WLAN IDS Configuration
Overview
802.11 networks are susceptible to a wide array of threats. Wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network.
Attack detection
The attack detection function detects intrusions or attacks on a WLAN network and informs the network administrator of them by recording the events or sending logs. At present, WIDS supports detection of the following attacks:
· Flood attack
· Spoofing attack
· Weak IV attack
Flood attack detection
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices are overwhelmed. Consequently, they are unable to service normal clients.
WIDS attack detection counters flood attacks by constantly tracking the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:
· Authentication requests and de-authentication requests
· Association requests, disassociation requests and reassociation requests
· Probe requests
· 802.11 null data frames
· 802.11 action frames
Spoofing attack detection
In this kind of attack, an attacker sends frames over the air on behalf of another device. For instance, a client in a WLAN is associated with an AP and operating properly; a spoofed de-authentication frame can then cause the client to be de-authenticated from the network and disrupt the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.
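The flood and spoofing rules above, written out as a small detector over constructed 802.11 frames. This is an added example and not code from the configuration guide or the vendor: the 802.11 header layout and the management/data subtype values are standard, while the threshold (50 frames of one kind per 1-second window), the list of protected AP BSSIDs and the sample traffic are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque

# 802.11 frame control byte 0: bits 2-3 hold the type, bits 4-7 the subtype.
MGMT, DATA = 0, 2
ASSOC_REQ, REASSOC_REQ, PROBE_REQ = 0x0, 0x2, 0x4
DISASSOC, AUTH, DEAUTH, ACTION = 0xA, 0xB, 0xC, 0xD
NULL_DATA = 0x4
BROADCAST = "ff:ff:ff:ff:ff:ff"

# The frame kinds the guide says flood detection inspects, keyed by (type, subtype).
FLOOD_CLASSES = {
    (MGMT, AUTH): "auth", (MGMT, DEAUTH): "deauth",
    (MGMT, ASSOC_REQ): "assoc", (MGMT, DISASSOC): "disassoc",
    (MGMT, REASSOC_REQ): "reassoc", (MGMT, PROBE_REQ): "probe",
    (DATA, NULL_DATA): "null-data", (MGMT, ACTION): "action",
}


def parse_header(frame):
    """Return (type, subtype, addr1, addr2) from a raw 802.11 MAC header."""
    if len(frame) < 16:
        raise ValueError("truncated 802.11 header")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    return ftype, subtype, frame[4:10].hex(":"), frame[10:16].hex(":")


def build_frame(ftype, subtype, addr1, addr2):
    """Constructed test input: a bare 3-address header with no frame body."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, 0, 0, 0]) + mac(addr1) + mac(addr2) + mac(addr2) + b"\x00\x00"


class Wids:
    """Flood and spoofing detection over a stream of (frame, timestamp) observations."""

    def __init__(self, ap_bssids, threshold=50, window=1.0):
        self.ap_bssids = set(ap_bssids)    # BSSIDs of the APs being protected (assumed)
        self.threshold = threshold         # frames of one class per window (assumed limit)
        self.window = window               # sliding window in seconds (assumed)
        self.history = defaultdict(deque)  # (src, class) -> recent timestamps
        self.events = []                   # (kind, src, class, time): what would be logged

    def observe(self, frame, now):
        ftype, subtype, dst, src = parse_header(frame)
        cls = FLOOD_CLASSES.get((ftype, subtype))
        # Spoofing rule: a broadcast deauth/disassoc whose sender address is one of
        # our APs. The AP's own transmissions are assumed not to be fed back here.
        if cls in ("deauth", "disassoc") and dst == BROADCAST and src in self.ap_bssids:
            self.events.append(("spoof", src, cls, now))
        if cls is None:
            return
        # Flood rule: traffic density per (source, frame class) over the window.
        q = self.history[(src, cls)]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.events.append(("flood", src, cls, now))
            q.clear()  # one event per burst; the next burst starts a fresh count


def run_demo():
    """Constructed traffic: a probe-request burst, a forged deauth, then normal auths."""
    ap = "00:0f:e2:aa:bb:cc"
    client = "00:0f:e2:15:15:15"
    w = Wids(ap_bssids=[ap])
    for i in range(60):  # 60 probe requests within half a second: a flood
        w.observe(build_frame(MGMT, PROBE_REQ, BROADCAST, client), 10.0 + i * 0.008)
    w.observe(build_frame(MGMT, DEAUTH, BROADCAST, ap), 12.0)  # forged, "from" our AP
    for i in range(5):  # 5 auth requests spread over 5 seconds: not a flood
        w.observe(build_frame(MGMT, AUTH, ap, client), 20.0 + i)
    return w.events


if __name__ == "__main__":
    for kind, src, cls, t in run_demo():
        print(f"{kind:5s} src={src} frames={cls} t={t:.3f}")
```

The per-(source, class) sliding window is what "density of traffic" amounts to in practice; the threshold and window are the two values a real WIDS exposes as tunables, and the counter is cleared after each event so a single sustained burst is logged once rather than on every frame past the limit.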
Weak IV detection
WEP uses an IV to encrypt each frame. The IV and the key together generate the key stream, so that frames encrypted with the same key produce different ciphertext. When a WEP frame is sent, the IV used to encrypt it is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.
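An added example of the weak-IV check, not code from the guide or the vendor. It pulls the 24-bit IV out of WEP-protected 802.11 data frames (the IV sits right after the MAC header, which is 24 bytes for plain data, 2 bytes longer for QoS data, and 6 bytes longer when both To-DS and From-DS are set) and logs two conditions: an IV reused by the same transmitter, which is the "fixed IV for all frames" case the text describes, and the classic weak-IV class of the form (A+3, 0xFF, X). That second pattern, the 104-bit key length it assumes, and the sample frames are assumptions of this example.

```python
PROTECTED = 0x40   # frame control byte 1, bit 6 ("Protected Frame")
DATA_TYPE = 2


def extract_wep_iv(frame):
    """Return (transmitter, 3-byte IV) for a WEP-protected data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if ((fc0 >> 2) & 0x3) != DATA_TYPE or not (fc1 & PROTECTED):
        return None
    hdr = 24
    if (fc0 >> 4) & 0x8:            # QoS data subtypes add a 2-byte QoS Control field
        hdr += 2
    if (fc1 & 0x03) == 0x03:        # To-DS and From-DS both set: 4-address header
        hdr += 6
    if len(frame) < hdr + 4:        # IV (3 bytes) + Key ID byte must be present
        return None
    return frame[10:16].hex(":"), frame[hdr:hdr + 3]


def is_fms_weak(iv, key_len=13):
    """Classic weak-IV class (A + 3, 0xFF, X) for key byte index A (104-bit key assumed)."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


class WeakIvDetector:
    def __init__(self):
        self.seen = {}   # transmitter -> IVs already observed from it
        self.log = []    # (transmitter, iv hex, reasons): what WIDS would log

    def inspect(self, frame):
        parsed = extract_wep_iv(frame)
        if parsed is None:
            return None  # not a WEP data frame: nothing to verify
        tx, iv = parsed
        reasons = []
        used = self.seen.setdefault(tx, set())
        if iv in used:
            reasons.append("iv-reuse")   # the guide's "fixed IV" case
        used.add(iv)
        if is_fms_weak(iv):
            reasons.append("fms-weak")
        if reasons:
            self.log.append((tx, iv.hex(), reasons))
        return reasons


def build_wep_frame(transmitter, iv, qos=False):
    """Constructed test input: a client-to-AP (To-DS) protected data frame."""
    fc0 = ((0x8 if qos else 0x0) << 4) | (DATA_TYPE << 2)
    fc1 = PROTECTED | 0x01
    mac = bytes.fromhex(transmitter.replace(":", ""))
    hdr = bytes([fc0, fc1, 0, 0]) + b"\x00" * 6 + mac + b"\x00" * 6 + b"\x00\x00"
    if qos:
        hdr += b"\x00\x00"
    # IV, Key ID byte, then placeholder ciphertext and ICV
    return hdr + bytes(iv) + b"\x00" + b"\x00" * 8


def run_demo():
    det = WeakIvDetector()
    tx = "00:0f:e2:15:15:30"
    results = [
        det.inspect(build_wep_frame(tx, (0x12, 0x34, 0x56))),             # fresh IV
        det.inspect(build_wep_frame(tx, (0x12, 0x34, 0x56))),             # same IV again
        det.inspect(build_wep_frame(tx, (0x05, 0xFF, 0x07))),             # weak class
        det.inspect(build_wep_frame(tx, (0x03, 0xFF, 0x01), qos=True)),   # weak, QoS header
    ]
    plain = bytearray(build_wep_frame(tx, (0x12, 0x34, 0x56)))
    plain[1] &= 0xFF ^ PROTECTED   # clear the Protected Frame bit: not a WEP frame
    results.append(det.inspect(bytes(plain)))
    return results, det.log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Tracking IVs per transmitter is what makes the reuse check meaningful: two different stations legitimately may pick the same IV, but the same station repeating one with the same key is exactly the condition the text warns about.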
Blacklist and white list
You can configure the blacklist and white list functions to filter frames from WLAN clients and implement client access control.
WLAN client access control is accomplished through the following types of lists.
· White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
· Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
· Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is added to the list dynamically when it is detected sending attack frames, and remains there until the timer of the entry expires.
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame by following these rules:
1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid and is processed further.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in any of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.
Figure 1 Frame filtering
If client 1 is present in the blacklist, it cannot associate with the fat AP. If it is only in the white list, it can associate with the fat AP.
WLAN IDS configuration task list
Task | Description |
---|---|
Configuring AP operating mode | Optional. |
Configuring attack detection | Optional. |
Configuring blacklist and whitelist | Optional. |
Configuring AP operating mode
A WLAN consists of multiple APs spread across a building, offering WLAN services to clients. The administrator may want some of these APs to detect rogue devices, and can configure an AP to operate in any of three modes: normal, monitor, or hybrid.
· In normal mode, an AP provides WLAN data services but does not perform any scanning.
· In monitor mode, an AP scans all 802.11 frames in the WLAN but cannot provide WLAN services, so you do not need to configure a service template for it.
· In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN services. For an AP operating in this mode, you need to configure a service template so that the AP can provide WLAN service when scanning devices.
To configure the AP operating mode:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the AP operating mode. | · Configure the AP operating mode as monitor: · Configure the AP operating mode as hybrid: wlan device-detection enable | Use either command. By default, the AP operating mode is normal. · When an AP has its operating mode changed from normal to monitor, it does not restart. · When an AP has its operating mode changed from monitor to normal, it restarts. · Before switching the AP operating mode from hybrid to normal, use the undo wlan device-detection enable command to disable the hybrid mode. |
Configuring attack detection
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter IDS view. | wlan ids | N/A |
3. Enable IDS attack detection. | attack-detection enable { all \| flood \| spoof \| weak-iv } | By default, IDS attack detection is disabled. |
Displaying and maintaining attack detection
Task | Command | Remarks |
---|---|---|
Display all the attacks detected by WLAN IDS IPS. | display wlan ids history [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the count of attacks detected by WLAN IDS IPS. | display wlan ids statistics [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Clear the history of attacks detected by the WLAN system. | reset wlan ids history | Available in user view. |
Clear the statistics of attacks detected in the WLAN system. | reset wlan ids statistics | Available in user view. |
Configuring blacklist and whitelist
Perform this task to configure the static blacklist and the static white list, enable the dynamic blacklist feature, and configure the lifetime of dynamic entries.
· WLAN IDS permits devices present in the static white list. You can add entries into or delete entries from the list.
· WLAN IDS denies devices present in the static blacklist. You can add entries into or delete entries from the list.
· WLAN IDS adds dynamically detected attack devices into the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry will be removed from the dynamic blacklist. If a flood attack from the device is detected again before the lifetime expires, the entry is refreshed.
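An added model, not code from the guide or the vendor, of the three lists and their interaction: the four frame-filtering rules given under "Blacklist and white list" above, and the dynamic-entry lifetime and refresh behaviour described in this section. The 300-second default lifetime is the guide's; the client MAC addresses and the timeline of events are constructed for the example, and `on_attack_detected` stands in for whatever hook the real attack-detection code uses to feed the dynamic blacklist.

```python
DEFAULT_LIFETIME = 300   # seconds, the guide's default dynamic-blacklist lifetime


class WlanAccessControl:
    """White list, static blacklist and dynamic blacklist with the guide's filter rules."""

    def __init__(self, dynamic_lifetime=DEFAULT_LIFETIME):
        self.whitelist = set()           # whitelist mac-address ...
        self.static_blacklist = set()    # static-blacklist mac-address ...
        self.dynamic_enabled = False     # dynamic-blacklist enable
        self.lifetime = dynamic_lifetime # dynamic-blacklist lifetime ...
        self.dynamic = {}                # mac -> expiry time in seconds

    def on_attack_detected(self, mac, now):
        """Hypothetical hook from attack detection: add or refresh a dynamic entry."""
        if self.dynamic_enabled:
            self.dynamic[mac] = now + self.lifetime   # a repeat detection restarts the timer

    def purge_expired(self, now):
        """Drop dynamic entries whose lifetime has run out."""
        for mac in [m for m, expiry in self.dynamic.items() if expiry <= now]:
            del self.dynamic[mac]

    def filter_frame(self, src_mac, now):
        """Return 'accept' or 'drop' for a frame from src_mac, following rules 1-4."""
        self.purge_expired(now)
        if self.whitelist:
            # Rule 1: when a white list exists, only its members pass; nothing else is consulted.
            return "accept" if src_mac in self.whitelist else "drop"
        # Rules 2-3: no white list entries, so the static and dynamic blacklists are searched.
        if src_mac in self.static_blacklist or src_mac in self.dynamic:
            return "drop"
        return "accept"   # Rule 4: no match, or no blacklist entries at all


def run_demo():
    """Constructed timeline exercising static, dynamic and white-list decisions."""
    acl = WlanAccessControl()
    acl.static_blacklist.add("0000-000f-1211")   # Client 1 from the guide's example
    client = "000f-e215-1515"
    r = {}
    r["static_blacklisted"] = acl.filter_frame("0000-000f-1211", now=0)
    r["unknown_client"] = acl.filter_frame(client, now=0)
    acl.on_attack_detected(client, now=0)         # feature still disabled: ignored
    r["dynamic_disabled"] = acl.filter_frame(client, now=1)
    acl.dynamic_enabled = True
    acl.on_attack_detected(client, now=10)        # entry expires at 310
    r["after_flood"] = acl.filter_frame(client, now=100)
    acl.on_attack_detected(client, now=250)       # detected again: refreshed, expires at 550
    r["after_refresh"] = acl.filter_frame(client, now=400)
    r["after_expiry"] = acl.filter_frame(client, now=550)
    acl.whitelist.add("000f-e215-1530")
    r["not_in_whitelist"] = acl.filter_frame(client, now=600)
    r["in_whitelist"] = acl.filter_frame("000f-e215-1530", now=600)
    return r


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:20s} -> {decision}")
```

Two points the model makes visible: the dynamic blacklist does nothing unless it has been enabled, however many attacks are detected, and once a white list has any entry the blacklists are no longer consulted, so a white-listed client is accepted even while a dynamic entry for it exists.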
Configuring static lists
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WLAN IDS view. | wlan ids | N/A |
3. Add an entry into the white list. | whitelist mac-address mac-address | Optional. By default, no white list exists. |
4. Add an entry into the static blacklist. | static-blacklist mac-address mac-address | Optional. By default, no static blacklist exists. |
Configuring dynamic blacklist
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WLAN IDS view. | wlan ids | N/A |
3. Enable the dynamic blacklist feature. | dynamic-blacklist enable | Optional. By default, the dynamic blacklist feature is disabled. |
4. Configure the lifetime for dynamic blacklist entries. | dynamic-blacklist lifetime lifetime | Optional. By default, the lifetime is 300 seconds. |
Displaying and maintaining blacklist and whitelist
Task | Command | Remarks |
---|---|---|
Display blacklist entries. | display wlan blacklist { static \| dynamic } [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display white list entries. | display wlan whitelist [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Clear dynamic blacklist entries. | reset wlan dynamic-blacklist { mac-address mac-address \| all } | Available in user view. |
WLAN IDS configuration examples
WLAN IDS configuration example
Network requirements
As shown in Figure 2, WLAN IDS allows Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530) and Client 3 (MAC address 000f-e213-1235) to access the fat AP. Configure the operating mode of the fat AP as hybrid to enable it to provide WLAN access services and detect rogue clients in the network.
Configuration procedure
# Create a WLAN ESS interface.
<AP> system-view
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] quit
# Create service template 1 of clear type and configure its SSID as service.
[AP] wlan service-template 1 clear
[AP-wlan-st-1] ssid service
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Bind WLAN-Radio 1/0/1 to service template 1 and WLAN-BSS 1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] service-template 1 interface WLAN-BSS 1
[AP-WLAN-Radio1/0/1] quit
# Configure the AP to operate in hybrid mode. It scans rogue devices and provides access services.
[AP] wlan device-detection enable
Blacklist and whitelist configuration example
Network requirements
As shown in Figure 3, to ensure WLAN security, add the MAC address of the client to the blacklist on the AC to prevent it from accessing the wireless network through any AP.
Configuration procedure
# Add MAC address 0000-000f-1211 of Client 1 into the blacklist.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] static-blacklist mac-address 0000-000f-1211
After the configuration, Client 1 cannot access the AP, and other clients can access the network.