Configuring Intrusion Protection

Intrusion protection features support containment of an AP or a client. In the case of an AP, the system attempts to disconnect all clients that are connected or attempting to connect to the AP. In the case of a client, the client's association to an AP is targeted. The following containment mechanisms are supported:

Deauthentication containment: An AP or client is contained by disrupting its association on the wireless interface.
Tarpit containment: An AP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as the AP being contained, or on a different channel (see Tarpit Shielding Overview).
Wired containment: An AP or client is contained by disrupting its connection on the wired interface.

The WIP feature supports separate enforcement policies that use the underlying containment mechanisms to contain an AP or a client that does not conform to the policy. These policies are discussed in the sections that follow.

Understanding Infrastructure Intrusion Protection

Table 1 presents a summary of the infrastructure intrusion protection features with their related commands, traps, and syslog identifications. Details of each feature follow the table.

Table 1: Infrastructure Protection Summary (columns: Feature, Command, Trap, Syslog ID)

Feature: Protecting 40MHz 802.11 High Throughput Devices
Command: protect-ht-40mhz (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting 802.11n High Throughput Devices
Command: protect-high-throughput (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting Against Adhoc Networks
Command: protect-adhoc-network, protect-adhoc-enhanced (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment, wlsxEnhancedAdhocContainment
Syslog ID: 106005, 106006, 126012, 126102, 126103, 126108, 127102, 127103, 127108, 126114

Feature: Protecting Against AP Impersonation
Command: protect-ap-impersonation (in ids impersonation-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting Against Misconfigured APs
Command: protect-misconfigured-ap (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting SSIDs
Command: protect-ssid (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting Against Wireless Hosted Networks
Command: detect-wireless-hosted-network, protect-wireless-hosted-network (in ids unauthorized-device-profile)
Trap: wlsxWirelessHostedNetworkDetected, wlsxClientAssociatedToHostedNetworkDetected, wlsxWirelessHostedNetworkContainment, wlsxHostOfWirelessNetworkContainment
Syslog ID: 126110, 126111, 126112, 126113

Feature: Protecting Against Rogue Containment
Command: rogue-containment (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting Against Suspected Rogue Containment
Command: suspect-rogue-containment, suspect-rogue-conf-level (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 106010, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protection against Wired Rogue APs
Command: wired-containment, wired-containment-ap-adj-mac, wired-containment-susp-l3-rogue (in ids general-profile)
Trap: wlsxAPWiredContainment
Syslog ID: 126104, 126105, 126106, 126107

Protecting 40MHz 802.11 High Throughput Devices

Protection from APs that support 40MHz HT involves containing the AP so that clients cannot connect.

Protecting 802.11n High Throughput Devices

Protection from APs that support HT involves containing the AP so that clients cannot connect.

Protecting Against Adhoc Networks

Protection from an adhoc network involves containing the adhoc network so that clients cannot connect to it. The basic adhoc protection feature protects against adhoc networks using WPA/WPA2 security. The enhanced adhoc network protection feature protects against open/WEP adhoc networks. Both features can be used together for maximum protection, or enabled or disabled separately.

This feature requires that you enable the wireless-containment setting in the IDS general profile.

Protecting Against AP Impersonation

Protection from AP impersonation involves containing both the legitimate and the impersonating AP so that clients cannot connect to either AP.

Protecting Against Misconfigured APs

Protect Misconfigured AP enforces that valid APs are configured properly. An offending AP is contained by preventing clients from associating with it.

Protecting Against Wireless Hosted Networks

Clients using the Windows wireless hosted network feature can act as an access point to which other wireless clients can connect, effectively becoming a Wi-Fi HotSpot. This creates a security issue for enterprises, because unauthorized users can use a hosted network to gain access to the corporate network, and valid users that connect to a hosted network are vulnerable to attack or security breaches. This feature detects a wireless hosted network, and contains the client hosting this network.

Protecting SSIDs

Protect SSID enforces that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating with it.

Protecting Against Rogue Containment

By default, rogue APs are not automatically disabled. Rogue containment automatically disables a rogue AP by preventing clients from associating with it.

Protecting Against Suspected Rogue Containment

By default, suspected rogue APs are not automatically contained. In combination with the suspected rogue containment confidence level, suspected rogue containment automatically disables a suspected rogue AP by preventing clients from associating with it.

Protection against Wired Rogue APs

This feature enables containment from the wired side of the network. The basic wired containment feature in the IDS general profile isolates layer-3 APs whose wired interface MAC addresses are either the same as (or one character off from) their BSSIDs. The enhanced wired containment feature introduced in ArubaOS 6.3 can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID. In many non-Aruba APs, the MAC address the AP provides to wireless clients as a 'gateway MAC' is offset by one character from its wired MAC address. This enhanced feature allows ArubaOS to check whether a suspected layer-3 rogue AP's MAC address follows this common pattern.

Understanding Client Intrusion Protection

Table 2 lists the client intrusion protection features with their related commands, traps, and syslog identifications. Details of each feature follow the table.

Table 2: Client Protection Summary (columns: Feature, Command, Trap, Syslog ID)

Feature: Protecting Valid Stations
Command: protect-valid-sta (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Feature: Protecting Windows Bridge
Command: protect-windows-bridge (in ids unauthorized-device-profile)
Trap: wlsxAPDeauthContainment, wlsxClientDeauthContainment, wlsxTarpitContainment
Syslog ID: 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108

Protecting Valid Stations

Protecting a valid client involves disconnecting that client if it is associated with a non-valid AP.

Protecting Windows Bridge

Protecting against a Windows Bridge involves containing the client that is forming the bridge so that it cannot connect to the AP.
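The following is an added example, not configuration taken from the original page or from Aruba, showing how the infrastructure protections of Table 1 and the client protections of Table 2 fit together as ArubaOS CLI profiles. The profile name wip-example, the containment mode deauth-only, the confidence level 60, and the binding of the three profiles into an ids profile and an ap-group are assumptions; the lines beginning with ! are annotations, not commands.

```text
! Step 1: the IDS general profile. wireless-containment must be enabled here,
! otherwise the protect-* commands in the other profiles take no action.
! The wired-containment commands from Table 1 also live in this profile.
! (deauth-only is an assumed containment mode value.)
ids general-profile "wip-example"
   wireless-containment deauth-only
   wired-containment
   wired-containment-ap-adj-mac
   wired-containment-susp-l3-rogue
!
! Step 2: the unauthorized-device profile carries every Table 1 and Table 2
! command except AP impersonation. Enable only the protections you need;
! each one triggers deauthentication or tarpit containment against the
! offending AP or client, which is disruptive on the air.
ids unauthorized-device-profile "wip-example"
   protect-ht-40mhz
   protect-high-throughput
   protect-adhoc-network
   protect-adhoc-enhanced
   protect-misconfigured-ap
   protect-ssid
   detect-wireless-hosted-network
   protect-wireless-hosted-network
   rogue-containment
   suspect-rogue-containment
   suspect-rogue-conf-level 60
   protect-valid-sta
   protect-windows-bridge
!
! Step 3: AP impersonation protection lives in its own profile (Table 1).
ids impersonation-profile "wip-example"
   protect-ap-impersonation
!
! Step 4 (assumed binding): reference the three profiles from an ids profile
! and attach that to the AP group whose APs should enforce the policy.
ids profile "wip-example"
   general-profile "wip-example"
   unauthorized-device-profile "wip-example"
   impersonation-profile "wip-example"
!
ap-group "wip-example"
   ids-profile "wip-example"
```

After applying, the containment events appear as the traps and syslog IDs listed in the two tables (for example 106005/106006 and 126102/126103/126108 for deauthentication and tarpit containment), which is where a SIEM rule should watch for unexpected containment of valid infrastructure.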