Rogue AP Detection and Classification
The most important IDS function in an Aruba Instant network is detecting rogue APs, interfering APs, and other devices that can potentially disrupt network operations. An AP is classified as a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is classified as an interfering AP if it is seen in the RF environment but is not connected to the wired network. An interfering AP can cause RF interference, but it is not treated as a direct security threat because it has no path onto the wired network. The classification is not permanent: an interfering AP is reclassified as a rogue AP if it is later seen on the wired network.
Navigate to the IDS link in the Instant UI. The built-in IDS scans for access points that are not controlled by this Virtual Controller and lists them as either Interfering or Rogue, depending on whether they are on a foreign network or on your own network.
Figure 132 - Intrusion Detection
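As an added illustration of the classification rule above (example code, not part of the Aruba documentation or the Instant product), the following Python correlates an over-the-air scan with MAC addresses learned on the wired side. The sample BSSIDs and wired MACs are constructed, and the assumption that a device's radio BSSID lies within a few addresses of its Ethernet MAC is a heuristic of this example, not a description of how Instant itself performs the match.

```python
"""Classify scanned APs as valid, rogue, or interfering by correlating
what is heard over the air with MAC addresses learned on the wire.
Added example; the BSSID/Ethernet-MAC adjacency heuristic is an
assumption of this example, not Aruba Instant's matching algorithm."""
from dataclasses import dataclass

VALID, ROGUE, INTERFERING = "valid", "rogue", "interfering"


@dataclass(frozen=True)
class ScannedAP:
    bssid: str
    ssid: str
    channel: int


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def on_wired_network(bssid, wired_macs, tolerance=8):
    """True if the BSSID, or a MAC within `tolerance` of it, was seen on the
    wired side. Many APs derive radio BSSIDs from the Ethernet MAC by
    adjusting the low-order bits, so exact equality alone would miss them."""
    target = mac_to_int(bssid)
    return any(abs(mac_to_int(m) - target) <= tolerance for m in wired_macs)


def classify(scan, wired_macs, authorized_bssids):
    """Return {bssid: class}. Unauthorized and seen on the wire -> rogue;
    unauthorized and RF-only -> interfering."""
    result = {}
    for ap in scan:
        if ap.bssid in authorized_bssids:
            result[ap.bssid] = VALID
        elif on_wired_network(ap.bssid, wired_macs):
            result[ap.bssid] = ROGUE
        else:
            result[ap.bssid] = INTERFERING
    return result


def transitions(previous, current):
    """Which APs changed class between two passes, e.g. an interfering AP
    that has since been plugged into the LAN."""
    return {b: (previous.get(b), c) for b, c in current.items() if previous.get(b) != c}


# Constructed sample data (not a real capture).
AUTHORIZED = {"00:0b:86:aa:10:01", "00:0b:86:aa:10:02"}       # our own IAPs
SCAN = [
    ScannedAP("00:0b:86:aa:10:01", "corp-wlan", 6),            # our IAP
    ScannedAP("00:1f:3c:12:34:56", "free-wifi", 11),           # neighbour's AP
    ScannedAP("f8:1a:67:9b:cd:e0", "corp-wlan", 1),            # consumer AP advertising our SSID
]
# Wired-side MACs (switch bridge table / ARP cache); the consumer AP's
# Ethernet MAC is one below its BSSID.
WIRED_BEFORE = {"00:0b:86:aa:10:01", "f8:1a:67:9b:cd:df", "3c:97:0e:44:55:66"}
# Later the neighbour's AP is patched into one of our switch ports.
WIRED_AFTER = WIRED_BEFORE | {"00:1f:3c:12:34:56"}


def run_example():
    before = classify(SCAN, WIRED_BEFORE, AUTHORIZED)
    after = classify(SCAN, WIRED_AFTER, AUTHORIZED)
    return before, after, transitions(before, after)


if __name__ == "__main__":
    before, after, changed = run_example()
    for bssid, cls in before.items():
        print(f"{bssid}  {cls}")
    print("reclassified:", changed)
```

The second pass shows the reclassification described above: the neighbour's AP is interfering while it is only heard over the air and becomes rogue once its MAC shows up on the wired side. The `tolerance` window trades missed rogues against false positives from unrelated devices with numerically adjacent MACs, so in practice it should be tuned against the wired MAC population you actually see.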
Wireless Intrusion Protection (WIP)
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Aruba network, the WIP configuration can be done on the IAP.
An administrator can configure the following five main options.
- Infrastructure Detection Policies— Specifies which wireless attacks on access points to detect
- Client Detection Policies— Specifies which wireless attacks on clients to detect
- Infrastructure Protection Policies— Specifies which wireless attacks on access points to protect against
- Client Protection Policies— Specifies which wireless attacks on clients to protect against
- Containment Methods— Prevents unauthorized stations from connecting to your Instant network
In each of these options there are several default levels that enable different sets of policies. An administrator can customize (enable/disable) these options accordingly.
Four levels of detection can be configured in the WIP Detection page— Off, Low, Medium, and High (as shown in Figure 133).
Figure 133 - Wireless Intrusion Protection— Detection
The following table describes the detection policies that are enabled in the Infrastructure Detection Custom settings field.
Table 25 - Infrastructure Detection Policies
Level   | Policies enabled
Off     | Rogue Classification
Low     | IDS Signature— Deauthentication Broadcast
        | IDS Signature— Disassociation Broadcast
Medium  | Detect Adhoc networks using VALID SSID— Valid SSID list is auto-configured based on Instant AP configuration
        | Detect Malformed Frame— Large Duration
High    | Detect AP Impersonation
        | Detect Valid SSID Misuse
        | Detect 802.11 40MHz intolerance settings
        | Detect Active 802.11n Greenfield Mode
        | Detect Client Flood Attack
        | Detect CTS Rate Anomaly
        | Detect RTS Rate Anomaly
        | Detect Invalid Address Combination
        | Detect Malformed Frame— HT IE
        | Detect Malformed Frame— Association Request
        | Detect Malformed Frame— Auth
        | Detect Overflow EAPOL Key
        | Detect Beacon Wrong Channel
        | Detect devices with invalid MAC OUI
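To make several of the Table 25 signatures concrete, here is an added Python example (not from the Aruba documentation or product) that parses raw 802.11 management frame headers and flags a few of the listed conditions: a broadcast deauthentication or disassociation, an implausibly large Duration field, an invalid address combination (group-addressed source, or source equal to destination), and a beacon whose DS Parameter Set channel disagrees with the channel it was received on. The frames are constructed inline; the 10,000 µs duration threshold and the exact address checks are assumptions of this example, not the product's detection thresholds.

```python
"""Flag a few Table 25 infrastructure-detection conditions in raw 802.11
management frames. Added example; thresholds and checks are assumptions,
not the Aruba Instant implementation."""
import struct

BROADCAST = b"\xff" * 6
MGMT = 0                    # frame-control type value for management frames
BEACON, PROBE_RESP, AUTH, DISASSOC, DEAUTH = 8, 5, 11, 10, 12
IE_DS_PARAMETER_SET = 3     # information element carrying the beacon's channel
MAX_SANE_DURATION = 10_000  # µs; assumed "Large Duration" cut-off (field max is 32767)


def mac(s):
    """'00:0b:86:aa:10:01' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_mgmt(subtype, dst, src, bssid, body=b"", duration=0):
    """Assemble a management frame: frame control, duration, three
    addresses, sequence control, then the body (no FCS)."""
    frame_control = (MGMT << 2) | (subtype << 4)
    header = struct.pack("<HH", frame_control, duration) + dst + src + bssid
    return header + struct.pack("<H", 0) + body


def parse_mgmt(frame):
    """Split the 24-byte header; None for runt or non-management frames."""
    if len(frame) < 24:
        return None
    frame_control, duration = struct.unpack_from("<HH", frame, 0)
    if (frame_control >> 2) & 0x3 != MGMT:
        return None
    return {
        "subtype": (frame_control >> 4) & 0xF,
        "duration": duration,
        "dst": frame[4:10], "src": frame[10:16], "bssid": frame[16:22],
        "body": frame[24:],
    }


def parse_ies(data):
    """Walk TLV information elements (id, length, value) into a dict."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def inspect(frame, rx_channel):
    """Return the Table 25 signature names that this frame triggers."""
    f = parse_mgmt(frame)
    if f is None:
        return []
    alerts = []
    if f["subtype"] == DEAUTH and f["dst"] == BROADCAST:
        alerts.append("IDS Signature: Deauthentication Broadcast")
    if f["subtype"] == DISASSOC and f["dst"] == BROADCAST:
        alerts.append("IDS Signature: Disassociation Broadcast")
    if f["duration"] > MAX_SANE_DURATION:
        alerts.append("Malformed Frame: Large Duration")
    # A transmitter address is never group-addressed (I/G bit set), and a
    # station does not address a frame to itself.
    if f["src"][0] & 0x01 or f["src"] == f["dst"]:
        alerts.append("Invalid Address Combination")
    if f["subtype"] == BEACON:
        # body = timestamp(8) + beacon interval(2) + capability(2) + IEs
        ds = parse_ies(f["body"][12:]).get(IE_DS_PARAMETER_SET)
        if ds and ds[0] != rx_channel:
            alerts.append("Beacon Wrong Channel")
    return alerts


# Constructed sample frames (not captured traffic).
AP = mac("00:0b:86:aa:10:01")
CLIENT = mac("3c:97:0e:44:55:66")
SAMPLES = {
    "deauth_broadcast": build_mgmt(DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7)),
    "disassoc_unicast": build_mgmt(DISASSOC, CLIENT, AP, AP, struct.pack("<H", 8)),
    "beacon_wrong_channel": build_mgmt(
        BEACON, BROADCAST, AP, AP,
        struct.pack("<QHH", 0, 100, 0x0411) + b"\x00\x09corp-wlan" + b"\x03\x01\x06"),
    "nav_dos_probe_resp": build_mgmt(PROBE_RESP, CLIENT, AP, AP, duration=32767),
    "multicast_source_auth": build_mgmt(AUTH, AP, mac("01:00:5e:00:00:01"), AP),
}


def scan_samples(rx_channel=1):
    """Run every constructed frame through inspect(), keyed by sample name."""
    return {name: inspect(frame, rx_channel) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(f"{name:24s} {alerts or ['(clean)']}")
```

The unicast disassociation is deliberately left clean: the Low-level signatures in Table 25 are about broadcast deauthentication/disassociation, which no legitimate AP sends in normal operation, whereas a unicast disconnect of a single station is routine and is covered by the client-side policies in the next table.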
The following table describes the detection policies that are enabled in the Client Detection Custom settings field.
Table 26 - Client Detection Policies
Level   | Policies enabled
Off     | All detection policies are disabled.
Low     | Detect Valid Station Misassociation
Medium  | Detect Disconnect Station Attack
        | Detect FATA-Jack Attack
        | Detect Hotspotter Attack
        | Detect unencrypted Valid Client
        | Detect Power Save DOS Attack
High    | Detect EAP Rate Anomaly
        | Detect Chop Chop Attack
        | Detect TKIP Replay Attack
        | IDS Signature— Air Jack
Three levels of protection can be configured in the WIP Protection page— Off, Low, and High (as shown in Figure 134).
Figure 134 - Wireless Intrusion Protection— Detection
The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Table 27 - Infrastructure Protection Policies
Level   | Policies enabled
Off     | All protection policies are disabled.
Low     | Protect SSID (the valid SSID list is derived automatically from the Instant configuration)
High    | Protect from Adhoc Networks
        | Protect AP Impersonation
The following table describes the protection policies that are enabled in the Client Protection Custom settings field.
Table 28 - Client Protection Policies
Level   | Policies enabled
Off     | All protection policies are disabled.
Low     |
High    |
Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Instant network.
Instant supports the following types of containment mechanisms:
- Wired containment— When enabled, Aruba Access Points generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment— When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
- None— Disables all the containment mechanisms.
- Deauthenticate only— With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
- Tarpit containment— With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as, or a different channel from, the Access Point being contained.
Figure 135 - Containment Methods