
Rogue AP Detection and Classification

The most important IDS functionality offered in the Aruba Instant network is the ability to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat since it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
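As an added illustration (not code from the Aruba documentation or from Instant itself), the classification rule above expressed as a small stateful classifier: an AP is Valid if this Virtual Controller manages it, Rogue if it is unauthorized and also seen on the wired side, and Interfering otherwise, including the Interfering-to-Rogue reclassification the text mentions. The page does not describe how Instant establishes wired presence, so the example assumes an exact match between a BSSID and a MAC observed on the wire, and all MAC values are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class APClass(Enum):
    VALID = "valid"              # authorized AP managed by this Virtual Controller
    INTERFERING = "interfering"  # unauthorized, seen in the RF environment only
    ROGUE = "rogue"              # unauthorized AND plugged into the wired network

@dataclass
class RogueClassifier:
    authorized_bssids: set                           # BSSIDs of the APs we manage (lowercase)
    wired_macs: set = field(default_factory=set)     # MACs observed on the wired side
    state: dict = field(default_factory=dict)        # BSSID -> current APClass
    transitions: list = field(default_factory=list)  # (bssid, old, new) reclassifications

    def observe_rf(self, bssid: str) -> APClass:
        """Classify an AP seen in an RF scan and record any reclassification."""
        bssid = bssid.lower()
        if bssid in self.authorized_bssids:
            new = APClass.VALID
        elif bssid in self.wired_macs:
            # Assumption: wired presence is an exact match between the BSSID and a
            # MAC seen on the wire; the page does not describe Instant's actual method.
            new = APClass.ROGUE
        else:
            new = APClass.INTERFERING
        old = self.state.get(bssid)
        if old is not None and old != new:
            self.transitions.append((bssid, old, new))
        self.state[bssid] = new
        return new

    def observe_wired(self, mac: str) -> None:
        """Record a MAC seen on the wired network; an interfering AP becomes rogue."""
        mac = mac.lower()
        self.wired_macs.add(mac)
        if self.state.get(mac) is APClass.INTERFERING:
            self.observe_rf(mac)

    def rogues(self) -> list:
        return sorted(b for b, c in self.state.items() if c is APClass.ROGUE)

if __name__ == "__main__":
    clf = RogueClassifier(authorized_bssids={"00:1a:1e:aa:bb:01"})  # constructed values
    clf.observe_wired("00:1a:1e:cc:dd:02")
    for b in ("00:1a:1e:aa:bb:01", "00:1a:1e:cc:dd:02", "de:ad:be:ef:00:03"):
        print(b, clf.observe_rf(b).value)
    clf.observe_wired("de:ad:be:ef:00:03")  # interfering AP later seen on the wire
    print("rogues:", clf.rogues(), "transitions:", clf.transitions)
```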

Navigate to IDS in the Instant UI and click the IDS link. The built-in IDS scans for access points that are not controlled by this Virtual Controller. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or on your network.

Figure 132 - Intrusion Detection

Wireless Intrusion Protection (WIP)

WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Aruba network, the WIP configuration can be done on the IAP.

An administrator can configure the following five main options.

Infrastructure Detection Policies — Specifies which wireless attacks on access points to detect
Client Detection Policies — Specifies which wireless attacks on clients to detect
Infrastructure Protection Policies — Specifies which wireless attacks on access points to protect against
Client Protection Policies — Specifies which wireless attacks on clients to protect against
Containment Methods — Prevents unauthorized stations from connecting to your Instant network

In each of these options there are several default levels that enable different sets of policies. An administrator can customize (enable/disable) these options accordingly.

Four levels of detection can be configured on the WIP Detection page: Off, Low, Medium, and High (as shown in Figure 133).

Figure 133 - Wireless Intrusion Protection — Detection

The following table describes the detection policies that are enabled in the Infrastructure Detection Custom settings field.

Table 25 - Infrastructure Detection Policies

Detection Level | Detection Policy
----------------+-------------------------------------------------------------
Off             | Rogue Classification
----------------+-------------------------------------------------------------
Low             | Detect AP Spoofing
                | Detect Windows Bridge
                | IDS Signature — Deauthentication Broadcast
                | IDS Signature — Disassociation Broadcast
----------------+-------------------------------------------------------------
Medium          | Detect Adhoc networks using VALID SSID (the valid SSID list is
                |   auto-configured based on the Instant AP configuration)
                | Detect Malformed Frame — Large Duration
----------------+-------------------------------------------------------------
High            | Detect AP Impersonation
                | Detect Adhoc Networks
                | Detect Valid SSID Misuse
                | Detect Wireless Bridge
                | Detect 802.11 40MHz intolerance settings
                | Detect Active 802.11n Greenfield Mode
                | Detect AP Flood Attack
                | Detect Client Flood Attack
                | Detect Bad WEP
                | Detect CTS Rate Anomaly
                | Detect RTS Rate Anomaly
                | Detect Invalid Address Combination
                | Detect Malformed Frame — HT IE
                | Detect Malformed Frame — Association Request
                | Detect Malformed Frame — Auth
                | Detect Overflow IE
                | Detect Overflow EAPOL Key
                | Detect Beacon Wrong Channel
                | Detect devices with invalid MAC OUI

The following table describes the detection policies that are enabled in the Client Detection Custom settings field.

Table 26 - Client Detection Policies

Detection Level | Detection Policy
----------------+-------------------------------------------------------------
Off             | All detection policies are disabled.
----------------+-------------------------------------------------------------
Low             | Detect Valid Station Misassociation
----------------+-------------------------------------------------------------
Medium          | Detect Disconnect Station Attack
                | Detect Omerta Attack
                | Detect FATA-Jack Attack
                | Detect Block ACK DOS
                | Detect Hotspotter Attack
                | Detect unencrypted Valid Client
                | Detect Power Save DOS Attack
----------------+-------------------------------------------------------------
High            | Detect EAP Rate Anomaly
                | Detect Rate Anomaly
                | Detect Chop Chop Attack
                | Detect TKIP Replay Attack
                | IDS Signature — Air Jack
                | IDS Signature — ASLEAP

Three levels of protection can be configured on the WIP Protection page: Off, Low, and High (as shown in Figure 134).

Figure 134 - Wireless Intrusion Protection — Detection

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.

Table 27 - Infrastructure Protection Policies

Protection Level | Protection Policy
-----------------+------------------------------------------------------------
Off              | All protection policies are disabled.
-----------------+------------------------------------------------------------
Low              | Protect SSID (the valid SSID list should be auto-derived from
                 |   the Instant configuration)
                 | Rogue Containment
-----------------+------------------------------------------------------------
High             | Protect from Adhoc Networks
                 | Protect AP Impersonation

The following table describes the protection policies that are enabled in the Client Protection Custom settings field.

Table 28 - Client Protection Policies

Protection Level | Protection Policy
-----------------+------------------------------------------------------------
Off              | All protection policies are disabled.
-----------------+------------------------------------------------------------
Low              | Protect Valid Station
-----------------+------------------------------------------------------------
High             | Protect Windows Bridge

Containment Methods

You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Instant network.

Instant supports the following types of containment mechanisms:

Wired containment — When enabled, Aruba Access Points generate ARP packets on the wired network to contain wireless attacks.
Wireless containment — When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
None — Disables all the containment mechanisms.
Deauthenticate only — With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
Tarpit containment — With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as, or a different channel from, the Access Point being contained.

Figure 135 - Containment Methods