<AC> system-view

[AC] wlan service-template 1 clear

[AC-wlan-st-1] ssid normal

[AC-wlan-st-1] bind wlan-ess 1

# Configure the authentication method as open-system, and enable service template 1.

[AC-wlan-st-1] authentication-method open-system

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Configure AP1 to operate in normal mode, and provide WLAN service only.

[AC] wlan ap ap1 model WA2100

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Configure the radio type as 802.11g, bind service template 1 to the radio, and enable the radio.

[AC-wlan-ap-ap1] radio 1 type dot11g

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

# Configure AP2 to operate in monitor mode. It only scans rogue devices, but does not provide access services.

[AC] wlan ap ap2 model WA2100

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

[AC-wlan-ap-ap2] work-mode monitor

# Configure the radio type as 802.11g, and enable the radio.

[AC-wlan-ap-ap2] radio 1 type dot11g

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] return

# Configure IDS rules to allow Client 1, Client 2, and Client 3 to connect to the WLAN network to use WLAN services provided by AP 1.

<AC> system-view

[AC] wlan ids

[AC-wlan-ids] device permit mac-address 000f-e215-1515

[AC-wlan-ids] device permit mac-address 000f-e215-1530

[AC-wlan-ids] device permit mac-address 0015-e213-1235

# Configure Client 4 (rogue client), configure the countermeasures mode and enable countermeasures.

[AC-wlan-ids] device attack mac-address 0015-e220-405e

[AC-wlan-ids] countermeasures mode config

[AC-wlan-ids] countermeasures enable

 

Overview

Frame filtering is a feature of 802.11 MAC and a sub-feature of WLAN IDS.

An access controller maintains a white list (permitted entries), a static blacklist (denied entries), and a dynamic blacklist (denied entries that are added to the blacklist when WLAN IDS detects flood attacks). You can configure the white and black lists through the CLI.

You can configure the blacklist and white list functions to filter frames from WLAN clients and implement client access control.

WLAN client access control is accomplished through the following three types of lists.

·     White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.

·     Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.

·     Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is dynamically added to the list if it is considered sending attacking frames until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects any attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more information about ARP detection, see Security Configuration Guide.

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame by following these rules:

1.     If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid and is further processed.

2.     If no white list entries exist, the static and dynamic blacklists are searched.

3.     If the source MAC address matches an entry in any of the two lists, the frame is dropped.

4.     If there is no match, or no blacklist entries exist, the frame is considered valid and is further processed.

The static blacklist and whitelist configured on the AC apply to all APs connected to the AC, and dynamic blacklist applies to APs that received attack packets.

Figure 5 Frame filtering

 

In the topology, three APs are connected to an AC. Configure white list and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can access any of the APs, and other clients cannot access any of the APs.

·     Enable dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated in the blacklist.

Configuring WLAN IDS frame filtering

WLAN IDS frame filtering configuration involves white list configuration, blacklist configuration, and dynamic blacklist feature configuration.

·     The maximum number of static and dynamic blacklist and whitelist entries depends on your device model. For more information, see About the WX Series Access Controllers Configuration Guides.

·     In WLAN IDS view, you can configure the static blacklist, white list, enable dynamic blacklist feature and configure the lifetime for dynamic entries.

·     Only entries present in the white list are permitted. You can add entries into or delete entries from the list.

·     Entries present in the static blacklist are denied.

·     Whenever WLAN IDS detects a flood attack, the attacking device is added into the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry is removed from the dynamic blacklist. If a flood attack from the device is detected again before the lifetime expires, the entry is refreshed.

To configure WLAN IDS frame filtering:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Enter WLAN IDS view.	wlan ids	N/A
3.     Add an entry into the white list.	whitelist mac-address mac-address	Optional
4.     Add an entry into the static blacklist.	static-blacklist mac-address mac-address	Optional
5.     Enable the dynamic blacklist feature.	dynamic-blacklist enable	Optional. By default, the dynamic blacklist feature is disabled.
6.     Configure the lifetime for dynamic blacklist entries.	dynamic-blacklist lifetime lifetime	Optional. By default, the lifetime is 300 seconds.

 

Displaying and maintaining WLAN IDS frame filtering

 

Task	Command	Remarks
Display blacklist entries.	display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]	Available in any view
Display white list entries.	display wlan whitelist [ | { begin | exclude | include } regular-expression ]	Available in any view
Clear dynamic blacklist entries.	reset wlan dynamic-blacklist { mac-address mac-address | all }	Available in user view

 

WLAN IDS frame filtering configuration example

Network requirements

As shown in Figure 6, an AC is connected to a Layer 2 switch. AP 1 and AP 2 are connected to the AC through the Layer 2 switch. Client 1 (0000-000f-1211) is a rogue client. To ensure WLAN security, add the MAC address of Client 1 into the blacklist on the AC to disable it from accessing the wireless network through any AP.

Figure 6 Network diagram

 

Configuration procedure

# Add MAC address 0000-000f-1211 of Client 1 into the blacklist.

<AC> system-view

[AC] wlan ids

[AC-wlan-ids] static-blacklist mac-address 0000-000f-1211

After the configuration, Client 1 cannot access AP 1 or AP 2.